Download  Print this page
   
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
Table of Contents
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422

Advertisement

Cisco ASA Series Firewall CLI
Configuration Guide
Software Version 9.3
For the ASA 5506-X, ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA
5555-X, ASA 5585-X, ASA Services Module, and the
Adaptive Security Virtual Appliance
Released: July 24, 2014
Updated: February 18, 2015
Cisco Systems, Inc.
www.cisco.com
Cisco has more than 200 offices worldwide.
Addresses, phone numbers, and fax numbers
are listed on the Cisco website at
www.cisco.com/go/offices.
Text Part Number: N/A, Online only

Advertisement

Table of Contents

   Related Manuals for Cisco ASA 5506-X

   Summary of Contents for Cisco ASA 5506-X

  • Page 1 Cisco ASA Series Firewall CLI Configuration Guide Software Version 9.3 For the ASA 5506-X, ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, ASA 5585-X, ASA Services Module, and the Adaptive Security Virtual Appliance Released: July 24, 2014 Updated: February 18, 2015 Cisco Systems, Inc.
  • Page 2 OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks.
  • Page 3 Obtaining Documentation and Submitting a Service Request, page iv Document Objectives The purpose of this guide is to help you configure the firewall features for Cisco ASA series using the command-line interface. This guide does not cover every feature, but describes only the most common configuration scenarios.
  • Page 4 Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation as an RSS feed and delivers content directly to your desktop using a reader application. The RSS feeds are a free service.
  • Page 5 A R T Service Policies and Access Control...
  • Page 7 Feature Matching Within a Service Policy, page 1-5 • Order in Which Multiple Feature Actions are Applied, page 1-6 • • Incompatibility of Certain Feature Actions, page 1-7 • Feature Matching for Multiple Service Policies, page 1-8 Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 8 1 deny version 2 deny version 2c : Inspection policy map to define SIP behavior. : The sip-high inspection policy map must be referred to by an inspect sip command Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 9 0:00:30 half-closed 0:10:00 idle 1:00:00 reset dcd 0:15:00 5 user-statistics accounting : The service-policy command applies the policy map rule set to the inside interface. : This command activates the policies. service-policy test-inside-policy interface inside Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 10 Chapter 9, “Inspection of Database and Directory • Protocols.” Chapter 10, “Inspection for Management • Application Protocols.” Chapter 14, “ASA and Cisco Cloud Web • Security.” ASA IPS Chapter 18, “ASA IPS Module.” ASA CX Chapter 17, “ASA CX Module.”...
  • Page 11 Note Application inspection includes multiple inspection types, and most are mutually exclusive. For inspections that can be combined, each inspection is considered to be a separate feature. Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 12 Certain Feature Actions, page 1-7 for more information. ASA IPS ASA CX ASA FirePOWER (ASA SFR) QoS output policing QoS standard priority queue NetFlow Secure Event Logging filtering and User statistics for Identity Firewall are order-independent. Note Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 13 Example 1-2 Misconfiguration for HTTP packets: FTP Inspection Also Configured class-map ftp [it should be 21] match port tcp eq 80 class-map http match port tcp eq 80 policy-map test class ftp Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 14 Class maps include the following types: • Layer 3/4 class maps (for through traffic and management traffic). Inspection class maps • Regular expression class maps • match commands used directly underneath an inspection policy map • Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 15 Defaults for Service Policies The following topics describe the default settings for service policies and the Modular Policy Framework: Default Service Policy Configuration, page 1-10 • Default Class Maps (Traffic Classes), page 1-11 • Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 16 _default_h323_map inspect h323 ras _default_h323_map inspect ip-options _default_ip_options_map inspect netbios inspect rsh inspect rtsp inspect skinny inspect esmtp _default_esmtp_map inspect sqlnet inspect sunrpc inspect tftp inspect sip Cisco ASA Series Firewall CLI Configuration Guide 1-10...
  • Page 17 10.1.1.0/24 to any destination address. Layer 3/4 Class Map Layer 3/4 Class Map Optionally, perform additional actions on some inspection traffic. Step 2 Cisco ASA Series Firewall CLI Configuration Guide 1-11...
  • Page 18 Define the actions you want to perform on each Layer 3/4 class map by creating a Layer 3/4 policy map, Step 3 as described in Define Actions (Layer 3/4 Policy Map), page 1-16. Cisco ASA Series Firewall CLI Configuration Guide 1-12...
  • Page 19 We suggest that you only inspect traffic on ports on which you expect application traffic; if you inspect all traffic, for example using match any, the ASA performance can be impacted. Cisco ASA Series Firewall CLI Configuration Guide 1-13...
  • Page 20 You can specify a match access-list command along with the match default-inspection-traffic command to narrow the matched traffic. Because the match default-inspection-traffic command specifies the ports and protocols to match, any ports and protocols in the ACL are ignored. Cisco ASA Series Firewall CLI Configuration Guide 1-14...
  • Page 21 You can specify a management class map that can match an ACL or TCP or UDP ports. The types of actions available for a management class map in the policy map are specialized for management traffic. Features Configured with Service Policies, page 1-4. Cisco ASA Series Firewall CLI Configuration Guide 1-15...
  • Page 22 The CLI enters policy-map configuration mode. Example: hostname(config)# policy-map global_policy Cisco ASA Series Firewall CLI Configuration Guide 1-16...
  • Page 23 21 hostname(config)# class-map tcp_traffic hostname(config-cmap)# match port tcp range 1 65535 hostname(config)# class-map udp_traffic hostname(config-cmap)# match port udp range 0 65535 hostname(config)# policy-map global_policy Cisco ASA Series Firewall CLI Configuration Guide 1-17...
  • Page 24 The following commands disable the default global policy, and enables a new one called new_global_policy on all other ASA interfaces: hostname(config)# no service-policy global_policy global hostname(config)# service-policy new_global_policy global Cisco ASA Series Firewall CLI Configuration Guide 1-18...
  • Page 25 See the following commands for this example: hostname(config)# class-map http_traffic hostname(config-cmap)# match port tcp eq 80 hostname(config)# policy-map http_traffic_policy hostname(config-pmap)# class http_traffic hostname(config-pmap-c)# inspect http hostname(config-pmap-c)# police output 250000 hostname(config)# service-policy http_traffic_policy interface outside Cisco ASA Series Firewall CLI Configuration Guide 1-19...
  • Page 26 Any HTTP connection destined for Server B that enters the ASA through the inside interface is classified for HTTP inspection. Connections initiated from Server B to Host B do not match the ACL in the class map, so they are not affected. Cisco ASA Series Firewall CLI Configuration Guide 1-20...
  • Page 27 IP address used on the outside network, 209.165.200.225. You must use the real IP address in the ACL in the class map. If you applied it to the outside interface, you would also use the real address. Cisco ASA Series Firewall CLI Configuration Guide 1-21...
  • Page 28 Match any for inspection policy maps 8.0(2) The match any keyword was introduced for use with inspection policy maps: traffic can match one or more criteria to match the class map. Formerly, only match all was available. Cisco ASA Series Firewall CLI Configuration Guide 1-22...
  • Page 29 However, you cannot set different actions for different matches. Note: Not all inspections support inspection class maps. Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 30 (the priority is based on the internal rules). If a class map has the same type of lowest priority match command as another class map, then the class Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 31 There are other default inspection policy maps such as _default_esmtp_map. For example, inspect Note esmtp implicitly uses the policy map “_default_esmtp_map.” All the default policy maps can be shown by using the show running-config all policy-map command. Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 32 Step 6 Configures parameters that affect the inspection engine. The CLI parameters enters parameters configuration mode. For the parameters available for each application, see the appropriate inspection Example: chapter. hostname(config-pmap)# parameters hostname(config-pmap-p)# Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 33 If you want to perform different actions on different types of traffic, you should identify the traffic directly in the policy map. Restrictions Not all applications support inspection class maps. See the CLI help for class-map type inspect for a list of supported applications. Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 34 The following example creates an HTTP class map that can match any of the criteria: hostname(config-cmap)# class-map type inspect http match-any monitor-http hostname(config-cmap)# match request method get hostname(config-cmap)# match request method put hostname(config-cmap)# match request method post Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 35 Match any for inspection policy maps 8.0(2) The match any keyword was introduced for use with inspection policy maps: traffic can match one or more criteria to match the class map. Formerly, only match all was available. Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 36 Chapter 2 Special Actions for Application Inspections (Inspection Policy Map) Feature History for Inspection Policy Maps Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 37 EtherType rules (Layer 2 traffic) assigned to interfaces (transparent firewall mode only)—You can apply separate rule sets in the inbound and outbound directions. EtherType rules control network access for non-IP traffic. An EtherType rule permits or denies traffic based on the EtherType. Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 38 Rather than creating multiple inbound ACLs to restrict access, you can create a single outbound ACL that allows only the specified hosts. (See the following figure.) The outbound ACL prevents any other hosts from reaching the outside network. Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 39 Implicit Permits For routed mode, the following types of traffic are allowed through by default: Unicast IPv4 and IPv6 traffic from a higher security interface to a lower security interface. • Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 40 This section describes information about extended access rules. Extended Access Rules for Returning Traffic, page 3-5 • Allowing Broadcast and Multicast Traffic through the Transparent Firewall Using Access Rules, • page 3-5 Management Access Rules, page 3-5 • Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 41 ACL. Alternatively, you can use ICMP rules to control ICMP traffic to the device. Use regular extended access rules to control ICMP traffic through the device. Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 42 IP address on the ASA interface as the router-id for LDP or TDP sessions. (LDP and TDP allow MPLS routers to negotiate the labels (addresses) used to forward packets.) On Cisco IOS routers, enter the appropriate command for your protocol, LDP or TDP. The interface is the interface connected to the ASA.
  • Page 43 Before you can create an access group, create the ACL. See the general operations configuration guide for more information. To bind an ACL to an interface or to apply it globally, use the following command: access-group access_list { {in | out} interface interface_name [per-user-override | control-plane] | global} Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 44 To protect the device from attacks, you can use ICMP rules to limit ICMP access to ASA interfaces to particular hosts, networks, or ICMP types. ICMP rules function like access rules, where the rules are ordered, and the first rule that matches a packet defines the action. Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 45 Examples The following example shows how to allow all hosts except the one at 10.1.1.15 to use ICMP to the inside interface: hostname(config)# icmp deny host 10.1.1.15 inside hostname(config)# icmp permit any inside Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 46 A flow is defined by the source and destination IP addresses, protocols, and ports. Because the source port might differ for a new connection between the same two hosts, you might not see the same flow increment because a new flow was created for the connection. Cisco ASA Series Firewall CLI Configuration Guide 3-10...
  • Page 47 The following example allows some EtherTypes through the ASA, but it denies all others: hostname(config)# access-list ETHER ethertype permit 0x1234 hostname(config)# access-list ETHER ethertype permit mpls-unicast hostname(config)# access-group ETHER in interface inside hostname(config)# access-group ETHER in interface outside Cisco ASA Series Firewall CLI Configuration Guide 3-11...
  • Page 48 Support for TrustSec 9.0(1) You can now use TrustSec security groups for the source and destination. You can use an identity firewall ACL with access rules. We modified the following commands: access-list extended. Cisco ASA Series Firewall CLI Configuration Guide 3-12...
  • Page 49 Forward referencing of objects and ACLs in for objects or ACLs that do not yet exist. access rules. We introduced the clear config-session, clear session, configure session, forward-reference, and show config-session commands. Cisco ASA Series Firewall CLI Configuration Guide 3-13...
  • Page 50 Chapter 3 Access Rules History for Access Rules Cisco ASA Series Firewall CLI Configuration Guide 3-14...
  • Page 51 A R T Network Address Translation...
  • Page 53 Other functions of NAT include: Security—Keeping internal IP addresses hidden discourages direct attacks. • • IP routing solutions—Overlapping IP addresses are not a problem when you use NAT. Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 54 NAT rules, and one or both can be translated/untranslated. For static NAT, the rule is bidirectional, so be aware that “source” and “destination” are used in commands and descriptions throughout this guide even though a given connection might originate at the “destination” address. Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 55 Twice NAT lets you identify both the source and destination address in a single rule. Specifying both the source and destination addresses lets you specify that sourceA/destinationA can have a different translation than sourceA/destinationB. Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 56 Order of NAT Rules. • Network object NAT—Automatically ordered in the NAT table. – Twice NAT—Manually ordered in the NAT table (before or after network object NAT rules). – Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 57 NAT rule to section 3 when you add the rule. For section 2 rules, for example, you have the following IP addresses defined within network objects: 192.168.1.0/24 (static) Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 58 In transparent mode, you must choose specific source and destination interfaces. Guidelines for NAT The following topics provide detailed guidelines for implementing NAT. Firewall Mode Guidelines for NAT, page 4-7 • IPv6 NAT Guidelines, page 4-7 • Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 59 For example, if the IPv6 prefix is a /96 prefix, then the IPv4 address is appended in the last 32-bits of the address. For example, if you map 192.168.1.0/24 to 201b::0/96, then 192.168.1.4 will Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 60 IPv6-to-IPv6 or IPv4-to-IPv4; with this prerequisite, the ASA can determine the value of any in a NAT rule. For example, if you configure a rule from “any” to an IPv6 server, and that server was Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 61 If a mapped network object contains both ranges and host IP addresses, then the ranges are used for dynamic NAT, and then the host IP addresses are used as a PAT fallback. • Dynamic PAT (Hide): Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 62 The mapped object or group can contain a host, range, or subnet. – – The static mapping is typically one-to-one, so the real addresses have the same quantity as the mapped addresses. You can, however, have different quantities if desired. Cisco ASA Series Firewall CLI Configuration Guide 4-10...
