Cisco ASA Series CLI Configuration Guide Software Version 9.0 for the ASA 5505, ASA 5510, ASA 5520, ASA 5540, ASA 5550, ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, ASA 5580, ASA 5585-X, and the ASA Services Module...
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks.
This guide applies to the Cisco ASA series. Throughout this guide, the term “ASA” applies generically to supported models, unless specified otherwise.
Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service.
ESP, which provides both authentication and encryption. See also encryption and VPN. Refer to the RFC 2402. Advanced Inspection and Prevention. For example, the AIP SSM or AIP SSC, which runs IPS software. Cisco ASA Series CLI Configuration Guide GL-1...
BPDU: Bridge Protocol Data Unit. Spanning-Tree Protocol hello packet that is sent out at configurable intervals to exchange information among bridges in the network. Protocol data unit is the OSI term for packet.
Compression can reduce the size of transferred packets and increase communication performance.
configuration, config, config file: A file on the ASA that represents the equivalent of settings, preferences, and properties administered by ASDM or the CLI.
CTIQBE is used by the TAPI/JTAPI protocol inspection module and supports NAT, PAT, and bidirectional NAT. This protocol enables Cisco IP SoftPhone and other Cisco TAPI/JTAPI applications to communicate with Cisco CallManager for call setup and voice traffic across the ASA.
See also encryption.
DES: Data Encryption Standard. DES was published in 1977 by the National Bureau of Standards and is a secret key encryption scheme based on the Lucifer algorithm from IBM. Cisco uses DES in classic crypto (40-bit and 56-bit key lengths),...
EIGRP: Enhanced Interior Gateway Routing Protocol. The ASA does not support EIGRP.
EMBLEM: Enterprise Management BaseLine Embedded Manageability. A syslog format designed to be consistent with the Cisco IOS system log format and more compatible with CiscoWorks management applications.
encryption: Application of a specific algorithm or cipher to data so as to render the data incomprehensible to those unauthorized to see the information.
Suite of ITU-T standard specifications for video conferencing over circuit-switched media, such as ISDN, fractional T-1, and switched-56 lines. Extensions of ITU-T standard H.320 enable video conferencing over LANs and other packet-switched networks, as well as video over the Internet.
Hash Algorithm: A hash algorithm is a one-way function that operates on a message of arbitrary length to create a fixed-length message digest used by cryptographic services to ensure data integrity. MD5 has a smaller digest and is considered to be slightly faster than SHA-1. Cisco uses both hashes within its implementation of the IPsec framework.
The use of where the IP address is also the IP address of the outside interface. See Dynamic PAT, Static PAT.
Internet: The global network that uses IP. Not a LAN. See also intranet.
ISP: Internet Service Provider. An organization that provides connection to the Internet via their services, such as modem dial-in over telephone voice lines or DSL.
JTAPI: Java Telephony Application Programming Interface. A Java-based API supporting telephony functions. See also TAPI.
L2TP: Layer Two Tunneling Protocol. An IETF standards-track protocol defined in RFC 2661 that provides tunneling of PPP. L2TP is an extension to PPP. L2TP merges the older Cisco Layer Two Forwarding (L2F) protocol with PPTP. L2TP can be used with IPsec encryption and is considered more secure against attack than PPTP.
Mode Config: IKE Mode Configuration.
Modular Policy Framework: A means of configuring ASA features in a manner similar to Cisco IOS software Modular CLI.
mobile station: Refers generically to any mobile device, such as a mobile handset or computer, that is used to access network services.
IMSI. See also IMSI.
NSSA: not-so-stubby area. An OSPF feature described by RFC 1587. NSSA was first introduced in Cisco IOS software release 11.2. It is a nonproprietary extension of the existing stub area feature that allows the injection of external routes in a limited fashion into the stub area.
See also PIM-SM.
PIM-SM: Protocol Independent Multicast-Sparse Mode. With PIM-SM, which is the default for Cisco routers, when the source of a multicast transmission begins broadcasting, the traffic is forwarded from one MC router to the next, until the packets reach every registered host. See also PIM.
These characteristics of key pairs provide a scalable and secure method of authentication over an insecure medium, such as the Internet.
(named after its inventors, Rivest, Shamir, and Adleman) with a variable key length. The main weakness of RSA is that it is significantly slower to compute than popular secret-key algorithms, such as DES. The Cisco implementation of uses a Diffie-Hellman exchange to get the secret keys.
SA is used by only, and unlike the IPsec SA, it is bidirectional.
SCCP: Skinny Client Control Protocol. A Cisco-proprietary protocol used between Cisco Call Manager and Cisco VoIP phones.
SCEP: Simple Certificate Enrollment Protocol. A method of requesting and receiving (also known as enrolling) certificates from CAs.
ASA is sent through an IPsec tunnel. All traffic originating from the client is sent to the outside interface through a tunnel, and client access to the Internet from its remote site is denied.
See also AAA, RADIUS.
TAPI: Telephony Application Programming Interface. A programming interface in Microsoft Windows that supports telephony functions.
TCP: Transmission Control Protocol. Connection-oriented transport layer protocol that provides reliable full-duplex data transmission.
Transport mode is less secure than tunnel mode.
TAPI Service Provider. See also TAPI.
tunnel mode: IPsec encryption mode that encrypts both the header and data portion (payload) of each packet. Tunnel mode is more secure than transport mode.
IP address that matches the correct source interface according to the routing table.
URL: Uniform Resource Locator. A standardized addressing scheme for accessing hypertext documents and other services using a browser. For example, http://www.cisco.com.
user EXEC mode: The lowest privilege level at the ASA CLI. The user EXEC mode prompt appears as follows when you first access the ASA: hostname>
This lets different vendors have VSAs of the same number. The combination of a vendor number and a VSA number makes a VSA unique. For example, the cisco-av-pair VSA is attribute 1 in the set of VSAs related to vendor number 9. Each vendor can define up to 256 VSAs. A...
IKE Extended Authentication.
xlate: An xlate, also referred to as a translation entry, represents the mapping of one IP address to another, or the mapping of one IP address/port pair to another.
Chapter: Introduction to the Cisco ASA
The Cisco ASA provides advanced stateful firewall and VPN concentrator functionality in one device, and for some models, integrated services modules such as IPS. The ASA includes many advanced...
When using Java 6 to access the splash screen in a browser, Internet Explorer on Windows Vista and later and Firefox on all operating systems do not, by default, support DES for SSL; therefore, without the strong encryption license (3DES/AES), see the following workarounds:
To change the security setting, open System Preferences, and click Security & Privacy. On the General tab, under Allow applications downloaded from, click Anywhere.
Hardware and Software Compatibility
For a complete list of supported hardware and software, see the Cisco ASA Compatibility: http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html
VPN Specifications
See Supported VPN Platforms, Cisco ASA 5500 Series: http://www.cisco.com/en/US/docs/security/asa/compatibility/asa-vpn-compatibility.html...
• The active cluster member count
• The output of the show cluster info command and the show cluster history command on the cluster master
New Features in ASA 9.0(2)/ASDM 7.1(2)
Released: February 25, 2013
See the following limitations:
• Secure Desktop (Vault) is not supported with Windows 8.
Windows 8 Support: Dynamic Access Policies: ASDM was updated to enable selection of Windows 8 in the DAP Operating System attribute.
Formerly, when you cleared the password, the ASA restored the default of “cisco.” Now when you clear the password, the password is removed. The login password is also used for Telnet sessions from the switch to the ASASM (see the session command).
Released: October 29, 2012
Table 1-5 lists the new features for ASA Version 9.0(1)/ASDM Version 7.0(1).
Note: Features added in 8.4(4.x), 8.4(5), and 8.4(6) are not included in 9.0(1) unless they are explicitly listed in this table.
IP addresses. The ASA can utilize the Cisco TrustSec solution for other types of security group based policies, such as application inspection; for example, you can configure a class map containing an access policy based on a security group.
Table: New Features for ASA Version 9.0(1)/ASDM Version 7.0(1) (continued)
Cisco Cloud Web Security (ScanSafe): Cisco Cloud Web Security provides content scanning and other malware protection service for web traffic. It can also redirect and report about web traffic based on user identity. Note: Clientless SSL VPN is not supported with Cloud Web Security;...
Therefore, Sun RPC inspection implements a pinhole mechanism to support egress traffic. Sun RPC inspection uses this pinhole mechanism to support outbound dynamic access lists. Also available in 8.4(4.1).
We modified the following commands: set connection conn-max, set connection embryonic-conn-max, set connection per-client-embryonic-max, set connection per-client-max.
We modified the following screen: Configuration > Firewall > Service Policy Rules > Connection Settings.
Also available in 8.4(5).
High Availability and Scalability Features
For EIGRP, bulk synchronization, route synchronization, and spanned EtherChannels are supported in the clustering environment. Multicast routing supports clustering. We introduced or modified the following commands: show route cluster, debug route cluster, show mfib cluster, debug mfib cluster.
This release of the ASA continues to support IPv6 VPN traffic on its inside interface using the SSL protocol as it has in the past. This release does not provide IKEv2/IPsec protocol on the inside interface.
IKEv2/IPsec protocol. We introduced the following command: ipv6-split-tunnel-policy. We modified the following screen: Configuration > Remote Access VPN > Network (Client) Access > Group Policies > (Edit group policy) > Advanced > Split Tunneling.
This feature can be used by clients configured to use the SSL or IKEv2/IPsec protocol. We introduced the following command: gateway-fqdn. We modified the following screen: Configuration > Remote Access VPN > Network (Client) Access > Group Policies > (Edit group policy) > Advanced > AnyConnect.
(767001) when unsupported inspections receive and drop IPv6 traffic. We modified the following command: service-policy fail-close. We modified the following screen: Configuration > Firewall > Service Policy Rules > Add Service Policy Rule Wizard - Service Policy.
Remote Access Features
Remote File Explorer network from their web browser. When users click the Remote File System icon on the Cisco SSL VPN portal page, an applet is launched on the user's system displaying the remote file system in a tree and folder view.
Custom attributes can benefit AnyConnect clients configured for either IKEv2/IPsec or SSL protocols. We added the following command: anyconnect-custom-attr. A new screen was added: Configuration > Remote Access VPN > Network (Client) Access > Advanced > AnyConnect Custom Attributes.
You cannot set the firewall mode in ASDM; you must use the command-line interface. Also available in Version 8.5(1).
Module Features
ASA Services Module support on the Cisco 7600 switch: The Cisco 7600 series now supports the ASASM. For specific hardware and software requirements, see: http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html.
We did not modify any screens. How the ASA Services Module Works with the Switch You can install the ASASM in the Catalyst 6500 series and Cisco 7600 series switches with Cisco IOS software on both the switch supervisor and the integrated MSFC.
Figure: MSFC/Router In Front of the ASASM (diagram showing the Internet, a router, the MSFC/Router, and the ASASM connected across VLANs 100, 200, 201, 202, 203, 301, 302, and 303 down to the Inside networks)
Because the ASA lets you configure many interfaces with varied security policies, including many inside interfaces, many DMZs, and even many outside interfaces if desired, these terms are used in a general sense only.
You can use private addresses on your inside networks. Private addresses are not routable on the Internet.
• NAT hides the local addresses from other networks, so attackers cannot learn the real address of a host.
• NAT can resolve IP routing problems by supporting overlapping IP addresses.
Some network traffic, such as voice and streaming video, cannot tolerate long latency times. QoS is a network feature that lets you give priority to these types of traffic. QoS refers to the capability of a network to provide better service to selected network traffic.
Configuring Cisco Unified Communications
The Cisco ASA 5500 series is a strategic platform to provide proxy functions for unified communications deployments. The purpose of a proxy is to terminate and reoriginate connections between a client and server.
These protocols include FTP, H.323, and SNMP.
• Is this an established connection?
Many features are supported in multiple context mode, including routing tables, firewall features, IPS, and management. Some features are not supported, including VPN and dynamic routing protocols.
(management, integration into a network) while achieving the increased throughput and redundancy of multiple devices. You perform all configuration (aside from the bootstrap configuration) on the master unit only; the configuration is then replicated to the member units.
Configuring the Switch for Use with the ASA Services Module
This chapter describes how to configure the Catalyst 6500 series or Cisco 7600 series switch for use with the ASASM. Before completing the procedures in this chapter, configure the basic properties of your switch, including assigning VLANs to switch ports, according to the documentation that came with your switch.
Guidelines and Limitations
To view a matrix of hardware and software compatibility for the ASASM and Cisco IOS versions, see the Cisco ASA 5500 Series Hardware and Software Compatibility: http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html
Some ASASM features interact with Cisco IOS features.
You can assign up to 16 firewall VLAN groups to each ASASM. (You can create more than 16 VLAN groups in Cisco IOS software, but only 16 can be assigned per ASASM.) For example, you can assign all the VLANs to one group; or you can create an inside group and an outside group; or you can create a group for each customer.
ASASM outside interface), then add an ASASM VLAN interface to the MSFC as a switched virtual interface (SVI). This section includes the following topics:
• Information About SVIs, page 1-6
• Configuring SVIs, page 1-8
Cisco ASA Series ASDM Configuration Guide...
For example, with multiple SVIs, you could accidentally allow traffic to pass around the ASASM by assigning both the inside and outside VLANs to the MSFC. (See Figure 1-1.)
Figure 1-1 Multiple SVI Misconfiguration (diagram: Internet, VLAN 100, MSFC, VLAN 200, ASASM, VLAN 201 on both the MSFC and ASASM, Inside)
IPX traffic to pass on VLAN 201.
Figure 1-2 Multiple SVIs for IPX (diagram: Internet, VLAN 100, MSFC, VLAN 200, ASASM, VLAN 201 on both the MSFC and ASASM, Inside with an IPX host and an IP host)
Step 1 firewall multiple-vlan-interfaces
Purpose: Allows you to add more than one SVI to the ASASM.
Example: Router(config)# firewall multiple-vlan-interfaces
Step 2 interface vlan vlan_number
Purpose: Adds a VLAN interface to the MSFC.
Example: Router(config)# interface vlan 55
• Assigning VLANs to the Secondary ASA Services Module, page 1-10
• Adding a Trunk Between a Primary Switch and Secondary Switch, page 1-10
• Ensuring Compatibility with Transparent Firewall Mode, page 1-10
• Enabling Autostate Messaging for Rapid Link Failure Detection, page 1-10
• The last interface belonging to a VLAN goes down.
• The first interface belonging to a VLAN comes up.
Detailed Steps
Command: firewall autostate
Purpose: Enables autostate messaging in Cisco IOS software. Autostate messaging is disabled by default.
Example: Router(config)# firewall autostate
show firewall vlan-group: Displays all configured VLAN groups.
show interface vlan: Displays the status and information about the configured VLAN interface.
Examples
The following is sample output from the show firewall module [mod-num] state command:
Router# show firewall module
Module Vlan-groups
50,52
51,52
The following is sample output from the show firewall module [mod-num] version command:
Router# show firewall module 2 version
ASA Service Module 2:
Sw Version: 100.7(8)19
We introduced or modified the following commands: firewall transparent, mac address auto, firewall autostate (IOS), interface vlan.
ASA Services Module support on the Cisco 7600 switch, 9.0(1): The Cisco 7600 series now supports the ASASM.
Press the Enter key to see the following prompt:
hostname>
This prompt indicates that you are in user EXEC mode. Only basic commands are available from user EXEC mode.
Step 3 To access privileged EXEC mode, enter the following command:
hostname> enable
Later, you can configure remote access directly to the ASASM using Telnet or SSH according to the “Configuring ASA Access for ASDM, Telnet, or SSH” section on page 1-1. This section includes the following topics:
• Information About Connection Methods, page 1-3
You must use a direct serial connection to return the console to the switch prompt. In this case, either change the terminal server or switch escape character in Cisco IOS, or use the Telnet session command instead.
Note: Because of the persistence of the console connection, if you do not properly log out of the ASASM, the connection may exist longer than intended.
Enter the login password to the ASASM. Set the password using the passwd command.
9.0(1): The default password is “cisco.”
9.0(2) and later: There is no default password.
You access user EXEC mode.
Step 2...
(^) character as a standalone character, you can temporarily or permanently change the escape character to a different character. In Cisco IOS, before you session to the ASASM, use the terminal escape-character ascii_number command (to change temporarily) or the default escape-character ascii_number command (to change permanently).
Accessing ASDM Using the Factory Default Configuration
With a factory default configuration (see the “Factory Default Configurations” section on page 1-18), ASDM connectivity is pre-configured with default network settings. Connect to ASDM using the following interface and network settings:
Step 1 (Optional) firewall transparent
Purpose: Enables transparent firewall mode. This command clears your configuration.
Example: hostname(config)# firewall transparent
Step 2 Do one of the following to configure a management interface, depending on your mode:
DHCP range. You can later change the IPS module management address using the ASA if required.
Example:
hostname(config)# dhcpd address 192.168.1.5-192.168.1.254 inside
hostname(config)# dhcpd enable inside
Step 5 http server enable
Purpose: Enables the HTTP server for ASDM.
Example: hostname(config)# http server enable
If you do not have a factory default configuration, or want to change the firewall or context mode, perform the following steps.
Prerequisites
Access the CLI according to the “Accessing the Appliance Command-Line Interface” section on page 1-1.
http server enable
Purpose: Enables the HTTP server for ASDM.
Example: hostname(config)# http server enable
Step 6 http ip_address mask interface_name
Purpose: Allows the management host to access ASDM.
Example: hostname(config)# http 192.168.1.0 255.255.255.0 management
“Assigning VLANs to the ASA Services Module” section on page 1-4.
• Connect to the ASASM and access global configuration mode according to the “Accessing the ASA Services Module Command-Line Interface” section on page 1-2.
dhcpd address ip_address-ip_address interface_name
dhcpd enable interface_name
Purpose: Enables DHCP for the management host on the management interface network. Make sure you do not include the management address in the range.
Example:
hostname(config)# dhcpd address 192.168.1.2-192.168.1.254 inside
hostname(config)# dhcpd enable inside
The following configuration converts the firewall mode to transparent mode, configures the VLAN 1 interface and assigns it to BVI 1, and enables ASDM for a management host:
firewall transparent
interface bvi 1
ip address 192.168.1.1 255.255.255.0
interface vlan 1
bridge-group 1
nameif inside
Where interface_ip_address is the management IP address of the ASA. See the “Configuring ASDM Access for Appliances” section on page 1-6 or the “Configuring ASDM Access for the ASA Services Module” section on page 1-11 for more information about management access.
With HTTPS authentication enabled, enter your username and associated password. If there is a new version of ASDM on the ASA, the ASDM Launcher automatically downloads the new version and requests that you update the current version before starting ASDM.
Step 1 Start the Java Web Start application.
Step 2 Accept any certificates according to the dialog boxes that appear. The Cisco ASDM-IDM Launcher appears.
Step 3 Enter the username and password, and click OK. For a factory default configuration, leave these fields empty.
Step 2 Double-click the installer to install the software.
Step 3 Double-click the Cisco ASDM Launcher shortcut on your desktop, or open it from the Start menu.
Step 4 Check the Run in Demo Mode check box. The Demo Mode window appears.
Factory Default Configurations
The factory default configuration is the configuration applied by Cisco to new ASAs.
• ASA 5505: The factory default configuration configures interfaces and NAT so that the ASA is ready to use in your network immediately.
Ethernet 0/0 assigned to outside.
• IP addresses: Outside address from DHCP; inside address set manually to 192.168.1.1/24.
• Network address translation (NAT): All inside IP addresses are translated when accessing the outside using interface PAT.
Ethernet 0/5
switchport access vlan 1
no shutdown
interface Ethernet 0/6
switchport access vlan 1
no shutdown
interface Ethernet 0/7
switchport access vlan 1
no shutdown
interface vlan2
nameif outside
no shutdown
IP addresses: The IP addresses configured should be changed to match the network to which you are connecting.
• Static routes: For some kinds of traffic, static routes are required. See the “MAC Address vs. Route Lookups” section on page 1-6.
Additional information about contexts is in Chapter 1, “Configuring Multiple Context Mode.” This section includes the following topics:
• Saving Configuration Changes, page 1-24
• Copying the Startup Configuration to the Running Configuration, page 1-25
URL, except for an HTTP or HTTPS URL, which do not let you save the configuration to the server.
Example: hostname# write memory
Note: The copy running-config startup-config command is equivalent to the write memory command.
The context 'context a' could not be saved due to Unknown errors
Copying the Startup Configuration to the Running Configuration
Copy a new startup configuration to the running configuration using one of the following options.
Example: For example, to remove a specific nat command, enter enough of the command to identify it uniquely as follows:
hostname(config)# no nat (inside) 1
To ensure that all connections use the new policy, you need to disconnect the current connections so they can reconnect using the new policy. To disconnect connections, enter one of the following commands.
Reloading the ASA
To reload the ASA, enter the following command:
Command: reload
Purpose: Reloads the ASA. Note: In multiple context mode, you can only reload from the system execution space.
Example: hostname(config)# reload
Page 137
The ASA acts as a router between connected networks, and each interface requires an IP address on a different subnet. The ASA supports multiple dynamic routing protocols. However, we recommend using the advanced routing capabilities of the upstream and downstream routers instead of relying on the ASA for extensive routing needs.
Using the Transparent Firewall in Your Network
The ASA connects the same network between its interfaces. Because the firewall is not a routed hop, you can easily introduce a transparent firewall into an existing network.
For example, all bridge groups share a syslog server or AAA server configuration. For complete security policy separation, use security contexts with one bridge group in each context.
ACL.
Note Broadcast and multicast traffic can be passed using access rules. See the “Allowing Broadcast and Multicast Traffic through the Transparent Firewall Using Access Rules” section on page 7-6 for more information.
EtherType access list to deny them. If you are using failover, you might want to block BPDUs to prevent the switch port from going into a blocking state when the topology changes. See the “Transparent Firewall Mode Requirements” section on page 9-14 for more information.
ARP inspection prevents malicious users from impersonating other hosts or routers (known as ARP spoofing). ARP spoofing can enable a “man-in-the-middle” attack. For example, a host sends an ARP request to the gateway router; the gateway router responds with the gateway router MAC address.
The default timeout value for dynamic MAC address table entries is 5 minutes.
• By default, each interface automatically learns the MAC addresses of entering traffic, and the ASA adds corresponding entries to the MAC address table.
ASDM Command Line Interface tool or SSH, you will be disconnected when the configuration is cleared, and you will have to reconnect to the ASA using the console port in any case.
• Set the mode within the context.
If an entry is incorrect (for example, the MAC address changes for a given IP address), the entry times out before it can be updated.
Note The transparent firewall uses dynamic ARP entries in the ARP table for traffic to and from the ASA, such as management traffic.
Examples
For example, to enable ARP inspection on the outside interface, and to drop all non-matching ARP packets, enter the following command:
hostname(config)# arp-inspection outside enable no-flood
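The following is an added illustration, not code from the guide or from Cisco, of the decision ARP inspection makes for each ARP packet on an inspected interface: a packet whose sender IP and MAC match a static ARP entry is forwarded, a packet whose MAC contradicts the static entry for that IP is dropped, and a packet for an IP with no static entry is flooded by default or dropped when the no-flood keyword is configured. The static ARP table, interface names and sample ARP replies are constructed for the example.

```python
"""Model of transparent-firewall ARP inspection (added example, not Cisco code)."""
from dataclasses import dataclass

# Constructed static ARP table: IP address -> MAC address. On the ASA these
# are the static 'arp' entries that ARP inspection compares packets against.
STATIC_ARP = {
    "10.1.1.1": "0009.7cbe.2100",   # gateway router
    "10.1.1.20": "0010.7cbe.6101",  # inside host
}


@dataclass(frozen=True)
class ArpPacket:
    interface: str    # interface the ARP packet arrived on
    sender_ip: str    # IP the sender claims
    sender_mac: str   # MAC the sender claims for that IP


def inspect_arp(pkt: ArpPacket, inspected_interfaces: set, flood: bool = True) -> str:
    """Return 'forward', 'flood' or 'drop' for one ARP packet.

    inspected_interfaces: interfaces with 'arp-inspection <if> enable'.
    flood=False models the 'no-flood' keyword: unknown pairs are dropped
    instead of being flooded to all interfaces.
    """
    if pkt.interface not in inspected_interfaces:
        return "forward"            # inspection not enabled here; normal switching
    expected_mac = STATIC_ARP.get(pkt.sender_ip)
    if expected_mac is None:
        return "flood" if flood else "drop"   # no static entry to check against
    if expected_mac.lower() == pkt.sender_mac.lower():
        return "forward"            # IP/MAC pair agrees with the static entry
    return "drop"                   # IP is bound to a different MAC: spoofed reply


def run_inspection(packets, inspected_interfaces, flood=True):
    """Apply inspect_arp to a list of packets and return the actions in order."""
    return [inspect_arp(p, inspected_interfaces, flood) for p in packets]


# Constructed sample traffic (not captured from a real device).
SAMPLE_PACKETS = [
    ArpPacket("outside", "10.1.1.1", "0009.7cbe.2100"),   # legitimate gateway reply
    ArpPacket("outside", "10.1.1.1", "00aa.bbcc.dd01"),   # gateway IP with the wrong MAC
    ArpPacket("outside", "10.1.1.99", "00aa.bbcc.dd02"),  # host with no static entry
    ArpPacket("inside", "10.1.1.1", "00aa.bbcc.dd01"),    # inspection not enabled on inside
]

if __name__ == "__main__":
    # Mirrors 'arp-inspection outside enable no-flood' from the guide.
    for pkt, action in zip(SAMPLE_PACKETS, run_inspection(SAMPLE_PACKETS, {"outside"}, flood=False)):
        print(f"{pkt.interface:8} {pkt.sender_ip:10} {pkt.sender_mac}  -> {action}")
```

Running it with flood=True instead shows the only difference the keyword makes: the third packet is flooded rather than dropped, while the spoofed gateway reply is dropped either way.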
To change the timeout, enter the following command:
Command: mac-address-table aging-time timeout_value
Purpose: Sets the MAC address entry timeout. The timeout_value (in minutes) is between 5 and 720 (12 hours). 5 minutes is the default.
Example:
hostname(config)# mac-address-table aging-time 10
The following is sample output from the show mac-address-table command that shows the entire table:
hostname# show mac-address-table
interface    mac address       type      Time Left
-----------------------------------------------------------------------
outside      0009.7cbe.2100    static
inside       0010.7cbe.6101    static
inside       0009.7cbe.5101    dynamic
• An Inside User Visits a Web Server on the DMZ, page 1-17
• An Outside User Attempts to Access an Inside Host, page 1-17
• A DMZ User Attempts to Access an Inside Host, page 1-19
The ASA performs NAT by untranslating the global destination address to the local user address, 10.1.2.27. The ASA forwards the packet to the inside user.

The ASA performs NAT by translating the local source address to 209.165.201.3. The ASA forwards the packet to the outside user.

The ASA forwards the packet to the inside user.
An Outside User Attempts to Access an Inside Host
Figure 1-6 shows an outside user attempting to access the inside network.

The packet is denied, and the ASA drops the packet and logs the connection attempt. If the outside user is attempting to attack the inside network, the ASA employs many technologies to determine if a packet is valid for an already established session.

The ASA receives the packet, and because it is a new session, the ASA verifies whether the packet is allowed according to the security policy (access lists, filters, AAA). The packet is denied, and the ASA drops the packet and logs the connection attempt.

• An Inside User Visits a Web Server Using NAT, page 1-22
• An Outside User Visits a Web Server on the Inside Network, page 1-23
• An Outside User Attempts to Access an Inside Host, page 1-24

The web server responds to the request; because the session is already established, the packet bypasses the many lookups associated with a new connection. The ASA forwards the packet to the inside user.

The web server responds to the request; because the session is already established, the packet bypasses the many lookups associated with a new connection. The ASA performs NAT by untranslating the mapped address to the real address, 10.1.2.27.

The web server responds to the request; because the session is already established, the packet bypasses the many lookups associated with a new connection. The ASA forwards the packet to the outside user.

The packet is denied because there is no access list permitting the outside host, and the ASA drops the packet. If the outside user is attempting to attack the inside network, the ASA employs many technologies to determine if a packet is valid for an already established session.
You can set the firewall mode independently for each security context in multiple context mode, so some can run in transparent mode while others run in routed mode. We modified the following command: firewall transparent.
VPN License and Feature Compatibility, page 1-23
Licenses Per Model
This section lists the feature licenses available for each model:
• ASA 5505, page 1-3
• ASA 5510, page 1-4
• ASA 5520, page 1-5

If you have a No Payload Encryption model, then some of the features below are not supported. See the “No Payload Encryption Models” section on page 1-32 for a list of unsupported features. For detailed information about licenses, see the “License Notes” section on page 1-18.

Use the show local-host command to view host limits.
3. For a 10-user license, the max. DHCP clients is 32. For 50 users, the max. is 128. For unlimited users, the max. is 250, which is the max. for other models.
Ethernet 0/2, 0/3, 0/4 (and others): Fast Ethernet
Security Contexts: No support
Optional licenses: Clustering: No support | No support
VLANs, Maximum:
1. Although the Ethernet 0/0 and 0/1 ports are Gigabit Ethernet, they are still identified as “Ethernet” in the software.
Other VPN (sessions):
VPN Load Balancing: Supported
General Licenses
Encryption: Base (DES). Optional license: Strong (3DES/AES)
Failover: Active/Standby or Active/Active
Interfaces of all types, Max.: 764
Security Contexts: Optional licenses
Clustering: No support
VLANs, Maximum:

Other VPN (sessions): 5000
VPN Load Balancing: Supported
General Licenses
Encryption: Base (DES). Optional license: Strong (3DES/AES)
Failover: Active/Standby or Active/Active
Interfaces of all types, Max.: 964
Security Contexts: Optional licenses
Clustering: No support
VLANs, Maximum:

Other VPN (sessions): 5000
VPN Load Balancing: Supported
General Licenses
Encryption: Base (DES). Optional license: Strong (3DES/AES)
Failover: Active/Standby or Active/Active
Interfaces of all types, Max.: 1764
Security Contexts: Optional licenses
Clustering: No support
VLANs, Maximum:

Security Contexts: Optional licenses
Clustering: Disabled. Optional license: Available
VLANs, Maximum: 1024
1. With the 10,000-session UC license, the total combined sessions can be 10,000, but the maximum number of Phone Proxy sessions is 5000.

Opt. lic.: Strong (3DES/AES)
Failover: No support | Active/Standby or Active/Active
Interfaces of all types, Max.: 716
Security Contexts: No support | Optional licenses
IPS Module: Disabled. Optional license: Available | Disabled. Optional license: Available
VLANs, Maximum:

General Licenses
Encryption: Base (DES). Optional license: Strong (3DES/AES)
Failover: Active/Standby or Active/Active
Interfaces of all types, Max.: 916
Security Contexts: Optional licenses
Clustering: No support
IPS Module: Disabled. Optional license: Available
VLANs, Maximum:

General Licenses
Encryption: Base (DES). Optional license: Strong (3DES/AES)
Failover: Active/Standby or Active/Active
Interfaces of all types, Max.: 1316
Security Contexts: Optional licenses
Clustering: No support
IPS Module: Disabled. Optional license: Available
VLANs, Maximum:

General Licenses
Encryption: Base (DES). Optional license: Strong (3DES/AES)
Failover: Active/Standby or Active/Active
Interfaces of all types, Max.: 1716
Security Contexts: Optional licenses
Clustering: No support
IPS Module: Disabled. Optional license: Available
VLANs, Maximum:

General Licenses
Encryption: Base (DES). Optional license: Strong (3DES/AES)
Failover: Active/Standby or Active/Active
Interfaces of all types, Max.: 2516
Security Contexts: Optional licenses
Clustering: No support
IPS Module: Disabled. Optional license: Available
VLANs, Maximum:

Base License: Disabled; fiber ifcs run at 1 GE. Security Plus License: Enabled; fiber ifcs run at 10 GE
Encryption: Base (DES). Optional license: Strong (3DES/AES)
Failover: Active/Standby or Active/Active
Interfaces of all types, Max.: 4612
Security Contexts: Optional licenses
Clustering: Disabled. Optional license: Available
VLANs, Maximum: 1024

Optional licenses: Clustering: Disabled. Optional license: Available
VLANs, Maximum: 1024
1. With the 10,000-session UC license, the total combined sessions can be 10,000, but the maximum number of Phone Proxy sessions is 5000.

Optional licenses: Clustering: Disabled. Optional license: Available
VLANs, Maximum: 1024
1. With the 10,000-session UC license, the total combined sessions can be 10,000, but the maximum number of Phone Proxy sessions is 5000.

Security Contexts: Optional licenses
Clustering: No support
VLANs, Maximum: 1024
1. With the 10,000-session UC license, the total combined sessions can be 10,000, but the maximum number of Phone Proxy sessions is 5000.
• SSL VPN
• IPsec remote access VPN using IKEv2
This license does not support browser-based (clientless) SSL VPN access or Cisco Secure Desktop. For these features, activate an AnyConnect Premium license instead of the AnyConnect Essentials license.
Note With the AnyConnect Essentials license, VPN users can use a web browser to log in, and download and start (WebLaunch) the AnyConnect client.
To prevent the use of DES when you want to only use strong encryption, be sure to configure any relevant commands to use only strong encryption.
Failover, Active/Active: You cannot use Active/Active failover and VPN; if you want to use VPN, use Active/Standby failover.
IPS version of the ASA 5515-X (part number ASA5515-IPS-K9) and try to make a failover pair with a non-IPS version (part number ASA5515-K9), then Cisco will not let you obtain IPS signature updates for the ASA5515-K9 unit, even though it has an IPS module license inherited from the other unit.
1 session is used in total. However, if you start the AnyConnect client first (from a standalone client, for example) and then log into the clientless SSL VPN portal, then 2 sessions are used.
IME license). Some UC applications might use multiple sessions for a connection. For example, if you configure a phone with a primary and backup Cisco Unified Communications Manager, there are 2 TLS proxy connections, so 2 UC Proxy sessions are used.
This section includes the following topics:
• Preinstalled License, page 1-24
• Permanent License, page 1-24
• Time-Based Licenses, page 1-24
• Shared AnyConnect Premium Licenses, page 1-27
For example, if an evaluation license includes the Botnet Traffic Filter and a 1000-session AnyConnect Premium license, you cannot also activate a standalone time-based 2500-session AnyConnect Premium license.

For licenses with numerical tiers, the higher value is used. Typically, you will not install a time-based license that has less capability than the permanent license, but if you do so, then the permanent license is used.

1000-session AnyConnect Premium license (inactive), and a permanent 500-session AnyConnect Premium license. While the 2500-session license expires, the ASA activates the 1000-session license. After the 1000-session license expires, the ASA uses the 500-session permanent license.

Note The shared licensing server can also participate in the shared license pool. It does not need a participant license as well as the server license to participate.

When the main server comes back up, the backup server starts to increment again day-by-day. For example, if the main server is down for 20 days, with the backup server active during

The ASA does not limit the number of participants for the shared license; however, a very large shared network could potentially affect the performance on the licensing server. In this case, you can increase the delay between participant refreshes, or you can create two shared networks.

If you have licenses on multiple units, they combine into a single running ASA cluster license. The exceptions to this rule include:
• Clustering license—Each unit must have a clustering license.
• Encryption license—Each unit must have the same encryption license.

If you do not restore communication during the 30-day period, then for time-based licenses, time is subtracted from all unit licenses, if installed. They are treated as separate licenses and do not benefit from the combined license. The time elapsed includes the 30-day grace period.
No Payload Encryption Models
You can purchase some models with No Payload Encryption. For export to some countries, payload encryption cannot be enabled on the Cisco ASA series. The ASA software senses a No Payload Encryption model, and disables the following features:
•...
Shared licenses are not supported in Active/Active mode. See the “Failover and Shared Licenses” section on page 1-29 for more information.
• Failover units do not require the same license on each unit.
(except in the case of a hardware failure). If you have to replace your device due to a hardware failure, and it is covered by Cisco TAC, contact the Cisco Licensing Team to have your existing license transferred to the new serial number. The Cisco Licensing Team will ask for the Product Authorization Key reference number and existing serial number.
To obtain an activation key, you need a Product Authorization Key, which you can purchase from your Cisco account representative. You need to purchase a separate Product Activation Key for each feature license. For example, if you have the Base License, you can purchase separate keys for Advanced Endpoint Assessment and for additional AnyConnect Premium sessions.
Any other keys are made inactive.
– If you have mismatched licenses on a failover pair, then downgrading will disable failover. Even if the keys are matching, the license used will no longer be a combined license.
Configuring the Shared Licensing Participant, page 1-39
Configuring the Shared Licensing Server
This section describes how to configure the ASA to be a shared licensing server.
Prerequisites
The server must have a shared licensing server key.
What to Do Next
See the “Configuring the Shared Licensing Participant” section on page 1-39.
Configuring the Shared Licensing Participant
This section configures a shared licensing participant to communicate with the shared licensing server.
If you have a No Payload Encryption model, then when you view the license, VPN and Unified Communications licenses will not be listed. See the “No Payload Encryption Models” section on page 1-32 for more information.
The flash permanent activation key is the SAME as the running permanent key.

Active Timebased Activation Key:
0xa821d549 0x35725fe4 0xc918b97b 0xce0b987b 0x47c7c285
Botnet Traffic Filter           : Enabled        646 days
0xyadayad2 0xyadayad2 0xyadayad2 0xyadayad2 0xyadayad2
Total UC Proxy Sessions         : 10             62 days
Total UC Proxy Sessions         :                perpetual
Botnet Traffic Filter           : Enabled        39 days
Intercompany Media Engine       : Disabled       perpetual

The flash permanent activation key is the SAME as the running permanent key.

Active Timebased Activation Key:
The “Failover Cluster” license, which is the combined licenses from the primary and secondary units. This is the license that is actually running on the ASA. The values in this license that reflect the combination of the primary and secondary licenses are in bold.
This platform has an ASA 5520 VPN Plus license.

Running Permanent Activation Key: 0xyadayad1 0xyadayad1 0xyadayad1 0xyadayad1 0xyadayad1

Licensed features for this platform:
Maximum Physical Interfaces     : Unlimited      perpetual
Maximum VLANs                   : 150            perpetual
Inside Hosts                    : Unlimited      perpetual
                                : Enabled        perpetual
3DES-AES                        : Enabled        perpetual
Security Contexts               : 50             perpetual
GTP/GPRS                        : Enabled        perpetual
Botnet Traffic Filter           : Enabled        330 days

This platform has an WS-SVC-ASA-SM1 No Payload Encryption license.
Output in a Cluster for show activation-key
hostname# show activation-key
Serial Number: JMX1504L2TD
Running Permanent Activation Key: 0x4a3eea7b 0x54b9f61a 0x4143a90c 0xe5849088 0x4412d4a9

Licensed features for this platform:
Maximum Physical Interfaces     : Unlimited      perpetual
Total VPN Peers                 : 250            perpetual
Shared License                  : Disabled       perpetual
AnyConnect for Mobile           : Disabled       perpetual
AnyConnect for Cisco VPN Phone  : Disabled       perpetual
Advanced Endpoint Assessment    : Disabled       perpetual
UC Phone Proxy Sessions         : 2              perpetual
Total UC Proxy Sessions         : 2              perpetual
...
Increased interfaces for the Base license on the ASA 5510 | 7.2(2) | For the Base license on the ASA 5510, the maximum number of interfaces was increased from 3 plus a management interface to unlimited interfaces.
Advanced Endpoint Assessment License | 8.0(2) | The Advanced Endpoint Assessment license was introduced. As a condition for the completion of a Cisco AnyConnect or clientless SSL VPN connection, the remote computer scans for a greatly expanded collection of antivirus and antispyware applications, firewalls, operating systems, and associated updates.
The AnyConnect Essentials License was introduced. This license enables AnyConnect VPN client access to the ASA. This license does not support browser-based SSL VPN access or Cisco Secure Desktop. For these features, activate an AnyConnect Premium license instead of the AnyConnect Essentials license.
We modified the following commands: show activation-key and show version.
Discrete activation and deactivation of time-based licenses | 8.3(1) | You can now activate or deactivate time-based licenses using a command. We modified the following commands: activation-key [activate | deactivate].
No Payload Encryption hardware for export | 8.4(1) | For models available with No Payload Encryption (for example, the ASA 5585-X), the ASA software disables Unified Communications and VPN features, making the ASA available for export to certain countries.
(you can use two SSPs of the same level in the same chassis). SSP-60
VPN support for Dual SSPs | VPN is now supported when using dual SSPs. We did not modify any commands.
Part: Configuring High Availability and Scalability...
• How the ASA Classifies Packets, page 1-3
• Cascading Security Contexts, page 1-6
• Management Access to Security Contexts, page 1-7
• Information About Resource Management, page 1-8
• Information About MAC Addresses, page 1-11
This context is named “admin.” If you do not want to use admin.cfg as the admin context, you can change the admin context.
If you disable use of unique MAC addresses, then the ASA uses the mapped addresses in your NAT configuration to classify packets. We recommend using MAC addresses instead of NAT, so that traffic classification can occur regardless of the completeness of the NAT configuration.
Figure (residue): Packet classification on a shared interface. Elements: GE 0/0.1 (Shared Interface); Classifier; MAC 000C.F142.4CDA, MAC 000C.F142.4CDB, MAC 000C.F142.4CDC; Admin Context, Context A, Context B; GE 0/1.1, GE 0/1.2, GE 0/1.3; Inside Admin Network, Inside Customer A, Inside Customer B; hosts 209.165.202.129, 209.165.200.225, 209.165.201.1.

Figure (residue): Incoming Traffic from Inside Networks. Elements: Internet; GE 0/0.1; Admin Context, Context A, Context B; Classifier; GE 0/1.1, GE 0/1.2, GE 0/1.3; Inside Admin Network, Inside Customer A, Inside Customer B; hosts 10.1.1.13, 10.1.1.13, 10.1.1.13.
Cascading contexts requires unique MAC addresses for each context interface (the default setting). Because of the limitations of classifying packets on shared interfaces without MAC addresses, we do not recommend using cascading contexts without unique MAC addresses.

“enable_15” user, or you can log in as a different name for which you provide sufficient privileges. To log in with a new username, enter the login command. For

ASA sets the maximum limit for a context. If you oversubscribe resources, or allow some resources to be unlimited, a few contexts can “use up” those resources, potentially affecting service
• SSH sessions—5 sessions. (The maximum per context.)
• IPsec sessions—5 sessions. (The maximum per context.)
• MAC addresses—65,535 entries. (The maximum per context.)
• VPN site-to-site tunnels—0 sessions. (You must manually configure the class to allow any VPN sessions.)
Figure 1-6 Resource Oversubscription (residue): Total Number of System Connections = 999,900; Max. 20% (199,800); axis ticks 159,984, 119,988, 79,992, 39,996; legend: Maximum connections allowed, Connections in use, Connections denied because system limit was reached; x-axis: Contexts in Class.
MAC address.
This section includes the following topics:
• Default MAC Address, page 1-12
• Interaction with Manual MAC Addresses, page 1-12
• Failover MAC Addresses, page 1-12
• MAC Address Format, page 1-12
For an example of how the prefix is used, if you set a prefix of 77, then the ASA converts 77 into the hexadecimal value 004D (yyxx). When used in the MAC address, the prefix is reversed (xxyy) to match the ASA native form: A24D.00zz.zzzz
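The prefix conversion above, worked through in code as an added example (not code from the guide or from Cisco): the decimal prefix becomes a 16-bit value yyxx, its two bytes are swapped to xxyy, and the result fills the second and third bytes after the fixed A2 leading byte. The zz.zzzz suffix is not derived on this page, so the example takes it as a caller-supplied 24-bit value, and prefix_from_mac recovers the prefix from any A2xx.yy.. address so an administrator can check which prefix produced an address seen in show running-config or show interface.

```python
"""Auto-generated MAC address prefix encoding (added example, not Cisco code)."""


def auto_mac_prefix(prefix: int) -> str:
    """Return the leading 'A2xx.yy' part of an auto-generated MAC for a prefix.

    The ASA writes the prefix as a 16-bit hex value yyxx and then reverses the
    two bytes (xxyy); prefix 77 = 0x004D therefore yields 'A24D.00'.
    """
    if not 0 <= prefix <= 0xFFFF:
        raise ValueError("prefix must be a 16-bit value (0-65535)")
    yy = (prefix >> 8) & 0xFF    # high byte of the prefix
    xx = prefix & 0xFF           # low byte of the prefix
    return f"A2{xx:02X}.{yy:02X}"


def format_auto_mac(prefix: int, suffix: int) -> str:
    """Assemble a full 'A2xx.yyzz.zzzz' address.

    suffix is an assumed 24-bit value standing in for the zz.zzzz part, whose
    derivation is not covered here.
    """
    if not 0 <= suffix <= 0xFFFFFF:
        raise ValueError("suffix must be a 24-bit value")
    head = auto_mac_prefix(prefix)     # 'A2xx.yy'
    zz = f"{suffix:06X}"               # 'zzzzzz'
    return f"{head}{zz[:2]}.{zz[2:]}"  # 'A2xx.yyzz.zzzz'


def prefix_from_mac(mac: str) -> int:
    """Recover the decimal prefix from an auto-generated address (case-insensitive)."""
    digits = mac.replace(".", "").upper()
    if len(digits) != 12 or not digits.startswith("A2"):
        raise ValueError(f"not an ASA auto-generated MAC address: {mac}")
    xx = int(digits[2:4], 16)
    yy = int(digits[4:6], 16)
    return (yy << 8) | xx


if __name__ == "__main__":
    print(auto_mac_prefix(77))                    # A24D.00
    print(format_auto_mac(77, 0x123456))          # A24D.0012.3456 (suffix is an assumed value)
    print(prefix_from_mac("a2d2.0400.125a"))      # prefix behind the Management0/0 address shown later in this chapter
```

Applied to the a2d2.0400.125a address in the show running-config output later in this chapter, prefix_from_mac returns 1234, which is consistent with the byte-swap rule (0x04D2 = 1234).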
Base License: 2 contexts. SSP-20, -40, and -60 Optional licenses: 5, 10, 20, 50, 100, or 250 contexts.
ASASM Base License: 2 contexts. Optional licenses: 5, 10, 20, 50, 100, or 250 contexts.
If you store context configurations in the root directory of flash memory, on some models you might run out of room in that directory, even though there is available memory. In this case, create a subdirectory for your configuration files. Background: some models, such as the ASA 5585-X, use
“Automatically Assigning MAC Addresses to Context Interfaces” section on page 1-25.
Step 6 Complete interface configuration in the context. See Chapter 1, “Completing Interface Configuration (Routed Mode),” or Chapter 1, “Completing Interface Configuration (Transparent Mode).”
Enabling or Disabling Multiple Context Mode
Your ASA might already be configured for multiple security contexts depending on how you ordered it from Cisco. If you need to convert from single mode to multiple mode, follow the procedures in this section.

Prerequisites
Perform this procedure in the system execution space.
Guidelines
Table 1-1 lists the resource types and the limits. See also the show resource types command.
1-1 for the model limit. The sessions you assign for this resource are guaranteed to the context. (Other VPN sessions available for your model.)
SSH: 1 minimum, 5 maximum. Concurrent SSH sessions.
2 All other resources remain at unlimited. To add a class called gold, enter the following commands:
hostname(config)# class gold
hostname(config-class)# limit-resource mac-addresses 10000
hostname(config-class)# limit-resource conns 15%
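The class definition above and the oversubscription discussion earlier in this chapter (a class limit expressed as a percentage is per context, so a class of many contexts can be allocated more than 100% of a system resource, and the contexts that start later are denied once the system limit is reached) are illustrated by the following added example. It is not code from the guide or from Cisco; the class names, percentages, context names and connection demands are constructed, and only the gold class's conns 15% limit is taken from the page.

```python
"""Resource class allocation and oversubscription check (added example, not Cisco code)."""

# Constructed class definitions in the shape of 'class <name>' / 'limit-resource conns <value>'.
# A value ending in '%' is a share of the system total per context; an int is absolute.
CLASSES = {
    "gold":   {"conns": "15%"},   # matches the 'limit-resource conns 15%' line above
    "silver": {"conns": "20%"},
}

# Constructed context-to-class membership (contexts are listed in start order).
MEMBERSHIP = {
    "admin": "gold", "ctx1": "gold",
    "ctx2": "silver", "ctx3": "silver", "ctx4": "silver", "ctx5": "silver",
}


def class_limit(limit, system_total: int) -> int:
    """Resolve a per-context limit to an absolute number for one context."""
    if isinstance(limit, str) and limit.endswith("%"):
        return int(system_total * float(limit[:-1]) / 100)
    return int(limit)


def allocation_report(classes, membership, resource: str, system_total: int):
    """Total the per-context limits of every class and flag oversubscription.

    Returns (per_class_allocated, total_allocated, percent_of_system, oversubscribed).
    """
    per_class = {}
    for ctx, cls in membership.items():
        per_class[cls] = per_class.get(cls, 0) + class_limit(classes[cls][resource], system_total)
    total = sum(per_class.values())
    pct = round(100.0 * total / system_total, 2)
    return per_class, total, pct, total > system_total


def admit_connections(demands, classes, membership, resource: str, system_total: int):
    """Simulate contexts opening connections in order until the system limit is hit.

    demands: {context: connections requested}, processed in insertion order.
    Returns (in_use, denied_by_class, denied_by_system).
    """
    remaining_system = system_total
    in_use, denied_class, denied_system = {}, {}, {}
    for ctx, want in demands.items():
        ctx_limit = class_limit(classes[membership[ctx]][resource], system_total)
        by_class = min(want, ctx_limit)            # the context's own ceiling
        granted = min(by_class, remaining_system)  # then whatever the system has left
        remaining_system -= granted
        in_use[ctx] = granted
        denied_class[ctx] = want - by_class
        denied_system[ctx] = by_class - granted
    return in_use, denied_class, denied_system


if __name__ == "__main__":
    system_conns = 1000  # small constructed system limit to keep the arithmetic visible
    per_class, total, pct, over = allocation_report(CLASSES, MEMBERSHIP, "conns", system_conns)
    print(f"allocated {total} of {system_conns} ({pct}%) oversubscribed={over}")
    demands = {ctx: 200 for ctx in MEMBERSHIP}
    in_use, by_class, by_system = admit_connections(demands, CLASSES, MEMBERSHIP, "conns", system_conns)
    for ctx in MEMBERSHIP:
        print(f"{ctx:6} in_use={in_use[ctx]:4} denied(class)={by_class[ctx]:3} denied(system)={by_system[ctx]:3}")
```

With these inputs the two gold contexts are capped at 150 each by their class, the silver contexts are allowed 200 each, and the last silver context to start is cut off at 100 because the system total is exhausted, which is exactly the "connections denied because system limit was reached" case the oversubscription figure describes.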
Although this context does not exist yet in your configuration, you can subsequently enter the context name command to continue the admin context configuration.
“System” or “Null” (in upper or lower case letters) are reserved names, and cannot be used.
Step 2 (Optional) Adds a description for this context.
description text
Example:
hostname(config-ctx)# description Administrator Context

Specify visible to see the real interface ID in the show interface command if you set a mapped name. The default invisible keyword shows only the mapped name.

[mapped_name] [default]
See the “Assigning Virtual Sensors to a Security Context (ASA 5510 and Higher)” section on page 1-16 for detailed information about virtual sensors.
Example:
hostname(config-ctx)# allocate-ips sensor1 highsec
indicate from which organization the request comes. The authentication key is a 16-byte hexadecimal number. See the “Configuring the ASA for Cisco Cloud Web Security” section on page 1-1 for detailed information about ScanSafe.
Example:
hostname(config-ctx)# scansafe
Examples
The following example sets the admin context to be “administrator,” creates a context called “administrator”...
For example, you cannot view all running configurations (system plus all contexts) by entering the show running-config command. Only the current configuration displays.
URL location.
clear context: Removes all contexts (including the admin context). The context configuration files are not removed from the config URL locations.
You might get errors, or you might have unexpected results. If the running configuration is blank (for example, if the server was unavailable and the configuration was never downloaded), then the new configuration is used.

This action clears additional attributes, such as memory allocation, which might be useful for troubleshooting. However, to add the context back to the system requires you to respecify the URL and interfaces.
This section includes the following topics:
• Reloading by Clearing the Configuration, page 1-29
                    100000      100000      10.00%
          bronze    50000
          All Contexts: 300000              30.00%
Hosts     default   unlimited
          gold      unlimited
          silver    26214       26214
          bronze    13107
          All Contexts: 26214
          default
          gold                              5.00%
          silver                            10.00%
          bronze
          All Contexts:                     20.00%
Telnet    default
The percentage of the total system resources that is allocated across all contexts in the class. If the resource is unlimited, this display is blank. If the resource does not have a system limit, then this column shows N/A.

The following is sample output from the show resource usage summary command, which shows the resource usage for all contexts and all resources. This sample shows the limits for six contexts.
hostname# show resource usage summary
ASA acts as a proxy for the server and generates a SYN-ACK response to the client SYN request. When the ASA receives an ACK back from the client, it can then authenticate the client and allow the connection to the server. Cisco ASA Series CLI Configuration Guide 1-35...
You can view auto-generated MAC addresses within the system configuration or within the context. This section includes the following topics:
• Viewing MAC Addresses in the System Configuration, page 1-38
• Viewing MAC Addresses Within a Context, page 1-39
  Management0/0 a2d2.0400.125a a2d2.0400.125b
config-url disk0:/admin.cfg
context CTX1
  allocate-interface GigabitEthernet0/0
  allocate-interface GigabitEthernet0/0.1-GigabitEthernet0/0.5
  mac-address auto GigabitEthernet0/0.1 a2d2.0400.11bc a2d2.0400.11bd
  mac-address auto GigabitEthernet0/0.2 a2d2.0400.11c0 a2d2.0400.11c1
  mac-address auto GigabitEthernet0/0.3 a2d2.0400.11c4 a2d2.0400.11c5
  mac-address auto GigabitEthernet0/0.4 a2d2.0400.11c8 a2d2.0400.11c9
The show interface command shows the MAC address in use; if you manually assign a MAC address and also have auto-generation enabled, then you can only view the unused auto-generated address from within the system configuration.
50 to 100. The maximum for the ASA 5580 was increased from 50 to 250.
Automatic MAC address assignment enabled by default, 8.5(1): Automatic MAC address assignment is now enabled by default. We modified the following command: mac-address auto.
A new resource type, routes, was created to set the maximum number of routing table entries in each context. We modified the following commands: limit-resource, show resource types, show resource usage, show resource allocation.
New resource types, vpn other and vpn burst other, were created to set the maximum number of site-to-site VPN tunnels in each context. We modified the following commands: limit-resource, show resource types, show resource usage, show resource allocation.
• ASA Cluster Interfaces, page 1-4
• Cluster Control Link, page 1-6
• High Availability within the ASA Cluster, page 1-9
• Configuration Replication, page 1-10
• ASA Cluster Management, page 1-10
• Load Balancing Methods, page 1-12
70% of 80 Gbps (8 units x 10 Gbps): 56 Gbps.
Cluster Members
• ASA Hardware and Software Requirements, page 1-3
• Bootstrap Configuration, page 1-3
• Master and Slave Unit Roles, page 1-3
• Master Unit Election, page 1-3
Any other units with a higher priority respond to the election request; the priority is set between 1 and 100, where 1 is the highest priority. If, after 45 seconds, a unit does not receive a response from another unit with a higher priority, then it becomes master.
IP address is assigned to the bridge group, not to the interface. The EtherChannel inherently provides load balancing as part of basic operation. See also the “Spanned EtherChannel (Recommended)” section on page 1-12.
“Load Balancing Methods” section on page 1-12.
Note We recommend Spanned EtherChannels instead of Individual interfaces because Individual interfaces rely on routing protocols to load-balance traffic, and routing protocols often have slow convergence during a link failure.
Each unit must dedicate at least one hardware interface as the cluster control link.
• Cluster Control Link Traffic Overview, page 1-7
• Cluster Control Link Network, page 1-7
• Sizing the Cluster Control Link, page 1-7
• Cluster Control Link Redundancy, page 1-8
When membership changes, the cluster needs to rebalance a large number of connections, thus temporarily using a large amount of cluster control link bandwidth. A higher-bandwidth cluster control link helps the cluster to converge faster when there are membership changes and prevents throughput bottlenecks.
IP pool. However, if you reload and the unit is still inactive in the cluster, the management interface is not accessible (because it then uses the Main IP address, which is the same as the master unit). You must use the console port for any further configuration.
TCP/UDP state information, so that the connection can be seamlessly transferred to a new owner in case of a failure.
For the management interface, we recommend using one of the dedicated management interfaces. You can configure the management interfaces as Individual interfaces (for both routed and transparent modes) or as a Spanned EtherChannel interface.
Main cluster IP address using ASDM, then a warning message about a mismatched IP address appears because the certificate uses the Local IP address, and not the Main cluster IP address.
IP address (the default) or the source and destination port as the hashing algorithm.
• Use the same type of line cards when connecting the ASAs to the switch so that hashing algorithms applied to all packets are the same.
16 links in the EtherChannel. The active links are shown as solid lines, while the inactive links are dotted. cLACP load-balancing can automatically choose the best 8 links to be active in the EtherChannel. As shown, cLACP helps achieve load balancing at the link level.
ASA. For example, if you have a Cisco router, redundancy can be achieved by using IOS PBR with Object Tracking. IOS Object Tracking monitors each ASA using ICMP ping. PBR can then enable or disable route maps based on reachability of a particular ASA.
A connection can have multiple forwarders; the most efficient throughput is achieved by a good load-balancing method where there are no forwarders and all packets of a connection are received by the owner.
If packets are delivered to any additional unit, that unit queries the director for the owner and establishes a forwarding flow. Any state change for the flow results in a state update from the owner to the director.
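The owner, director and forwarder roles described above, as an added example that is not part of the guide and not Cisco's code: the unit that receives the first packet of a connection becomes its owner; a director, chosen by hashing the connection's 5-tuple, records the owner and keeps a backup of the flow state; any other unit that receives packets for the flow asks the director for the owner and forwards to it. The hash, the packet counter standing in for connection state, and the recovery rule when an owner fails (the director hands its backed-up state to the next unit that sees a packet) are this example's assumptions; the guide only says the state lets the connection move to a new owner.

```python
"""Connection ownership in an ASA cluster: added example, not Cisco code."""
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Unit:
    name: str
    owned: dict = field(default_factory=dict)       # flow -> live state   (this unit is owner)
    directory: dict = field(default_factory=dict)   # flow -> owner+backup (this unit is director)
    forwarding: dict = field(default_factory=dict)  # flow -> owner name   (this unit is forwarder)


class Cluster:
    def __init__(self, names):
        self.units = {n: Unit(n) for n in names}

    def director_for(self, flow):
        """Assumed consistent hash: every member maps a 5-tuple to the same director."""
        digest = hashlib.sha256(repr(flow).encode()).digest()
        members = sorted(self.units)
        return self.units[members[int.from_bytes(digest[:4], "big") % len(members)]]

    def _owner_handle(self, owner, flow):
        state = owner.owned[flow]
        state["packets"] += 1
        # every state change is pushed from the owner to the director
        self.director_for(flow).directory[flow] = {"owner": owner.name, "state": dict(state)}

    def receive(self, name, flow):
        """Deliver one packet of `flow` to unit `name`; returns (role, owner_name)."""
        unit = self.units[name]
        if flow in unit.owned:
            self._owner_handle(unit, flow)
            return ("owner", name)
        cached = unit.forwarding.get(flow)
        if cached in self.units:                       # established forwarder: no director lookup
            self._owner_handle(self.units[cached], flow)
            return ("forwarder", cached)
        unit.forwarding.pop(flow, None)                # stale cache: the owner left the cluster
        entry = self.director_for(flow).directory.get(flow)
        if entry is None or entry["owner"] is None:
            # first packet, or the owner failed: this unit takes ownership,
            # restoring the director's backup state when there is one
            unit.owned[flow] = dict(entry["state"]) if entry else {"packets": 0}
            self._owner_handle(unit, flow)
            return ("owner", name)
        unit.forwarding[flow] = entry["owner"]
        self._owner_handle(self.units[entry["owner"]], flow)
        return ("forwarder", entry["owner"])

    def fail(self, name):
        """Remove a unit. Directors keep the state of orphaned flows, entries are re-hashed
        to the directors of the smaller cluster, and surviving owners re-register.
        (State is lost only when owner and director fail together.)"""
        del self.units[name]
        entries = {}
        for u in self.units.values():
            for flow, e in u.directory.items():
                entries[flow] = {"owner": None, "state": e["state"]} if e["owner"] == name else e
            u.directory.clear()
        for u in self.units.values():
            for flow, state in u.owned.items():
                entries[flow] = {"owner": u.name, "state": dict(state)}
        for flow, e in entries.items():
            self.director_for(flow).directory[flow] = e


if __name__ == "__main__":
    c = Cluster(["A", "B", "C", "D"])
    f = Flow("tcp", "10.0.0.1", 40000, "10.0.1.5", 443)   # constructed sample connection
    print(c.receive("A", f), c.receive("B", f))            # owner A, then B forwards to A
    c.fail("A")
    print(c.receive("C", f), c.units["C"].owned[f])        # C becomes owner with restored state
```

Note what the model makes visible: a forwarder is a cost (an extra hop over the cluster control link for every packet), which is why the guide prefers a load-balancing method that delivers all packets of a connection to the owner.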
Authentication and Authorization for network access. Accounting is decentralized.
• Filtering Services
Features Applied to Individual Units
These features are applied to each ASA unit, instead of the cluster as a whole or to the master unit.
If a routing packet arrives at a slave, it is redirected to the master unit.
Figure 1-1 Dynamic Routing in Spanned EtherChannel Mode (only the master unit uses OSPF with neighboring routers; slave units are invisible to them)
Multicast Routing in Spanned EtherChannel Mode
In Spanned EtherChannel mode, the master unit handles all multicast routing packets and data packets until fast-path forwarding is established. After the connection is established, each slave can forward multicast data packets.
“Per-Session PAT vs. Multi-Session PAT” section on page 1-9 in the firewall configuration guide.
• No static PAT for the following inspections:
– PPTP
– SQLNET
– TFTP
– XDMCP
– All Voice-over-IP applications
For connections to an Individual interface when using PBR or ECMP, you must always connect to the Main cluster IP address, not a Local address. VPN-related keys and certificates are replicated to all units.
IP address.
– Except for the IP address used by the master unit (typically the first unit you add to the cluster), these management IP addresses are for temporary use only.
PortFast on the switch ports connected to the ASA to speed up the join process for new units.
• When you see slow bundling of a Spanned EtherChannel on the switch, you can enable LACP rate fast for an Individual interface on the switch.
ASA cluster. These messages can result in some units of the ASA cluster experiencing high CPU, which can affect performance. We recommend that you throttle ICMP error messages.
Configure the security policy on the master unit. See the chapters in this guide to configure supported features on the master unit. The configuration is replicated to the slave units. For a list of supported and unsupported features, see the “ASA Features and Clustering” section on page 1-17.
VLAN subinterface of the EtherChannel. Using subinterfaces lets both inside and outside interfaces take advantage of the benefits of an EtherChannel.
• 1 Management interface. You have one switch for both the inside and outside networks.
VLAN 200 for the inside and VLAN 201 for the outside.
Management interface: Management 0/0, 4 ports total. Place all interfaces on the same isolated management VLAN, for example VLAN 100.
(rare), the mode is changed and the configuration is preserved. If you do not want to clear your configuration, you can exit the command by typing n. To remove the interface mode, enter the no cluster interface-mode command.
For a redundant interface, see the “Configuring a Redundant Interface” section on page 1-26. Management-only interfaces cannot be redundant interfaces.
– For subinterfaces, see the “Configuring VLAN Subinterfaces and 802.1Q Trunking” section on page 1-31.
ipv6 address ipv6-address/prefix-length cluster-pool poolname
DHCP, PPPoE, and IPv6 autoconfiguration are not supported; you must manually configure the IP addresses.
Example:
hostname(config-if)# ip address 192.168.1.1 255.255.255.0 cluster-pool ins
hostname(config-if)# ipv6 address 2001:DB8::1002/32 cluster-pool insipv6
Mode on Each Unit” section on page 1-30.
• For multiple context mode, start this procedure in the system execution space. If you are not already in the System configuration mode, enter the changeto system command.
• For detailed EtherChannel guidelines, limitations, and prerequisites, see the “Configuring an EtherChannel” section on page 1-28.
• See also the “EtherChannel Guidelines” section on page 1-11.
ASAs to the VSS (or vPC) pair are span-cluster balanced. You must configure the vss-id keyword in the channel-group command for each member interface before enabling load balancing (see Step
Sets the IPv4 and/or IPv6 address. DHCP, PPPoE, and IPv6 autoconfig are not supported.
(IPv4) ip address ip_address [mask]
(IPv6) ipv6 address ipv6-prefix/prefix-length
Example:
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
hostname(config-if)# ipv6 address 2001:DB8::1001/32
• Prerequisites, page 1-38
• Enabling the Cluster Control Link Interface, page 1-38
• Configuring Basic Bootstrap Settings and Enabling Clustering, page 1-40
• Configuring Advanced Clustering Settings, page 1-42
• Examples, page 1-43
You cannot use a Management x/x interface as the cluster control link, either alone or as an EtherChannel.
• For the ASA 5585-X with an ASA IPS or ASA CX module, you cannot use the module interfaces for the cluster control link.
Step 4 Repeat for each additional interface you want to add to the EtherChannel.
interface interface_id
channel-group channel_id mode on
no shutdown
Example:
hostname(config)# interface tengigabitethernet 0/7
hostname(config-if)# channel-group 1 mode on
hostname(config-if)# no shutdown
Sets the priority of this unit for master unit elections, between 1 and 100, where 1 is the highest priority. See the “Master Unit Election” section on page 1-3 for more information.
priority priority_number
Example:
hostname(cfg-cluster)# priority 1
Cryptochecksum (changed): f16b7fc2 a742727e e40bc0b0 cd169999
INFO: Done
If you want to remove the unit from the cluster entirely (and thus want to have active data interfaces), see the “Leaving the Cluster” section on page 1-49.
VSS or vPC) you should disable the health check feature. When the topology change is complete, and the configuration change is synced to all units, you can re-enable the health check feature.
1 mode on
no shutdown
cluster group pod1
local-unit unit1
cluster-interface port-channel1 ip 192.168.1.1 255.255.255.0
priority 1
key chuntheunavoidable
enable noconfirm
Configuring Slave Unit Bootstrap Settings
Perform the following procedures to configure the slave units.
Step 2 Enables the interface. You only need to enable the interface; do not configure a name for the interface, or any other parameters.
no shutdown
Example:
hostname(config-if)# no shutdown
Configure the slave unit bootstrap settings. See Configuring Bootstrap Settings and Joining the Cluster, page 1-45.
Configuring Bootstrap Settings and Joining the Cluster
Perform the following steps to configure bootstrap settings and join the cluster as a slave unit.
Sets the priority of this unit for master unit elections, between 1 and 100, where 1 is the highest priority. See the “Master Unit Election” section on page 1-3 for more information.
priority priority_number
Example:
hostname(cfg-cluster)# priority 2
192.168.1.2 255.255.255.0
priority 2
key chuntheunavoidable
enable as-slave
Managing ASA Cluster Members
• Becoming an Inactive Member, page 1-48
• Inactivating a Member, page 1-48
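The master and slave bootstrap settings above have to agree across units before a slave can join. The following is an added example (not part of the guide, not Cisco's code) that parses the cluster group block from each unit's bootstrap configuration and reports the mismatches that keep a unit out: different group name, key or cluster control link interface, duplicate local-unit names or cluster control link addresses, addresses outside one subnet, and priorities outside 1 to 100. It also predicts the initial master as the lowest priority number among units not joining with enable as-slave (an assumption: the guide gives the priority rule, not how as-slave interacts with it). The sample configurations are constructed from this chapter's examples, and the 16-character minimum key length is this example's own policy rather than an ASA limit.

```python
"""Consistency checks for ASA cluster bootstrap configurations: added example, not Cisco code."""
import ipaddress
import re

# Constructed from the chapter's bootstrap examples (not taken from a live device).
MASTER = """\
interface tengigabitethernet 0/6
 channel-group 1 mode on
 no shutdown
interface port-channel 1
 description CCL
cluster group pod1
 local-unit unit1
 cluster-interface port-channel1 ip 192.168.1.1 255.255.255.0
 priority 1
 key chuntheunavoidable
 enable noconfirm
"""

SLAVE = """\
interface tengigabitethernet 0/6
 channel-group 1 mode on
 no shutdown
cluster group pod1
 local-unit unit2
 cluster-interface port-channel1 ip 192.168.1.2 255.255.255.0
 priority 2
 key chuntheunavoidable
 enable as-slave
"""


def parse_cluster_group(text):
    """Return the settings of the first 'cluster group' block in a unit's configuration."""
    cfg, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"cluster group (\S+)$", line)
        if m:
            cfg, in_block = {"group": m.group(1)}, True
            continue
        if not in_block:
            continue
        if not raw[0].isspace():                    # next top-level command ends the block
            break
        tok = line.split()
        if tok[0] == "local-unit":
            cfg["unit"] = tok[1]
        elif tok[0] == "cluster-interface":         # cluster-interface IF ip ADDR MASK
            cfg["ccl_if"] = tok[1]
            cfg["ccl_ip"] = ipaddress.IPv4Interface(f"{tok[3]}/{tok[4]}")
        elif tok[0] == "priority":
            cfg["priority"] = int(tok[1])
        elif tok[0] == "key":
            cfg["key"] = tok[1]
        elif tok[0] == "enable":
            cfg["as_slave"] = "as-slave" in tok[1:]
    return cfg


def check_bootstrap(texts, min_key_len=16):
    """Return (findings, predicted_master) for the bootstrap configurations of all units."""
    required = ("group", "unit", "ccl_if", "ccl_ip", "priority", "key")
    parsed = [parse_cluster_group(t) for t in texts]
    findings = []
    for p in parsed:
        missing = [k for k in required if k not in p]
        if missing:
            findings.append(f"{p.get('unit', '?')}: missing {', '.join(missing)}")
    units = [p for p in parsed if all(k in p for k in required)]

    for key, label in (("group", "cluster group name"), ("key", "cluster key"),
                       ("ccl_if", "cluster control link interface")):
        if len({u[key] for u in units}) > 1:
            findings.append(f"{label} differs between units")
    names = [u["unit"] for u in units]
    for n in sorted(set(names)):
        if names.count(n) > 1:
            findings.append(f"duplicate local-unit name {n}")
    addrs = [u["ccl_ip"].ip for u in units]
    for a in sorted(set(addrs)):
        if addrs.count(a) > 1:
            findings.append(f"duplicate cluster control link address {a}")
    if len({u["ccl_ip"].network for u in units}) > 1:
        findings.append("cluster control link addresses are not in one subnet")
    for u in units:
        if not 1 <= u["priority"] <= 100:
            findings.append(f"{u['unit']}: priority {u['priority']} outside 1-100")
        if len(u["key"]) < min_key_len:             # example policy for the shared CCL key
            findings.append(f"{u['unit']}: key shorter than {min_key_len} characters")

    candidates = [u for u in units if not u.get("as_slave")] or units
    master = min(candidates, key=lambda u: u["priority"])["unit"] if candidates else None
    return findings, master


if __name__ == "__main__":
    print(check_bootstrap([MASTER, SLAVE]))
```

Run it against the bootstrap blocks of every unit before enabling clustering; a unit whose key or group name differs fails to join silently from the master's point of view, and the console is the only way in once its data interfaces are shut down.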
When an ASA becomes inactive, all data interfaces are shut down; only the management-only interface can send and receive traffic. To resume traffic flow, re-enable clustering; or you can remove the unit altogether from the cluster. See the “Leaving the Cluster” section on page 1-49. The management
You must use the console port; when you remove the cluster configuration, all interfaces are shut down, including the management interface and cluster control link. Moreover, you cannot enable or disable clustering from a remote CLI connection.
Note, however, that for centralized features, if you force a master unit change using this procedure, then all connections are dropped, and you have to re-establish the connections on the new master unit. See the “Centralized Features” section on page 1-18 for a list of centralized features.
The following sample output for the cluster exec show port-channel summary command shows EtherChannel information for each member in the cluster:
hostname# cluster exec show port-channel summary
primary(LOCAL):***********************************************************
Number of channel-groups in use: 2
Group Port-channel Protocol Span-cluster Ports
------+-------------+-----------+-----------------------------------------------
LACP Gi0/0(P)
LACP Gi0/1(P)
This command is useful for datapath troubleshooting.
Example 1-1 show cluster info
hostname# show cluster info
Cluster stbu: On
This is "C" in state SLAVE
Version : 100.8(0.52)
See the “Capturing Packets” section on page 1-2.
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
B - initial SYN from outside, b - TCP state-bypass or nailed,
C - CTIQBE media, c - cluster centralized,
1 mode on
no shutdown
interface tengigabitethernet 0/7
channel-group 1 mode on
no shutdown
interface port-channel 1
description CCL
cluster group cluster1
local-unit asa1
cluster-interface port-channel1 ip 192.168.1.1 255.255.255.0
priority 1
key chuntheunavoidable
enable noconfirm
2 mode active
no shutdown
interface port-channel 2
port-channel span-cluster
nameif inside
ip address 10.10.10.5 255.255.255.0
ipv6 address 2001:DB8:1::5/64
mac-address 000C.F142.4CDE
interface tengigabitethernet 0/9
channel-group 3 mode active
no shutdown
interface port-channel 3
Interface Mode on Each Unit
cluster interface-mode individual force
ASA1 Master Bootstrap Configuration
interface tengigabitethernet 0/6
channel-group 1 mode on
Master Interface Configuration
ip local pool mgmt 10.1.1.2-10.1.1.5
ipv6 local pool mgmtipv6 2001:DB8::1002/64 4
interface management 0/0
channel-group 2 mode active
no shutdown
interface management 0/1
channel-group 2 mode active
no shutdown
VSS/vPC is used. The following diagram shows what happens when the total number of links grows as more units join the cluster:
The principle is to first maximize the number of active ports in the channel, and secondly keep the number of active primary ports and the number of active secondary ports in balance. Note that when a 5th unit joins the cluster, traffic is not balanced evenly between all units.
Link or device failure is handled with the same principle. You may end up with a less-than-perfect load balancing situation. The following figure shows a 4-unit cluster (ASA1 through ASA4) with a single link failure on one of the units.
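The selection principle stated above (maximize active ports, then balance primary against secondary), as an added example that is not part of the guide and not cLACP's actual algorithm: the guide gives the principle, not the procedure, so the round-robin order over units below is this example's own choice. It reproduces the two cases the guide describes: a 5th unit joining (8 active links cannot be spread evenly over 10 ports) and a single link failure in a 4-unit cluster (7 active links, so the primary and secondary counts cannot be equal). The topology helper builds a constructed cluster in which each unit has one link to the primary and one to the secondary switch of the VSS/vPC pair.

```python
"""Active-link selection for a Spanned EtherChannel to a VSS/vPC pair: added example, not Cisco code."""
from collections import Counter

MAX_ACTIVE = 8   # maximum active links in the EtherChannel


def cluster_links(n_units, down=()):
    """Constructed topology: each unit has one link to the primary and one to the secondary switch."""
    links = []
    for i in range(1, n_units + 1):
        for switch in ("primary", "secondary"):
            links.append((f"asa{i}", switch, (f"asa{i}", switch) not in set(down)))
    return links


def select_active(links, max_active=MAX_ACTIVE):
    """Pick the active links from (unit, switch, is_up) tuples. Returns [(unit, switch), ...]."""
    remaining = {}                                   # unit -> switches with an up, unselected link
    for unit, switch, up in links:
        remaining.setdefault(unit, [])
        if up:
            remaining[unit].append(switch)
    selected, count = [], Counter()
    while len(selected) < max_active and any(remaining.values()):
        for unit in sorted(remaining):               # one link per unit per round spreads ports over units
            if not remaining[unit] or len(selected) >= max_active:
                continue
            # take the switch with fewer active links so far (tie: primary)
            choice = min(remaining[unit], key=lambda sw: (count[sw], sw != "primary"))
            remaining[unit].remove(choice)
            selected.append((unit, choice))
            count[choice] += 1
    return selected


def per_unit(selected):
    """Active links per unit."""
    return Counter(unit for unit, _ in selected)


def switch_balance(selected):
    """(active links to the primary switch, active links to the secondary switch)."""
    c = Counter(switch for _, switch in selected)
    return c["primary"], c["secondary"]


if __name__ == "__main__":
    for label, links in (("4 units", cluster_links(4)),
                         ("5 units", cluster_links(5)),
                         ("4 units, asa1 secondary link down", cluster_links(4, down={("asa1", "secondary")}))):
        active = select_active(links)
        print(f"{label}: {len(active)} active, primary/secondary {switch_balance(active)}, per unit {dict(per_unit(active))}")
```

With four units every port is active and the two switches carry four links each; with five units two of the units keep only one active link, which is the uneven distribution the guide warns about; with one link down the seven remaining ports are all used and the 4/3 imbalance is unavoidable.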
0/7
channel-group 1 mode on
no shutdown
interface tengigabitethernet 0/8
channel-group 1 mode on
no shutdown
interface tengigabitethernet 0/9
channel-group 1 mode on
no shutdown
interface port-channel 1
description CCL
1
description CCL
cluster group cluster1
local-unit asa3
cluster-interface port-channel1 ip 192.168.1.3 255.255.255.0
priority 3
key chuntheunavoidable
enable as-slave
ASA4 Slave Bootstrap Configuration
interface tengigabitethernet 0/6
channel-group 1 mode on
4 mode active vss-id 1
no shutdown
interface tengigabitethernet 1/9
channel-group 4 mode active vss-id 2
no shutdown
interface port-channel 4
port-channel span-cluster vss-load-balance
nameif outside
ip address 209.165.201.1 255.255.255.224
mac-address 000C.F142.5CDE
(interface), mac-address pool, mtu cluster, port-channel span-cluster, priority (cluster group), prompt cluster-unit, show asp cluster counter, show asp table cluster chash-table, show cluster, show cluster info, show cluster user-identity, show lacp cluster, show running-config cluster.
Chapter: Information About Failover
This chapter provides an overview of the failover features that enable you to achieve high availability on the Cisco 5500 series ASAs. For information about configuring high availability, see Chapter 1, “Configuring Active/Active Failover”...
The two units in a failover configuration do not need to have identical licenses; the licenses combine to make a failover cluster license. See the “Failover or ASA Cluster Licenses” section on page 1-30 for more information.
The ASA supports Auto-MDI/MDIX on its copper Ethernet ports, so you can either use a crossover cable or a straight-through cable. If you use a straight-through cable, the interface automatically detects the cable and swaps one of the transmit/receive pairs to MDIX.
MDIX. Enable the PortFast option on Cisco switch ports that connect directly to the ASA. If you use a data interface as the Stateful Failover link, you receive the following warning when you...
Subsequently, the failover operation is suspended until the health of the failover link is restored.
[Figure: Primary and Secondary units, outside interfaces on Switch 1, inside interfaces on Switch 2, with a failover link on each unit]
Figure 1-4 Connecting with a Cable [Figure: Primary and Secondary units, outside interfaces on Switch 1, inside interfaces on Switch 2; the failover link is an Ethernet cable directly between the two units]
[Figure: Primary and Secondary units with outside interfaces on Switch 1 and Switch 2, the active redundant failover link through Switch 3, the standby redundant failover link through Switch 4, and inside interfaces on Switch 5 and Switch 6]
The type of failover you choose depends upon your ASA configuration and how you plan to use the ASAs. If you are running the ASA in single mode, then you can use only Active/Standby failover. Active/Active failover is only available to ASAs running in multiple context mode.
VPN failover subsystem, which is part of Stateful Failover. You must use Stateful Failover to synchronize these elements between the members of the failover pair. Stateless (regular) failover is not recommended for clientless SSL VPN.
The call must be re-established. The following clientless SSL VPN features are not supported with Stateful Failover:
• Smart Tunnels
• Port Forwarding
• Plugins
• Java Applets
Citrix authentication (Citrix users must reauthenticate after failover)
Note If failover occurs during an active Cisco IP SoftPhone session, the call remains active because the call session state information is replicated to the standby unit. When the call is terminated, the IP SoftPhone client loses connection with the Cisco CallManager.
ASASM redundancy configuration. The trunk between the two switches carries the failover ASASM VLANs (VLANs 10 and 11).
Note ASASM failover i