Page 1
Cisco ASA Series Firewall CLI Configuration Guide Software Version 9.3 For the ASA 5506-X, ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, ASA 5585-X, ASA Services Module, and the Adaptive Security Virtual Appliance Released: July 24, 2014 Updated: February 18, 2015 Cisco Systems, Inc.
Page 2
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks.
Page 3
Obtaining Documentation and Submitting a Service Request, page iv Document Objectives The purpose of this guide is to help you configure the firewall features for Cisco ASA series using the command-line interface. This guide does not cover every feature, but describes only the most common configuration scenarios.
Page 4
Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation as an RSS feed and delivers content directly to your desktop using a reader application. The RSS feeds are a free service.
Page 5
Part: Service Policies and Access Control...
Page 7
• Feature Matching Within a Service Policy, page 1-5 • Order in Which Multiple Feature Actions are Applied, page 1-6 • Incompatibility of Certain Feature Actions, page 1-7 • Feature Matching for Multiple Service Policies, page 1-8 Cisco ASA Series Firewall CLI Configuration Guide...
Page 8
1 deny version 2 deny version 2c : Inspection policy map to define SIP behavior. : The sip-high inspection policy map must be referred to by an inspect sip command
Page 9
0:00:30 half-closed 0:10:00 idle 1:00:00 reset dcd 0:15:00 5 user-statistics accounting : The service-policy command applies the policy map rule set to the inside interface. : This command activates the policies. service-policy test-inside-policy interface inside
Page 10
• Chapter 9, “Inspection of Database and Directory Protocols.” • Chapter 10, “Inspection for Management Application Protocols.” • Chapter 14, “ASA and Cisco Cloud Web Security.” ASA IPS: Chapter 18, “ASA IPS Module.” ASA CX: Chapter 17, “ASA CX Module.”...
Page 11
Note: Application inspection includes multiple inspection types, and most are mutually exclusive. For inspections that can be combined, each inspection is considered to be a separate feature.
Page 12
Certain Feature Actions, page 1-7 for more information. ASA IPS ASA CX ASA FirePOWER (ASA SFR) QoS output policing QoS standard priority queue Note: NetFlow Secure Event Logging filtering and User statistics for Identity Firewall are order-independent.
Page 13
Example 1-2 Misconfiguration for HTTP packets: FTP Inspection Also Configured class-map ftp [it should be 21] match port tcp eq 80 class-map http match port tcp eq 80 policy-map test class ftp
Page 14
Class maps include the following types: • Layer 3/4 class maps (for through traffic and management traffic). • Inspection class maps • Regular expression class maps • match commands used directly underneath an inspection policy map
Page 15
Defaults for Service Policies The following topics describe the default settings for service policies and the Modular Policy Framework: • Default Service Policy Configuration, page 1-10 • Default Class Maps (Traffic Classes), page 1-11
Page 17
10.1.1.0/24 to any destination address. [Figure: Layer 3/4 Class Map] Step 2 Optionally, perform additional actions on some inspection traffic.
Page 18
Step 3 Define the actions you want to perform on each Layer 3/4 class map by creating a Layer 3/4 policy map, as described in Define Actions (Layer 3/4 Policy Map), page 1-16.
Page 19
We suggest that you only inspect traffic on ports on which you expect application traffic; if you inspect all traffic, for example using match any, the ASA performance can be impacted.
Page 20
You can specify a match access-list command along with the match default-inspection-traffic command to narrow the matched traffic. Because the match default-inspection-traffic command specifies the ports and protocols to match, any ports and protocols in the ACL are ignored.
Page 21
You can specify a management class map that can match an ACL or TCP or UDP ports. The types of actions available for a management class map in the policy map are specialized for management traffic. Features Configured with Service Policies, page 1-4.
Page 22
The CLI enters policy-map configuration mode. Example: hostname(config)# policy-map global_policy
Page 23
21 hostname(config)# class-map tcp_traffic hostname(config-cmap)# match port tcp range 1 65535 hostname(config)# class-map udp_traffic hostname(config-cmap)# match port udp range 0 65535 hostname(config)# policy-map global_policy
Page 24
The following commands disable the default global policy and enable a new one called new_global_policy on all other ASA interfaces: hostname(config)# no service-policy global_policy global hostname(config)# service-policy new_global_policy global
Page 25
See the following commands for this example: hostname(config)# class-map http_traffic hostname(config-cmap)# match port tcp eq 80 hostname(config)# policy-map http_traffic_policy hostname(config-pmap)# class http_traffic hostname(config-pmap-c)# inspect http hostname(config-pmap-c)# police output 250000 hostname(config)# service-policy http_traffic_policy interface outside
Page 26
Any HTTP connection destined for Server B that enters the ASA through the inside interface is classified for HTTP inspection. Connections initiated from Server B to Host B do not match the ACL in the class map, so they are not affected.
Page 27
IP address used on the outside network, 209.165.200.225. You must use the real IP address in the ACL in the class map. If you applied it to the outside interface, you would also use the real address.
Page 28
Match any for inspection policy maps 8.0(2) The match any keyword was introduced for use with inspection policy maps: traffic can match one or more criteria to match the class map. Formerly, only match all was available.
Page 29
However, you cannot set different actions for different matches. Note: Not all inspections support inspection class maps.
Page 30
(the priority is based on the internal rules). If a class map has the same type of lowest priority match command as another class map, then the class
Page 31
There are other default inspection policy maps such as _default_esmtp_map. Note: For example, inspect esmtp implicitly uses the policy map “_default_esmtp_map.” All the default policy maps can be shown by using the show running-config all policy-map command.
Page 32
Step 6 parameters Configures parameters that affect the inspection engine. The CLI enters parameters configuration mode. For the parameters available for each application, see the appropriate inspection chapter. Example: hostname(config-pmap)# parameters hostname(config-pmap-p)#
Page 33
If you want to perform different actions on different types of traffic, you should identify the traffic directly in the policy map. Restrictions Not all applications support inspection class maps. See the CLI help for class-map type inspect for a list of supported applications.
Page 34
The following example creates an HTTP class map that can match any of the criteria: hostname(config-cmap)# class-map type inspect http match-any monitor-http hostname(config-cmap)# match request method get hostname(config-cmap)# match request method put hostname(config-cmap)# match request method post
Page 35
Match any for inspection policy maps 8.0(2) The match any keyword was introduced for use with inspection policy maps: traffic can match one or more criteria to match the class map. Formerly, only match all was available.
Page 36
Chapter 2 Special Actions for Application Inspections (Inspection Policy Map) Feature History for Inspection Policy Maps
Page 37
EtherType rules (Layer 2 traffic) assigned to interfaces (transparent firewall mode only)—You can apply separate rule sets in the inbound and outbound directions. EtherType rules control network access for non-IP traffic. An EtherType rule permits or denies traffic based on the EtherType.
Page 38
Rather than creating multiple inbound ACLs to restrict access, you can create a single outbound ACL that allows only the specified hosts. (See the following figure.) The outbound ACL prevents any other hosts from reaching the outside network.
Page 39
Implicit Permits For routed mode, the following types of traffic are allowed through by default: • Unicast IPv4 and IPv6 traffic from a higher security interface to a lower security interface.
Page 40
This section describes information about extended access rules. • Extended Access Rules for Returning Traffic, page 3-5 • Allowing Broadcast and Multicast Traffic through the Transparent Firewall Using Access Rules, page 3-5 • Management Access Rules, page 3-5
Page 41
ACL. Alternatively, you can use ICMP rules to control ICMP traffic to the device. Use regular extended access rules to control ICMP traffic through the device.
Page 42
IP address on the ASA interface as the router-id for LDP or TDP sessions. (LDP and TDP allow MPLS routers to negotiate the labels (addresses) used to forward packets.) On Cisco IOS routers, enter the appropriate command for your protocol, LDP or TDP. The interface is the interface connected to the ASA.
Page 43
Before you can create an access group, create the ACL. See the general operations configuration guide for more information. To bind an ACL to an interface or to apply it globally, use the following command: access-group access_list { {in | out} interface interface_name [per-user-override | control-plane] | global}
Page 44
To protect the device from attacks, you can use ICMP rules to limit ICMP access to ASA interfaces to particular hosts, networks, or ICMP types. ICMP rules function like access rules, where the rules are ordered, and the first rule that matches a packet defines the action.
Page 45
Examples The following example shows how to allow all hosts except the one at 10.1.1.15 to use ICMP to the inside interface: hostname(config)# icmp deny host 10.1.1.15 inside hostname(config)# icmp permit any inside
Page 46
A flow is defined by the source and destination IP addresses, protocols, and ports. Because the source port might differ for a new connection between the same two hosts, you might not see the same flow increment because a new flow was created for the connection.
Page 47
The following example allows some EtherTypes through the ASA, but it denies all others: hostname(config)# access-list ETHER ethertype permit 0x1234 hostname(config)# access-list ETHER ethertype permit mpls-unicast hostname(config)# access-group ETHER in interface inside hostname(config)# access-group ETHER in interface outside
Page 48
Support for TrustSec 9.0(1) You can now use TrustSec security groups for the source and destination. You can use an identity firewall ACL with access rules. We modified the following commands: access-list extended.
Page 49
Forward referencing of objects and ACLs in access rules: for objects or ACLs that do not yet exist. We introduced the clear config-session, clear session, configure session, forward-reference, and show config-session commands.
Page 50
Chapter 3 Access Rules History for Access Rules
Page 53
Other functions of NAT include: • Security—Keeping internal IP addresses hidden discourages direct attacks. • IP routing solutions—Overlapping IP addresses are not a problem when you use NAT.
Page 54
NAT rules, and one or both can be translated/untranslated. For static NAT, the rule is bidirectional, so be aware that “source” and “destination” are used in commands and descriptions throughout this guide even though a given connection might originate at the “destination” address.
Page 55
Twice NAT lets you identify both the source and destination address in a single rule. Specifying both the source and destination addresses lets you specify that sourceA/destinationA can have a different translation than sourceA/destinationB.
Page 56
• Order of NAT Rules. – Network object NAT—Automatically ordered in the NAT table. – Twice NAT—Manually ordered in the NAT table (before or after network object NAT rules).
Page 57
NAT rule to section 3 when you add the rule. For section 2 rules, for example, you have the following IP addresses defined within network objects: 192.168.1.0/24 (static)
Page 58
In transparent mode, you must choose specific source and destination interfaces. Guidelines for NAT The following topics provide detailed guidelines for implementing NAT. • Firewall Mode Guidelines for NAT, page 4-7 • IPv6 NAT Guidelines, page 4-7
Page 59
For example, if the IPv6 prefix is a /96 prefix, then the IPv4 address is appended in the last 32-bits of the address. For example, if you map 192.168.1.0/24 to 201b::0/96, then 192.168.1.4 will
Page 60
IPv6-to-IPv6 or IPv4-to-IPv4; with this prerequisite, the ASA can determine the value of any in a NAT rule. For example, if you configure a rule from “any” to an IPv6 server, and that server was
Page 61
If a mapped network object contains both ranges and host IP addresses, then the ranges are used for dynamic NAT, and then the host IP addresses are used as a PAT fallback. • Dynamic PAT (Hide):
Page 62
– The mapped object or group can contain a host, range, or subnet. – The static mapping is typically one-to-one, so the real addresses have the same quantity as the mapped addresses. You can, however, have different quantities if desired.
Page 63
NAT, you can only perform port translation on the destination. A service object can contain both a source and destination port, but only the destination port is used in this case. If you specify the source port, it will be ignored.
Page 64
The following figure shows a typical dynamic NAT scenario. Only real hosts can create a NAT session, and responding traffic is allowed back. [Figure 4-2 Dynamic NAT: Inside hosts 10.1.1.1 and 10.1.1.2, Security Appliance, Outside addresses 209.165.201.1 and 209.165.201.2]
Page 65
• Some multimedia applications that have a data stream on one port, the control path on another port, and are not open standard. See Default Inspections and NAT Limitations, page 6-6 for more information about NAT and PAT support.
Page 66
You can also specify the keyword any for one or both of the interfaces, for example (any,outside). • Mapped IP address—Specify the network object or network object group that includes the mapped IP addresses.
Page 68
NAT rules), then use the after-auto keyword. You can insert a rule anywhere in the applicable section using the line argument. • Source addresses: – Real—Specify a network object, group, or the any keyword.
Page 70
Each connection requires a separate translation session because the source port differs for each connection. For example, 10.1.1.1:1025 requires a separate translation from 10.1.1.1:1026.
Page 71
If you use the same PAT pool object in two separate rules, then be sure to specify the same options for each rule. For example, if one rule specifies extended PAT and a flat range, then the other rule must also specify extended PAT and a flat range.
Page 72
• {IPv4_address IPv4_mask | IPv6_address/IPv6_prefix}—The address of a network. For IPv4 subnets, include the mask after a space, for example, 10.0.0.0 255.0.0.0. For IPv6, include the address and prefix as a single unit (no spaces), such as 2001:DB8:0:CD30::/60.
Page 73
1 to 511, 512 to 1023, and 1024 to 65535. To avoid running out of ports at the low ranges, configure this setting. To use the entire range of 1 to 65535, also specify the include-reserve keyword.
Page 74
If you use an object, the object or group cannot contain a subnet. The object must define a host, or for a PAT pool, a range. The group (for a PAT pool) can include hosts and ranges.
Page 75
– Extended PAT—The extended keyword enables extended PAT. Extended PAT uses 65535 ports per service, as opposed to per IP address, by including the destination address and port in the translation information. Normally, the destination port and address are not considered when
Page 76
PAT_POOL hostname(config-network-object)# range 209.165.200.225 209.165.200.254 hostname(config)# object network TELNET_SVR hostname(config-network-object)# host 209.165.201.23 hostname(config)# object service TELNET hostname(config-service-object)# service tcp destination eq 23 hostname(config)# object network SERVERS hostname(config-network-object)# subnet 203.0.113.0 255.255.255.0
Page 78
The following example creates a deny rule for H.323 traffic, so that it uses multi-session PAT: hostname(config)# xlate per-session deny tcp any4 209.165.201.7 eq 1720 hostname(config)# xlate per-session deny udp any4 209.165.201.7 range 1718 1719
Page 79
About Static NAT with Port Address Translation When you specify the port with static NAT, you can choose to map the port and/or the IP address to the same value or to a different value.
Page 80
NAT with port translation rules that use the same mapped IP address, but different ports. For details on how to configure this example, see Single Address for FTP, HTTP, and SMTP (Static NAT-with-Port-Translation), page 5-5.
Page 81
NAT, when the real host initiates traffic, it always uses the first mapped address. However, for traffic initiated to the host, you can initiate traffic to any of the mapped addresses, and they will be untranslated to the single real address.
Page 83
TCP destination port, and both hosts are translated to the same IP address, then both connections will be reset because of an address conflict (the 5-tuple is not unique).
Page 84
Example: hostname(config-network-object)# subnet 10.2.1.0 255.255.255.0 Step 4 Configure static NAT for the object IP addresses. You can only define a single NAT rule for a given object.
Page 85
10.1.1.1 hostname(config-network-object)# nat (inside,outside) static 10.2.2.2 dns The following example configures static NAT for the real host 10.1.1.1 on the inside to 10.2.2.2 on the outside using a mapped object.
Page 86
You can, however, have different quantities if desired. For more information, see Static NAT, page 4-27. Step 2 (Optional.) Create service objects for the: • Source or Destination real ports • Source or Destination mapped ports
Page 87
The order of the service objects for destination port translation is service mapped_obj real_obj. In the rare case where you specify both the source and destination ports in the object, the first service object contains the real source
Page 88
IPv6 network, and the dynamic PAT translation to an IPv4 PAT pool when accessing the IPv4 network: hostname(config)# object network INSIDE_NW hostname(config-network-object)# subnet 2001:DB8:AAAA::/96 hostname(config)# object network MAPPED_IPv6_NW hostname(config-network-object)# subnet 2001:DB8:BBBB::/96 hostname(config)# object network OUTSIDE_IPv6_NW hostname(config-network-object)# subnet 2001:DB8:CCCC::/96 hostname(config)# object network OUTSIDE_IPv4_NW hostname(config-network-object)# subnet 10.1.1.0 255.255.255.0
Page 89
Step 2 Create or edit the network object for which you want to configure NAT. The object must be a different one than what you use for the mapped addresses, even though the contents must be the same in each object. object network obj_name Example
Page 90
• Route lookup—(Routed mode only; interfaces specified.) Specify route-lookup to determine the egress interface using a route lookup instead of using the interface specified in the NAT command. See Determining the Egress Interface, page 5-14 for more information.
Page 92
To reactivate it, reenter the whole command without the inactive keyword. • Description—(Optional.) Provide a description up to 200 characters using the description keyword. Monitoring NAT To monitor object NAT, use the following commands: • show nat
Page 93
Twice NAT 8.3(1) Twice NAT lets you identify both the source and destination address in a single rule. We modified or introduced the following commands: nat, show nat, show xlate, show nat pool.
Page 94
PAT IP address if ports are available. We did not modify any commands. This feature is not available in 8.5(1) or 8.6(1).
Page 95
We modified the following command: nat dynamic [pat-pool mapped_object [extended]] and nat source dynamic [pat-pool mapped_object [extended]]. This feature is not available in 8.5(1) or 8.6(1).
Page 96
Because of routing issues, we do not recommend using this feature unless you know you need it; contact Cisco TAC to confirm feature compatibility with your network. See the following limitations: Only supports Cisco IPsec and AnyConnect Client.
Page 97
Engine compilation is completed; without affecting the rule matching performance. We added the nat keyword to the following commands: asp rule-engine transactional-commit, show running-config asp rule-engine transactional-commit, clear configure asp rule-engine transactional-commit.
Page 98
Chapter 4 Network Address Translation (NAT) History for NAT
Page 99
The following example performs static NAT for an inside web server. The real address is on a private network, so a public address is required. Static NAT is necessary so hosts can initiate traffic to the web server at a fixed address.
Page 100
The following example configures dynamic NAT for inside users on a private network when they access the outside. Also, when inside users connect to an outside web server, that web server address is translated to an address that appears to be on the inside network.
Page 101
(inside,outside) dynamic myNatPool Step 4 Create a network object for the outside web server. hostname(config)# object network myWebServ hostname(config-network-object)# host 209.165.201.12 Step 5 Configure static NAT for the web server. hostname(config-network-object)# nat (outside,inside) static 10.1.2.20
Page 102
Step 2 Create a network object for the load balancer. hostname(config)# object network myLBHost hostname(config-network-object)# host 10.1.2.27 Step 3 Configure static NAT for the load balancer applying the range object. hostname(config-network-object)# nat (inside,outside) static myPublicIPs
Page 103
10.1.2.28 hostname(config-network-object)# nat (inside,outside) static 209.165.201.3 service tcp http http Step 3 Create a network object for the SMTP server and configure static NAT with port translation, mapping the SMTP port to itself.
Page 105
Telnet services. When the host accesses the server for Telnet services, the real address is translated to 209.165.202.129:port. When the host accesses the same server for web services, the real address is translated to 209.165.202.130:port.
Page 106
Step 6 Add a network object for the PAT address when using HTTP: hostname(config)# object network PATaddress2 hostname(config-network-object)# host 209.165.202.130
Page 107
You can configure NAT in both routed and transparent firewall mode. This section describes typical usage for each firewall mode. • NAT in Routed Mode, page 5-10 • NAT in Transparent Mode, page 5-10
Page 108
The following figure shows a typical NAT scenario in transparent mode, with the same network on the inside and outside interfaces. The transparent firewall in this scenario is performing the NAT service so that the upstream router does not have to perform NAT.
Page 109
This section describes how the ASA handles accepting and delivering packets with NAT. • Mapped Addresses and Routing, page 5-12
Page 110
ASA: specify the bridge group IP address. For remote hosts in transparent mode, in the static route on the upstream router, you can alternatively specify the downstream router IP address.
Page 111
ARP functionality. Due to internal processes for virtual Telnet, proxy ARP lets the ASA keep traffic destined for the virtual Telnet address rather than send the traffic out the source interface according to the NAT rule. (See the following figure).
Page 112
The following figure shows the egress interface selection method in routed mode. In almost all cases, a route lookup is equivalent to the NAT rule interface, but in some configurations, the two methods might differ.
Page 113
NAT to access the Internet. The below example uses interface PAT rules. To allow the VPN traffic to exit the same interface it entered, you also need to enable intra-interface communication (also known as “hairpin” networking).
Page 114
PAT rule by using an identity NAT rule between those networks. Identity NAT simply translates an address to the same address.
Page 115
10.2.2.78 in San Jose), you do not want to perform NAT; you need to exempt that traffic by creating an identity NAT rule. Identity NAT simply translates an address to the same address.
Page 116
See the following sample NAT configuration for ASA1 (Boulder): ! Enable hairpin for VPN client traffic: same-security-traffic permit intra-interface ! Identify local VPN network, & perform object interface PAT when going to Internet:
Page 117
ASA (see the management-access command). For example, if you enter the ASA from the outside interface, the management-access feature lets you connect to the inside interface using ASDM, SSH, Telnet, or SNMP; or you can ping the inside interface.
Page 118
10.3.3.0 255.255.255.0 nat (outside,outside) dynamic interface ! Identify inside network, & perform object interface PAT when going to Internet: object network inside_nw subnet 10.1.1.0 255.255.255.0 nat (inside,outside) dynamic interface
Page 119
• DNS rewrite is actually done on the xlate entry, not the NAT rule. Thus, if there is no xlate for a dynamic rule, rewrite cannot be done correctly. The same problem does not occur for static NAT.
Page 120
In this case, you want to enable DNS reply modification on this static rule so that inside users who have access to ftp.cisco.com using the real address receive the real address from the DNS server, and not the mapped address.
Page 121
DNS Reply Modification, DNS Server, Host, and Server on Separate Networks The following figure shows a user on the inside network requesting the IP address for ftp.cisco.com, which is on the DMZ network, from an outside DNS server. The DNS server replies with the mapped address (209.165.201.10) according to the static rule between outside and DMZ even though the user is...
Page 122
DNS and NAT If the user needs to access ftp.cisco.com using the real address, then no further configuration is required. If there is also a static rule between the inside and DMZ, then you also need to enable DNS reply modification on this rule.
Page 123
In this case, when an inside IPv6 user requests the address for ftp.cisco.com from the DNS server, the DNS server responds with the real address, 209.165.200.225. Because you want inside users to use the mapped address for ftp.cisco.com (2001:DB8::D1A5:C8E1) you need to configure DNS reply modification for the static translation.
Page 124
DNS_SERVER hostname(config-network-object)# host 209.165.201.15 hostname(config-network-object)# nat (outside,inside) static 2001:DB8::D1A5:C90F/128 net-to-net Step 3 Configure an IPv4 PAT pool for translating the inside IPv6 network. hostname(config)# object network IPv4_POOL hostname(config-network-object)# range 203.0.113.1 203.0.113.254 Cisco ASA Series Firewall CLI Configuration Guide 5-26...
Page 125
PTR Modification, DNS Server on Host Network ftp.cisco.com 209.165.201.10 Static Translation on Inside to: 10.1.2.56 DNS Server PTR Record Outside ftp.cisco.com Reverse DNS Query 209.165.201.10 Reverse DNS Query Modification 10.1.2.56 209.165.201.10 Inside Reverse DNS Query 10.1.2.56? User 10.1.2.27 Cisco ASA Series Firewall CLI Configuration Guide 5-27...
Page 126
Chapter 5 NAT Examples and Reference DNS and NAT Cisco ASA Series Firewall CLI Configuration Guide 5-28...
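To make the DNS reply modification described above concrete, the following Python model (an added example, not code from the guide or from the ASA) walks the answer section of a DNS reply headed to the inside and swaps each A record that carries the mapped address of a static rule for the rule's real address, which is what the nat ... dns keyword does on the ASA. The static rules, the real address 10.1.3.14 and the sample reply are constructed for the example; only static rules are modelled, which matches the note above that rewrite needs an xlate and therefore cannot be guaranteed for dynamic rules.

```python
import struct
import ipaddress

# Constructed static NAT rules (not from the guide's running config). "dns" marks the
# rules on which DNS reply modification (the nat ... dns keyword) is assumed enabled.
STATIC_RULES = [
    {"real": "10.1.3.14", "mapped": "209.165.201.10", "dns": True},
    {"real": "10.1.3.15", "mapped": "209.165.201.11", "dns": False},
]


def skip_name(msg, off):
    """Return the offset just past the DNS name starting at off.

    Handles label sequences and the two-byte compression pointer (RFC 1035)."""
    while True:
        length = msg[off]
        if length == 0:            # root label ends the name
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def answer_records(msg):
    """Yield (rtype, rdata_offset, rdlength) for each record in the answer section."""
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12                       # fixed 12-byte header
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        yield rtype, off, rdlen
        off += rdlen


def rewrite_dns_reply(msg, rules):
    """Model DNS reply modification for a reply leaving towards the inside.

    Every A record whose address is the mapped address of a static rule with DNS
    rewrite enabled is replaced by the rule's real address. The message length does not
    change, so no length or sequence adjustment is needed for this record type.
    Returns (rewritten_message, number_of_records_rewritten)."""
    mapped_to_real = {
        ipaddress.IPv4Address(r["mapped"]).packed: ipaddress.IPv4Address(r["real"]).packed
        for r in rules if r["dns"]
    }
    out = bytearray(msg)
    rewritten = 0
    for rtype, off, rdlen in answer_records(msg):
        if rtype == 1 and rdlen == 4:          # A record
            rdata = bytes(msg[off:off + 4])
            if rdata in mapped_to_real:
                out[off:off + 4] = mapped_to_real[rdata]
                rewritten += 1
    return bytes(out), rewritten


def answer_addresses(msg):
    """List the A-record addresses in a reply, for inspecting before/after."""
    return [str(ipaddress.IPv4Address(bytes(msg[off:off + 4])))
            for rtype, off, rdlen in answer_records(msg) if rtype == 1 and rdlen == 4]


def build_reply(qname, addrs, txid=0x1234):
    """Construct a minimal DNS response (constructed sample, not a capture): one
    question and one A answer per address, answers using a pointer to the question name."""
    def encode_name(name):
        return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    answers = b"".join(
        b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(a).packed
        for a in addrs)
    return header + question + answers


if __name__ == "__main__":
    reply = build_reply("ftp.cisco.com", ["209.165.201.10", "209.165.201.11"])
    new_reply, count = rewrite_dns_reply(reply, STATIC_RULES)
    print("before:", answer_addresses(reply))
    print("after: ", answer_addresses(new_reply), "rewritten:", count)
```

Running the block shows the first answer rewritten to the real address and the second left alone, because its rule has no DNS rewrite enabled. The same walk over the answer section is where a real inspection engine would also apply the DNS guard and message-length checks that the DNS inspection section later describes.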
Page 129
As illustrated in the following figure, the ASA uses three databases for its basic operation:
• ACLs—Used for authentication and authorization of connections based on specific networks, hosts, and services (TCP/UDP port numbers).
• Inspections—Contains a static, predefined set of application-level inspection functions.

However, the fast path relies on predictable port numbers and does not perform address translations inside a packet. Many protocols open secondary TCP or UDP ports. The initial session on a well-known port is used to negotiate dynamically assigned port numbers.

For example:
hostname(config)# policy-map test
hostname(config-pmap)# class sip
hostname(config-pmap-c)# no inspect sip sip-map1
hostname(config-pmap-c)# inspect sip sip-map2

They are matched according to the order in the policy map: ftp3 and then ftp2.
class-map type inspect ftp match-all ftp1
 match request-cmd get
class-map type inspect ftp match-all ftp2

200 connections. For example, if an FTP client opens multiple secondary connections, the FTP inspection engine allows only 200 active connections; the 201st connection is dropped and the adaptive security appliance generates a system error message.

No NAT support is available for RFC 1123 — name resolution through WINS. TCP/21 (Clustering) No static PAT. RFC 959 — UDP/3386 No extended PAT. — Requires a special license. UDP/2123 No NAT.

NAT of the packets for NBNS UDP port No NAT64. ports) 137 and NBDS UDP port 138. PPTP TCP/1723 No NAT64. RFC 2637 — (Clustering) No static PAT. RADIUS 1646 No NAT64. RFC 2865 — Accounting

TCP port 111, you need to create a new rule that matches TCP port 111 and performs Sun RPC inspection. TFTP UDP/69 No NAT64. RFC 1350 Payload IP addresses are not translated. (Clustering) No static PAT.

ASA features. For example, you can use a service policy to create a timeout configuration that is specific to a particular TCP application, as opposed to one that applies to all TCP...

SNMP inspection, enable SNMP inspection for the default class. Do not add another class that matches SNMP.

Step 5 Enable application inspection.
hostname(config-pmap-c)# inspect protocol
The protocol is one of the following values:

HTTP Inspection, page 7-14. If you added an HTTP inspection policy map according to Configure an HTTP Inspection Policy Map, page 7-16, identify the map name in this command.
icmp
ICMP Inspection, page 7-21.

RSH Inspection, page 10-15.
rtsp [map_name]
RTSP Inspection, page 8-17. If you added an RTSP inspection policy map according to Configure RTSP Inspection Policy Map, page 8-19, identify the map name in this command.

TFTP Inspection, page 7-45.
waas
Enables TCP option 33 parsing. Use when deploying Cisco Wide Area Application Services products.
xdmcp
XDMCP Inspection, page 10-17.
If you are editing the default global policy (or any in-use policy) to use a different inspection...

21
hostname(config)# access-list ftp_inspect extended permit tcp any any eq 1056
hostname(config)# class-map new_inspection
hostname(config-cmap)# match access-list ftp_inspect

Matches either expression it separates. For example, dog|cat matches dog or cat.
Question mark
A quantifier that indicates that there are 0 or 1 of the previous expression. For example, lo?se matches lse or lose.

Matches an ASCII character as octal (exactly three digits). For example, the character 040 represents a space.

Procedure

Step 1 Test a regular expression to make sure it matches what you think it will match.

Step 2 (Optional) Add a description to the class map:
hostname(config-cmap)# description string

Step 3 Identify the regular expressions you want to include by entering the following command for each regular expression:

Match any for inspection policy maps (8.0(2)): The match any keyword was introduced for use with inspection policy maps: traffic can match one or more criteria to match the class map. Formerly, only match all was available.
Page 147
DNS Inspection

The following sections describe DNS application inspection.
• DNS Inspection Actions, page 7-2
• Defaults for DNS Inspection, page 7-2
• Configure DNS Inspection, page 7-2
• Monitoring DNS Inspection, page 7-8

Configure DNS Inspection

DNS inspection is enabled by default. You need to configure it only if you want non-default processing. If you want to customize DNS inspection, use the following process.

Specify the traffic on which you want to perform actions using one of the following match commands. If you use a match not command, then any traffic that does not match the criterion in the match not command has the action applied.

{[drop] [log]} | mask [log] | log}
Not all options are available for each match or class command. See the CLI help or the command reference for the exact options available. The drop keyword drops all packets that match.

{[drop] [log]}—Requires a TSIG resource record to be present. You can drop a non-conforming packet, log the packet, or both.

For example:
hostname(config-pmap)# parameters
hostname(config-pmap-p)# dns-guard
hostname(config-pmap-p)# message-length maximum 1024
hostname(config-pmap-p)# nat-rewrite
hostname(config-pmap-p)# protocol-enforcement

For information on matching statements, see Identify Traffic (Layer 3/4 Class Maps), page 1-13.

Step 2 Add or edit a policy map that sets the actions to take with the class map traffic.

Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface.
Page 154
• Configure FTP Inspection, page 7-10
• Verifying and Monitoring FTP Inspection, page 7-14

FTP Inspection Overview

The FTP application inspection inspects the FTP sessions and performs four tasks:
• Prepares dynamic secondary data connection

• Invalid port negotiation—The negotiated dynamic port value is checked to see if it is less than 1024. As port numbers in the range from 1 to 1024 are reserved for well-known connections, if the negotiated port falls in this range, then the TCP connection is freed.

To specify traffic that should not match the class map, use the match not command. For example, if the match not command specifies the string "example.com," then any traffic that includes "example.com" does not match the class map.

• [not] username regex {regex_name | class class_name}—Matches the FTP username against the specified regular expression or regular expression class.

Enter exit to leave class map configuration mode.

The following example shows how to mask this banner:
hostname(config)# policy-map type inspect ftp mymap
hostname(config-pmap)# parameters
hostname(config-pmap-p)# mask-banner
hostname(config)# class-map match-all ftp-traffic
hostname(config-cmap)# match port tcp eq ftp
hostname(config)# policy-map ftp-policy
hostname(config-pmap)# class ftp-traffic

Otherwise, you are specifying the class you created earlier in this procedure.

Step 4 Configure FTP inspection.
inspect ftp [strict [ftp_policy_map]]
Where:
• strict implements strict FTP. You must use strict FTP to specify an FTP inspection policy map.
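Two of the FTP inspection tasks described in this section, the check that a negotiated data port is not below 1024 and the translation of the address embedded in the control channel when NAT is in use, are easy to see on a single control-channel line. The following Python model is an added example, not the guide's or the ASA's code; the static NAT mapping 10.1.1.20 to 209.165.200.230 and the sample PORT and 227 lines are constructed. It goes slightly beyond the text by handling both the client's PORT command and the server's passive-mode reply, since both carry a host and port that the firewall must read, check and rewrite.

```python
import re

# Constructed static NAT mapping (not from the guide): inside real address -> mapped
# address as seen on the outside interface.
STATIC_NAT = {"10.1.1.20": "209.165.200.230"}

# PORT from the client, and the 227 reply the server sends to a PASV request (RFC 959).
PORT_CMD = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")
PASV_REPLY = re.compile(r"^227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)\r\n$")


def decode_hostport(groups):
    """h1,h2,h3,h4,p1,p2 -> ("h1.h2.h3.h4", p1*256 + p2)."""
    return ".".join(groups[:4]), int(groups[4]) * 256 + int(groups[5])


def encode_hostport(host, port):
    """Inverse of decode_hostport, for rewriting the line."""
    return ",".join(host.split(".") + [str(port // 256), str(port % 256)])


def inspect_ftp_line(line, nat=STATIC_NAT):
    """Inspect one FTP control-channel line the way the overview describes.

    Returns a dict with:
      action        "ignore" (no port negotiation on this line), "pass", or
                    "drop-connection" (negotiated port below 1024: the connection is freed)
      secondary     (host, port) of the data connection to open a pinhole for, after NAT
      forwarded     the line as sent on, with the embedded address translated
      length_delta  change in line length; a non-zero delta is what forces the firewall
                    to adjust TCP sequence/ack numbers for the rest of the stream"""
    m = PORT_CMD.match(line) or PASV_REPLY.match(line)
    if not m:
        return {"action": "ignore", "secondary": None, "forwarded": line, "length_delta": 0}
    host, port = decode_hostport(m.groups())
    if port < 1024:
        return {"action": "drop-connection", "secondary": (host, port),
                "forwarded": None, "length_delta": 0}
    mapped = nat.get(host, host)            # addresses without a rule pass unchanged
    forwarded = line.replace(encode_hostport(host, port), encode_hostport(mapped, port))
    return {"action": "pass", "secondary": (mapped, port), "forwarded": forwarded,
            "length_delta": len(forwarded) - len(line)}


if __name__ == "__main__":
    # Constructed control-channel lines, not a capture.
    for sample in ["USER anonymous\r\n", "PORT 10,1,1,20,4,1\r\n",
                   "PORT 10,1,1,20,0,80\r\n",
                   "227 Entering Passive Mode (209,165,200,225,195,80)\r\n"]:
        print(repr(sample), "->", inspect_ftp_line(sample))
```

The PORT line that names port 80 is the case the overview calls invalid port negotiation; the translated PORT line grows by six characters, which is why payload translation cannot be done in the fast path and needs per-connection state.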
In conjunction with NAT, the FTP application inspection translates the IP address within the application payload. This is described in detail in RFC 959.

HTTP Inspection

The following sections describe the HTTP inspection engine.
• HTTP Inspection Overview, page 7-15
• Configure HTTP Inspection, page 7-15
Do not configure HTTP inspection in both a service module and on the ASA, as the inspections are not compatible.

Procedure

Step 1 Configure an HTTP Inspection Policy Map, page 7-16.
Step 2 Configure the HTTP Inspection Service Policy, page 7-19.

• [not] request body {regex {regex_name | class class_name} | length gt bytes}—Matches text found in the HTTP request message body against the specified regular expression or regular expression class, or messages where the request body is greater than the specified length.

(count) in the header. You can specify the field name explicitly or match the field name to a regular expression or regular expression class. Field names are listed in the previous bullet.

HTTP message that should be searched in a body match. The default is 200 bytes. A large number will have a significant impact on performance.

Step 1 If necessary, create an L3/L4 class map to identify the traffic for which you want to apply the inspection.
class-map name
match parameter
Example:
hostname(config)# class-map http_class_map
hostname(config-cmap)# match access-list http

Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface.
The Instant Messaging (IM) inspect engine lets you control the network usage of IM and stop leakage of confidential data, propagation of worms, and other threats to the corporate network. IM inspection is not enabled by default. You must configure it if you want IM inspection.

If you use a match not command, then any traffic that does not match the criterion in the match not command has the action applied.
• match [not] protocol {im-yahoo | im-msn}—Matches a specific IM protocol, either Yahoo or MSN.

The reset keyword drops the packet, closes the connection, and sends a TCP reset to the server or client. The log keyword, which you can use alone or with one of the other keywords, sends a system log message.

However, the default inspect class does include the default IM ports, so you can simply edit the default global inspection policy to add IM inspection. You can alternatively create a new service policy as desired, for example, an interface-specific policy.

If you are editing an existing service policy (such as the default global policy called global_policy), you are done. Otherwise, activate the policy map on one or more interfaces.
service-policy policymap_name {global | interface interface_name}
• The Options field is padded so that the field ends on a 32 bit boundary.
• Internet header length (IHL) in the packet changes.
• The total length of the packet changes.

IP options inspection is enabled by default. You need to configure it only if you want to allow more options than the default map allows.

Procedure

Step 1 Configure an IP Options Inspection Policy Map, page 7-28.
Step 2 Configure the IP Options Inspection Service Policy, page 7-28.

Step 1 If necessary, create an L3/L4 class map to identify the traffic for which you want to apply the inspection.
class-map name
match parameter
Example:
hostname(config)# class-map ip_options_class_map
hostname(config-cmap)# match access-list ipoptions

Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface.
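The three side effects listed at the start of this section (re-padding of the Options field, a new IHL, a new Total Length) are exactly the header surgery an inspection engine performs when it clears an IP option rather than dropping the packet. The following Python block is an added example, not ASA code: it removes one option kind from a constructed IPv4 packet, re-pads the options to a 32-bit boundary, and recomputes IHL, Total Length and the header checksum, which the list above does not mention but which also changes. The option kinds (Router Alert 148, Timestamp 68) are from the IANA registry and the packet itself is constructed, not captured.

```python
import struct

# Option kind numbers used in the constructed sample (from the IANA registry):
ROUTER_ALERT = 148
TIMESTAMP = 68


def ipv4_checksum(header):
    """Standard one's-complement sum over the header (header length is a multiple of 4)."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_options(opts):
    """Split the options field into (kind, raw_bytes) tuples; skips NOP, stops at EOL."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                 # End of Option List
            break
        if kind == 1:                 # No Operation (single-byte alignment filler)
            i += 1
            continue
        length = opts[i + 1]
        out.append((kind, bytes(opts[i:i + length])))
        i += length
    return out


def clear_ip_option(packet, kind_to_clear):
    """Remove one option kind from an IPv4 packet, re-pad the options field to a 32-bit
    boundary, and recompute IHL, Total Length and the header checksum."""
    ihl = (packet[0] & 0x0F) * 4
    header, payload = packet[:ihl], packet[ihl:]
    kept = b"".join(raw for kind, raw in parse_options(header[20:]) if kind != kind_to_clear)
    if len(kept) % 4:
        kept += b"\x00" * (4 - len(kept) % 4)     # EOL padding to the 32-bit boundary
    new_header = bytearray(header[:20] + kept)
    new_header[0] = (packet[0] & 0xF0) | (len(new_header) // 4)           # new IHL (words)
    struct.pack_into("!H", new_header, 2, len(new_header) + len(payload))  # new Total Length
    struct.pack_into("!H", new_header, 10, 0)
    struct.pack_into("!H", new_header, 10, ipv4_checksum(new_header))
    return bytes(new_header) + payload


def header_length(packet):
    return (packet[0] & 0x0F) * 4


def total_length(packet):
    return struct.unpack_from("!H", packet, 2)[0]


def checksum_ok(packet):
    """A correct header checksum sums (together with itself) to zero."""
    return ipv4_checksum(packet[:header_length(packet)]) == 0


def build_packet(options, payload):
    """Construct a UDP-carrying IPv4 packet with the given options (constructed sample)."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)
    ihl = 5 + len(options) // 4
    header = bytearray(struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0,
                                   20 + len(options) + len(payload), 0x1234, 0x4000,
                                   64, 17, 0, bytes([10, 1, 1, 20]), bytes([209, 165, 200, 225]))
                       + options)
    struct.pack_into("!H", header, 10, ipv4_checksum(header))
    return bytes(header) + payload


if __name__ == "__main__":
    # Router Alert (4 bytes) followed by a Timestamp option (8 bytes): 12 bytes, IHL 8.
    pkt = build_packet(b"\x94\x04\x00\x00" + b"\x44\x08\x05\x00\x00\x00\x00\x00", b"hello")
    cleared = clear_ip_option(pkt, ROUTER_ALERT)
    print("IHL", header_length(pkt), "->", header_length(cleared),
          "| total length", total_length(pkt), "->", total_length(cleared),
          "| checksum ok:", checksum_ok(cleared))
```

Clearing the Router Alert option shrinks the header from 32 to 28 bytes and the Total Length by the same four bytes; clearing the last remaining option brings the header back to the plain 20 bytes. Any transport-layer pseudo-header checksum is unaffected because the IP payload is untouched.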
IPsec Pass Through inspection is not enabled by default. You must configure it if you want IPsec Pass Through inspection.

Procedure

Step 1 Configure an IPsec Pass Through Inspection Policy Map, page 7-31.
Step 2 Configure the IPsec Pass Through Inspection Service Policy, page 7-32.

For information on creating the inspection policy map, see Configure an IPsec Pass Through Inspection Policy Map, page 7-31.
Example:
hostname(config-class)# no inspect ipsec-pass-thru
hostname(config-class)# inspect ipsec-pass-thru ipsec-map
• Drops any packet with a routing type header.

Following is the policy map configuration:
policy-map type inspect ipv6 _default_ipv6_map
 description Default IPV6 policy-map
 parameters
  verify-header type
  verify-header order
 match header routing-type range 0 255
  drop log

Specify the action to perform on matching packets. You can drop the packet and optionally log it, or just log it. If you do not enter an action, the packet is logged.
hostname(config-pmap)# {drop [log] | log}

Step 1 If necessary, create an L3/L4 class map to identify the traffic for which you want to apply the inspection.
class-map name
match parameter
Example:
hostname(config)# class-map ipv6_class_map
hostname(config-cmap)# match access-list ipv6

Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface.
Where the drop action drops the packet. The log action sends a system log message when this policy map matches traffic.

Example
hostname(config)# policy-map type inspect netbios netbios_map
hostname(config-pmap)# parameters
hostname(config-pmap-p)# protocol-violation drop log
hostname(config)# policy-map netbios_policy
hostname(config-pmap)# class inspection_default
hostname(config-pmap-c)# inspect netbios netbios_map

Where netbios_policy_map is the optional NetBIOS inspection policy map. You need a map only if you want non-default inspection processing. For information on creating the NetBIOS inspection policy map, see Configure a NetBIOS Inspection Policy Map for Additional Inspection Control, page 7-37.
Example:
hostname(config-class)# no inspect netbios
ESMTP messages as well as detect several attacks, block senders/receivers, and block mail relay. The following sections describe the ESMTP inspection engine.
• SMTP and ESMTP Inspection Overview, page 7-40

• For unknown commands, the ASA changes all the characters in the packet to X. In this case, the server generates an error code to the client. Because of the change in the packet, the TCP checksum has to be recalculated or adjusted.
• TCP stream editing.

998
 match header line length gt 998
  drop-connection log
 match sender-address length gt 320
  drop-connection log
 match MIME filename length gt 255
  drop-connection log
 match ehlo-reply-parameter others
  mask

• [not] ehlo-reply-parameter parameter [parameter2...]—Matches ESMTP EHLO reply parameters. You can specify one or more of the following parameters: 8bitmime, auth, binaryname, checkpoint, dsn, etrn, others, pipelining, size, vrfy.

• {drop-connection [log] | log}—Identifies a domain name for mail relay. You can either drop the connection and optionally log it, or log it.
• mask-banner—Masks the banner from the ESMTP server.
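The following Python block is an added example (not the guide's or the ASA's code) that runs the behaviour described in this section over a constructed client transcript: unknown commands are masked with X characters so the server answers with an error, and the three length thresholds from the default policy map above (header line 998, sender address 320, MIME filename 255) end the connection. The set of known command verbs, the decision to mask only the offending command line rather than the whole packet, and the treatment of every DATA line as a header line are simplifying assumptions of the example.

```python
import re

# Command verbs the model treats as known (RFC 5321 verbs plus common extensions);
# anything else is masked, as the overview describes. This set is an assumption.
KNOWN_COMMANDS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT",
                  "VRFY", "EXPN", "HELP", "AUTH", "STARTTLS"}
# Thresholds taken from the default ESMTP policy map shown above.
MAX_HEADER_LINE = 998
MAX_SENDER_ADDRESS = 320
MAX_MIME_FILENAME = 255


def inspect_esmtp_line(line, in_data=False):
    """Apply the default-map checks to one line from the client.

    Returns (action, forwarded_line): action is "pass", "mask" (unknown command replaced
    by X characters, which makes the server answer with an error) or "drop-connection"
    (forwarded_line is then None)."""
    body = line.rstrip("\r\n")
    if in_data:
        # Inside DATA the checks concern the message: header line and MIME filename length.
        if len(body) > MAX_HEADER_LINE:
            return ("drop-connection", None)
        m = re.search(r'filename="?([^";\r\n]+)"?', body, re.IGNORECASE)
        if m and len(m.group(1)) > MAX_MIME_FILENAME:
            return ("drop-connection", None)
        return ("pass", line)
    verb = body.split(" ", 1)[0].upper()
    if verb not in KNOWN_COMMANDS:
        # Same length as the original, so only the TCP checksum needs recomputing.
        return ("mask", "X" * len(body) + "\r\n")
    if verb == "MAIL":
        m = re.match(r"MAIL FROM:\s*<([^>]*)>", body, re.IGNORECASE)
        if m and len(m.group(1)) > MAX_SENDER_ADDRESS:
            return ("drop-connection", None)
    return ("pass", line)


def inspect_session(lines):
    """Run the checks over a client-to-server transcript, tracking DATA mode.

    Stops at the first drop-connection. Returns the list of (action, forwarded)."""
    results, in_data = [], False
    for line in lines:
        result = inspect_esmtp_line(line, in_data)
        results.append(result)
        if result[0] == "drop-connection":
            break
        body = line.rstrip("\r\n")
        if not in_data and body.upper() == "DATA":
            in_data = True
        elif in_data and body == ".":
            in_data = False
    return results


if __name__ == "__main__":
    # Constructed transcript, not a capture.
    transcript = ["EHLO mail.example.com\r\n", "XEXCH50 2 2\r\n",
                  "MAIL FROM:<user@example.com>\r\n", "RCPT TO:<admin@example.net>\r\n",
                  "DATA\r\n", "Subject: " + "x" * 1000 + "\r\n"]
    for line, (action, forwarded) in zip(transcript, inspect_session(transcript)):
        print(f"{action:16} {forwarded!r}")
```

The masked line keeps its length, which is why the overview only mentions the checksum for that case; the drop-connection actions, by contrast, are where the log keyword earns its keep, since the session ends without the client seeing a protocol-level reason.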
For information on matching statements, see Identify Traffic (Layer 3/4 Class Maps), page 1-13.

Step 2 Add or edit a policy map that sets the actions to take with the class map traffic.
policy-map name
You can only apply one policy map to each interface.

TFTP Inspection

TFTP inspection is enabled by default. TFTP, described in RFC 1350, is a simple protocol to read and write files between a TFTP server and client.

TFTP inspection must be enabled if static PAT is used to redirect TFTP traffic. For information on enabling TFTP inspection, see Configure Application Layer Protocol Inspection, page 6-9.
SoftPhone and other Cisco TAPI/JTAPI applications to work successfully with Cisco CallManager for call setup across the ASA. TAPI and JTAPI are used by many Cisco VoIP applications. CTIQBE is used by Cisco TSP to communicate with Cisco CallManager. For information on enabling CTIQBE inspection, see...

Cisco TSP configuration on the PC.
• When using PAT or Outside PAT, if the Cisco CallManager IP address is to be translated, its TCP port 2748 must be statically mapped to the same port of the PAT (interface) address for Cisco IP SoftPhone registrations to succeed.
H.323 Inspection Overview

H.323 inspection provides support for H.323 compliant applications such as Cisco CallManager and VocalTec Gatekeeper. H.323 is a suite of protocols defined by the International Telecommunication Union for multimedia conferences over LANs. The ASA supports H.323 through Version 6, including the H.323 v3 feature Multiple Calls on One Call Signaling Channel.

TCP packet as H.225 and H.245 messages, the ASA must remember the TPKT length to process and decode the messages properly. For each connection, the ASA keeps a record that contains the TPKT length for the next expected message.

ASN.1 coder.

Limitations for H.323 Inspection

H.323 inspection is tested and supported for Cisco Unified Communications Manager (CUCM) 7.0. It is not supported for CUCM 8.0 and higher. H.323 inspection might work with other releases and products.

"example.com," then any traffic that includes "example.com" does not match the class map. For the traffic that you identify in this class map, you specify actions to take on the traffic in the inspection policy map.

Specify the action you want to perform on the matching traffic by entering the following command:
hostname(config-pmap-c)# {drop [log] | drop-connection | reset}
The drop keyword drops the packet. For media type matches, you can include the log keyword to send a system log message.

ASA. You can add a maximum of ten endpoints per HSI group.

Example
The following example shows how to configure phone number filtering:
hostname(config)# regex caller 1 "5551234567"
hostname(config)# regex caller 2 "5552345678"

To edit the default policy, or to use the special inspection_default class map in a new policy, specify inspection_default for the name. Otherwise, you are specifying the class you created earlier in this procedure.

Step 4 Configure H.323 inspection.
inspect h323 {h225 | ras} [h323_policy_map]

Verifying and Monitoring H.323 Inspection

The following sections describe how to display information about H.323 sessions.
• Monitoring H.225 Sessions, page 8-11
• Monitoring H.245 Sessions, page 8-11
• Monitoring H.323 RAS Sessions, page 8-12

4-byte header. The foreign host endpoint is 172.30.254.203, and we are expecting the next packet from this endpoint to have a TPKT header because the TPKT value is 0.
Examples of residential gateways include cable modem/cable set-top boxes, xDSL devices, and broadband wireless devices.
• Business gateways, that provide a traditional digital PBX interface or an integrated soft PBX interface to a Voice over IP network.

A common and recommended practice is to send RTP data from a resilient IP address, such as a loopback or virtual IP address; however, the ASA requires the RTP data to come from the same address as MGCP signaling.

The IP address of the gateway is specified with the ip_address option. The group_id option is a number from 0 to 4294967295 that must correspond with the group_id of the call agents that are managing the gateway. A gateway may only belong to one group.

In the default configuration, the global_policy policy map is assigned globally to all interfaces. If you want to edit the global_policy, enter global_policy as the policy name.

Step 3 Identify the L3/L4 class map you are using for MGCP inspection.
class name
Example:

The timeout mgcp-pat command lets you set the timeout for PAT xlates. Because MGCP does not have a keepalive mechanism, if you use non-Cisco MGCP gateways (call agents), the PAT xlates are torn down after the default timeout interval, which is 30 seconds.
SDP files as part of HTTP or RTSP messages. Packets could be fragmented and the ASA cannot perform NAT on fragmented packets. With Cisco IP/TV, the number of translates the ASA performs on the SDP part of the message is...

• You can configure NAT for Apple QuickTime 4 or RealPlayer.
• Cisco IP/TV only works with NAT if the Viewer and Content Manager are on the outside network and the server is on the inside network.

Defining Actions in an Inspection Policy Map, page 2-4.

Step 5 To configure parameters that affect the inspection engine, perform the following steps:
To enter parameters configuration mode, enter the following command:
hostname(config-pmap)# parameters
hostname(config-pmap-p)#

(match default-inspection-traffic). If you are using this class map in either the default policy or for a new service policy, you can skip this step. For information on matching statements, see Identify Traffic (Layer 3/4 Class Maps), page 1-13.

Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface.
SIP Request URI that the ASA supports is 255.

Limitations for SIP Inspection

SIP inspection is tested and supported for Cisco Unified Communications Manager (CUCM) 7.0, 8.0, 8.6, and 10.5. It is not supported for CUCM 8.5, or 9.x. SIP inspection might work with other releases and products.

The SIP inspection engine opens signaling connection pinholes, and marks these connections as SIP connections. This is done for the messages to reach the SIP application and be translated.

• Configure the SIP Inspection Service Policy, page 8-29

Configure SIP Inspection Policy Map

You can create a SIP inspection policy map to customize SIP inspection actions if the default inspection behavior is not sufficient for your network.

0 to 65536.
• match [not] content type {sdp | regex {regex_name | class class_name}}—Matches the content type as SDP or against the specified regular expression or regular expression class.

You can specify multiple class or match commands in the policy map. For information about the order of class and match commands, see Defining Actions in an Inspection Policy Map, page 2-4.

• trust-verification-server ip ip_address—Identifies Trust Verification Services servers, which enable Cisco Unified IP Phones to authenticate application servers during HTTPS establishment. You can enter the command up to four times to identify four servers. SIP inspection opens pinholes to each server for each registered phone, and the phone decides which to use.

In the default configuration, the global_policy policy map is assigned globally to all interfaces. If you want to edit the global_policy, enter global_policy as the policy name.

Step 3 Identify the L3/L4 class map you are using for SIP inspection.
class name
Example:
hostname(config-pmap)# class inspection_default

This command configures the idle timeout after which a SIP control connection is closed.
To configure the timeout for the SIP media connection, enter the following command:
hostname(config)# timeout sip_media hh:mm:ss
This command configures the idle timeout after which a SIP media connection is closed.
The ASA also supports DHCP options 150 and 66, which it accomplishes by sending the location of a TFTP server to Cisco IP Phones and other DHCP clients. Cisco IP Phones might also include DHCP option 3 in their requests, which sets the default route.

Cisco CallManager server. When the Cisco IP Phones are on a lower security interface compared to the TFTP server, you must use an ACL to connect to the protected TFTP server on UDP port 69. While you do need a static entry for the TFTP server, this does not have to be an identity static entry.

Example:
hostname(config-pmap)# match message-id 0x181
hostname(config-pmap)# match message-id range 0x200 0xffff

The default ASA configuration includes SCCP inspection on the default port applied globally on all interfaces. A common method for customizing the inspection configuration is to customize the default global policy. You can alternatively create a new service policy as desired, for example, an interface-specific policy.

Note If you are editing the default global policy (or any in-use policy) to use a different SCCP inspection policy map, you must remove the SCCP inspection with the no inspect skinny command, and then re-add it with the new SCCP inspection policy map name.

There are two active Skinny sessions set up across the ASA. The first one is established between an internal Cisco IP Phone at local address 10.0.0.11 and an external Cisco CallManager at 172.18.1.33. TCP port 2000 is the CallManager.

NAT66, CUCM 10.5, and model 8831 phones: You can now configure Trust Verification Services servers in SIP inspection. You can also use NAT66. SIP inspection has been tested with CUCM 10.5. We added the trust-verification-server parameter command.
Page 231
During connection negotiation time, a BIND PDU is sent from the client to the server. Once a successful BIND RESPONSE from the server is received, other operational messages may be exchanged (such as ADD, DEL, SEARCH, or MODIFY) to perform operations on the ILS Directory. The ADD REQUEST Cisco ASA Series Firewall CLI Configuration Guide...
Page 232
(ADDRESS=(PROTOCOL=tcp)(DEV=6)(HOST=a.b.c.d)(PORT=a)) SQL*Net Version 2 TNSFrame types (Connect, Accept, Refuse, Resend, and Marker) will not be scanned for addresses to NAT nor will inspection open dynamic connections for any embedded ports in the packet. Cisco ASA Series Firewall CLI Configuration Guide...
Page 233
Dynamic ACLs are always added on the ingress direction and not on egress; therefore, this inspection engine does not support outbound ACLs. To view the dynamic ACLs configured for the ASA, use the show asp table classify domain permit command. Cisco ASA Series Firewall CLI Configuration Guide...
Page 234
To display the information about the Sun RPC service table configuration, enter the show running-config sunrpc-server command. The following is sample output from the show running-config sunrpc-server command: hostname(config)# show running-config sunrpc-server Cisco ASA Series Firewall CLI Configuration Guide...
In this output, port 647 corresponds to the mountd daemon running over UDP. The mountd process would more commonly be using port 32780. The mountd process running over TCP uses port 650 in this example.
The security appliance allows the appropriate port number and network address and also applies NAT, if needed, for the secondary connection.
Step 2 (Optional) To add a description to the policy map, enter the following command:
hostname(config-pmap)# description string

Step 3 To configure parameters that affect the inspection engine, perform the following steps. To enter parameters configuration mode, enter the following command:
hostname(config-pmap)# parameters
hostname(config-pmap-p)#
For information on matching statements, see Identify Traffic (Layer 3/4 Class Maps), page 1-13.

Step 2 Add or edit a policy map that sets the actions to take with the class map traffic.
policy-map name
You can only apply one policy map to each interface.

GTP Inspection

The following sections describe the GTP inspection engine.

Note GTP inspection requires a special license.
A GTP data connection (with the "j" flag set) is not replicated to the standby unit, because the active unit does not replicate embryonic connections to the standby unit.
Some traffic matching options use regular expressions for matching purposes. If you intend to use one of those techniques, first create the regular expression or regular expression class map.

Procedure

Step 1 Create a GTP inspection policy map:
hostname(config)# policy-map type inspect gtp policy_map_name
hostname(config-pmap)#
• ... the maximum number of GTP tunnels allowed to be active on the ASA. The default is 500. New requests are dropped once the number of tunnels specified by this command is reached.
GTP inspection map to permit responses from the GSN pool to the SGSN.
hostname(config)# object-group network gsnpool32
hostname(config-network)# network-object 192.168.100.0 255.255.255.0
hostname(config)# object-group network sgsn32
hostname(config-network)# network-object host 192.168.50.100
In the default configuration, the global_policy policy map is assigned globally to all interfaces. If you want to edit the global_policy, enter global_policy as the policy name.

Step 3 Identify the L3/L4 class map you are using for GTP inspection.
class name
The following is sample output from the show service-policy inspect gtp statistics command (the counters are listed by name):
hostname# show service-policy inspect gtp statistics
GPRS GTP Statistics:
  version_not_support
  msg_too_short
  unknown_msg
  unexpected_sig_msg
  unexpected_data_msg
  ie_duplicated
  mandatory_ie_missing
  mandatory_ie_incorrect
  optional_ie_incorrect
  ie_unknown
  ie_out_of_order
  ie_unexpected
  total_forwarded
  total_dropped
  signalling_msg_dropped
  data_msg_dropped
MS user.

RADIUS Accounting Inspection

The following sections describe the RADIUS Accounting inspection engine.
• RADIUS Accounting Inspection Overview, page 10-12
• Configure RADIUS Accounting Inspection, page 10-12
Step 2 Configure the RADIUS Accounting Inspection Service Policy, page 10-14.

Configure a RADIUS Accounting Inspection Policy Map

You must create a RADIUS accounting inspection policy map to configure the attributes needed for the inspection.
00:00:00. The default is one hour.

Example
policy-map type inspect radius-accounting radius-acct-pmap
 parameters
  send response
  enable gprs
  validate-attribute 31
  host 10.2.2.2 key 123456789
  host 10.1.1.1 key 12345
class-map type management radius-class
Where radius_accounting_policy_map is the RADIUS accounting inspection policy map you created in Configure a RADIUS Accounting Inspection Policy Map, page 10-12.
Example:
hostname(config-class)# no inspect radius-accounting
hostname(config-class)# inspect radius-accounting radius-class-map
Use the snmp-map map_name command to create the map and enter SNMP map configuration mode, then use the deny version version command to identify the versions to disallow. The version can be 1, 2, 2c, or 3.
Note If you are editing the default global policy (or any in-use policy) to use a different inspection policy map, you must remove the SNMP inspection with the no inspect snmp command, and then re-add it with the new inspection policy map name.
When XDMCP is used, the display is negotiated using IP addresses, which the ASA can NAT if needed. XDMCP inspection does not support PAT. For information on enabling XDMCP inspection, see Configure Application Layer Protocol Inspection, page 6-9.
PART: Connection Settings and Quality of Service
Whenever idle times are exceeded, DCD probes both sides of the connection to see if both sides agree the connection is valid. The show service-policy command includes counters to show the amount of activity from DCD.
You also use these rules to customize the TCP Normalizer, change TCP sequence randomization, decrement time-to-live on packets, and implement TCP Intercept, Dead Connection Detection, or TCP State Bypass.
1 minute. The default is 2 minutes. The SIP media timer is used for SIP RTP/RTCP with SIP UDP media packets, instead of the UDP inactivity timeout.
Wikipedia for details on SYN cookies). When the ASA receives an ACK back from the client, it can then authenticate that the client is real and allow the connection to the server. The component that performs the proxy is called TCP Intercept.
Step 3 Set the embryonic connection limits.
• set connection embryonic-conn-max n—The maximum number of simultaneous embryonic connections allowed, between 0 and 2000000. The default is 0, which allows unlimited connections.
– ... TCP packet to be sent, it is an invalid ACK.
– Whenever the ACK number of a received TCP packet is greater than the sequence number of the next TCP packet to be sent, it is an invalid ACK.
• {allow | clear}—Set the action for packets with the URG flag. You can allow the packet, or clear the flag and allow the packet. The default is to clear the flag.
For example, to allow urgent flag and urgent offset packets for all traffic sent to the range of TCP ports between the well-known FTP data port and the Telnet port, enter the following commands:
hostname(config)# tcp-map tmap
hostname(config-tcp-map)# urgent-flag allow
hostname(config-tcp-map)# class-map urg-class
hostname(config-cmap)# match port tcp range ftp-data telnet
ASA 1, then the packets will match the entry in the fast path, and are passed through. But if subsequent packets go to ASA 2, where there was not a SYN packet that went through
• TCP normalization—The TCP normalizer is disabled.
• Service module functionality—You cannot use TCP state bypass with any application running on any type of service module, such as IPS or CX.
• Stateful failover
Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface.
Step 2 Add or edit a policy map that sets the actions to take with the class map traffic, and identify the class map.
policy-map name
class name
Example:
hostname(config)# policy-map global_policy
hostname(config-pmap)# class preserve-sq-no
However, you can enter the commands on one line, and if you enter them separately, they are shown in the configuration as one command.
• {enable | disable}—Whether to enable or disable TCP sequence number randomization. Randomization is enabled by default.
Example:
hostname(config-pmap-c)# set connection conn-max 256 random-sequence-number disable

Step 4 Set connection timeouts and Dead Connection Detection (DCD).
... 50 burst-size 6

Step 6 Customize TCP Normalizer behavior by applying a TCP map.
set connection advanced-options tcp-map-name
Example:
hostname(config-pmap-c)# set connection advanced-options tcp_map1

Step 7 Implement TCP State Bypass.
set connection advanced-options tcp-state-bypass
The detail keyword shows history sampling data. The ASA samples the number of attacks 30 times during the rate interval, so for the default 30 minute period, statistics are collected every 60 seconds.
30 seconds timeout, and the connection timeout was lowered from 5 minutes to 30 seconds to provide better DoS protection. We modified the following commands: set connection timeout half-closed, timeout half-closed.
This section describes the QoS features available on the ASA.
• Supported QoS Features, page 12-2
• What is a Token Bucket?, page 12-2
• Policing, page 12-2
• Priority Queuing, page 12-3
• DSCP (DiffServ) Preservation, page 12-3
When traffic exceeds the maximum rate, the ASA drops the excess traffic. Policing also sets the largest single burst of traffic allowed.
Supported in routed firewall mode only. Does not support transparent firewall mode.

IPv6 Guidelines
Does not support IPv6.

Model Guidelines
• (ASA 5512-X through ASA 5555-X) Priority queuing is not supported on the Management 0/0 interface.
• (ASASM) Only policing is supported.
VPN, you might use 160 bytes. We recommend 256 bytes if you do not know what size to use.
• Delay—The delay depends on your application. For example, the recommended maximum delay for VoIP is 200 ms. We recommend 500 ms if you do not know what delay to use.
Step 1: ______ (Mbps or Kbps, expressed in Kbps) × 0.125 = ______ # of bytes/ms
Step 2: ______ # of bytes/ms (from Step 1) × ______ Delay (ms) ÷ ______ Maximum packet size (bytes) = ______ TX ring limit (# of packets)
The upper limit of the range of values for the tx-ring-limit command is determined dynamically at run time. To view this limit, enter tx-ring-limit ? on the command line. The key determinants are the memory needed to support the queues and the memory available on the device.
Identify Traffic (Layer 3/4 Class Maps), page 1-13 for more information.

Step 3 Create a class map to identify the traffic for which you want to perform policing.
... 56000 10500

The options are:
• conform-burst argument—Specifies the maximum number of instantaneous bytes allowed in a sustained burst before throttling to the conforming rate value, between 1000 and 512000000 bytes.
• "Packets Enqueued" denotes the overall number of packets that have been queued in this queue.
• "Current Q Length" denotes the current depth of this queue.
• "Max Q Length" denotes the maximum depth that ever occurred in this queue.
LAN-to-LAN connection polices the tunnel. In this example, the "host-specific" traffic is rate-limited before the tunnel, then the tunnel is rate-limited:
hostname(config)# access-list host-over-l2l extended permit ip any host 192.168.10.10
hostname(config)# class-map host-specific
hostname(config-cmap)# match access-list host-over-l2l
... 56000 10500
hostname(config-pmap-c)# class TG1-voice
hostname(config-pmap-c)# priority
hostname(config-pmap-c)# class TG1-best-effort
hostname(config-pmap-c)# police output 200000 37500
hostname(config-pmap-c)# class class-default
hostname(config-pmap-c)# police output 1000000 37500
hostname(config-pmap-c)# service-policy qos global
Ten Gigabit Ethernet support for a standard priority queue on the ASA 5585-X (8.2(3)/8.4(1)): We added support for a standard priority queue on Ten Gigabit Ethernet interfaces for the ASA 5585-X.
What You Can Test Using Ping

When you ping a device, a packet is sent to the device and the device returns a reply. This process enables network devices to discover, identify, and test each other.
ICMP rules, all ICMP access is allowed. In this case, no action is required. However, if you do implement ICMP rules, ensure that you include at least the following on each interface, replacing "inside" with the name of an interface on your device.
Sending 5, 100-byte ICMP Echos to 10.132.80.101, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

However, you can also add parameters to control some aspects of the ping. Following are your basic options:
Telnet or SSH sessions and sends them to those sessions, and enables logging. Instead of logging monitor debug, you can alternately use the logging buffer debug command to send log messages to a buffer, and then view them later using the show logging command.
Step 1 ... levels, and IP addresses. The diagram should also include any directly connected routers and a host on the other side of the router from which you will ping the ASA.
Figure: Ping Failure at the ASA Interface (Host, Router, ASA)

If the ping reply does not return to the router, then a switch loop or redundant IP addresses might exist (see the following figure).
NAT failed (305005 or 305006). If the ping is from an outside host to an inside host, and you do not have a static translation, you get message 106010.

Figure 13-5 Ping Failure Because the ASA is Not Translating Addresses (Host, Router, Security Appliance, Router, Host)
Step 4 If you are editing an existing service policy (such as the default global policy called global_policy), you can skip this step. Otherwise, activate the policy map on one or more interfaces.
service-policy policymap_name {global | interface interface_name}
Example:
hostname(config)# service-policy global_policy global
• No response was received for the probe within the timeout period.
• nn msec—For each node, the round-trip time (in milliseconds) for the specified number of probes.
• ICMP network unreachable.
• ICMP host unreachable.
• ICMP unreachable.
• ICMP administratively prohibited.
• Unknown ICMP error.
Besides verifying your configuration, you can use the tracer to debug unexpected behavior, such as packets being denied when they should be allowed.
TrustSec. You can specify a security group name or a tag number.
• fqdn fqdn-string—The fully qualified domain name of the destination host, IPv4 only.
• dport—The destination port for TCP/UDP traces. Do not include this value for ICMP or raw IP traces.
• ... Shows free and used memory.
• show blocks—Shows memory block information based on block size.
• show cpu—Shows CPU utilization.
• show process—Shows system process information. Following are some useful variants:
Monitoring Connections

To view current connections with information about source, destination, protocol, and so forth, use the show conn all detail command.
HTTPS traffic to the Cloud Web Security proxy servers based on service policy rules. The Cloud Web Security proxy servers then scan the content and allow, block, or send a warning about the traffic based on the policy configured in Cisco ScanCenter to enforce acceptable use and to protect users from malware.
In ScanCenter, traffic is matched against policy rules in order until a rule is matched. Cloud Web Security then applies the configured action for the rule, allowing or blocking the traffic, or warning the user. With warnings, the user has the option to continue on to the web site.
ASA modifies the name to use only one backslash (\) to conform to typical ScanCenter notation. For example, if you specify “Cisco\\Boulder1,” the ASA modifies the group name to be “Cisco\Boulder1” with only one backslash (\) when sending the group name to Cloud Web Security.
Many combinations of keys, groups, and policy rules are possible.

Failover from Primary to Backup Proxy Server

When you subscribe to the Cisco Cloud Web Security service, you are assigned a primary Cloud Web Security proxy server and a backup proxy server.
Guidelines for Cloud Web Security

On the Cloud Web Security side, you must purchase a Cisco Cloud Web Security license and identify the number of users that the ASA handles. Then log into ScanCenter and generate your authentication keys.
Security proxy servers do not become unreachable in the Active/Active failover scenario.

Procedure

Step 1 Enter ScanSafe general-options configuration mode. In multiple context mode, do this in the system context.
scansafe general-options
Example
... 192.168.43.10
hostname(cfg-scansafe)# server backup fqdn server.example.com

When you subscribe to the Cisco Cloud Web Security service, you are assigned primary and backup Cloud Web Security proxy servers. Enter their IP addresses (ip), or fully-qualified domain names (fqdn), on these commands.
Example
hostname(config)# class-map type inspect scansafe match-any whitelist1

Step 2 Specify the whitelisted users and groups.
match [not] {[user username] [group groupname]}
The match not keyword specifies that the user or group should be filtered using Cloud Web Security. For example, if you whitelist the group “cisco,” but you want to scan traffic from users “johncrichton” and “aerynsun,” which are members of that group, you can specify match not for those users. Repeat this command to add as many users and groups as needed.
FQDN network objects might be useful in exempting traffic to specific servers. You can also use identity firewall user arguments and Cisco Trustsec security groups to help identify traffic. Note that Trustsec security group information is not sent to Cloud Web Security; you cannot define policy based on security group.
Note If you are editing the default global policy (or any in-use policy) to use a different ScanSafe inspection policy map, you must remove the ScanSafe inspection with the no inspect scansafe command, and then re-add it with the new inspection policy map name.
The following example configures two classes: one for HTTP and one for HTTPS. Each ACL exempts traffic to www.cisco.com and to tools.cisco.com, and to the DMZ network, for both HTTP and HTTPS. All other traffic is sent to Cloud Web Security, except for traffic from several whitelisted users and groups.
CISCO\\Engineering
Where:
• user-group—Specifies a group name defined in the AD server.
• object-group-user—The name of a local object created by the object-group user command. This group can include multiple groups.
After you configure the ASA service policy rules, launch the ScanCenter Portal to configure Web content scanning, filtering, malware protection services, and reports. Go to: https://scancenter.scansafe.com/portal/admin/login.jsp. For more information, see the Cisco ScanSafe Cloud Web Security Configuration Guides: http://www.cisco.com/en/US/products/ps11720/products_installation_and_configuration_guides_list.h

Monitoring Cloud Web Security
• Active Directory Integration Example for Identity Firewall, page 14-17

Cloud Web Security Example with Identity Firewall

The following example shows a complete configuration for Cisco Cloud Web Security in single context mode, including the optional configuration for identity firewall. Configure Cloud Web Security on the ASA.
Running the last command should show the status as "UP." For the AD Agent to monitor logon/logoff events, you need to ensure that these are logged on all DCs that are actively being monitored. To do this, choose:
The following example shows how to manually start the download of the database from the Active Directory Agent if you think the user database is out of sync with Active Directory:
hostname(config)# user-identity update active-user-database
Cloud Web Security (9.0(1)): This feature was introduced. Cisco Cloud Web Security provides content scanning and other malware protection service for web traffic. It can also redirect and report about web traffic based on user identity. We introduced or modified the following commands:
ACL statistics are enabled by default.
• Scanning threat detection, which determines when a host is performing a scan. You can optionally shun any hosts determined to be a scanning threat.
The threat-detection statistics host command affects performance in a significant way; if you have a high traffic load, you might consider enabling this type of statistics temporarily. The threat-detection statistics port command, however, has modest impact.
• Traffic that is denied by an ACL does not trigger scanning threat detection; only traffic that is allowed through the ASA and that creates a flow is affected by scanning threat detection.
Basic threat detection statistics are enabled by default, and might be the only threat detection service that you need. Use the following procedure if you want to implement additional threat detection services.
You can configure up to three different rate intervals for each event type.

Configure Advanced Threat Detection Statistics

You can configure the ASA to collect extensive statistics. By default, statistics for ACLs are enabled. To enable other statistics, perform the following steps.
Protect Servers from a SYN Flood DoS Attack (TCP Intercept), page 11-4).
threat-detection statistics tcp-intercept [rate-interval minutes] [burst-rate attacks_per_sec] [average-rate attacks_per_sec]
Example:
hostname(config)# threat-detection statistics tcp-intercept rate-interval 60 burst-rate 800 average-rate 600
You can clear statistics using the clear threat-detection rate command. The following is sample output from the show threat-detection rate command:
hostname# show threat-detection rate
                          Average(eps)    Current(eps) Trigger      Total events
  10-min ACL  drop:
... [rate-1 | rate-2 | rate-3] | tcp-intercept [all] detail]]
... statistics that exceed the minimum display rate in events per second. You can set the min_display_rate between 0 and 2147483647. The following rows explain the optional keywords.
The following is sample output from the show threat-detection statistics host command:
hostname# show threat-detection statistics host
                          Average(eps)    Current(eps) Trigger      Total events
Host:10.0.0.1: tot-ses:289235 act-ses:22571 fw-drop:0 insp-drop:0 null-ses:21438 bad-acc:0
  1-hour Sent byte:              2938          10580308
HOST_PORT_CLOSE. Any client accessing the port of the host is immediately classified as a bad access without the need to wait for a timeout.
Monitoring Shunned Hosts, Attackers, and Targets

To monitor and manage shunned hosts and attackers and targets, use the following commands:
• show threat-detection shun—Displays the hosts that are currently shunned. For example:
The following commands were modified: threat-detection statistics port number-of-rates, threat-detection statistics protocol number-of-rates.

Improved memory usage (8.3(1)): The memory usage for threat detection was improved. The following command was introduced: show threat-detection memory.
VMware server. (FireSIGHT Management Center is also known as Defense Center.) For ASA FirePOWER running on ASA 5506-X devices, you can optionally configure the device using ASDM rather than FireSIGHT Management Center.
• How the ASA FirePOWER Module Works with the ASA, page 16-2
The following figure shows the traffic flow when using the ASA FirePOWER module in inline mode. In this example, the module blocks traffic that is not allowed for a certain application. All other traffic is forwarded through the ASA.
ASA. Only one type of security policy is allowed. In multiple context mode, you cannot configure inline tap monitor-only mode for some contexts, and regular inline mode for others. The following figure shows the traffic flow when operating in inline tap mode.
Figure 16-3 ASA FirePOWER Passive Monitor-Only, Traffic-Forwarding Mode (diagram: switch SPAN port, forwarded traffic to Gig 1/3 on the ASA FirePOWER module for inspection; main system inside/outside on Gig 1/1 with firewall and decryption policy)
After you perform initial configuration, configure the ASA FirePOWER security policy using FireSIGHT Management Center (for all models) or ASDM (for the 5506-X). Then configure the ASA policy for sending traffic to the ASA FirePOWER module using ASDM or Cisco Security Manager.
Management Center. Do not use different ASA-interface-based zone definitions for devices in the cluster.

Model Guidelines
• For ASA model software and hardware compatibility with the ASA FirePOWER module, see Cisco Compatibility.
Defaults for ASA FirePOWER
• For the ASA 5512-X through ASA 5555-X, you must install a Cisco solid state drive (SSD). For more information, see the ASA 5500-X hardware guide. (The SSD is standard on the 5506-X.)
ASA Management 0/0 and ASA FirePOWER Management 1/0 interfaces, and the ASA inside network for Internet access. Be sure to also add a route on the ASA to reach the Management network through the inside router.
ASA Management 0/0 not used (for example)

ASA 5506-X and 5512-X through ASA 5555-X (Software Module)

These models run the ASA FirePOWER module as a software module, and the ASA FirePOWER management interface shares the Management 0/0 interface with the ASA (Management 1/1 on the 5506-X).
ASA FirePOWER address must be on the same network as the ASA, and that excludes any networks already configured on other ASA interfaces. If the name is not configured, then the ASA FirePOWER address can be on any network, for example, the ASA inside network.
Step 2 Download the ASA FirePOWER system software from Cisco.com to an HTTP, HTTPS, or FTP server accessible from the ASA FirePOWER management interface. Do not download it to disk0 on the ASA.
When installation is complete, the system reboots. Allow 10 or more minutes for application component installation and for the ASA FirePOWER services to start. (The show module sfr output should show all processes as Up.)
For HTTP Proxy configuration, run 'configure network http-proxy'
(Wait for the system to reconfigure itself.)
This sensor must be managed by a Defense Center. A unique alphanumeric registration key is always required. In most cases, to register a sensor
Page 354
the ASA CLI; you can then set the ASA FirePOWER management IP address as part of setup.
Note: For a hardware module, you can complete the initial setup through the Console port.
Page 355
You must configure at least one of IPv4 or IPv6.
Do you want to configure IPv4? (y/n) [y]: y
Do you want to configure IPv6? (y/n) [n]:
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]:
Page 356
There is no other way to configure the module. For the ASA 5506-X, FireSIGHT Management Center is optional. If you do not configure one, you use ASDM to configure the ASA FirePOWER policy. There is no CLI for policy configuration; you must use ASDM or FireSIGHT Management Center.
Page 357
You use FireSIGHT Management Center to configure the security policy on the module. For the ASA 5506-X, you can alternatively use ASDM. However, you cannot use both ASDM and FireSIGHT Management Center; you must choose one or the other. If you configure a FireSIGHT Management Center for the module, you must use the configured manager.
Page 358
FireSIGHT Management Center.
Configure the Security Policy with ASDM
For the ASA 5506-X, if you do not configure a FireSIGHT Management Center, you use ASDM to configure the security policy. ASA FirePOWER pages are separate from the ASA configuration pages. Use the following pages to monitor and configure the module.
Page 359
Procedure
Step 1 Create an L3/L4 class map to identify the traffic that you want to send to the module.
class-map name
match parameter
Example:
hostname(config)# class-map firepower_class_map
hostname(config-cmap)# match access-list firepower
Page 360
Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface.
Page 361
Step 4 Enable the interface.
no shutdown
Repeat for any additional interfaces.
Examples
The following example makes GigabitEthernet 0/5 a traffic-forwarding interface:
interface gigabitethernet 0/5
 no nameif
 traffic-forward sfr monitor-only
 no shutdown
Page 362
In multiple context mode, perform this procedure in the system execution space.
• Hardware module (ASA 5585-X): hw-module module 1 {reload | reset}
• Software module (all other models): sw-module module sfr {reload | reset}
Page 363
You can either session to the module (using Telnet) or create a virtual console session. A console session might be useful if the control plane is down and you cannot establish a Telnet session. In multiple context mode, session from the system execution space.
Page 364
Once the boot image is installed, you install the System Software package. You must place the package on an HTTP, HTTPS, or FTP server that is accessible from the ASA FirePOWER. The following procedure explains how to install the boot image and then install the System Software package.
Page 365
Include the noconfirm option if you do not want to respond to confirmation messages. When installation is complete, the system reboots. Allow 10 or more minutes for application component installation and for the ASA FirePOWER services to start.
Page 367
App. Status Desc: Normal Operation
App. version: 5.3.1-100
Data Plane Status:
Status:
DC addr: 10.89.133.202
Mgmt IP addr: 10.86.118.7
Mgmt Network mask: 255.255.252.0
Mgmt Gateway: 10.86.116.1
Mgmt web ports:
Mgmt TLS enabled: true
Page 368
• ‘fail-close’ (rather than ‘fail-open’, which allows packets through even if the card is down). Check the card status and attempt to restart services or reboot it.
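The service-policy procedure for the module (class map, policy map, one global policy with per-interface override) and the fail-close versus fail-open choice above are shown together in the following complete configuration. This is an added example written for this page, not a listing from the guide; the access-list, class-map and policy-map names, the 10.1.1.0/24 inside network and the interface names inside and outside are assumptions. It uses the guide's own comment convention (lines beginning with a colon).

```cisco
: Added example, not from the guide. Names and addresses are illustrative.
: 1. Identify the traffic to send to the ASA FirePOWER module.
access-list sfr_acl extended permit ip 10.1.1.0 255.255.255.0 any
class-map sfr_class
 match access-list sfr_acl
: 2. global_policy is the default global policy map; the class is added to it,
:    so there is still only one global policy.
policy-map global_policy
 class sfr_class
  sfr fail-close
: fail-close drops matched traffic whenever the module is down, rebooting or
: not yet Up. The permissive form, which bypasses inspection while the module
: is unavailable, is "sfr fail-open"; passive inspection with no blocking is
: "sfr fail-open monitor-only" (demonstration use, per the guidelines).
service-policy global_policy global
: 3. Per-interface override: a policy applied to an interface takes precedence
:    over the global policy on that interface, and an interface can carry only
:    one policy map. Here everything entering "inside" is inspected.
class-map sfr_any
 match any
policy-map inside_policy
 class sfr_any
  sfr fail-close
service-policy inside_policy interface inside
: 4. Verify before depending on fail-close: the module must report Up and the
:    packet counters must increase while traffic flows.
show module sfr
show service-policy sfr
```

Apply fail-close only after show module sfr reports all processes Up; with fail-close in place a module that is still installing, or that has been reset with sw-module module sfr reset, blocks every matched flow until it comes back.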
Page 369
Page 370
ASA FirePOWER software module on the ASA 5506-X, and ASDM support for configuring the module (ASA 9.3(2), FirePOWER 5.4.1): You can run the ASA FirePOWER software module on the ASA 5506-X. You can manage the module using FireSIGHT Management Center, or you can use ASDM.
Page 371
• How the ASA CX Module Works with the ASA, page 17-2
• ASA CX Management Access, page 17-4
• Authentication Proxy for Active Authentication, page 17-5
• Compatibility with ASA Features, page 17-5
Page 372
The following figure shows the traffic flow when using the ASA CX module. In this example, the ASA CX module automatically blocks traffic that is not allowed for a certain application. All other traffic is forwarded through the ASA.
Page 373
The following figure shows the ASA GigabitEthernet 0/3 interface configured for traffic-forwarding. That interface is connected to a switch SPAN port so the ASA CX module can inspect all of the network traffic.
Page 374
SSH. These models run the ASA CX module as a software module. The ASA CX management interface shares the Management 0/0 interface with the ASA. Separate MAC addresses and IP addresses are supported for the ASA and ASA CX module. You must perform
Page 375
ASA CX-only interface. This interface is management-only. Policy Configuration and Management After you perform initial configuration, configure the ASA CX policy using Cisco Prime Security Manager (PRSM). PRSM is both the name of the ASA CX configuration interface and the name of a separate product for configuring ASA CX devices, Cisco Prime Security Manager.
Page 376
• (9.1(1) and earlier) Does not support NAT 64. In 9.1(2) and later, NAT 64 is supported.
Model Guidelines
• Supported only on the ASA 5585-X and 5512-X through ASA 5555-X. See the Cisco ASA Compatibility Matrix for more information: http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html
Page 377
Chapter 17 ASA CX Module
Guidelines for ASA CX
• For the 5512-X through ASA 5555-X, you must install a Cisco solid state drive (SSD). For more information, see the ASA 5500-X hardware guide.
Monitor-Only Mode Guidelines
Monitor-only mode is strictly for demonstration purposes and is not a normal operational mode for the module.
Page 378
Step 5 Configure the Security Policy on the ASA CX Module, page 17-16.
Step 6 (Optional.) Configure the Authentication Proxy Port, page 17-16.
Step 7 Redirect Traffic to the ASA CX Module, page 17-16.
Page 379
Internet access. Be sure to also add a route on the ASA to reach the Management network through the inside router.
(Figure labels: Proxy or DNS Server (for example); ASA gateway for Management; Router; Outside; Inside; Internet; ASA CX Default Gateway; Management; ASA Management 0/0; ASA CX Management 1/0; Management PC)
Page 380
ASA CX over the backplane or use ASDM to change the management IP address so you can use SSH.
(Figure labels: ASA 5545-X; ASA CX Management 0/0, Default IP: 192.168.1.2; ASA Management 0/0, Default IP: 192.168.1.1)
Page 381
(SSDs) come pre-installed and ready to go. If you want to add the ASA CX to an existing ASA, or need to replace the SSD, you need to install the ASA CX boot software and partition the SSD according to this procedure. To physically install the SSD, see the ASA hardware guide.
Page 382
IP address or host name.
ciscoasa# copy tftp://<TFTP SERVER>/asacx-5500x-boot-9.3.1.1-112.img disk0:/asacx-5500x-boot-9.3.1.1-112.img
Step 2 Download the ASA CX system software from Cisco.com to an HTTP, HTTPS, or FTP server accessible from the ASA CX management interface.
Set the ASA CX module boot image location in ASA disk0 by entering the following command:...
Page 383
ASA CX services to start. (The show module cxsc output should show all processes as Up.)
The following command installs the asacx-sys-9.3.1.1-112.pkg system software.
asacx-boot> system install https://upgrades.example.com/packages/asacx-sys-9.3.1.1-112.pkg
Username: buffy
Password: angelforever
Verifying
Downloading
Extracting
Page 384
• (ASA 5512-X through ASA 5555-X) Open a console session to the module from the ASA CLI. In multiple context mode, session from the system execution space.
hostname# session cxsc console
Page 385
Enter the following command:
asacx> setup
Example:
asacx> setup
Welcome to Cisco Prime Security Manager Setup
[hit Ctrl-C to abort]
Default values are inside [ ]
You are prompted through the setup wizard. The following example shows a typical path through the wizard;
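The boot-image, system-software and initial-setup steps of the ASA CX install procedure above, collected into one sequence for a software-module model (ASA 5512-X through ASA 5555-X). This is an added example, not a listing from the guide; the image and package file names are the ones the guide uses, while the TFTP server address 192.0.2.10, the HTTPS host upgrades.example.com and the hostname ciscoasa are placeholders. In multiple context mode every ASA command here is entered in the system execution space.

```cisco
: Added example, not from the guide. Addresses and host names are placeholders.
: 1. Copy the boot image to disk0 on the ASA (the system package is NOT
:    copied to disk0; it stays on an HTTP/HTTPS/FTP server the module can reach).
ciscoasa# copy tftp://192.0.2.10/asacx-5500x-boot-9.3.1.1-112.img disk0:/asacx-5500x-boot-9.3.1.1-112.img
: 2. Point the software module at the boot image and boot it.
ciscoasa# sw-module module cxsc recover configure image disk0:/asacx-5500x-boot-9.3.1.1-112.img
ciscoasa# sw-module module cxsc recover boot
: 3. Wait for the boot image to come up, then open a console session. The
:    console session is escaped with Ctrl-Shift-6, x; if you reach the ASA
:    through a terminal server that uses the same escape sequence, use
:    "session cxsc" instead, as the chapter's caveat on console sessions explains.
ciscoasa# show module cxsc
ciscoasa# session cxsc console
: 4. Give the boot image a management address so it can fetch the package,
:    then install. noconfirm suppresses the confirmation prompts.
asacx-boot> setup
asacx-boot> system install noconfirm https://upgrades.example.com/packages/asacx-sys-9.3.1.1-112.pkg
: 5. The module reboots into the system software. Allow 10 or more minutes
:    and do not proceed until every process is listed as Up.
ciscoasa# show module cxsc details
: 6. Initial configuration of the installed image: session over the backplane
:    (Telnet) and run the setup wizard shown above, then change the default
:    password before connecting the module to the management network.
ciscoasa# session cxsc
asacx> setup
```

Fetching the package over HTTPS rather than HTTP or FTP is the one choice here that matters for supply-chain integrity: the install runs with whatever the server returns, and the credentials prompted for by system install travel in the clear on the other two transports.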
Page 386
PRSM is both the name of the ASA CX configuration interface and the name of a separate product for configuring ASA CX devices, Cisco Prime Security Manager. The method for accessing the configuration interface, and how to use it, are the same. For details on using PRSM to configure your ASA CX security policy, see the ASA CX/PRSM user guide or online help.
Page 387
For information on matching statements, see Identify Traffic (Layer 3/4 Class Maps), page 1-13.
Step 2 Add or edit a policy map that sets the actions to take with the class map traffic.
policy-map name
Page 388
For demonstration purposes only, you can configure traffic-forwarding interfaces, where all traffic is forwarded directly to the ASA CX module. For normal ASA CX operation, see Create the ASA CX Service Policy, page 17-17.
Page 389
• Shut Down the Module, page 17-20
• (ASA 5512-X through ASA 5555-X) Uninstall a Software Module Image, page 17-21
• (ASA 5512-X through ASA 5555-X) Session to the Module From the ASA, page 17-21
Page 390
Note: If you reload the ASA, the module is not automatically shut down, so we recommend shutting down the module before reloading the ASA.
• Hardware module (ASA 5585-X): hw-module module 1 shutdown
• Software module (ASA 5512-X through ASA 5555-X): sw-module module cxsc shutdown
Page 391
ASA, the ASA CX console session is still active; you can never exit to the ASA prompt. You must use a direct serial connection to return the console to the ASA prompt. Use the session cxsc command instead of the console command when facing this situation.
Page 392
The following is sample output from the show service-policy command showing the ASA CX policy and the current statistics as well as the module status when the authentication proxy is disabled:
hostname# show service-policy cxsc
Global policy:
Service-policy: global_policy
Page 393
ASA receives a packet from CXSC without a Policy ID TLV. This TLV must be present in non-control packets if it does not have the Standby Active bit set in the actions field.
Page 394
Step 3 if traffic is being redirected on the correct configured port. You can check the configured port using the show running-config cxsc command or the show asp table classify domain cxsc-auth-proxy command.
Page 395
Page 396
The traffic-forwarding interface sends all traffic directly to the ASA CX module, bypassing the ASA. We modified or introduced the following commands: cxsc {fail-close | fail-open} monitor-only, traffic-forward cxsc monitor-only.
Page 397
Because control traffic cannot be filtered using an access-list or match, these options are not available in the system execution space. We modified the following command: capture interface asa_dataplane.
Page 398
History for the ASA CX Module
Page 399
This chapter describes how to configure the ASA IPS module. The ASA IPS module might be a hardware module or a software module, depending on your ASA model. For a list of supported ASA IPS modules per ASA model, see the Cisco ASA Compatibility Matrix: http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html
• Information About the ASA IPS Module, page 18-1
Page 400
No traffic that you identified for IPS inspection can continue through the ASA without first passing through, and being inspected by, the ASA IPS module. This mode is the most secure because every
Page 401
See the IPS documentation for more information about virtual sensors, including the maximum number of sensors supported. Figure 18-3 shows one security context paired with one virtual sensor (in inline mode), while two security contexts share the same virtual sensor.
Page 402
See the following information about the management interface:
– ASA 5585-X—The IPS management interface is a separate external Gigabit Ethernet interface.
Page 403
No support.
Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Model Support
• See the Cisco ASA Compatibility Matrix for information about which models support which modules: http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html
Additional Guidelines
• ASDM 7.3(2) and later is not compatible with IPS 7.3(2) or earlier. To manage IPS, connect to its IP address directly in your browser.
Page 404
ASA IPS module and then configuration of the ASA to send traffic to the ASA IPS module. To configure the ASA IPS module, perform the following steps:
Step 1 Cable the ASA IPS management interface. See Connecting the ASA IPS Management Interface, page 18-7.
Page 405
ASA Management 0/0 and IPS Management 1/0 interfaces, and the ASA inside network. Be sure to also add a route on the ASA to reach the Management network through the inside router.
Page 406
These models run the IPS module as a software module, and the IPS management interface shares the Management 0/0 interface with the ASA.
(Figure labels: ASA 5545-X; IPS Management 0/0, Default IP: 192.168.1.2; ASA Management 0/0, Default IP: 192.168.1.1)
Page 407
ASA interfaces. If the name is not configured, then the IPS address can be on any network, for example, the ASA inside network.
What to Do Next
• Configure basic network settings. See Configuring Basic IPS Module Network Settings, page 18-11.
Page 408
Telnet session: Accesses the module using Telnet. You are prompted for the username and password. The default username is cisco, and the default password is cisco.
Note: For a hardware module (for example, the ASA 5585-X), the first time you log in to the module, you are prompted to change the default password. Whether or not you are prompted, change the default password at first login; cisco/cisco is well known.
Page 409
• Existing ASA with new IPS installation—Download the IPS software from Cisco.com to a TFTP server. If you have a Cisco.com login, you can obtain the software from the following website: http://www.cisco.com/cisco/software/navigator.html?mdfid=282164240
Copy the software to the ASA:
hostname# copy tftp://server/file_path disk0:/file_path
For other download server types, see the general operations configuration guide.
Page 410
• Connect to the IPS management interface using SSH. If you did not change it, the default management IP address is 192.168.1.2. The default username is cisco, and the default password is cisco. See Information About Management Access, page 18-4 for more information about the management interface.
Page 411
Note: You do not need to be in multiple context mode to use virtual sensors; you can be in single mode and use different sensors for different traffic flows.
Prerequisites
For more information about configuring contexts, see the general operations configuration guide.
Page 412
changeto context context_name: Changes to the context so you can configure the IPS security policy as described in Diverting Traffic to the ASA IPS module, page 18-15.
Example:
hostname# changeto context customer1
hostname/customer1#
Page 413
This section identifies traffic to divert from the ASA to the ASA IPS module. Prerequisites In multiple context mode, perform these steps in each context execution space. To change to a context, enter the changeto context context_name command.
Page 414
ASA IPS module. If you enter a name that does not yet exist on the ASA IPS module, you get an error, and the command is rejected.
Page 415
TFTP server (for a hardware module), or from the local disk (software module).
Note: Do not use the upgrade command within the module software to install the image.
Page 416
Image URL [tftp://127.0.0.1/myimage]: tftp://10.1.1.1/ids-newimg
Port IP Address [127.0.0.2]: 10.1.2.10
Port Mask [255.255.255.254]: 255.255.255.0
Gateway IP Address [1.1.2.10]: 10.1.2.254
VLAN ID [0]: 100
Note: In multiple context mode, enter this command in the system execution space.
Page 417
Shuts down the module.
For a hardware module (for example, the ASA 5585-X): hw-module module 1 shutdown
For a software module (for example, the ASA 5545-X): sw-module module ips shutdown
Example:
hostname# hw-module module 1 shutdown
Page 418
Resetting the Password You can reset the module password to the default. For the user cisco, the default password is cisco. After resetting the password, you should change it to a unique value using the module application. Resetting the module password causes the module to reboot. Services are not available while the module is rebooting.
Page 419
The following is sample output from the show module details command, which provides additional information for an ASA with an SSC installed:
hostname# show module 1 details
Getting details from the Service Module, please wait...
ASA 5500 Series Security Services Card-5
Hardware version: 0.1
Page 420
AIP SSM in inline mode, and allows all traffic through if the AIP SSM fails for any reason. For the my-ips-class traffic, sensor1 is used; for the my-ips-class2 traffic, sensor2 is used.
hostname(config)# access-list my-ips-acl permit ip any 10.1.1.0 255.255.255.0
hostname(config)# access-list my-ips-acl2 permit ip any 10.2.1.0 255.255.255.0
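The two access lists above, carried through to the complete service policy that maps each class to its own virtual sensor, as an added example rather than the guide's own listing. The class, policy and sensor names are the ones the surrounding text uses; the interface name outside is an assumption, and the fail-close variant at the end goes beyond the text, which only shows fail-open.

```cisco
: Added example, not from the guide. "outside" is an assumed interface name.
hostname(config)# access-list my-ips-acl permit ip any 10.1.1.0 255.255.255.0
hostname(config)# access-list my-ips-acl2 permit ip any 10.2.1.0 255.255.255.0
: One class map per access list, so each class can name a different sensor.
hostname(config)# class-map my-ips-class
hostname(config-cmap)# match access-list my-ips-acl
hostname(config-cmap)# class-map my-ips-class2
hostname(config-cmap)# match access-list my-ips-acl2
: inline = traffic must pass through the module before it leaves the ASA;
: fail-open = if the module is down, the traffic is forwarded uninspected.
: sensor1 and sensor2 must already exist on the IPS module; an unknown
: sensor name is rejected by the ips command.
hostname(config-cmap)# policy-map my-ips-policy
hostname(config-pmap)# class my-ips-class
hostname(config-pmap-c)# ips inline fail-open sensor sensor1
hostname(config-pmap-c)# class my-ips-class2
hostname(config-pmap-c)# ips inline fail-open sensor sensor2
hostname(config-pmap-c)# service-policy my-ips-policy interface outside
: Hardened variant for the 10.1.1.0/24 class: drop instead of bypassing
: inspection while the module is unavailable. Re-entering the class replaces
: the earlier ips action. Promiscuous mode (copy only, no blocking) would be
: "ips promiscuous fail-open sensor sensor1".
hostname(config-pmap-c)# class my-ips-class
hostname(config-pmap-c)# ips inline fail-close sensor sensor1
: Confirm which sensor each class is bound to and that packets are counted.
hostname# show service-policy ips
```

Choose fail-open or fail-close per class according to what the traffic is: the guide's fail-open keeps the 10.1.1.0/24 and 10.2.1.0/24 networks reachable during a module reload at the cost of uninspected traffic, while fail-close on a class is what a practitioner wants when the module outage itself must not become an inspection bypass.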
Page 421
-60 for the ASA 5585-X. You can only install the ASA IPS SSP with a matching-level SSP; for example, SSP-10 and ASA IPS SSP-10.
Note: The ASA 5585-X is not supported in Version 8.3.
Page 422
ASA IPS SSP software module for the ASA 5512-X through ASA 5555-X: We introduced support for the ASA IPS SSP software module for the ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X. We introduced or modified the following commands: session, show module, sw-module.