  • Page 63 NAT, you can only perform port translation on the destination. A service object can contain both a source and destination port, but only the destination port is used in this case. If you specify the source port, it will be ignored. Cisco ASA Series Firewall CLI Configuration Guide 4-11...
  • Page 64 The following figure shows a typical dynamic NAT scenario. Only real hosts can create a NAT session, and responding traffic is allowed back. Figure 4-2 Dynamic NAT Security Appliance 10.1.1.1 209.165.201.1 10.1.1.2 209.165.201.2 Inside Outside Cisco ASA Series Firewall CLI Configuration Guide 4-12...
  • Page 65 Some multimedia applications that have a data stream on one port, the control path on another port, • and are not open standard. Default Inspections and NAT Limitations, page 6-6 for more information about NAT and PAT support. Cisco ASA Series Firewall CLI Configuration Guide 4-13...
  • Page 66 You can also specify the keyword any for one or both of the interfaces, for example (any,outside). • Mapped IP address—Specify the network object or network object group that includes the mapped IP addresses. Cisco ASA Series Firewall CLI Configuration Guide 4-14...
  • Page 67 IPv4_PAT hostname(config-network-object)# host 209.165.201.31 hostname(config-network-object)# object-group network IPv4_GROUP hostname(config-network-object)# network-object object IPv4_NAT_RANGE hostname(config-network-object)# network-object object IPv4_PAT hostname(config-network-object)# object network my_net_obj5 hostname(config-network-object)# subnet 2001:DB8::/96 hostname(config-network-object)# nat (inside,outside) dynamic IPv4_GROUP interface Cisco ASA Series Firewall CLI Configuration Guide 4-15...
  • Page 68 NAT rules), then use the after-auto keyword. You can insert a rule anywhere in the applicable section using the line argument. Source addresses: • Real—Specify a network object, group, or the any keyword. – Cisco ASA Series Firewall CLI Configuration Guide 4-16...
  • Page 69 209.165.201.0 255.255.255.224 hostname(config)# object network SERVERS_2 hostname(config-network-object)# subnet 203.0.113.0 255.255.255.0 hostname(config)# nat (inside,outside) source dynamic INSIDE_NW MAPPED_1 destination static SERVERS_1 SERVERS_1 hostname(config)# nat (inside,outside) source dynamic INSIDE_NW MAPPED_2 destination static SERVERS_2 SERVERS_2 Cisco ASA Series Firewall CLI Configuration Guide 4-17...
  • Page 70 Each connection requires a separate translation session because the source port differs for each connection. For example, 10.1.1.1:1025 requires a separate translation from 10.1.1.1:1026. Cisco ASA Series Firewall CLI Configuration Guide 4-18...
  • Page 71 If you use the same PAT pool object in two separate rules, then be sure to specify the same options for each rule. For example, if one rule specifies extended PAT and a flat range, then the other rule must also specify extended PAT and a flat range. Cisco ASA Series Firewall CLI Configuration Guide 4-19...
  • Page 72 {IPv4_address IPv4_mask | IPv6_address/IPv6_prefix}—The address of a network. For • IPv4 subnets, include the mask after a space, for example, 10.0.0.0 255.0.0.0. For IPv6, include the address and prefix as a single unit (no spaces), such as 2001:DB8:0:CD30::/60. Cisco ASA Series Firewall CLI Configuration Guide 4-20...
  • Page 73 1 to 511, 512 to 1023, and 1024 to 65535. To avoid running out of ports at the low ranges, configure this setting. To use the entire range of 1 to 65535, also specify the include-reserve keyword. Cisco ASA Series Firewall CLI Configuration Guide 4-21...
  • Page 74 If you use an object, the object or group cannot contain a subnet. The object must define a host, or for a PAT pool, a range. The group (for a PAT pool) can include hosts and ranges. Cisco ASA Series Firewall CLI Configuration Guide 4-22...
  • Page 75 -- Extended PAT—The extended keyword enables extended PAT. Extended PAT uses 65535 ports per service, as opposed to per IP address, by including the destination address and port in the translation information. Normally, the destination port and address are not considered when Cisco ASA Series Firewall CLI Configuration Guide 4-23...
  • Page 76 PAT_POOL hostname(config-network-object)# range 209.165.200.225 209.165.200.254 hostname(config)# object network TELNET_SVR hostname(config-network-object)# host 209.165.201.23 hostname(config)# object service TELNET hostname(config-service-object)# service tcp destination eq 23 hostname(config)# object network SERVERS hostname(config-network-object)# subnet 203.0.113.0 255.255.255.0 Cisco ASA Series Firewall CLI Configuration Guide 4-24...
  • Page 77 Cisco ASA Series Firewall CLI Configuration Guide 4-25...
  • Page 78 The following example creates a deny rule for H.323 traffic, so that it uses multi-session PAT: hostname(config)# xlate per-session deny tcp any4 209.165.201.7 eq 1720 hostname(config)# xlate per-session deny udp any4 209.165.201.7 range 1718 1719 Cisco ASA Series Firewall CLI Configuration Guide 4-26...
  • Page 79 About Static NAT with Port Address Translation When you specify the port with static NAT, you can choose to map the port and/or the IP address to the same value or to a different value. Cisco ASA Series Firewall CLI Configuration Guide 4-27...
  • Page 80 NAT with port translation rules that use the same mapped IP address, but different ports. For details on how to configure this example, see Single Address for FTP, HTTP, and SMTP (Static NAT-with-Port-Translation), page 5-5. Cisco ASA Series Firewall CLI Configuration Guide 4-28...
  • Page 81 NAT, when the real host initiates traffic, it always uses the first mapped address. However, for traffic initiated to the host, you can initiate traffic to any of the mapped addresses, and they will be untranslated to the single real address. Cisco ASA Series Firewall CLI Configuration Guide 4-29...
  • Page 82 Multiple Mapped Addresses (Static NAT, One-to-Many), page 5-4. Figure 4-9 One-to-Many Static NAT Example Host Undo Translation Outside 209.165.201.5 10.1.2.27 Undo Translation 209.165.201.3 10.1.2.27 Undo Translation 209.165.201.4 10.1.2.27 Inside Load Balancer 10.1.2.27 Web Servers Cisco ASA Series Firewall CLI Configuration Guide 4-30...
  • Page 83 TCP destination port, and both hosts are translated to the same IP address, then both connections will be reset because of an address conflict (the 5-tuple is not unique). Cisco ASA Series Firewall CLI Configuration Guide 4-31...
  • Page 84 Example hostname(config-network-object)# subnet 10.2.1.0 255.255.255.0 Configure static NAT for the object IP addresses. You can only define a single NAT rule for a given Step 4 object. Cisco ASA Series Firewall CLI Configuration Guide 4-32...
  • Page 85 10.1.1.1 hostname(config-network-object)# nat (inside,outside) static 10.2.2.2 dns The following example configures static NAT for the real host 10.1.1.1 on the inside to 10.2.2.2 on the outside using a mapped object. Cisco ASA Series Firewall CLI Configuration Guide 4-33...
  • Page 86 You can, however, have different quantities if desired. For more information, see Static NAT, page 4-27. (Optional.) Create service objects for the: Step 2 Source or Destination real ports • Source or Destination mapped ports • Cisco ASA Series Firewall CLI Configuration Guide 4-34...
  • Page 87 The order of the service objects for destination port translation is service mapped_obj real_obj. In the rare case where you specify both the source and destination ports in the object, the first service object contains the real source Cisco ASA Series Firewall CLI Configuration Guide 4-35...
  • Page 88 IPv6 network, and the dynamic PAT translation to an IPv4 PAT pool when accessing the IPv4 network: hostname(config)# object network INSIDE_NW hostname(config-network-object)# subnet 2001:DB8:AAAA::/96 hostname(config)# object network MAPPED_IPv6_NW hostname(config-network-object)# subnet 2001:DB8:BBBB::/96 hostname(config)# object network OUTSIDE_IPv6_NW hostname(config-network-object)# subnet 2001:DB8:CCCC::/96 hostname(config)# object network OUTSIDE_IPv4_NW hostname(config-network-object)# subnet 10.1.1.0 255.255.255.0 Cisco ASA Series Firewall CLI Configuration Guide 4-36...
  • Page 89 Create or edit the network object for which you want to configure NAT. The object must be a different Step 2 one than what you use for the mapped addresses, even though the contents must be the same in each object. object network obj_name Example Cisco ASA Series Firewall CLI Configuration Guide 4-37...
  • Page 90 Route lookup—(Routed mode only; interfaces specified.) Specify route-lookup to determine the • egress interface using a route lookup instead of using the interface specified in the NAT command. Determining the Egress Interface, page 5-14 for more information. Cisco ASA Series Firewall CLI Configuration Guide 4-38...
  • Page 91 Step 3 Configure identity NAT. nat [(real_ifc,mapped_ifc)] [line | {after-object [line]}] source static {nw_obj nw_obj | any any} [destination static {mapped_obj | interface [ipv6]} real_obj] [service real_src_mapped_dest_svc_obj mapped_src_real_dest_svc_obj] [no-proxy-arp] [route-lookup] [inactive] [description desc] Cisco ASA Series Firewall CLI Configuration Guide 4-39...
  • Page 92 To reactivate it, reenter the whole command without the inactive keyword. Description—Optional.) Provide a description up to 200 characters using the description keyword. • Monitoring NAT To monitor object NAT, use the following commands: show nat • Cisco ASA Series Firewall CLI Configuration Guide 4-40...
  • Page 93 Twice NAT 8.3(1) Twice NAT lets you identify both the source and destination address in a single rule. We modified or introduced the following commands: nat, show nat, show xlate, show nat pool. Cisco ASA Series Firewall CLI Configuration Guide 4-41...
  • Page 94 PAT IP address if ports are available. We did not modify any commands. This feature is not available in 8.5(1) or 8.6(1). Cisco ASA Series Firewall CLI Configuration Guide 4-42...
  • Page 95 We modifed the following command: nat dynamic [pat-pool mapped_object [extended]] and nat source dynamic [pat-pool mapped_object [extended]]. This feature is not available in 8.5(1) or 8.6(1). Cisco ASA Series Firewall CLI Configuration Guide 4-43...
  • Page 96 Because of routing issues, we do not recommend using this feature unless you know you need it; contact Cisco TAC to confirm feature compatibility with your network. See the following limitations: Only supports Cisco IPsec and AnyConnect Client.
  • Page 97 Engine compilation is completed; without affecting the rule matching performance. We added the nat keyword to the following commands: asp rule-engine transactional-commit, show running-config asp rule-engine transactional-commit, clear configure asp rule-engine transactional-commit. Cisco ASA Series Firewall CLI Configuration Guide 4-45...
  • Page 98 Chapter 4 Network Address Translation (NAT History for NAT Cisco ASA Series Firewall CLI Configuration Guide 4-46...
  • Page 99 The following example performs static NAT for an inside web server. The real address is on a private network, so a public address is required. Static NAT is necessary so hosts can initiate traffic to the web server at a fixed address. Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 100 The following example configures dynamic NAT for inside users on a private network when they access the outside. Also, when inside users connect to an outside web server, that web server address is translated to an address that appears to be on the inside network. Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 101 (inside,outside) dynamic myNatPool Create a network object for the outside web server. Step 4 hostname(config)# object network myWebServ hostname(config-network-object)# host 209.165.201.12 Configure static NAT for the web server. Step 5 hostname(config-network-object)# nat (outside,inside) static 10.1.2.20 Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 102 Create a network object for the load balancer. Step 2 hostname(config)# object network myLBHost hostname(config-network-object)# host 10.1.2.27 Step 3 Configure static NAT for the load balancer applying the range object. hostname(config-network-object)# nat (inside,outside) static myPublicIPs Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 103 10.1.2.28 hostname(config-network-object)# nat (inside,outside) static 209.165.201.3 service tcp http http Create a network object for the SMTP server and configure static NAT with port translation, mapping Step 3 the SMTP port to itself. Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 104 10.1.2.27 209.165.202.129 10.1.2.27 209.165.202.130 Inside 10.1.2.0/24 Packet Packet Dest. Address: Dest. Address: 209.165.201.11 209.165.200.225 10.1.2.27 Add a network object for the inside network: Step 1 hostname(config)# object network myInsideNetwork hostname(config-network-object)# subnet 10.1.2.0 255.255.255.0 Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 105 Telnet services. When the host accesses the server for Telnet services, the real address is translated to 209.165.202.129:port. When the host accesses the same server for web services, the real address is translated to 209.165.202.130:port. Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 106 Step 6 Add a network object for the PAT address when using HTTP: hostname(config)# object network PATaddress2 hostname(config-network-object)# host 209.165.202.130 Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 107 You can configure NAT in both routed and transparent firewall mode. This section describes typical usage for each firewall mode. NAT in Routed Mode, page 5-10 • • NAT in Transparent Mode, page 5-10 Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 108 The following figure shows a typical NAT scenario in transparent mode, with the same network on the inside and outside interfaces. The transparent firewall in this scenario is performing the NAT service so that the upstream router does not have to perform NAT. Cisco ASA Series Firewall CLI Configuration Guide 5-10...
  • Page 109 This section describes how the ASA handles accepting and delivering packets with NAT. • Mapped Addresses and Routing, page 5-12 Cisco ASA Series Firewall CLI Configuration Guide 5-11...
  • Page 110 ASA: specify the bridge group IP address. For remote hosts in transparent mode, in the static route on the upstream router, you can alternatively specify the downstream router IP address. Cisco ASA Series Firewall CLI Configuration Guide 5-12...
  • Page 111 ARP functionality. Due to internal processes for virtual Telnet, proxy ARP lets the ASA keep traffic destined for the virtual Telnet address rather than send the traffic out the source interface according to the NAT rule. (See the following figure). Cisco ASA Series Firewall CLI Configuration Guide 5-13...
  • Page 112 The following figure shows the egress interface selection method in routed mode. In almost all cases, a route lookup is equivalent to the NAT rule interface, but in some configurations, the two methods might differ. Cisco ASA Series Firewall CLI Configuration Guide 5-14...
  • Page 113 NAT to access the Internet. The below example uses interface PAT rules. To allow the VPN traffic to exit the same interface it entered, you also need to enable intra-interface communication (also known as “hairpin” networking). Cisco ASA Series Firewall CLI Configuration Guide 5-15...
  • Page 114 PAT rule by using an identity NAT rule between those networks. Identity NAT simply translates an address to the same address. Cisco ASA Series Firewall CLI Configuration Guide 5-16...
  • Page 115 10.2.2.78 in San Jose), you do not want to perform NAT; you need to exempt that traffic by creating an identity NAT rule. Identity NAT simply translates an address to the same address. Cisco ASA Series Firewall CLI Configuration Guide 5-17...
  • Page 116 See the following sample NAT configuration for ASA1 (Boulder): ! Enable hairpin for VPN client traffic: same-security-traffic permit intra-interface ! Identify local VPN network, & perform object interface PAT when going to Internet: Cisco ASA Series Firewall CLI Configuration Guide 5-18...
  • Page 117 ASA (see the management-access command). For example, if you enter the ASA from the outside interface, the management-access feature lets you connect to the inside interface using ASDM, SSH, Telnet, or SNMP; or you can ping the inside interface. Cisco ASA Series Firewall CLI Configuration Guide 5-19...
  • Page 118 10.3.3.0 255.255.255.0 nat (outside,outside) dynamic interface ! Identify inside network, & perform object interface PAT when going to Internet: object network inside_nw subnet 10.1.1.0 255.255.255.0 nat (inside,outside) dynamic interface Cisco ASA Series Firewall CLI Configuration Guide 5-20...
  • Page 119 DNS rewrite is actually done on the xlate entry, not the NAT rule. Thus, if there is no xlate for a • dynamic rule, rewrite cannot be done correctly. The same problem does not occur for static NAT. Cisco ASA Series Firewall CLI Configuration Guide 5-21...
  • Page 120 In this case, you want to enable DNS reply modification on this static rule so that inside users who have access to ftp.cisco.com using the real address receive the real address from the DNS server, and not the mapped address.
  • Page 121 DNS Reply Modification, DNS Server, Host, and Server on Separate Networks The following figure shows a user on the inside network requesting the IP address for ftp.cisco.com, which is on the DMZ network, from an outside DNS server. The DNS server replies with the mapped address (209.165.201.10) according to the static rule between outside and DMZ even though the user is...
  • Page 122 DNS and NAT If the user needs to access ftp.cisco.com using the real address, then no further configuration is required. If there is also a static rule between the inside and DMZ, then you also need to enable DNS reply modification on this rule.
  • Page 123 In this case, when an inside IPv6 user requests the address for ftp.cisco.com from the DNS server, the DNS server responds with the real address, 209.165.200.225. Because you want inside users to use the mapped address for ftp.cisco.com (2001:DB8::D1A5:C8E1) you need to configure DNS reply modification for the static translation.
  • Page 124 DNS_SERVER hostname(config-network-object)# host 209.165.201.15 hostname(config-network-object)# nat (outside,inside) static 2001:DB8::D1A5:C90F/128 net-to-net Step 3 Configure an IPv4 PAT pool for translating the inside IPv6 network. hostname(config)# object network IPv4_POOL hostname(config-network-object)# range 203.0.113.1 203.0.113.254 Cisco ASA Series Firewall CLI Configuration Guide 5-26...
  • Page 125 PTR Modification, DNS Server on Host Network ftp.cisco.com 209.165.201.10 Static Translation on Inside to: 10.1.2.56 DNS Server PTR Record Outside ftp.cisco.com Reverse DNS Query 209.165.201.10 Reverse DNS Query Modification 10.1.2.56 209.165.201.10 Inside Reverse DNS Query 10.1.2.56? User 10.1.2.27 Cisco ASA Series Firewall CLI Configuration Guide 5-27...
  • Page 126 Chapter 5 NAT Examples and Reference DNS and NAT Cisco ASA Series Firewall CLI Configuration Guide 5-28...
  • Page 127 A R T Application Inspection...
  • Page 129 As illustrated in the following figure, the ASA uses three databases for its basic operation: ACLs—Used for authentication and authorization of connections based on specific networks, hosts, • and services (TCP/UDP port numbers). Inspections—Contains a static, predefined set of application-level inspection functions. • Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 130 However, the fast path relies on predictable port numbers and does not perform address translations inside a packet. Many protocols open secondary TCP or UDP ports. The initial session on a well-known port is used to negotiate dynamically assigned port numbers. Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 131 For example: hostname(config)# policy-map test hostname(config-pmap)# class sip hostname(config-pmap-c)# no inspect sip sip-map1 hostname(config-pmap-c)# inspect sip sip-map2 Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 132 They are matched according to the order in the policy map: ftp3 and then ftp2. class-map type inspect ftp match-all ftp1 match request-cmd get class-map type inspect ftp match-all ftp2 Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 133 200 connections. For example, if an FTP client opens multiple secondary connections, the FTP inspection engine allows only 200 active connections and the 201 connection is dropped and the adaptive security appliance generates a system error message. Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 134 No NAT support is available for RFC 1123 — name resolution through WINS. TCP/21 (Clustering) No static PAT. RFC 959 — UDP/3386 No extended PAT. — Requires a special license. UDP/2123 No NAT. Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 135 NAT of the packets for NBNS UDP port No NAT64. ports) 137 and NBDS UDP port 138. PPTP TCP/1723 No NAT64. RFC 2637 — (Clustering) No static PAT. RADIUS 1646 No NAT64. RFC 2865 — Accounting Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 136 TCP port 111, you need to create a new rule that matches TCP port 111 and performs Sun RPC inspection. TFTP UDP/69 No NAT64. RFC 1350 Payload IP addresses are not translated. (Clustering) No static PAT. Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 137: Table Of Contents

    ASA features. For example, you can use a service policy to create a timeout configuration that is specific to a particular TCP application, as opposed to one that applies to all TCP Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 138 SNMP inspection, enable SNMP inspection for the default class. Do not add another class that matches SNMP. Enable application inspection. Step 5 hostname(config-pmap-c)# inspect protocol The protocol is one of the following values: Cisco ASA Series Firewall CLI Configuration Guide 6-10...
  • Page 139 HTTP Inspection, page 7-14. If you added an HTTP inspection policy map according to Configure an HTTP Inspection Policy Map, page 7-16, identify the map name in this command. icmp ICMP Inspection, page 7-21. Cisco ASA Series Firewall CLI Configuration Guide 6-11...
  • Page 140 RSH Inspection, page 10-15. rtsp [map_name] RTSP Inspection, page 8-17. If you added a RTSP inspection policy map according to Configure RTSP Inspection Policy Map, page 8-19, identify the map name in this command. Cisco ASA Series Firewall CLI Configuration Guide 6-12...
  • Page 141 TFTP Inspection, page 7-45. waas Enables TCP option 33 parsing. Use when deploying Cisco Wide Area Application Services products. xdmcp XDMCP Inspection, page 10-17. If you are editing the default global policy (or any in-use policy) to use a different inspection...
  • Page 142 21 hostname(config)# access-list ftp_inspect extended permit tcp any any eq 1056 hostname(config)# class-map new_inspection hostname(config-cmap)# match access-list ftp_inspect Cisco ASA Series Firewall CLI Configuration Guide 6-14...
  • Page 143 Matches either expression it separates. For example, dog|cat matches dog or cat. Question mark A quantifier that indicates that there are 0 or 1 of the previous expression. For example, lo?se matches lse or lose. Cisco ASA Series Firewall CLI Configuration Guide 6-15...
  • Page 144 Matches an ASCII character as octal (exactly three digits). For example, the character 040 represents a space. Procedure Test a regular expression to make sure it matches what you think it will match. Step 1 Cisco ASA Series Firewall CLI Configuration Guide 6-16...
  • Page 145 (Optional) Add a description to the class map: Step 2 hostname(config-cmap)# description string Identify the regular expressions you want to include by entering the following command for each regular Step 3 expression: Cisco ASA Series Firewall CLI Configuration Guide 6-17...
  • Page 146 Match any for inspection policy maps 8.0(2) The match any keyword was introduced for use with inspection policy maps: traffic can match one or more criteria to match the class map. Formerly, only match all was available. Cisco ASA Series Firewall CLI Configuration Guide 6-18...
  • Page 147 DNS Inspection The following sections describe DNS application inspection. DNS Inspection Actions, page 7-2 • Defaults for DNS Inspection, page 7-2 • Configure DNS Inspection, page 7-2 • • Monitoring DNS Inspection, page 7-8 Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 148: Class-map Inspection_default

    Configure DNS Inspection DNS inspection is enabled by default. You need to configure it only if you want non-default processing. If you want to customize DNS inspection, use the following process. Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 149 Specify the traffic on which you want to perform actions using one of the following match commands. If you use a match not command, then any traffic that does not match the criterion in the match not command has the action applied. Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 150 {[drop] [log]} | mask [log] | log} Not all options are available for each match or class command. See the CLI help or the command reference for the exact options available. The drop keyword drops all packets that match. Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 151 {[drop] [log]}—Requires a TSIG resource record to be present. You can drop a non-conforming packet, log the packet, or both. For example: hostname(config-pmap)# parameters hostname(config-pmap-p)# dns-guard hostname(config-pmap-p)# message-length maximum 1024 hostname(config-pmap-p)# nat-rewrite hostname(config-pmap-p)# protocol-enforcement Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 152 For information on matching statements, see Identify Traffic (Layer 3/4 Class Maps), page 1-13. Step 2 Add or edit a policy map that sets the actions to take with the class map traffic. Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 153 Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface. Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 154 Configure FTP Inspection, page 7-10 • Verifying and Monitoring FTP Inspection, page 7-14 FTP Inspection Overview The FTP application inspection inspects the FTP sessions and performs four tasks: Prepares dynamic secondary data connection • Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 155 Invalid port negotiation—The negotiated dynamic port value is checked to see if it is less than 1024. As port numbers in the range from 1 to 1024 are reserved for well-known connections, if the negotiated port falls in this range, then the TCP connection is freed. Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 156 To specify traffic that should not match the class map, use the match not command. For example, if the match not command specifies the string “example.com,” then any traffic that includes “example.com” does not match the class map. Cisco ASA Series Firewall CLI Configuration Guide 7-10...
  • Page 157 [not] username regex {regex_name | class class_name}—Matches the FTP username • against the specified regular expression or regular expression class. Enter exit to leave class map configuration mode. Cisco ASA Series Firewall CLI Configuration Guide 7-11...
  • Page 158 The following example shows how to mask this banner: hostname(config)# policy-map type inspect ftp mymap hostname(config-pmap)# parameters hostname(config-pmap-p)# mask-banner hostname(config)# class-map match-all ftp-traffic hostname(config-cmap)# match port tcp eq ftp hostname(config)# policy-map ftp-policy hostname(config-pmap)# class ftp-traffic Cisco ASA Series Firewall CLI Configuration Guide 7-12...
  • Page 159 Otherwise, you are specifying the class you created earlier in this procedure. Configure FTP inspection. Step 4 inspect ftp [strict [ftp_policy_map]] Where: • strict implements strict FTP. You must use strict FTP to specify an FTP inspection policy map. Cisco ASA Series Firewall CLI Configuration Guide 7-13...
  • Page 160 In conjunction with NAT, the FTP application inspection translates the IP address within the application payload. This is described in detail in RFC 959. HTTP Inspection The following sections describe the HTTP inspection engine. • HTTP Inspection Overview, page 7-15 • Configure HTTP Inspection, page 7-15 Cisco ASA Series Firewall CLI Configuration Guide 7-14...
  • Page 161 Do not configure HTTP inspection in both a service module and on the ASA, as the inspections are not compatible. Procedure Configure an HTTP Inspection Policy Map, page 7-16. Step 1 Configure the HTTP Inspection Service Policy, page 7-19. Step 2 Cisco ASA Series Firewall CLI Configuration Guide 7-15...
  • Page 162 [not] request body {regex {regex_name | class class_name} | length gt bytes}—Matches text found in the HTTP request message body against the specified regular expression or regular expression class, or messages where the request body is greater than the specified length. Cisco ASA Series Firewall CLI Configuration Guide 7-16...
  • Page 163 (count) in the header. You can specify the field name explicitly or match the field name to a regular expression or regular expression class. Field names are listed in the previous bullet. Cisco ASA Series Firewall CLI Configuration Guide 7-17...
  • Page 164 • HTTP message that should be searched in a body match. The default is 200 bytes. A large number will have a significant impact on performance. Cisco ASA Series Firewall CLI Configuration Guide 7-18...
  • Page 165 If necessary, create an L3/L4 class map to identify the traffic for which you want to apply the inspection. Step 1 class-map name match parameter Example: hostname(config)# class-map http_class_map hostname(config-cmap)# match access-list http Cisco ASA Series Firewall CLI Configuration Guide 7-19...
  • Page 166 Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface. Cisco ASA Series Firewall CLI Configuration Guide 7-20...
  • Page 167 The Instant Messaging (IM) inspect engine lets you control the network usage of IM and stop leakage of confidential data, propagation of worms, and other threats to the corporate network. IM inspection is not enabled by default. You must configure it if you want IM inspection. Cisco ASA Series Firewall CLI Configuration Guide 7-21...
  • Page 168 If you use a match not command, then any traffic that does not match the criterion in the match not command has the action applied. • match [not] protocol {im-yahoo | im-msn}—Matches a specific IM protocol, either Yahoo or MSN. Cisco ASA Series Firewall CLI Configuration Guide 7-22...
  • Page 169 The reset keyword drops the packet, closes the connection, and sends a TCP reset to the server or client. The log keyword, which you can use alone or with one of the other keywords, sends a system log message. Cisco ASA Series Firewall CLI Configuration Guide 7-23...
  • Page 170 However, the default inspect class does include the default IM ports, so you can simply edit the default global inspection policy to add IM inspection. You can alternatively create a new service policy as desired, for example, an interface-specific policy. Cisco ASA Series Firewall CLI Configuration Guide 7-24...
  • Page 171 If you are editing an existing service policy (such as the default global policy called global_policy), you are done. Otherwise, activate the policy map on one or more interfaces. service-policy policymap_name {global | interface interface_name} Cisco ASA Series Firewall CLI Configuration Guide 7-25...
  • Page 172 The Options field is padded so that the field ends on a 32 bit boundary. • Internet header length (IHL) in the packet changes. • • The total length of the packet changes. Cisco ASA Series Firewall CLI Configuration Guide 7-26...
  • Page 173 IP options inspection is enabled by default. You need to configure it only if you want to allow additional options than the default map allows. Procedure Configure an IP Options Inspection Policy Map, page 7-28. Step 1 Configure the IP Options Inspection Service Policy, page 7-28. Step 2 Cisco ASA Series Firewall CLI Configuration Guide 7-27...
  • Page 174 Step 1 If necessary, create an L3/L4 class map to identify the traffic for which you want to apply the inspection. class-map name match parameter Example: hostname(config)# class-map ip_options_class_map hostname(config-cmap)# match access-list ipoptions Cisco ASA Series Firewall CLI Configuration Guide 7-28...
  • Page 175 Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface. Cisco ASA Series Firewall CLI Configuration Guide 7-29...
  • Page 176 IPsec Pass Through inspection is not enabled by default. You must configure it if you want IPsec Pass Through inspection. Procedure Step 1 Configure an IPsec Pass Through Inspection Policy Map, page 7-31. Step 2 Configure the IPsec Pass Through Inspection Service Policy, page 7-32. Cisco ASA Series Firewall CLI Configuration Guide 7-30...
  • Page 177 10 timeout 0:11:00 hostname(config-pmap-p)# ah per-client-max 5 timeout 0:06:00 hostname(config)# policy-map inspection_policy hostname(config-pmap)# class ipsecpassthru-traffic hostname(config-pmap-c)# inspect ipsec-pass-thru iptmap hostname(config)# service-policy inspection_policy interface outside Cisco ASA Series Firewall CLI Configuration Guide 7-31...
  • Page 178 For information on creating the inspection policy map, Configure an IPsec Pass Through Inspection Policy Map, page 7-31. Example: hostname(config-class)# no inspect ipsec-pass-thru hostname(config-class)# inspect ipsec-pass-thru ipsec-map Cisco ASA Series Firewall CLI Configuration Guide 7-32...
  • Page 179 Drops any packet with a routing type header. • Following is the policy map configuration: policy-map type inspect ipv6 _default_ipv6_map description Default IPV6 policy-map parameters verify-header type verify-header order match header routing-type range 0 255 drop log Cisco ASA Series Firewall CLI Configuration Guide 7-33...
  • Page 180 Specify the action to perform on matching packets. You can drop the packet and optionally log it, or just log it. If you do not enter an action, the packet is logged. hostname(config-pmap)# {drop [log] | log} Cisco ASA Series Firewall CLI Configuration Guide 7-34...
  • Page 181 If necessary, create an L3/L4 class map to identify the traffic for which you want to apply the inspection. Step 1 class-map name match parameter Example: hostname(config)# class-map ipv6_class_map hostname(config-cmap)# match access-list ipv6 Cisco ASA Series Firewall CLI Configuration Guide 7-35...
  • Page 182 Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface. Cisco ASA Series Firewall CLI Configuration Guide 7-36...
  • Page 183 Where the drop action drops the packet. The log action sends a system log message when this policy map matches traffic. Example hostname(config)# policy-map type inspect netbios netbios_map hostname(config-pmap)# parameters hostname(config-pmap-p)# protocol-violation drop log hostname(config)# policy-map netbios_policy hostname(config-pmap)# class inspection_default hostname(config-pmap-c)# inspect netbios netbios_map Cisco ASA Series Firewall CLI Configuration Guide 7-37...
  • Page 184 Where netbios_policy_map is the optional NetBIOS inspection policy map. You need a map only if you want non-default inspection processing. For information on creating the NetBIOS inspection policy map, see Configure a NetBIOS Inspection Policy Map for Additional Inspection Control, page 7-37. Example: hostname(config-class)# no inspect netbios Cisco ASA Series Firewall CLI Configuration Guide 7-38...
  • Page 185 ESMTP messages as well as detect several attacks, block senders/receivers, and block mail relay. The following sections describe the ESMTP inspection engine. • SMTP and ESMTP Inspection Overview, page 7-40 Cisco ASA Series Firewall CLI Configuration Guide 7-39...
  • Page 186 For unknown commands, the ASA changes all the characters in the packet to X. In this case, the • server generates an error code to the client. Because of the change in the packet, the TCP checksum has to be recalculated or adjusted. TCP stream editing. • Cisco ASA Series Firewall CLI Configuration Guide 7-40...
  • Page 187 998 match header line length gt 998 drop-connection log match sender-address length gt 320 drop-connection log match MIME filename length gt 255 drop-connection log match ehlo-reply-parameter others mask Cisco ASA Series Firewall CLI Configuration Guide 7-41...
  • Page 188 [not] ehlo-reply-parameter parameter [parameter2...]—Matches ESMTP EHLO reply • parameters. You can specify one or more of the following parameters: 8bitmime, auth, binaryname, checkpoint, dsn, etrn, others, pipelining, size, vrfy. Cisco ASA Series Firewall CLI Configuration Guide 7-42...
  • Page 189 {drop-connection [log] | log}—Identifies a domain name for • mail relay. You can either drop the connection and optionally log it, or log it. mask-banner—Masks the banner from the ESMTP server. • Cisco ASA Series Firewall CLI Configuration Guide 7-43...
  • Page 190 For information on matching statements, see Identify Traffic (Layer 3/4 Class Maps), page 1-13. Add or edit a policy map that sets the actions to take with the class map traffic. Step 2 policy-map name Cisco ASA Series Firewall CLI Configuration Guide 7-44...
  • Page 191 You can only apply one policy map to each interface. TFTP Inspection TFTP inspection is enabled by default. TFTP, described in RFC 1350, is a simple protocol to read and write files between a TFTP server and client. Cisco ASA Series Firewall CLI Configuration Guide 7-45...
  • Page 192 TFTP inspection must be enabled if static PAT is used to redirect TFTP traffic. For information on enabling TFTP inspection, see Configure Application Layer Protocol Inspection, page 6-9. Cisco ASA Series Firewall CLI Configuration Guide 7-46...
  • Page 193 SoftPhone and other Cisco TAPI/JTAPI applications to work successfully with Cisco CallManager for call setup across the ASA. TAPI and JTAPI are used by many Cisco VoIP applications. CTIQBE is used by Cisco TSP to communicate with Cisco CallManager. For information on enabling CTIQBE inspection, see...
  • Page 194 Cisco TSP configuration on the PC. • When using PAT or Outside PAT, if the Cisco CallManager IP address is to be translated, its TCP port 2748 must be statically mapped to the same port of the PAT (interface) address for Cisco IP SoftPhone registrations to succeed.
  • Page 195 • H.323 Inspection Overview H.323 inspection provides support for H.323 compliant applications such as Cisco CallManager and VocalTec Gatekeeper. H.323 is a suite of protocols defined by the International Telecommunication Union for multimedia conferences over LANs. The ASA supports H.323 through Version 6, including H.323 v3 feature Multiple Calls on One Call Signaling Channel.
  • Page 196 TCP packet as H.225 and H.245 messages, the ASA must remember the TPKT length to process and decode the messages properly. For each connection, the ASA keeps a record that contains the TPKT length for the next expected message. Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 197 ASN.1 coder. Limitations for H.323 Inspection H.323 inspection is tested and supported for Cisco Unified Communications Manager (CUCM) 7.0. It is not supported for CUCM 8.0 and higher. H.323 inspection might work with other releases and products.
  • Page 198 “example.com,” then any traffic that includes “example.com” does not match the class map. For the traffic that you identify in this class map, you specify actions to take on the traffic in the inspection policy map. Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 199 Specify the action you want to perform on the matching traffic by entering the following command: hostname(config-pmap-c)# {drop [log] | drop-connection | reset} The drop keyword drops the packet. For media type matches, you can include the log keyword to send a system log message. Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 200 ASA. You can add a maximum of ten endpoints per HSI group. Example The following example shows how to configure phone number filtering: hostname(config)# regex caller 1 “5551234567” hostname(config)# regex caller 2 “5552345678” Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 201 To edit the default policy, or to use the special inspection_default class map in a new policy, specify inspection_default for the name. Otherwise, you are specifying the class you created earlier in this procedure. Configure H.323 inspection. Step 4 inspect h323 {h255 | ras} [h323_policy_map] Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 202 Verifying and Monitoring H.323 Inspection The following sections describe how to display information about H.323 sessions. • Monitoring H.225 Sessions, page 8-11 • Monitoring H.245 Sessions, page 8-11 Monitoring H.323 RAS Sessions, page 8-12 • Cisco ASA Series Firewall CLI Configuration Guide 8-10...
  • Page 203 4-byte header. The foreign host endpoint is 172.30.254.203, and we are expecting the next packet from this endpoint to have a TPKT header because the TPKT value is 0. Cisco ASA Series Firewall CLI Configuration Guide 8-11...
  • Page 204 Examples of residential gateways include cable modem/cable set-top boxes, xDSL devices, broad-band wireless devices. • Business gateways, that provide a traditional digital PBX interface or an integrated soft PBX interface to a Voice over IP network. Cisco ASA Series Firewall CLI Configuration Guide 8-12...
  • Page 205 A common and recommended practice is to send RTP data from a resilient IP address, such as a loopback or virtual IP address; however, the ASA requires the RTP data to come from the same address as MGCP signaling. Cisco ASA Series Firewall CLI Configuration Guide 8-13...
  • Page 206 The IP address of the gateway is specified with the ip_address option. The group_id option is a number from 0 to 4294967295 that must correspond with the group_id of the call agents that are managing the gateway. A gateway may only belong to one group. Cisco ASA Series Firewall CLI Configuration Guide 8-14...
  • Page 207 In the default configuration, the global_policy policy map is assigned globally to all interfaces. If you want to edit the global_policy, enter global_policy as the policy name. Identify the L3/L4 class map you are using for MGCP inspection. Step 3 class name Example: Cisco ASA Series Firewall CLI Configuration Guide 8-15...
  • Page 208 The timeout mgcp-pat command lets you set the timeout for PAT xlates. Because MGCP does not have a keepalive mechanism, if you use non-Cisco MGCP gateways (call agents), the PAT xlates are torn down after the default timeout interval, which is 30 seconds.
  • Page 209 The following sections describe RTSP application inspection. RTSP Inspection Overview, page 8-18 • RealPlayer Configuration Requirements, page 8-18 • • Limitations for RSTP Inspection, page 8-18 • Configure RTSP Inspection, page 8-19 Cisco ASA Series Firewall CLI Configuration Guide 8-17...
  • Page 210 SDP files as part of HTTP or RTSP messages. Packets could be fragmented and the ASA cannot perform NAT on fragmented packets. With Cisco IP/TV, the number of translates the ASA performs on the SDP part of the message is •...
  • Page 211 Inspection for Voice and Video Protocols RTSP Inspection You can configure NAT for Apple QuickTime 4 or RealPlayer. Cisco IP/TV only works with NAT • if the Viewer and Content Manager are on the outside network and the server is on the inside network.
  • Page 212 Defining Actions in an Inspection Policy Map, page 2-4. Step 5 To configure parameters that affect the inspection engine, perform the following steps: To enter parameters configuration mode, enter the following command: hostname(config-pmap)# parameters hostname(config-pmap-p)# Cisco ASA Series Firewall CLI Configuration Guide 8-20...
  • Page 213 (match default-inspection-traffic). If you are using this class map in either the default policy or for a new service policy, you can skip this step. For information on matching statements, see Identify Traffic (Layer 3/4 Class Maps), page 1-13. Cisco ASA Series Firewall CLI Configuration Guide 8-21...
  • Page 214 Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface. Cisco ASA Series Firewall CLI Configuration Guide 8-22...
  • Page 215 SIP Request URI that the ASA supports is 255. Limitations for SIP Inspection SIP inspection is tested and supported for Cisco Unified Communications Manager (CUCM) 7.0, 8.0, 8.6, and 10.5. It is not supported for CUCM 8.5, or 9.x. SIP inspection might work with other releases and products.
  • Page 216 The SIP inspection engine opens signaling connection pinholes, and marks these connections as SIP connections. This is done for the messages to reach the SIP application and be translated. Cisco ASA Series Firewall CLI Configuration Guide 8-24...
  • Page 217 Configure the SIP Inspection Service Policy, page 8-29 Configure SIP Inspection Policy Map You can create a SIP inspection policy map to customize SIP inspection actions if the default inspection behavior is not sufficient for your network. Cisco ASA Series Firewall CLI Configuration Guide 8-25...
  • Page 218 0 to 65536. match [not] content type {sdp | regex {regex_name | class class_name}—Matches the content • type as SDP or against the specified regular expression or regular expression class. Cisco ASA Series Firewall CLI Configuration Guide 8-26...
  • Page 219 You can specify multiple class or match commands in the policy map. For information about the order of class and match commands, see Defining Actions in an Inspection Policy Map, page 2-4. Cisco ASA Series Firewall CLI Configuration Guide 8-27...
  • Page 220 • trust-verification-server ip ip_address—Identifies Trust Verification Services servers, which enable Cisco Unified IP Phones to authenticate application servers during HTTPS establishment. You can enter the command up to four times to identify four servers. SIP inspection opens pinholes to each server for each registered phone, and the phone decides which to use.
  • Page 221 In the default configuration, the global_policy policy map is assigned globally to all interfaces. If you want to edit the global_policy, enter global_policy as the policy name. Identify the L3/L4 class map you are using for SIP inspection. Step 3 class name Example: hostname(config-pmap)# class inspection_default Cisco ASA Series Firewall CLI Configuration Guide 8-29...
  • Page 222 This command configures the idle timeout after which a SIP control connection is closed. To configure the timeout for the SIP media connection, enter the following command: hostname(config)# timeout sip_media hh:mm:ss This command configures the idle timeout after which a SIP media connection is closed. Cisco ASA Series Firewall CLI Configuration Guide 8-30...
  • Page 223 The ASA also supports DHCP options 150 and 66, which it accomplishes by sending the location of a TFTP server to Cisco IP Phones and other DHCP clients. Cisco IP Phones might also include DHCP option 3 in their requests, which sets the default route.
  • Page 224 Cisco CallManager server. When the Cisco IP Phones are on a lower security interface compared to the TFTP server, you must use an ACL to connect to the protected TFTP server on UDP port 69. While you do need a static entry for the TFTP server, this does not have to be an identity static entry.
  • Page 225 Example: hostname(config-pmap)# match message-id 0x181 hostname(config-pmap)# match message-id range 0x200 0xffff Cisco ASA Series Firewall CLI Configuration Guide 8-33...
  • Page 226 The default ASA configuration includes SCCP inspection on the default port applied globally on all interfaces. A common method for customizing the inspection configuration is to customize the default global policy. You can alternatively create a new service policy as desired, for example, an interface-specific policy. Cisco ASA Series Firewall CLI Configuration Guide 8-34...
  • Page 227 If you are editing the default global policy (or any in-use policy) to use a different SCCP Note inspection policy map, you must remove the SCCP inspection with the no inspect skinny command, and then re-add it with the new SCCP inspection policy map name. Cisco ASA Series Firewall CLI Configuration Guide 8-35...
  • Page 228 There are two active Skinny sessions set up across the ASA. The first one is established between an internal Cisco IP Phone at local address 10.0.0.11 and an external Cisco CallManager at 172.18.1.33. TCP port 2000 is the CallManager.
  • Page 229 You can now configure Trust Verification Services servers NAT66, CUCM 10.5, and model 8831 phones. in SIP inspection. You can also use NAT66. SIP inspection has been tested with CUCM 10.5. We added the trust-verification-server parameter command. Cisco ASA Series Firewall CLI Configuration Guide 8-37...
  • Page 230 Chapter 8 Inspection for Voice and Video Protocols History for Voice and Video Protocol Inspection Cisco ASA Series Firewall CLI Configuration Guide 8-38...
  • Page 231 During connection negotiation time, a BIND PDU is sent from the client to the server. Once a successful BIND RESPONSE from the server is received, other operational messages may be exchanged (such as ADD, DEL, SEARCH, or MODIFY) to perform operations on the ILS Directory. The ADD REQUEST Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 232 (ADDRESS=(PROTOCOL=tcp)(DEV=6)(HOST=a.b.c.d)(PORT=a)) SQL*Net Version 2 TNSFrame types (Connect, Accept, Refuse, Resend, and Marker) will not be scanned for addresses to NAT nor will inspection open dynamic connections for any embedded ports in the packet. Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 233 Dynamic ACLs are always added on the ingress direction and not on egress; therefore, this inspection engine does not support outbound ACLs. To view the dynamic ACLs configured for the ASA, use the show asp table classify domain permit command. Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 234 To display the information about the Sun RPC service table configuration, enter the show running-config sunrpc-server command. The following is sample output from the show running-config sunrpc-server command: hostname(config)# show running-config sunrpc-server Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 235 In this output, port 647 corresponds to the mountd daemon running over UDP. The mountd process would more commonly be using port 32780. The mountd process running over TCP uses port 650 in this example. Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 236 Chapter 9 Inspection of Database and Directory Protocols Sun RPC Inspection Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 237 The security appliance allows the appropriate port number and network address and also applies NAT, if needed, for the secondary connection. Cisco ASA Series Firewall CLI Configuration Guide 10-1...
  • Page 238 (Optional) To add a description to the policy map, enter the following command: Step 2 hostname(config-pmap)# description string To configure parameters that affect the inspection engine, perform the following steps: Step 3 To enter parameters configuration mode, enter the following command: hostname(config-pmap)# parameters hostname(config-pmap-p)# Cisco ASA Series Firewall CLI Configuration Guide 10-2...
  • Page 239 For information on matching statements, see Identify Traffic (Layer 3/4 Class Maps), page 1-13. Add or edit a policy map that sets the actions to take with the class map traffic. Step 2 policy-map name Cisco ASA Series Firewall CLI Configuration Guide 10-3...
  • Page 240 You can only apply one policy map to each interface. GTP Inspection The following sections describe the GTP inspection engine. GTP inspection requires a special license. Note Cisco ASA Series Firewall CLI Configuration Guide 10-4...
  • Page 241 GTP data connection (with a “j” flag set) is not replicated to the standby unit. This occurs because the active unit does not replicate embryonic connections to the standby unit. Cisco ASA Series Firewall CLI Configuration Guide 10-5...
  • Page 242 Some traffic matching options use regular expressions for matching purposes. If you intend to use one of those techniques, first create the regular expression or regular expression class map. Procedure Create a GTP inspection policy map: Step 1 hostname(config)# policy-map type inspect gtp policy_map_name hostname(config-pmap)# Cisco ASA Series Firewall CLI Configuration Guide 10-6...
  • Page 243 GTP tunnels allowed to be active on • the ASA. The default is 500. New requests will be dropped once the number of tunnels specified by this command is reached. Cisco ASA Series Firewall CLI Configuration Guide 10-7...
  • Page 244 GTP inspection map to permit responses from the GSN pool to the SGSN. hostname(config)# object-group network gsnpool32 hostname(config-network)# network-object 192.168.100.0 255.255.255.0 hostname(config)# object-group network sgsn32 hostname(config-network)# network-object host 192.168.50.100 Cisco ASA Series Firewall CLI Configuration Guide 10-8...
  • Page 245 In the default configuration, the global_policy policy map is assigned globally to all interfaces. If you want to edit the global_policy, enter global_policy as the policy name. Step 3 Identify the L3/L4 class map you are using for GTP inspection. class name Cisco ASA Series Firewall CLI Configuration Guide 10-9...
  • Page 246 The following is sample output from the show service-policy inspect gtp statistics command: hostname# show service-policy inspect gtp statistics GPRS GTP Statistics: version_not_support msg_too_short unknown_msg unexpected_sig_msg unexpected_data_msg ie_duplicated mandatory_ie_missing mandatory_ie_incorrect optional_ie_incorrect ie_unknown ie_out_of_order ie_unexpected total_forwarded total_dropped signalling_msg_dropped data_msg_dropped Cisco ASA Series Firewall CLI Configuration Guide 10-10...
  • Page 247 MS user. RADIUS Accounting Inspection The following sections describe the RADIUS Accounting inspection engine. • RADIUS Accounting Inspection Overview, page 10-12 • Configure RADIUS Accounting Inspection, page 10-12 Cisco ASA Series Firewall CLI Configuration Guide 10-11...
  • Page 248 Configure the RADIUS Accounting Inspection Service Policy, page 10-14. Step 2 Configure a RADIUS Accounting Inspection Policy Map You must create a RADIUS accounting inspection policy map to configure the attributes needed for the inspection. Cisco ASA Series Firewall CLI Configuration Guide 10-12...
  • Page 249 00:00:00. The default is one hour. Example policy-map type inspect radius-accounting radius-acct-pmap parameters send response enable gprs validate-attribute 31 host 10.2.2.2 key 123456789 host 10.1.1.1 key 12345 class-map type management radius-class Cisco ASA Series Firewall CLI Configuration Guide 10-13...
  • Page 250 Where radius_accounting_policy_map is the RADIUS accounting inspection policy map you created in Configure a RADIUS Accounting Inspection Policy Map, page 10-12. Example: hostname(config-class)# no inspect radius-accounting hostname(config-class)# inspect radius-accounting radius-class-map Cisco ASA Series Firewall CLI Configuration Guide 10-14...
  • Page 251 Use the snmp-map map_name command to create the map and enter SNMP map configuration mode, then the deny version version command to identify the versions to disallow. The version can be 1, 2, 2c, or 3. Cisco ASA Series Firewall CLI Configuration Guide 10-15...
  • Page 252 If you are editing the default global policy (or any in-use policy) to use a different inspection Note policy map, you must remove the SNMP inspection with the no inspect snmp command, and then re-add it with the new inspection policy map name. Cisco ASA Series Firewall CLI Configuration Guide 10-16...
  • Page 253 When XDMCP is used, the display is negotiated using IP addresses, which the ASA can NAT if needed. XDCMP inspection does not support PAT. For information on enabling XDMCP inspection, see Configure Application Layer Protocol Inspection, page 6-9. Cisco ASA Series Firewall CLI Configuration Guide 10-17...
  • Page 254 Chapter 10 Inspection for Management Application Protocols XDMCP Inspection Cisco ASA Series Firewall CLI Configuration Guide 10-18...
  • Page 255 A R T Connection Settings and Quality of Service...
  • Page 257 Whenever idle times are exceeded, DCD probes both sides of the connection to see if both sides agree the connection is valid. The show service-policy command includes counters to show the amount of activity from DCD. Cisco ASA Series Firewall CLI Configuration Guide 11-1...
  • Page 258 You also use these rules to customize TCP Normalizer, change TCP sequence randomization, decrement time-to-live on packets, and implement TCP Intercept, Dead Connection Detection, or TCP State Bypass. Cisco ASA Series Firewall CLI Configuration Guide 11-2...
  • Page 259 1 minute. The default is 2 minutes. The SIP media timer is used used for SIP RTP/RTCP with SIP UDP media packets, instead of the UDP inactivity timeout. Cisco ASA Series Firewall CLI Configuration Guide 11-3...
  • Page 260 Wikipedia for details on SYN cookies). When the ASA receives an ACK back from the client, it can then authenticate that the client is real and allow the connection to the server. The component that performs the proxy is called TCP Intercept. Cisco ASA Series Firewall CLI Configuration Guide 11-4...
  • Page 261 Set the embryonic connection limits. Step 3 set connection embryonic-conn-max n—The maximum number of simultaneous embryonic • connections allowed, between 0 and 2000000. The default is 0, which allows unlimited connections. Cisco ASA Series Firewall CLI Configuration Guide 11-5...
  • Page 262 <Rank> <Server IP:Port> <Interface> <Ave Rate> <Cur Rate> <Total> <Source IP (Last Attack Time)> ---------------------------------------------------------------------------------- 10.1.1.5:80 inside 1249 9503 2249245 <various> Last: 10.0.0.3 (0 secs ago) 10.1.1.6:80 inside 10 10 6080 10.0.0.200 (0 secs ago) Cisco ASA Series Firewall CLI Configuration Guide 11-6...
  • Page 263 TCP packet sending out, it is an invalid ACK. – Whenever the ACK number of a received TCP packet is greater than the sequence number of the next TCP packet sending out, it is an invalid ACK. Cisco ASA Series Firewall CLI Configuration Guide 11-7...
  • Page 264 {allow | clear}—Set the action for packets with the URG flag. You can allow the • packet, or clear the flag and allow the packet. The default is to clear the flag. Cisco ASA Series Firewall CLI Configuration Guide 11-8...
  • Page 265 For example, to allow urgent flag and urgent offset packets for all traffic sent to the range of TCP ports between the well known FTP data port and the Telnet port, enter the following commands: hostname(config)# tcp-map tmap hostname(config-tcp-map)# urgent-flag allow hostname(config-tcp-map)# class-map urg-class hostname(config-cmap)# match port tcp range ftp-data telnet Cisco ASA Series Firewall CLI Configuration Guide 11-9...
  • Page 266 ASA 1, then the packets will match the entry in the fast path, and are passed through. But if subsequent packets go to ASA 2, where there was not a SYN packet that went through Cisco ASA Series Firewall CLI Configuration Guide 11-10...
  • Page 267 TCP normalization—The TCP normalizer is disabled. • Service module functionality—You cannot use TCP state bypass and any application running on an • any type of service module, such as IPS or CX. Stateful failover • Cisco ASA Series Firewall CLI Configuration Guide 11-11...
  • Page 268 Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface. Cisco ASA Series Firewall CLI Configuration Guide 11-12...
  • Page 269 Add or edit a policy map that sets the actions to take with the class map traffic, and identify the class Step 2 map. policy-map name class name Example: hostname(config)# policy-map global_policy hostname(config-pmap)# class preserve-sq-no Cisco ASA Series Firewall CLI Configuration Guide 11-13...
  • Page 270 However, you can enter the commands on one line, and if you enter them separately, they are shown in the configuration as one command. Cisco ASA Series Firewall CLI Configuration Guide 11-14...
  • Page 271 {enable | disable}—Whether to enable or disable TCP sequence number randomization. Randomization is enabled by default. Example: hostname(config-pmap-c)# set connection conn-max 256 random-sequence-number disable Step 4 Set connection timeouts and Dead Connection Detection (DCD). Cisco ASA Series Firewall CLI Configuration Guide 11-15...
  • Page 272 50 burst-size 6 Customize TCP Normalizer behavior by applying a TCP map. Step 6 set connection advanced-options tcp-map-name Example: hostname(config-pmap-c)# set connection advanced-options tcp_map1 Implement TCP State Bypass. Step 7 set connection advanced-options tcp-state-bypass Cisco ASA Series Firewall CLI Configuration Guide 11-16...
  • Page 273 The detail keyword shows history sampling data. The ASA samples the number of attacks 30 times during the rate interval, so for the default 30 minute period, statistics are collected every 60 seconds. Cisco ASA Series Firewall CLI Configuration Guide 11-17...
  • Page 274 30 seconds timeout and connection timeout was lowered from 5 minutes to 30 seconds to provide better DoS protection. We modified the following commands: set connection timeout half-closed, timeout half-closed. Cisco ASA Series Firewall CLI Configuration Guide 11-18...
  • Page 275 This section describes the QoS features available on the ASA. Supported QoS Features, page 12-2 • What is a Token Bucket?, page 12-2 • Policing, page 12-2 • Priority Queuing, page 12-3 • DSCP (DiffServ) Preservation, page 12-3 • Cisco ASA Series Firewall CLI Configuration Guide 12-1...
  • Page 276 When traffic exceeds the maximum rate, the ASA drops the excess traffic. Policing also sets the largest single burst of traffic allowed. Cisco ASA Series Firewall CLI Configuration Guide 12-2...
  • Page 277 Supported in routed firewall mode only. Does not support transparent firewall mode. IPv6 Guidelines Does not support IPv6. Model Guidelines (ASA 5512-X through ASA 5555-X) Priority queuing is not supported on the Management 0/0 • interface. (ASASM) Only policing is supported. • Cisco ASA Series Firewall CLI Configuration Guide 12-3...
  • Page 278 VPN, you might use 160 bytes. We recommend 256 bytes if you do not know what size to use. Delay—The delay depends on your application. For example, the recommended maximum delay for • VoIP is 200 ms. We recommend 500 ms if you do not know what delay to use. Cisco ASA Series Firewall CLI Configuration Guide 12-4...
  • Page 279 (Mbps or Kbps) Kbps 0.125 __________ # of bytes/ms ÷ ___________ __________ __________ __________ # of bytes/ms Maximum packet Delay (ms) TX ring limit from Step 1 size (bytes) (# of packets) Cisco ASA Series Firewall CLI Configuration Guide 12-5...
  • Page 280 The upper limit of the range of values for the tx-ring-limit command is determined dynamically at run time. To view this limit, enter tx-ring-limit ? on the command line. The key determinants are the memory needed to support the queues and the memory available on the device. Cisco ASA Series Firewall CLI Configuration Guide 12-6...
  • Page 281 Identify Traffic (Layer 3/4 Class Maps), page 1-13 for more information. Create a class map to identify the traffic for which you want to perform policing. Step 3 Cisco ASA Series Firewall CLI Configuration Guide 12-7...
  • Page 282 56000 10500 The options are: conform-burst argument—Specifies the maximum number of instantaneous bytes allowed in a • sustained burst before throttling to the conforming rate value, between 1000 and 512000000 bytes. Cisco ASA Series Firewall CLI Configuration Guide 12-8...
  • Page 283 499 packets, 625146 bytes; actions: drop conformed 5600 bps, exceed 5016 bps Class-map: cmap2 police Interface outside: cir 200000 bps, bc 37500 bytes conformed 17179 packets, 20614800 bytes; actions: transmit exceeded 617 packets, 770718 bytes; actions: drop Cisco ASA Series Firewall CLI Configuration Guide 12-9...
  • Page 284 “Packets Enqueued” denotes the overall number of packets that have been queued in this queue. • “Current Q Length” denotes the current depth of this queue. • “Max Q Length” denotes the maximum depth that ever occurred in this queue. • Cisco ASA Series Firewall CLI Configuration Guide 12-10...
  • Page 285 LAN-to-LAN connection polices the tunnel. In this example, the “host-specific” traffic is rate-limited before the tunnel, then the tunnel is rate-limited: hostname(config)# access-list host-over-l2l extended permit ip any host 192.168.10.10 hostname(config)# class-map host-specific hostname(config-cmap)# match access-list host-over-l2l Cisco ASA Series Firewall CLI Configuration Guide 12-11...
  • Page 286 56000 10500 hostname(config-pmap-c)# class TG1-voice hostname(config-pmap-c)# priority hostname(config-pmap-c)# class TG1-best-effort hostname(config-pmap-c)# police output 200000 37500 hostname(config-pmap-c)# class class-default hostname(config-pmap-c)# police output 1000000 37500 hostname(config-pmap-c)# service-policy qos global Cisco ASA Series Firewall CLI Configuration Guide 12-12...
  • Page 287 Ten Gigabit Ethernet support for a standard 8.2(3)/8.4(1) We added support for a standard priority queue on Ten priority queue on the ASA 5585-X Gigabit Ethernet interfaces for the ASA 5585-X. Cisco ASA Series Firewall CLI Configuration Guide 12-13...
  • Page 288 Chapter 12 Quality of Service History for QoS Cisco ASA Series Firewall CLI Configuration Guide 12-14...
  • Page 289 What You Can Test Using Ping When you ping a device, a packet is sent to the device and the device returns a reply. This process enables network devices to discover, identify, and test each other. Cisco ASA Series Firewall CLI Configuration Guide 13-1...
  • Page 290 ICMP rules, all ICMP access is allowed. In this case, no action is required. However, if you do implement ICMP rules, ensure that you include at least the following on each interface, replacing “inside” with the name of an interface on your device. Cisco ASA Series Firewall CLI Configuration Guide 13-2...
  • Page 291 Sending 5, 100-byte ICMP Echos to 10.132.80.101, timeout is 2 seconds: ????? Success rate is 0 percent (0/5) However, you can also add parameters to control some aspects of the ping. Following are your basic options: Cisco ASA Series Firewall CLI Configuration Guide 13-3...
  • Page 292 Telnet or SSH sessions and sends them to those sessions, and enables logging. Instead of logging monitor debug, you can alternately use the logging buffer debug command to send log messages to a buffer, and then view them later using the show logging command. Cisco ASA Series Firewall CLI Configuration Guide 13-4...
  • Page 293 Step 1 levels, and IP addresses. The diagram should also include any directly connected routers and a host on the other side of the router from which you will ping the ASA. Cisco ASA Series Firewall CLI Configuration Guide 13-5...
  • Page 294 Ping Failure at the ASA Interface Ping Router Host If the ping reply does not return to the router, then a switch loop or redundant IP addresses might exist (see the following figure). Cisco ASA Series Firewall CLI Configuration Guide 13-6...
  • Page 295 NAT failed (305005 or 305006). If the ping is from an outside host to an inside host, and you do not have a static translation, you get message 106010. Figure 13-5 Ping Failure Because the ASA is Not Translating Addresses Ping Security Router Router Host Host Appliance Cisco ASA Series Firewall CLI Configuration Guide 13-7...
  • Page 296 If you are editing an existing service policy (such as the default global policy called global_policy), you Step 4 can skip this step. Otherwise, activate the policy map on one or more interfaces. service-policy policymap_name {global | interface interface_name} Example: hostname(config)# service-policy global_policy global Cisco ASA Series Firewall CLI Configuration Guide 13-8...
  • Page 297 No response was received for the probe within the timeout period. nn msec For each node, the round-trip time (in milliseconds) for the specified number of probes. ICMP network unreachable. ICMP host unreachable. ICMP unreachable. ICMP administratively prohibited. Unknown ICMP error. Cisco ASA Series Firewall CLI Configuration Guide 13-9...
  • Page 298 Besides verifying your configuration, you can use the tracer to debug unexpected behavior, such as packets being denied when they should be allowed. Cisco ASA Series Firewall CLI Configuration Guide 13-10...
  • Page 299 Trustsec. You can specify a security group name or a tag number. • fqdn fqdn-string—The fully qualified domain name of the destination host, IPv4 only. • dport—The destination port for TCP/UDP traces. Do not include this value for ICMP or raw IP traces. Cisco ASA Series Firewall CLI Configuration Guide 13-11...
  • Page 300 Shows free and used memory. show blocks • Shows memory block information based on block size. show cpu • Shows CPU utilization. show process • Shows system process information. Following are some useful variants: Cisco ASA Series Firewall CLI Configuration Guide 13-12...
  • Page 301 Monitoring Connections To view current connections with information about source, destination, protocol, and so forth, use the show conn all detail command. Cisco ASA Series Firewall CLI Configuration Guide 13-13...
  • Page 302 Chapter 13 Troubleshooting Connections and Resources Monitoring Connections Cisco ASA Series Firewall CLI Configuration Guide 13-14...
  • Page 303 A R T Advanced Network Protection...
  • Page 305 HTTPS traffic to the Cloud Web Security proxy servers based on service policy rules. The Cloud Web Security proxy servers then scan the content and allow, block, or send a warning about the traffic based on the policy configured in Cisco ScanCenter to enforce acceptable use and to protect users from malware.
  • Page 306 In ScanCenter, traffic is matched against policy rules in order until a rule is matched. Cloud Web Security then applies the configured action for the rule, allowing or blocking the traffic, or warning the user. With warnings, the user has the option to continue on to the web site. Cisco ASA Series Firewall CLI Configuration Guide 14-2...
  • Page 307 ASA modifies the name to use only one backslash (\) to conform to typical ScanCenter notation. For example, if you specify “Cisco\\Boulder1,” the ASA modifies the group name to be “Cisco\Boulder1” with only one backslash (\) when sending the group name to Cloud Web Security.
  • Page 308 Many combinations of keys, groups, and policy rules are possible. Failover from Primary to Backup Proxy Server When you subscribe to the Cisco Cloud Web Security service, you are assigned a primary Cloud Web Security proxy server and backup proxy server.
  • Page 309 ASA and Cisco Cloud Web Security Guidelines for Cloud Web Security On the Cloud Web Security side, you must purchase a Cisco Cloud Web Security license and identify the number of users that the ASA handles. Then log into ScanCenter and generate your authentication keys.
  • Page 310 Security proxy servers do not become unreachable in the Active/Active failover scenario. Procedure Step 1 Enter ScanSafe general-options configuration mode. In multiple context mode, do this in the system context. scansafe general-options Example Cisco ASA Series Firewall CLI Configuration Guide 14-6...
  • Page 311 192.168.43.10 hostname(cfg-scansafe)# server backup fqdn server.example.com When you subscribe to the Cisco Cloud Web Security service, you are assigned primary and backup Cloud Web Security proxy servers. Enter their IP addresses (ip), or fully-qualified domain names (fqdn), on these commands.
  • Page 312 Example hostname(config)# class-map type inspect scansafe match-any whitelist1 Specify the whitelisted users and groups. Step 2 match [not] {[user username] [group groupname]} Cisco ASA Series Firewall CLI Configuration Guide 14-8...
  • Page 313 The match not keyword specifies that the user or group should be filtered using Cloud Web Security. For example, if you whitelist the group “cisco,” but you want to scan traffic from users “johncrichton” and “aerynsun,” which are members of that group, you can specify match not for those users. Repeat this command to add as many users and groups as needed.
  • Page 314 FQDN network objects might be useful in exempting traffic to specific servers. You can also use identity firewall user arguments and Cisco Trustsec security groups to help identify traffic. Note that Trustsec security group information is not sent to Cloud Web Security; you cannot define policy based on security group.
  • Page 315 If you are editing the default global policy (or any in-use policy) to use a different ScanSafe Note inspection policy map, you must remove the ScanSafe inspection with the no inspect scansafe command, and then re-add it with the new inspection policy map name. Cisco ASA Series Firewall CLI Configuration Guide 14-11...
  • Page 316 The following example configures two classes: one for HTTP and one for HTTPS. Each ACL exempts traffic to www.cisco.com and to tools.cisco.com, and to the DMZ network, for both HTTP and HTTPS. All other traffic is sent to Cloud Web Security, except for traffic from several whitelisted users and groups.
  • Page 317 CISCO\\Engineering Where: user-group—Specifies a group name defined in the AD server. • object-group-user—The name of a local object created by the object-group user command. This • group can include multiple groups. Cisco ASA Series Firewall CLI Configuration Guide 14-13...
  • Page 318 After you configure the ASA service policy rules, launch the ScanCenter Portal to configure Web content scanning, filtering, malware protection services, and reports. Go to: https://scancenter.scansafe.com/portal/admin/login.jsp. For more information, see the Cisco ScanSafe Cloud Web Security Configuration Guides: http://www.cisco.com/en/US/products/ps11720/products_installation_and_configuration_guides_list.h Monitoring Cloud Web Security...
  • Page 319 Active Directory Integration Example for Identity Firewall, page 14-17 Cloud Web Security Example with Identity Firewall The following example shows a complete configuration for Cisco Cloud Web Security in single context mode, including the optional configuration for identity firewall. Configure Cloud Web Security on the ASA.
  • Page 320 Cisco ASA Series Firewall CLI Configuration Guide 14-16...
  • Page 321 Running the last command should show the status as “UP.” For the AD_Agent to monitor logon/logoff events, you need to ensure that these are logged on all DCs that are actively being monitored. To do this, choose: Cisco ASA Series Firewall CLI Configuration Guide 14-17...
  • Page 322 The following example shows how to manually start the download of the database from the Active Directory Agent if you think the user database is out of sync with Active Directory: hostname(config)# user-identity update active-user-database Cisco ASA Series Firewall CLI Configuration Guide 14-18...
  • Page 323 Cloud Web Security 9.0(1) This feature was introduced. Cisco Cloud Web Security provides content scanning and other malware protection service for web traffic. It can also redirect and report about web traffic based on user identity. We introduced or modified the following commands:...
  • Page 324 Chapter 14 ASA and Cisco Cloud Web Security History for Cisco Cloud Web Security Cisco ASA Series Firewall CLI Configuration Guide 14-20...
  • Page 325 ACL statistics are enabled by default. • Scanning threat detection, which determines when a host is performing a scan. You can optionally shun any hosts determined to be a scanning threat. Cisco ASA Series Firewall CLI Configuration Guide 15-1...
  • Page 326 The threat-detection statistics host command affects performance in a significant way; if you have a high traffic load, you might consider enabling this type of statistics temporarily. The threat-detection statistics port command, however, has modest impact. Cisco ASA Series Firewall CLI Configuration Guide 15-2...
  • Page 327 Traffic that is denied by an ACL does not trigger scanning threat detection; only traffic that is • allowed through the ASA and that creates a flow is affected by scanning threat detection. Cisco ASA Series Firewall CLI Configuration Guide 15-3...
  • Page 328 Basic threat detection statistics are enabled by default, and might be the only threat detection service that you need. Use the following procedure if you want to implement additional threat detection services. Cisco ASA Series Firewall CLI Configuration Guide 15-4...
  • Page 329 You can configure up to three different rate intervals for each event type. Configure Advanced Threat Detection Statistics You can configure the ASA to collect extensive statistics. By default, statistics for ACLs are enabled. To enable other statistics, perform the following steps. Cisco ASA Series Firewall CLI Configuration Guide 15-5...
  • Page 330 Protect Servers from a SYN Flood DoS Attack (TCP Intercept), page 11-4). threat-detection statistics tcp-intercept [rate-interval minutes] [burst-rate attacks_per_sec] [average-rate attacks_per_sec] Example: hostname(config)# threat-detection statistics tcp-intercept rate-interval 60 burst-rate 800 average-rate 600 Cisco ASA Series Firewall CLI Configuration Guide 15-6...
  • Page 331 Step 3 threat-detection rate scanning-threat rate-interval rate_interval average-rate av_rate burst-rate burst_rate Example: hostname(config)# threat-detection rate scanning-threat rate-interval 1200 average-rate 10 burst-rate 20 hostname(config)# threat-detection rate scanning-threat rate-interval 2400 average-rate 10 burst-rate 20 Cisco ASA Series Firewall CLI Configuration Guide 15-7...
  • Page 332 You can clear statistics using the clear threat-detection rate command. The following is sample output from the show threat-detection rate command: hostname# show threat-detection rate Average(eps) Current(eps) Trigger Total events 10-min ACL drop: Cisco ASA Series Firewall CLI Configuration Guide 15-8...
  • Page 333 [rate-1 | rate-2 | rate-3] | tcp-intercept [all] detail]] statistics that exceed the minimum display rate in events per second. You can set the min_display_rate between 0 and 2147483647. Following rows explain optional keywords. Cisco ASA Series Firewall CLI Configuration Guide 15-9...
  • Page 334 The following is sample output from the show threat-detection statistics host command: hostname# show threat-detection statistics host Average(eps) Current(eps) Trigger Total events Host:10.0.0.1: tot-ses:289235 act-ses:22571 fw-drop:0 insp-drop:0 null-ses:21438 bad-acc:0 1-hour Sent byte: 2938 10580308 Cisco ASA Series Firewall CLI Configuration Guide 15-10...
  • Page 335 HOST_PORT_CLOSE. Any client accessing the port of the host is immediately classified as a bad access without the need to wait for a timeout. Cisco ASA Series Firewall CLI Configuration Guide 15-11...
  • Page 336 Monitoring Shunned Hosts, Attackers, and Targets To monitor and manage shunned hosts and attackers and targets, use the following commands: show threat-detection shun • Displays the hosts that are currently shunned. For example: Cisco ASA Series Firewall CLI Configuration Guide 15-12...
  • Page 337 60 burst-rate 800 average-rate 600 threat-detection scanning-threat shun except ip-address 10.1.1.0 255.255.255.0 threat-detection rate scanning-threat rate-interval 1200 average-rate 10 burst-rate 20 threat-detection rate scanning-threat rate-interval 2400 average-rate 10 burst-rate 20 Cisco ASA Series Firewall CLI Configuration Guide 15-13...
  • Page 338 The following commands were modified: threat-detection statistics port number-of-rates, threat-detection statistics protocol number-of-rates. Improved memory usage 8.3(1) The memory usage for threat detection was improved. The following command was introduced: show threat-detection memory. Cisco ASA Series Firewall CLI Configuration Guide 15-14...
  • Page 339 A R T ASA Modules...
  • Page 341 VMware server. (FireSIGHT Management Center is also known as Defense Center.) For ASA FirePOWER running on ASA 5506-X devices, you can optionally configure the device using ASDM rather than FireSIGHT Management Center. How the ASA FirePOWER Module Works with the ASA, page 16-2 •...
  • Page 342 The following figure shows the traffic flow when using the ASA FirePOWER module in inline mode. In this example, the module blocks traffic that is not allowed for a certain application. All other traffic is forwarded through the ASA. Cisco ASA Series Firewall CLI Configuration Guide 16-2...
  • Page 343 ASA. Only one type of security policy is allowed. In multiple context mode, you cannot configure inline tap monitor-only mode for some contexts, and regular inline mode for others. The following figure shows the traffic flow when operating in inline tap mode. Cisco ASA Series Firewall CLI Configuration Guide 16-3...
  • Page 344 Figure 16-3 ASA FirePOWER Passive Monitor-Only, Traffic-Forwarding Mode Switch Main System Gig 1/1 inside outside Firewall Decryption Policy Gig 1/3 SPAN Port Forwarded Traffic ASA FirePOWER inspection ASA FirePOWER Cisco ASA Series Firewall CLI Configuration Guide 16-4...
  • Page 345 After you perform initial configuration, configure the ASA FirePOWER security policy using FireSIGHT Management Center (for all models) or ASDM (for 5506-X) . Then configure the ASA policy for sending traffic to the ASA FirePOWER module using ASDM or Cisco Security Manager. Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 346 Management Center. Do not use different ASA-interface-based zone definitions for devices in the cluster. Model Guidelines For ASA model software and hardware compatibility with the ASA FirePOWER module, see Cisco • Compatibility. Cisco ASA Series Firewall CLI Configuration Guide 16-6...
  • Page 347 ASA FirePOWER (SFR) Module Defaults for ASA FirePOWER For the 5512-X through ASA 5555-X, you must install a Cisco solid state drive (SSD). For more • information, see the ASA 5500-X hardware guide. (The SSD is standard on the 5506-X.)
  • Page 348 ASA Management 0/0 and ASA FirePOWER Management 1/0 interfaces, and the ASA inside network for Internet access. Be sure to also add a route on the ASA to reach the Management network through the inside router. Cisco ASA Series Firewall CLI Configuration Guide 16-8...
  • Page 349 ASA Management 0/0 not used (for example) ASA 5506-X and 5512-X through ASA 5555-X (Software Module) These models run the ASA FirePOWER module as a software module, and the ASA FirePOWER management interface shares the Management 0/0 interface with the ASA (Management 1/1 on 5506-X) .
  • Page 350 ASA FirePOWER address must be on the same network as the ASA, and that excludes any networks already configured on other ASA interfaces. If the name is not configured, then the ASA FirePOWER address can be on any network, for example, the ASA inside network. Cisco ASA Series Firewall CLI Configuration Guide 16-10...
  • Page 351 Step 2 Download the ASA FirePOWER system software from Cisco.com to an HTTP, HTTPS, or FTP server accessible from the ASA FirePOWER management interface. Do not download it to disk0 on the ASA. Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 352 When installation is complete, the system reboots. Allow 10 or more minutes for application component installation and for the ASA FirePOWER services to start. (The show module sfr output should show all processes as Up.) Cisco ASA Series Firewall CLI Configuration Guide 16-12...
  • Page 353 For HTTP Proxy configuration, run 'configure network http-proxy' (Wait for the system to reconfigure itself.) This sensor must be managed by a Defense Center. A unique alphanumeric registration key is always required. In most cases, to register a sensor Cisco ASA Series Firewall CLI Configuration Guide 16-13...
  • Page 354 Note the ASA CLI; you can then set the ASA FirePOWER management IP address as part of setup. For a hardware module, you can complete the initial setup through the Console port. Cisco ASA Series Firewall CLI Configuration Guide 16-14...
  • Page 355 You must configure at least one of IPv4 or IPv6. Do you want to configure IPv4? (y/n) [y]: y Do you want to configure IPv6? (y/n) [n]: Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]: Cisco ASA Series Firewall CLI Configuration Guide 16-15...
  • Page 356 There is no other way to configure the module. For ASA 5506-X, FireSIGHT Management Center is optional. If you do not configure one, you use ASDM to configure the ASA FirePOWER policy. There is no CLI for policy configuration, you must use ASDM or FireSIGHT Management Center.
  • Page 357 You use FireSIGHT Management Center to configure the security policy on the module. For the ASA 5506-X, you can alternatively use ASDM. However, you can never use both ASDM and FireSIGHT Management Center, you must choose one or the other. If you configure a FireSIGHT Management Center for the module, you must use the configured manager.
  • Page 358 FireSIGHT Management Center. Configure the Security Policy with ASDM For ASA 5506-X, if you do not configure a FireSIGHT Management Center, you use ASDM to configure the security policy. ASA FirePOWER pages are separate from the ASA configuration pages. Use the following pages to monitor and configure the module.
  • Page 359 Procedure Create an L3/L4 class map to identify the traffic that you want to send to the module. Step 1 class-map name match parameter Example: hostname(config)# class-map firepower_class_map hostname(config-cmap)# match access-list firepower Cisco ASA Series Firewall CLI Configuration Guide 16-19...
  • Page 360 Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface. Cisco ASA Series Firewall CLI Configuration Guide 16-20...
  • Page 361 Step 4 Enable the interface. no shutdown Repeat for any additional interfaces. Examples The following example makes GigabitEthernet 0/5 a traffic-forwarding interface: interface gigabitethernet 0/5 no nameif traffic-forward sfr monitor-only no shutdown Cisco ASA Series Firewall CLI Configuration Guide 16-21...
  • Page 362 In multiple context mode, perform this procedure in the system execution space. Hardware module (ASA 5585-X): • hw-module module 1 {reload | reset} Software module (all other models): • sw-module module sfr {reload | reset} Cisco ASA Series Firewall CLI Configuration Guide 16-22...
  • Page 363 You can either session to the module (using Telnet) or create a virtual console session. A console session might be useful if the control plane is down and you cannot establish a Telnet session. In multiple context mode, session from the system execution space. Cisco ASA Series Firewall CLI Configuration Guide 16-23...
  • Page 364 Once the boot image is installed, you install the System Software package. You must place the package on an HTTP, HTTPS, or FTP server that is accessible from the ASA FirePOWER. The following procedure explains how to install the boot image and then install the System Software package. Cisco ASA Series Firewall CLI Configuration Guide 16-24...
  • Page 365 Include the noconfirm option if you do not want to respond to confirmation messages. When installation is complete, the system reboots. Allow 10 or more minutes for application component installation and for the ASA FirePOWER services to start. Cisco ASA Series Firewall CLI Configuration Guide 16-25...
  • Page 366 ASA FirePOWER syslog messages start with message number 434001. Showing Module Status, page 16-27 • • Showing Module Statistics, page 16-28 • Monitoring Module Connections, page 16-28 Cisco ASA Series Firewall CLI Configuration Guide 16-26...
  • Page 367 App. Status Desc: Normal Operation App. version: 5.3.1-100 Data Plane Status: Status: DC addr: 10.89.133.202 Mgmt IP addr: 10.86.118.7 Mgmt Network mask: 255.255.252.0 Mgmt Gateway: 10.86.116.1 Mgmt web ports: Mgmt TLS enabled: true Cisco ASA Series Firewall CLI Configuration Guide 16-27...
  • Page 368 • ‘fail-close’ (rather than ‘fail-open’ which allows packets through even if the card was down). Check card status and attempt to restart services or reboot it. Cisco ASA Series Firewall CLI Configuration Guide 16-28...
  • Page 369 Cisco ASA Series Firewall CLI Configuration Guide 16-29...
  • Page 370 ASA 9.3(2) You can run the ASA FirePOWER software module on the FirePOWER software module, including ASA 5506-X. You can manage the module using support for configuring the module in ASDM FireSIGHT Management Center, or you can use ASDM. FirePOWER 5.4.1...
  • Page 371 How the ASA CX Module Works with the ASA, page 17-2 • • ASA CX Management Access, page 17-4 • Authentication Proxy for Active Authentication, page 17-5 • Compatibility with ASA Features, page 17-5 Cisco ASA Series Firewall CLI Configuration Guide 17-1...
  • Page 372 The following figure shows the traffic flow when using the ASA CX module. In this example, the ASA CX module automatically blocks traffic that is not allowed for a certain application. All other traffic is forwarded through the ASA. Cisco ASA Series Firewall CLI Configuration Guide 17-2...
  • Page 373 The following figure shows the ASA GigabitEthernet 0/3 interface configured for traffic-forwarding. That interface is connected to a switch SPAN port so the ASA CX module can inspect all of the network traffic. Cisco ASA Series Firewall CLI Configuration Guide 17-3...
  • Page 374 SSH. These models run the ASA CX module as a software module. The ASA CX management interface shares the Management 0/0 interface with the ASA. Separate MAC addresses and IP addresses are supported for the ASA and ASA CX module. You must perform Cisco ASA Series Firewall CLI Configuration Guide 17-4...
  • Page 375 ASA CX-only interface. This interface is management-only. Policy Configuration and Management After you perform initial configuration, configure the ASA CX policy using Cisco Prime Security Manager (PRSM). PRSM is both the name of the ASA CX configuration interface and the name of a separate product for configuring ASA CX devices, Cisco Prime Security Manager.
  • Page 376 (9.1(1) and earlier) Does not support NAT 64. In 9.1(2) and later, NAT 64 is supported. • Model Guidelines • Supported only on the ASA 5585-X and 5512-X through ASA 5555-X. See the Cisco ASA Compatibility Matrix for more information: http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html Cisco ASA Series Firewall CLI Configuration Guide...
  • Page 377 Chapter 17 ASA CX Module Guidelines for ASA CX For the 5512-X through ASA 5555-X, you must install a Cisco solid state drive (SSD). For more • information, see the ASA 5500-X hardware guide. Monitor-Only Mode Guidelines Monitor-only mode is strictly for demonstration purposes and is not a normal operational mode for the module.
  • Page 378 Configure the Security Policy on the ASA CX Module, page 17-16. Step 5 (Optional.) Configure the Authentication Proxy Port, page 17-16 Step 6 Redirect Traffic to the ASA CX Module, page 17-16. Step 7 Cisco ASA Series Firewall CLI Configuration Guide 17-8...
  • Page 379 Internet access. Be sure to also add a route on the ASA to reach the Management network through the inside router. Proxy or DNS Server (for example) ASA gateway for Management Router Outside Inside Internet ASA CX Default Gateway Management ASA Management 0/0 ASA CX Management 1/0 Management PC Cisco ASA Series Firewall CLI Configuration Guide 17-9...
  • Page 380 ASA CX over the backplane or use ASDM to change the management IP address so you can use SSH. ASA 5545-X ASA CX Management 0/0 Default IP: 192.168.1.2 ASA Management 0/0 Default IP: 192.168.1.1 Cisco ASA Series Firewall CLI Configuration Guide 17-10...
  • Page 381 (SSDs) come pre-installed and ready to go. If you want to add the ASA CX to an existing ASA, or need to replace the SSD, you need to install the ASA CX boot software and partition the SSD according to this procedure. To physically install the SSD, see the ASA hardware guide. Cisco ASA Series Firewall CLI Configuration Guide 17-11...
  • Page 382 IP address or host name. ciscoasa# copy tftp://<TFTP SERVER>/asacx-5500x-boot-9.3.1.1-112.img disk0:/asacx-5500x-boot-9.3.1.1-112.img Download the ASA CX system software from Cisco.com to an HTTP, HTTPS, or FTP server accessible Step 2 from the ASA CX management interface. Set the ASA CX module boot image location in ASA disk0 by entering the following command:...
  • Page 383 ASA CX services to start. (The show module cxsc output should show all processes as Up.) The following command installs the asacx-sys-9.3.1.1-112.pkg system software. asacx-boot> system install https://upgrades.example.com/packages/asacx-sys-9.3.1.1-112.pkg Username: buffy Password: angelforever Verifying Downloading Extracting Cisco ASA Series Firewall CLI Configuration Guide 17-13...
  • Page 384 • (ASA 5512-X through ASA 5555-X) Open a console session to the module from the ASA CLI. In • multiple context mode, session from the system execution space. hostname# session cxsc console Cisco ASA Series Firewall CLI Configuration Guide 17-14...
  • Page 385 Enter the following command: asacx> setup Example: asacx> setup Welcome to Cisco Prime Security Manager Setup [hit Ctrl-C to abort] Default values are inside [ ] You are prompted through the setup wizard. The following example shows a typical path through the wizard;...
  • Page 386 PRSM is both the name of the ASA CX configuration interface and the name of a separate product for configuring ASA CX devices, Cisco Prime Security Manager. The method for accessing the configuration interface, and how to use it, are the same. For details on using PRSM to configure your ASA CX security policy, see the ASA CX/PRSM user guide or online help.
  • Page 387 For information on matching statements, see Identify Traffic (Layer 3/4 Class Maps), page 1-13. Add or edit a policy map that sets the actions to take with the class map traffic. Step 2 policy-map name Cisco ASA Series Firewall CLI Configuration Guide 17-17...
  • Page 388 For demonstration purposes only, you can configure traffic-forwarding interfaces, where all traffic is forwarded directly to the ASA CX module. For normal ASA CX operation, see Create the ASA CX Service Policy, page 17-17. Cisco ASA Series Firewall CLI Configuration Guide 17-18...
  • Page 389 Shut Down the Module, page 17-20 • • (ASA 5512-X through ASA 5555-X) Uninstall a Software Module Image, page 17-21 • (ASA 5512-X through ASA 5555-X) Session to the Module From the ASA, page 17-21 Cisco ASA Series Firewall CLI Configuration Guide 17-19...
  • Page 390 If you reload the ASA, the module is not automatically shut down, so we recommend shutting down the Note module before reloading the ASA. Hardware module (ASA 5585-X): • hw-module module 1 shutdown • Software module (ASA 5512-X through ASA 5555-X): sw-module module cxsc shutdown Cisco ASA Series Firewall CLI Configuration Guide 17-20...
  • Page 391 ASA, the ASA CX console session is still active; you can never exit to the ASA prompt. You must use a direct serial connection to return the console to the ASA prompt. Use the session cxsc command instead of the console command when facing this situation. Cisco ASA Series Firewall CLI Configuration Guide 17-21...
  • Page 392 The following is sample output from the show service-policy command showing the ASA CX policy and the current statistics as well as the module status when the authentication proxy is disabled: hostname# show service-policy cxsc Global policy: Service-policy: global_policy Cisco ASA Series Firewall CLI Configuration Guide 17-22...
  • Page 393 ASA receives a packet from CXSC without a Policy ID TLV. This TLV must be present in non-control packets if it does not have the Standby Active bit set in the actions field. Cisco ASA Series Firewall CLI Configuration Guide 17-23...
  • Page 394 Step 3 if traffic is being redirected on the correct configured port.You can check the configured port using the show running-config cxsc command or the show asp table classify domain cxsc-auth-proxy command. Cisco ASA Series Firewall CLI Configuration Guide 17-24...
  • Page 395 Cisco ASA Series Firewall CLI Configuration Guide 17-25...
  • Page 396 The traffic-forwarding interface sends all traffic directly to the ASA CX module, bypassing the ASA. We modified or introduced the following commands: cxsc {fail-close | fail-open} monitor-only, traffic-forward cxsc monitor-only. Cisco ASA Series Firewall CLI Configuration Guide 17-26...
  • Page 397 Because control traffic cannot be filtered using an access-list or match, these options are not available in the system execution space. We modified the following command: capture interface asa_dataplane. Cisco ASA Series Firewall CLI Configuration Guide 17-27...
  • Page 398 Chapter 17 ASA CX Module History for the ASA CX Module Cisco ASA Series Firewall CLI Configuration Guide 17-28...
  • Page 399 This chapter describes how to configure the ASA IPS module. The ASA IPS module might be a hardware module or a software module, depending on your ASA model. For a list of supported ASA IPS modules per ASA model, see the Cisco ASA Compatibility Matrix: http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html Information About the ASA IPS Module, page 18-1 •...
  • Page 400 No traffic that you identified for IPS inspection can continue through the ASA without first passing through, and being inspected by, the ASA IPS module. This mode is the most secure because every Cisco ASA Series Firewall CLI Configuration Guide 18-2...
  • Page 401 See the IPS documentation for more information about virtual sensors, including the maximum number of sensors supported. Figure 18-3 shows one security context paired with one virtual sensor (in inline mode), while two security contexts share the same virtual sensor. Cisco ASA Series Firewall CLI Configuration Guide 18-3...
  • Page 402 See the following information about the management interface: ASA 5585-X—The IPS management interface is a separate external Gigabit Ethernet interface. – Cisco ASA Series Firewall CLI Configuration Guide 18-4...
  • Page 403 No support. Guidelines and Limitations This section includes the guidelines and limitations for this feature. Model Support • See the Cisco ASA Compatibility Matrix for information about which models support which modules: http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html Additional Guidelines • ASDM 7.3(2) and later is not compatible with IPS 7.3(2) or earlier. To manage IPS, connect to its IP address directly in your browser.
  • Page 404 ASA IPS module and then configuration of the ASA to send traffic to the ASA IPS module. To configure the ASA IPS module, perform the following steps: Cable the ASA IPS management interface. See Connecting the ASA IPS Management Interface, Step 1 page 18-7. Cisco ASA Series Firewall CLI Configuration Guide 18-6...
  • Page 405 ASA Management 0/0 and IPS Management 1/0 interfaces, and the ASA inside network. Be sure to also add a route on the ASA to reach the Management network through the inside router. Cisco ASA Series Firewall CLI Configuration Guide 18-7...
  • Page 406 These models run the IPS module as a software module, and the IPS management interface shares the Management 0/0 interface with the ASA. ASA 5545-X IPS Management 0/0 Default IP: 192.168.1.2 ASA Management 0/0 Default IP: 192.168.1.1 Cisco ASA Series Firewall CLI Configuration Guide 18-8...
  • Page 407 ASA interfaces. If the name is not configured, then the IPS address can be on any network, for example, the ASA inside network. What to Do Next Configure basic network settings. See Configuring Basic IPS Module Network Settings, page 18-11. • Cisco ASA Series Firewall CLI Configuration Guide 18-9...
  • Page 408 Purpose Telnet session. Accesses the module using Telnet. You are prompted for the username and password. The default username is cisco, and the default password is cisco. For a hardware module (for example, the ASA 5585-X): The first time you log in to the module, you are prompted to change Note the default password.
  • Page 409 Existing ASA with new IPS installation—Download the IPS software from Cisco.com to a TFTP • server. If you have a Cisco.com login, you can obtain the software from the following website: http://www.cisco.com/cisco/software/navigator.html?mdfid=282164240 Copy the software to the ASA: hostname# copy tftp://server/file_path disk0:/file_path For other download server types, see the general operations configuration guide.
  • Page 410 Connect to the IPS management interface using SSH. If you did not change it, the default • management IP address is 192.168.1.2. The default username is cisco, and the default password is cisco. See Information About Management Access, page 18-4 for more information about the management interface.
  • Page 411 You do not need to be in multiple context mode to use virtual sensors; you can be in single mode and use Note different sensors for different traffic flows. Prerequisites For more information about configuring contexts, see the general operations configuration guide. Cisco ASA Series Firewall CLI Configuration Guide 18-13...
  • Page 412 Changes to the context so you can configure the IPS security policy changeto context context_name as described in Diverting Traffic to the ASA IPS module, page 18-15. Example: hostname# changeto context customer1 hostname/customer1# Cisco ASA Series Firewall CLI Configuration Guide 18-14...
  • Page 413 This section identifies traffic to divert from the ASA to the ASA IPS module. Prerequisites In multiple context mode, perform these steps in each context execution space. To change to a context, enter the changeto context context_name command. Cisco ASA Series Firewall CLI Configuration Guide 18-15...
  • Page 414 ASA IPS module. If you enter a name that does not yet exist on the ASA IPS module, you get an error, and the command is rejected. Cisco ASA Series Firewall CLI Configuration Guide 18-16...
  • Page 415 TFTP server (for a hardware module), or from the local disk (software module). Do not use the upgrade command within the module software to install the image. Note Cisco ASA Series Firewall CLI Configuration Guide 18-17...
  • Page 416 Image URL [tftp://127.0.0.1/myimage]: In multiple context mode, enter this command in the system tftp://10.1.1.1/ids-newimg execution space. Port IP Address [127.0.0.2]: 10.1.2.10 Port Mask [255.255.255.254]: 255.255.255.0 Gateway IP Address [1.1.2.10]: 10.1.2.254 VLAN ID [0]: 100 Cisco ASA Series Firewall CLI Configuration Guide 18-18...
  • Page 417 For a hardware module (for example, the ASA Shuts down the module. 5585-X): hw-module module 1 shutdown For a software module (for example, the ASA 5545-X): sw-module module ips shutdown Example: hostname# hw-module module 1 shutdown Cisco ASA Series Firewall CLI Configuration Guide 18-19...
  • Page 418 Resetting the Password You can reset the module password to the default. For the user cisco, the default password is cisco. After resetting the password, you should change it to a unique value using the module application. Resetting the module password causes the module to reboot. Services are not available while the module is rebooting.
  • Page 419 The following is sample output from the show module details command, which provides additional information for an ASA with an SSC installed: hostname# show module 1 details Getting details from the Service Module, please wait... ASA 5500 Series Security Services Card-5 Hardware version: 0.1 Cisco ASA Series Firewall CLI Configuration Guide 18-21...
  • Page 420 AIP SSM in inline mode, and allows all traffic through if the AIP SSM fails for any reason. For the my-ips-class traffic, sensor1 is used; for the my-ips-class2 traffic, sensor2 is used. hostname(config)# access-list my-ips-acl permit ip any 10.1.1.0 255.255.255.0 hostname(config)# access-list my-ips-acl2 permit ip any 10.2.1.0 255.255.255.0 Cisco ASA Series Firewall CLI Configuration Guide 18-22...
  • Page 421 -60 for the ASA 5585-X. You can only install the ASA IPS SSP with a matching-level SSP; for example, SSP-10 and ASA IPS SSP-10. The ASA 5585-X is not supported in Version 8.3. Note Cisco ASA Series Firewall CLI Configuration Guide 18-23...
  • Page 422 We introduced support for the ASA IPS SSP software 5512-X through ASA 5555-X module for the ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X. We introduced or modified the following commands: session, show module, sw-module. Cisco ASA Series Firewall CLI Configuration Guide 18-24...

Comments to this Manuals

Symbols: 0
Latest comments: