Cisco 500 Series Manuals

Manuals and User Guides for Cisco 500 Series. We have 4 Cisco 500 Series manuals available for free PDF download: Configuration Manual, Manual, Hardware Installation Manual

Cisco 500 Series Configuration Manual

Cisco 500 Series Configuration Manual (1140 pages)

Security Appliance Command Line  
Brand: Cisco | Category: Security System | Size: 12.22 MB
Table of contents
Table Of Contents3................................................................................................................................................................
About This Guide39................................................................................................................................................................
Document Objectives39................................................................................................................................................................
Related Documentation40................................................................................................................................................................
Document Organization40................................................................................................................................................................
Document Conventions43................................................................................................................................................................
Introduction To The Security Appliance47................................................................................................................................................................
Firewall Functional Overview47................................................................................................................................................................
Security Policy Overview48................................................................................................................................................................
Permitting Or Denying Traffic With Access Lists48................................................................................................................................................................
Applying Http, Https, Or Ftp Filtering49................................................................................................................................................................
Applying Application Inspection49................................................................................................................................................................
Vpn Functional Overview51................................................................................................................................................................
Intrusion Prevention Services Functional Overview52................................................................................................................................................................
Getting Started53................................................................................................................................................................
Getting Started With Your Platform Model53................................................................................................................................................................
Factory Default Configurations53................................................................................................................................................................
Restoring The Factory Default Configuration54................................................................................................................................................................
Asa 5505 Default Configuration54................................................................................................................................................................
Asa 5510 And Higher Default Configuration55................................................................................................................................................................
Pix 515/515e Default Configuration56................................................................................................................................................................
Accessing The Command-line Interface56................................................................................................................................................................
Setting Transparent Or Routed Firewall Mode57................................................................................................................................................................
Working With The Configuration58................................................................................................................................................................
Saving Configuration Changes58................................................................................................................................................................
Saving Configuration Changes In Single Context Mode59................................................................................................................................................................
Saving Configuration Changes In Multiple Context Mode59................................................................................................................................................................
Copying The Startup Configuration To The Running Configuration60................................................................................................................................................................
Viewing The Configuration60................................................................................................................................................................
Clearing And Removing Configuration Settings61................................................................................................................................................................
Creating Text Configuration Files Offline61................................................................................................................................................................
How The Security Appliance Classifies Packets65................................................................................................................................................................
Valid Classifier Criteria65................................................................................................................................................................
Invalid Classifier Criteria66................................................................................................................................................................
Classification Examples67................................................................................................................................................................
Cascading Security Contexts70................................................................................................................................................................
Management Access To Security Contexts71................................................................................................................................................................
System Administrator Access71................................................................................................................................................................
Context Administrator Access72................................................................................................................................................................
Enabling Or Disabling Multiple Context Mode72................................................................................................................................................................
Restoring Single Context Mode73................................................................................................................................................................
Interface Overview75................................................................................................................................................................
Configuring Switch Ports And Vlan Interfaces For The Cisco Asa 5505 Adaptive Security75................................................................................................................................................................
Understanding Asa 5505 Ports And Interfaces76................................................................................................................................................................
Maximum Active Vlan Interfaces For Your License76................................................................................................................................................................
Default Interface Configuration78................................................................................................................................................................
Vlan Mac Addresses78................................................................................................................................................................
Configuring A Switch Port As A Trunk Port85................................................................................................................................................................
Allowing Communication Between Vlan Interfaces On The Same Security Level87................................................................................................................................................................
Configuring Ethernet Settings, Redundant Interfaces, And Subinterfaces89................................................................................................................................................................
Configuring And Enabling Rj-45 Interfaces89................................................................................................................................................................
Configuring And Enabling Fiber Interfaces91................................................................................................................................................................
Configuring The Fiber Interface92................................................................................................................................................................
Configuring A Redundant Interface92................................................................................................................................................................
Redundant Interface Overview93................................................................................................................................................................
Default State Of Redundant Interfaces93................................................................................................................................................................
Adding A Redundant Interface94................................................................................................................................................................
Changing The Active Interface95................................................................................................................................................................
Configuring Vlan Subinterfaces And 802.1q Trunking95................................................................................................................................................................
Maximum Subinterfaces96................................................................................................................................................................
Preventing Untagged Packets On The Physical Interface96................................................................................................................................................................
Resource Limits100................................................................................................................................................................
Class Members102................................................................................................................................................................
Configuring A Class102................................................................................................................................................................
Configuring A Security Context105................................................................................................................................................................
Automatically Assigning Mac Addresses To Context Interfaces109................................................................................................................................................................
Changing Between Contexts And The System Execution Space110................................................................................................................................................................
Removing A Security Context110................................................................................................................................................................
Changing The Admin Context111................................................................................................................................................................
Changing The Security Context Url111................................................................................................................................................................
Reloading A Security Context112................................................................................................................................................................
Reloading By Clearing The Configuration112................................................................................................................................................................
Reloading By Removing And Re-adding The Context113................................................................................................................................................................
Monitoring Security Contexts113................................................................................................................................................................
Viewing Resource Allocation114................................................................................................................................................................
Viewing Resource Usage117................................................................................................................................................................
Monitoring Syn Attacks In Contexts118................................................................................................................................................................
Configuring Interface Parameters121................................................................................................................................................................
Interface Parameters Overview122................................................................................................................................................................
Default State Of Interfaces123................................................................................................................................................................
Default Security Level123................................................................................................................................................................
Allowing Communication Between Interfaces On The Same Security Level127................................................................................................................................................................
Configuring Basic Settings129................................................................................................................................................................
Changing The Login Password129................................................................................................................................................................
Setting The Date And Time130................................................................................................................................................................
Setting The Hostname130................................................................................................................................................................
Setting The Domain Name130................................................................................................................................................................
Setting The Time Zone And Daylight Saving Time Date Range131................................................................................................................................................................
Setting The Date And Time Using An Ntp Server132................................................................................................................................................................
Setting The Date And Time Manually132................................................................................................................................................................
Setting The Management Ip Address For A Transparent Firewall133................................................................................................................................................................
Configuring Ip Routing135................................................................................................................................................................
Configuring Static And Default Routes135................................................................................................................................................................
Configuring A Static Route136................................................................................................................................................................
Configuring A Default Static Route137................................................................................................................................................................
Configuring Static Route Tracking138................................................................................................................................................................
Defining Route Maps140................................................................................................................................................................
Configuring Ospf141................................................................................................................................................................
Ospf Overview142................................................................................................................................................................
Enabling Ospf142................................................................................................................................................................
Redistributing Routes Into Ospf143................................................................................................................................................................
Configuring Ospf Interface Parameters144................................................................................................................................................................
Configuring Ospf Area Parameters147................................................................................................................................................................
Configuring Ospf Nssa147................................................................................................................................................................
Configuring Route Summarization Between Ospf Areas149................................................................................................................................................................
Configuring Route Summarization When Redistributing Routes Into Ospf149................................................................................................................................................................
Defining Static Ospf Neighbors150................................................................................................................................................................
Generating A Default Route150................................................................................................................................................................
Configuring Route Calculation Timers151................................................................................................................................................................
Logging Neighbors Going Up Or Down151................................................................................................................................................................
Displaying Ospf Update Packet Pacing152................................................................................................................................................................
Monitoring Ospf152................................................................................................................................................................
Restarting The Ospf Process153................................................................................................................................................................
Configuring Rip153................................................................................................................................................................
Redistributing Routes Into The Rip Routing Process155................................................................................................................................................................
Configuring Rip Send/receive Version On An Interface155................................................................................................................................................................
Enabling Rip Authentication156................................................................................................................................................................
Monitoring Rip156................................................................................................................................................................
Configuring Eigrp157................................................................................................................................................................
Eigrp Routing Overview157................................................................................................................................................................
Enabling And Configuring Eigrp Routing158................................................................................................................................................................
Enabling And Configuring Eigrp Stub Routing159................................................................................................................................................................
Enabling Eigrp Authentication160................................................................................................................................................................
Defining An Eigrp Neighbor161................................................................................................................................................................
Redistributing Routes Into Eigrp161................................................................................................................................................................
Configuring The Eigrp Hello Interval And Hold Time162................................................................................................................................................................
Disabling Automatic Route Summarization162................................................................................................................................................................
Configuring Summary Aggregate Addresses163................................................................................................................................................................
Disabling Eigrp Split Horizon163................................................................................................................................................................
Changing The Interface Delay Value164................................................................................................................................................................
Monitoring Eigrp164................................................................................................................................................................
Disabling Neighbor Change And Warning Message Logging165................................................................................................................................................................
The Routing Table165................................................................................................................................................................
How The Routing Table Is Populated166................................................................................................................................................................
Backup Routes167................................................................................................................................................................
How Forwarding Decisions Are Made167................................................................................................................................................................
Dynamic Routing And Failover168................................................................................................................................................................
Configuring Dhcp, Ddns, And Wccp Services169................................................................................................................................................................
Configuring A Dhcp Server169................................................................................................................................................................
Enabling The Dhcp Server170................................................................................................................................................................
Configuring Dhcp Options171................................................................................................................................................................
Using Cisco Ip Phones With A Dhcp Server172................................................................................................................................................................
Configuring Dhcp Relay Services173................................................................................................................................................................
Configuring Dynamic Dns174................................................................................................................................................................
Example 1: Client Updates Both A And Ptr Rrs For Static Ip Addresses175................................................................................................................................................................
Example 5: Client Updates A Rr; Server Updates Ptr Rr177................................................................................................................................................................
Configuring Web Cache Services Using Wccp177................................................................................................................................................................
Wccp Interaction With Other Features178................................................................................................................................................................
Enabling Wccp Redirection178................................................................................................................................................................
Configuring Multicast Routing181................................................................................................................................................................
Multicast Routing Overview
Enabling Multicast Routing
Configuring IGMP Features
Disabling IGMP On An Interface
Configuring Group Membership
Limiting The Number Of IGMP States On An Interface
Modifying The Query Interval And Query Timeout
Changing The Query Response Time
Changing The IGMP Version
Configuring PIM Features
Disabling PIM On An Interface
Configuring A Static Rendezvous Point Address
Configuring The Designated Router Priority
Configuring PIM Message Intervals
Configuring A Multicast Boundary
Supporting Mixed Bidirectional/Sparse-Mode PIM Networks
For More Information About Multicast Routing
Configuring IPv6 On An Interface
Configuring A Dual IP Stack On An Interface
Enforcing The Use Of Modified EUI-64 Interface IDs In IPv6 Addresses
Configuring IPv6 Default And Static Routes
Configuring IPv6 Access Lists
Configuring IPv6 Neighbor Discovery
Configuring Neighbor Solicitation Messages
Configuring Router Advertisement Messages
Configuring A Static IPv6 Neighbor
Verifying The IPv6 Configuration
The Show IPv6 Route Command
Configuring AAA Servers And The Local Database
AAA Overview
About Authentication
About Authorization
AAA Server And Local Database Support
Summary Of Support
RADIUS Server Support
Authentication Methods
SDI Server Support
SDI Version Support
LDAP Server Support
SSO Support For WebVPN With HTTP Forms
Fallback Support
Configuring The Local Database
Identifying AAA Server Groups And Servers
Configuring An LDAP Server
Authentication With LDAP
Authorization With LDAP For VPN
LDAP Attribute Mapping
Using Certificates And User Login Credentials
Using User Login Credentials
Supporting A Zone Labs Integrity Server
Overview Of Integrity Server And Security Appliance Interaction
Configuring Integrity Server Support
Hardware Requirements
Software Requirements
The Failover And Stateful Failover Links
Stateful Failover Link
Active/Active And Active/Standby Failover
Determining Which Type Of Failover To Use
Regular And Stateful Failover
Failover Health Monitoring
Unit Health Monitoring
Failover Feature/Platform Matrix
Failover Times By Platform
Failover Configuration Limitations
Configuring Active/Standby Failover
Configuring LAN-Based Active/Standby Failover
Configuring Optional Active/Standby Failover Settings
Configuring Active/Active Failover
Configuring Cable-Based Active/Active Failover (PIX 500 Series Security Appliance)
Configuring LAN-Based Active/Active Failover
Configuring Optional Active/Active Failover Settings
Configuring Unit Health Monitoring
Configuring Failover Communication Authentication/Encryption
Verifying The Failover Configuration
Using The Show Failover Command
Viewing Monitored Interfaces
Displaying The Failover Commands In The Running Configuration
Testing The Failover Functionality
Controlling And Monitoring Failover
Disabling Failover
Restoring A Failed Unit Or Failover Group
Failover System Messages
Remote Command Execution
Changing Command Modes
Security Considerations
Limitations Of Remote Command Execution
Monitoring The Auto Update Process
Routed Mode Overview
IP Routing Support
An Outside User Visits A Web Server On The DMZ
An Inside User Visits A Web Server On The DMZ
A DMZ User Attempts To Access An Inside Host
Transparent Firewall Network
Allowing Layer 3 Traffic
MAC Address Vs. Route Lookups
Using The Transparent Firewall In Your Network
Unsupported Features In Transparent Mode
An Inside User Visits A Web Server Using NAT
Access List Types
Access Control Entry Order
Access Control Implicit Deny
IP Addresses Used For Access Lists When You Use NAT
Adding An Extended Access List
Extended Access List Overview
Allowing Broadcast And Multicast Traffic Through The Transparent Firewall
Adding An Extended ACE
Adding An EtherType Access List
EtherType Access List Overview
Implicit Permit Of IP And ARPs Only
Implicit And Explicit Deny ACE At The End Of An Access List
Adding An EtherType ACE
Adding A Standard Access List
Adding A Webtype Access List
Simplifying Access Lists With Object Grouping
Adding Object Groups
Adding A Protocol Object Group
Adding A Network Object Group
Adding A Service Object Group
Adding An ICMP Type Object Group
Nesting Object Groups
Using Object Groups With An Access List
Displaying Object Groups
Removing Object Groups
Scheduling Extended Access List Activation
Adding A Time Range
Applying The Time Range To An ACE
Logging Access List Activity
Configuring Logging For An Access Control Entry
Managing Deny Flows
NAT Overview
NAT In Routed Mode
NAT In Transparent Mode
NAT Control
NAT Types
Bypassing NAT When NAT Control Is Enabled
NAT And Same Security Level Interfaces
Order Of NAT Commands Used To Match Real Addresses
Mapped Address Guidelines
DNS And NAT
Configuring NAT Control
Configuring Dynamic NAT Or PAT
Using Static NAT
Using Static PAT
Configuring Static Identity NAT
Configuring NAT Exemption
NAT Examples
Overlapping Networks
Redirecting Ports
Permitting Or Denying Network Access
Inbound And Outbound Access List Overview
Applying An Access List To An Interface
Applying AAA For Network Access
AAA Performance
Authentication Overview
One-Time Authentication
Static PAT And HTTP
Enabling Network Access Authentication
Enabling Secure Authentication Of Web Clients
Authenticating Directly With The Security Appliance
Enabling Direct Authentication Using HTTP And HTTPS
Enabling Direct Authentication Using Telnet
Configuring Authorization For Network Access
Configuring TACACS+ Authorization
Configuring RADIUS Authorization
Configuring A RADIUS Server To Send Downloadable Access Control Lists
Configuring A RADIUS Server To Download Per-User Access Control List Names
Configuring Accounting For Network Access
Using MAC Addresses To Exempt Traffic From Authentication And Authorization
Applying Filtering Services 377
Filtering Overview 377
Filtering ActiveX Objects 378
ActiveX Filtering Overview 378
Filtering Java Applets 379
Filtering URLs And FTP Requests With An External Server 380
URL Filtering Overview 380
Buffering The Content Server Response 382
Caching Server Addresses 382
Filtering HTTP URLs 383
Configuring HTTP Filtering 383
Exempting Traffic From Filtering 384
Filtering HTTPS URLs 384
Filtering FTP Requests 385
Viewing Filtering Statistics And Configuration 385
Viewing Filtering Server Statistics 386
Viewing Buffer Configuration And Statistics 387
Viewing Caching Statistics 387
Viewing Filtering Configuration 388
Using Modular Policy Framework 389
Modular Policy Framework Overview 389
Default Global Policy 390
Identifying Traffic Using A Layer 3/4 Class Map 390
Creating A Layer 3/4 Class Map For Through Traffic 391
Creating A Layer 3/4 Class Map For Management Traffic 393
Configuring Special Actions For Application Inspections 394
Creating A Regular Expression 394
Creating A Regular Expression Class Map 397
Identifying Traffic In An Inspection Class Map 398
Defining Actions In An Inspection Policy Map 399
Defining Actions Using A Layer 3/4 Policy Map 401
Layer 3/4 Policy Map Overview 401
Policy Map Guidelines 402
Supported Feature Types 402
Feature Matching Guidelines Within A Policy Map 403
Feature Matching Guidelines For Multiple Policy Maps 403
Order In Which Multiple Feature Actions Are Applied 404
Default Layer 3/4 Policy Map 404
Modular Policy Framework Examples 407
Applying Inspection And QoS Policing To HTTP Traffic 407
Applying Inspection To HTTP Traffic Globally 408
Applying Inspection And Connection Limits To HTTP Traffic To Specific Servers 409
Applying Inspection To HTTP Traffic With NAT 410
Managing The AIP SSM And CSC SSM 411
Managing The AIP SSM 411
How The AIP SSM Works With The Adaptive Security Appliance 412
Operating Modes 412
Using Virtual Sensors 413
AIP SSM Procedure Overview 414
Sessioning To The AIP SSM 415
Configuring The Security Policy On The AIP SSM 416
Assigning Virtual Sensors To Security Contexts 416
Diverting Traffic To The AIP SSM 418
Managing The CSC SSM 419
About The CSC SSM 420
Getting Started With The CSC SSM 422
Limiting Connections Through The CSC SSM 425
Diverting Traffic To The CSC SSM 426
Checking SSM Status 428
Transferring An Image Onto An SSM 429
Basic Threat Detection Overview 432
Managing Basic Threat Statistics 434
Configuring Scanning Threat Detection 435
Enabling Scanning Threat Detection 435
Managing Shunned Hosts 436
Viewing Attackers And Targets 437
Configuring And Viewing Threat Statistics 437
Viewing Threat Statistics 438
Configuring TCP Normalization 441
Configuring Connection Limits And Timeouts 444
Connection Limit Overview 444
Dead Connection Detection Overview 445
TCP Sequence Randomization Overview 445
Preventing IP Spoofing 446
Configuring The Fragment Size 447
Blocking Unwanted Connections 447
Configuring IP Audit For Basic IPS Support 448
QoS Concepts 450
Implementing QoS 450
Identifying Traffic For QoS 452
Defining A QoS Policy Map 453
Applying Rate Limiting 454
Activating The Service Policy 455
Applying Low Latency Queueing 456
Configuring Priority Queuing 456
Reducing Queue Latency 457
Configuring QoS 457
Viewing QoS Configuration 460
Viewing QoS Service Policy Configuration 460
Viewing QoS Policy Map Configuration 461
Viewing The Priority-queue Configuration For An Interface 461
Viewing QoS Priority Queue Statistics 463
Inspection Engine Overview 466
When To Use Application Protocol Inspection 466
Inspection Limitations 467
Default Inspection Policy 467
Configuring Application Inspection 469
CTIQBE Inspection 474
CTIQBE Inspection Overview 474
Verifying And Monitoring CTIQBE Inspection 475
DCERPC Inspection 476
DCERPC Overview 476
DNS Inspection 477
How DNS Application Inspection Works 478
How DNS Rewrite Works 478
Configuring DNS Rewrite 479
Using The Static Command For DNS Rewrite 480
Using The Alias Command For DNS Rewrite 480
DNS Rewrite With Three NAT Zones 481
Configuring DNS Rewrite With Three NAT Zones 483
Verifying And Monitoring DNS Inspection 484
Configuring A DNS Inspection Policy Map For Additional Inspection Control 485
ESMTP Inspection 488
Configuring An ESMTP Inspection Policy Map For Additional Inspection Control 488
Configuring An FTP Inspection Policy Map For Additional Inspection Control 491
Verifying And Monitoring FTP Inspection 495
GTP Inspection Overview 495
Configuring A GTP Inspection Policy Map For Additional Inspection Control 496
Verifying And Monitoring GTP Inspection 500
H.323 Inspection Overview 502
How H.323 Works 502
Configuring An H.323 Inspection Policy Map For Additional Inspection Control 503
Configuring H.323 And H.225 Timeout Values 506
Verifying And Monitoring H.323 Inspection 506
Monitoring H.245 Sessions 507
Monitoring H.323 RAS Sessions 508
HTTP Inspection Overview 508
Configuring An HTTP Inspection Policy Map For Additional Inspection Control 509
IM Inspection Overview 513
Configuring An Instant Messaging Inspection Policy Map For Additional Inspection Control 513
ICMP Inspection 516
ICMP Error Inspection 516
MGCP Inspection Overview 518
Configuring An MGCP Inspection Policy Map For Additional Inspection Control 520
Configuring MGCP Timeout Values 521
Verifying And Monitoring MGCP Inspection 521
NetBIOS Inspection 522
Configuring A NetBIOS Inspection Policy Map For Additional Inspection Control 522
PPTP Inspection 524
RADIUS Accounting Inspection 524
Configuring A RADIUS Inspection Policy Map For Additional Inspection Control 525
RSH Inspection 525
Using RealPlayer 526
Configuring An RTSP Inspection Policy Map For Additional Inspection Control 527
Configuring A SIP Inspection Policy Map For Additional Inspection Control 531
Configuring SIP Timeout Values 534
Verifying And Monitoring SIP Inspection 535
Skinny (SCCP) Inspection 535
SCCP Inspection Overview 536
Supporting Cisco IP Phones 536
Verifying And Monitoring SCCP Inspection 537
Configuring A Skinny (SCCP) Inspection Policy Map For Additional Inspection Control 537
SMTP And Extended SMTP Inspection 539
SNMP Inspection 540
SQL*Net Inspection 541
Sun RPC Inspection Overview 542
Managing Sun RPC Services 542
Verifying And Monitoring Sun RPC Inspection 543
TFTP Inspection 544
TLS Proxy For Encrypted Voice Inspection 544
Maximum TLS Proxy Sessions 545
Configuring TLS Proxy 546
Debugging TLS Proxy 549
CTL Client 552
XDMCP Inspection 554
Configuring ARP Inspection 555
ARP Inspection Overview 555
Adding A Static ARP Entry 556
Enabling ARP Inspection 556
Customizing The MAC Address Table 557
MAC Address Table Overview 557
Setting The MAC Address Timeout 558
Disabling MAC Address Learning 558
Configuring VPN 561
IPsec Overview 564
Configuring ISAKMP 564
Configuring ISAKMP Policies 567
Enabling ISAKMP On The Outside Interface 568
Disabling ISAKMP In Aggressive Mode 568
Enabling IPsec Over TCP 570
Waiting For Active Sessions To Terminate Before Rebooting 571
Alerting Peers Before Disconnecting 571
Creating A Certificate Group Matching Rule And Policy 572
Using The tunnel-group-map default-group Command 573
Understanding IPsec Tunnels 573
Understanding Transform Sets 574
Defining Crypto Maps 574
Changing IPsec SA Lifetimes 584
Creating A Basic IPsec Configuration 584
Using Dynamic Crypto Maps 586
Providing Site-to-site Redundancy 588
Viewing An IPsec Configuration 588
Clearing Security Associations 589
Clearing Crypto Map Configurations 589
Supporting The Nokia VPN Client 590
Configuring L2TP Over IPsec 593
L2TP Overview 593
IPsec Transport And Tunnel Modes 594
Configuring L2TP Over IPsec Connections 595
Tunnel Group Switching 597
Viewing L2TP Over IPsec Connection Information 597
Using L2TP Debug Commands 599
Enabling IPsec Debug 600
Getting Additional Information 600
Setting General IPsec VPN Parameters 603
Configuring VPNs In Single, Routed Mode 603
Permitting Intra-interface Traffic 604
NAT Considerations For Intra-interface Traffic 605
Setting Maximum Active IPsec VPN Sessions 605
Understanding Load Balancing 607
Implementing Load Balancing 608
Some Typical Mixed Cluster Scenarios 610
Scenario 1: Mixed Cluster With No WebVPN Connections 610
Configuring Load Balancing 611
Configuring The Public And Private Interfaces For Load Balancing 611
Configuring The Load Balancing Cluster Attributes 612
Enabling Redirection Using A Fully-qualified Domain Name 613
Configuring VPN Session Limits 614
Configuring Connection Profiles, Group Policies, And Users 617
Overview Of Connection Profiles, Group Policies, And Users 617
Connection Profiles 618
General Connection Profile Connection Parameters 619
IPsec Tunnel-group Connection Parameters 620
Connection Profile Connection Parameters For Clientless SSL VPN Sessions 621
Configuring Connection Profiles 622
Default IPsec Remote Access Connection Profile Configuration 622
Configuring IPsec Tunnel-group General Attributes 623
Configuring IPsec Remote-access Connection Profiles 623
Configuring IPsec Remote-access Connection Profile General Attributes 624
Enabling IPv6 VPN Access 627
Configuring IPsec Remote-access Connection Profile IPsec Attributes 628
Configuring IPsec Remote-access Connection Profile PPP Attributes 630
Configuring LAN-to-LAN Connection Profiles 631
Default LAN-to-LAN Connection Profile Configuration 632
Specifying A Name And Type For A LAN-to-LAN Connection Profile 632
Configuring LAN-to-LAN IPsec Attributes 633
Configuring Connection Profiles For Clientless SSL VPN Sessions 635
Specifying A Connection Profile Name And Type For Clientless SSL VPN Sessions 635
Configuring Tunnel-group Attributes For Clientless SSL VPN Sessions 638
Customizing Login Windows For Users Of Clientless SSL VPN Sessions 642
Configuring Microsoft Active Directory Settings For Password Management 643
Using Active Directory To Force The User To Change Password At Next Logon 644
Using Active Directory To Specify Maximum Password Age 645
Using Active Directory To Override An Account Disabled AAA Indicator 646
Using Active Directory To Enforce Minimum Password Length 647
Using Active Directory To Enforce Password Complexity 648
Group Policies 649
Default Group Policy 650
Configuring Group Policies 652
Configuring An External Group Policy 652
Configuring An Internal Group Policy 653
Configuring Group Policy Attributes 653
Configuring VPN-specific Attributes 654
Configuring Security Attributes 657
Configuring The Banner Message 659
Configuring IPsec-UDP Attributes 660
Configuring Split-tunneling Attributes 660
Configuring Domain Attributes For Tunneling 662
Configuring Attributes For VPN Hardware Clients 663
Configuring Backup Server Attributes 667
Configuring Microsoft Internet Explorer Client Parameters 668
Configuring Network Admission Control Parameters 670
Configuring Address Pools 673
Configuring Firewall Policies 674
Configuring Client Access Rules 677
Configuring Group-policy Attributes For Clientless SSL VPN Sessions 678
Setting A User Password And Privilege Level 690
Configuring VPN User Attributes 691
Configuring Clientless SSL VPN Access For Specific Users 695
Configuring IP Addresses For VPNs 707
Configuring An IP Address Assignment Method 707
Configuring DHCP Addressing 709
Configuring Remote Access IPsec VPNs 711
Configuring ISAKMP Policy And Enabling ISAKMP On The Outside Interface 713
Adding A User 714
Configuring An Address Pool 714
Creating A Dynamic Crypto Map 716
Creating A Crypto Map Entry To Use The Dynamic Crypto Map 717
Configuring Network Admission Control 719
Adding, Accessing, Or Removing A NAC Policy 722
Configuring A NAC Policy 723
Specifying The Access Control Server Group 723
Setting The Revalidation Timer 724
Configuring The Default ACL For NAC 724
Configuring Exemptions From NAC 725
Assigning A NAC Policy To A Group Policy 726
Changing Global NAC Framework Settings 726
Enabling And Disabling Clientless Authentication 727
Changing The Login Credentials Used For Clientless Authentication 727
Changing NAC Framework Session Attributes 728
Configuring Easy VPN Services On The ASA 731
Specifying The Primary And Secondary Servers 733
Specifying The Mode 733
Configuring Automatic Xauth Authentication 734
Configuring IPsec Over TCP 734
Comparing Tunneling Options 735
Specifying The Tunnel Group Or Trustpoint 736
Specifying The Tunnel Group 736
Specifying The Trustpoint 737
Configuring Split Tunneling 738
Configuring Device Pass-through 738
Configuring Remote Management 739
Guidelines For Configuring The Easy VPN Server 739
Group Policy And User Attributes Pushed To The Client 740
Authentication Options 742
Configuring The PPPoE Client 743
PPPoE Client Overview 743
Configuring The PPPoE Client Username And Password 744
Enabling PPPoE 745
Using PPPoE With A Fixed IP Address 745
Monitoring And Debugging The PPPoE Client 746
Clearing The Configuration 747
Using Related Commands 747
Configuring LAN-to-LAN IPsec VPNs 749
Configuring An ACL 752
Creating A Crypto Map And Applying It To An Interface 754
Observing Clientless SSL VPN Security Precautions 758
Understanding Features Not Supported In Clientless SSL VPN 759
Using SSL To Access The Central Site 759
Configuring Clientless SSL VPN And ASDM Ports 760
Configuring Support For Proxy Servers 760
Configuring SSL/TLS Encryption Protocols 761
Using Single Sign-on With Clientless SSL VPN 764
Configuring SSO With HTTP Basic Or NTLM Authentication 764
Configuring SSO Authentication Using SiteMinder 765
Configuring SSO Authentication Using SAML Browser Post Profile 768
Configuring SSO With The HTTP Form Protocol 770
Creating And Applying Clientless SSL VPN Resources 777
Using The Security Appliance Authentication Server 777
Configuring Browser Access To Client-server Plug-ins 779
About Installing Browser Plug-ins 780
Preparing The Security Appliance For A Plug-in 781
Providing Access To Plug-ins Redistributed By Cisco 781
Preparing The Citrix Metraframe Server For Clientless SSL VPN Access 784
Creating And Installing The Citrix Plug-in 784
Providing A Bookmark And Optional SSO Support For Citrix Sessions 785
Viewing The Plug-ins Installed On The Security Appliance786................................................................................................................................................................
Configuring Application Access786................................................................................................................................................................
Why Port Forwarding787................................................................................................................................................................
Port Forwarding Restrictions787................................................................................................................................................................
Adding Applications To Be Eligible For Port Forwarding788................................................................................................................................................................
Assigning A Port Forwarding List789................................................................................................................................................................
Automating Port Forwarding789................................................................................................................................................................
Enabling And Disabling Port Forwarding790................................................................................................................................................................
Configuring Smart Tunnel Access790................................................................................................................................................................
About Smart Tunnels791................................................................................................................................................................
Why Smart Tunnels791................................................................................................................................................................
Adding Applications To Be Eligible For Smart Tunnel Access792................................................................................................................................................................
Assigning A Smart Tunnel List794................................................................................................................................................................
Automating Smart Tunnel Access794................................................................................................................................................................
Enabling And Disabling Smart Tunnel Access795................................................................................................................................................................
Application Access User Notes795................................................................................................................................................................
Recovering From Hosts File Errors When Using Application Access796................................................................................................................................................................
Configuring File Access
Adding Support For File Access
Using Clientless SSL VPN With PDAs
Using E-mail Over Clientless SSL VPN
Configuring E-mail Proxies
E-mail Proxy Certificate Authentication
Configuring Web E-mail: MS Outlook Web Access
Optimizing Clientless SSL VPN Performance
Configuring Content Transformation
Configuring A Certificate For Signing Rewritten Java Content
Using Proxy Bypass
Configuring Application Profile Customization Framework
APCF Syntax
APCF Example
Clientless SSL VPN End User Setup
Defining The End User Interface
Viewing The Clientless SSL VPN Home Page
Viewing The Clientless SSL VPN Application Access Panel
Viewing The Floating Toolbar
Customizing Clientless SSL VPN Pages
How Customization Works
Exporting A Customization Template
Editing The Customization Template
Importing A Customization Object
Applying Customizations To Connection Profiles, Group Policies And Users
Customizing Help
Customizing A Help File Provided By Cisco
Creating Help Files For Languages Not Provided By Cisco
Importing A Help File To Flash Memory
Exporting A Previously Imported Help File From Flash Memory
Communicating Security Tips
Configuring Remote Systems To Use Clientless SSL VPN Features
Translating The Language Of User Messages
Referencing The Language In A Customization Object
Changing A Group Policy Or User Attributes To Use The Customization Object
Capturing Data
Using A Browser To Display Capture Data
Configuring AnyConnect VPN Client Connections
Remote PC System Requirements
Installing The AnyConnect SSL VPN Client
Installing The AnyConnect Client
Enabling AnyConnect Client Connections
Enabling Permanent Client Installation
Configuring DTLS
Ensuring Reliable DTLS Connections Through Third-party Firewalls
Prompting Remote Users
Enabling AnyConnect Client Profile Downloads
Enabling Additional AnyConnect Client Features
Enabling Start Before Logon
Translating Languages For AnyConnect User Messages
Configuring Advanced SSL VPN Features
Enabling Rekey
Enabling Keepalive
Using Compression
Adjusting MTU Size
Viewing SSL VPN Sessions
Logging Off SVC Sessions
Updating SSL VPN Client Images
Configuring Certificates
About Public Key Cryptography
Certificate Scalability
About Key Pairs
About Trustpoints
About Revocation Checking
About OCSP
Supported CA Servers
Certificate Configuration
Configuring Key Pairs
Generating Key Pairs
Removing Key Pairs
Configuring Trustpoints
Obtaining Certificates
Obtaining Certificates With SCEP
Obtaining Certificates Manually
Configuring CRLs For A Trustpoint
Exporting And Importing Trustpoints
Exporting A Trustpoint Configuration
Importing A Trustpoint Configuration
The Local CA
Configuring The Local CA Server
The Default Local CA Server
Customizing The Local CA Server
Certificate Characteristics
Defining Storage For Local CA Files
Default Flash Memory Data Storage
Setting Up External Local CA File Storage
CRL Storage
CRL Downloading
Enrolling Local CA Users
Setting Up Enrollment Parameters
Enrollment Requirements
Starting And Stopping The Local CA Server
Enabling The Local CA Server
Debugging The Local CA Server
Disabling The Local CA Server
Adding And Enrolling Users
Renewing Users
Revoking Certificates And Removing Or Restoring Users
Revocation Checking
Displaying Local CA Server Information
Display The Local CA Certificate
Display The CRL
Display The User Database
Local CA Server Maintenance And Backup Procedures
Maintaining The Local CA User Database
Local CA Certificate Rollover
Archiving The Local CA Server Certificate And Keypair
Managing System Access
Allowing Telnet Access
Allowing SSH Access
Configuring SSH Access
Using An SSH Client
Allowing HTTPS Access For ASDM
Enabling HTTPS Access
Accessing ASDM From Your PC
Configuring AAA For System Administrators
Configuring Authentication For CLI And ASDM Access
Configuring Authentication To Access Privileged EXEC Mode (The Enable Command)
Configuring Authentication For The Enable Command
Authenticating Users Using The Login Command
Limiting User CLI And ASDM Access With Management Authorization
Configuring Command Authorization
Command Authorization Overview
Configuring Local Command Authorization
Configuring TACACS+ Command Authorization
Configuring Command Accounting
Viewing The Current Logged-in User
Recovering From A Lockout
Configuring A Login Banner
Managing Software, Licenses, And Configurations913................................................................................................................................................................
Obtaining An Activation Key913................................................................................................................................................................
Entering A New Activation Key914................................................................................................................................................................
Downloading Software Or Configuration Files To Flash Memory915................................................................................................................................................................
Downloading A File To A Specific Location915................................................................................................................................................................
Downloading A File To The Startup Or Running Configuration916................................................................................................................................................................
Configuring The Application Image And Asdm Image To Boot917................................................................................................................................................................
Configuring The File To Boot As The Startup Configuration918................................................................................................................................................................
Performing Zero Downtime Upgrades For Failover Pairs918................................................................................................................................................................
Upgrading An Active/standby Failover Configuration919................................................................................................................................................................
Upgrading An Active/Active Failover Configuration
Backing Up Configuration Files
Backing Up The Single Mode Configuration Or Multiple Mode System Configuration
Backing Up A Context Configuration In Flash Memory
Backing Up A Context Configuration Within A Context
Using A Script To Back Up And Restore Files
Running The Script
Sample Script
Configuring Auto Update Support
Configuring Communication With An Auto Update Server
Configuring Client Updates As An Auto Update Server
Viewing Auto Update Status
Monitoring The Security Appliance
Using SNMP
Enabling SNMP
Configuring And Managing Logs
Logging Overview
Enabling And Disabling Logging
Enabling Logging To All Configured Output Destinations
Configuring Log Output Destinations
Sending System Log Messages To A Syslog Server
Sending System Log Messages To The Console Port
Sending System Log Messages To An E-mail Address
Sending System Log Messages To ASDM
Sending System Log Messages To A Telnet Or SSH Session
Sending System Log Messages To The Log Buffer
Filtering System Log Messages
Message Filtering Overview
Filtering System Log Messages By Class
Filtering System Log Messages With Custom Message Lists
Customizing The Log Configuration
Configuring The Logging Queue
Including The Date And Time In System Log Messages
Including The Device ID In System Log Messages
Generating System Log Messages In EMBLEM Format
Disabling A System Log Message
Changing The Severity Level Of A System Log Message
Changing The Amount Of Internal Flash Memory Available For Logs
Understanding System Log Messages
System Log Message Format
Testing Your Configuration
Troubleshooting The Security Appliance
Enabling ICMP Debug Messages And System Log Messages
Pinging Security Appliance Interfaces
Pinging Through The Security Appliance
Disabling The Test Configuration
Packet Tracer
Reloading The Security Appliance
Recovering Passwords For The ASA 5500 Series Adaptive Security Appliance
Recovering Passwords For The PIX 500 Series Security Appliance
Disabling Password Recovery
Resetting The Password On The SSM Hardware Module
Using The ROM Monitor To Load A Software Image
Erasing The Flash File System
Other Troubleshooting Tools
Common Problems
Viewing The Crash Dump
Cisco VPN Client Support
Cisco Secure Desktop Support
Cryptographic Standards
Example 1: System Configuration
Example 1: Admin Context Configuration
Example 1: Customer A Context Configuration
Example 1: Customer C Context Configuration
Example 2: Single Mode Firewall Using Same Security Level
Example 3: Department 1 Context Configuration
Example 3: Department 2 Context Configuration
Example 4: Multiple Mode, Transparent Firewall With Outside Access
Example 4: System Configuration
Example 4: Admin Context Configuration
Example 4: Customer A Context Configuration
Example 4: Customer B Context Configuration
Example 4: Customer C Context Configuration
Example 5: Clientless SSL VPN Configuration
Example 6: IPv6 Configuration
Example 7: Cable-based Active/Standby Failover (Routed Mode)
Example 8: LAN-based Active/Standby Failover (Routed Mode)
Example 8: Primary Unit Configuration
Example 8: Secondary Unit Configuration
Example 9: LAN-based Active/Active Failover (Routed Mode)
Example 9: Primary Unit Configuration
Example 9: Primary System Configuration
Example 9: Primary Admin Context Configuration
Example 9: Primary Ctx1 Context Configuration
Example 9: Secondary Unit Configuration
Example 11: Primary Unit Configuration
Example 11: Secondary Unit Configuration
Example 12: Primary Unit Configuration
Example 12: Primary System Configuration
Example 12: Primary Admin Context Configuration
Example 12: Primary Ctx1 Context Configuration
Example 12: Secondary Unit Configuration
Example 13: Dual ISP Support Using Static Route Tracking
Example 14: ASA 5505 Base License
Example 15: Primary Unit Configuration
Example 15: Secondary Unit Configuration
Using The Command-line Interface
Firewall Mode And Security Context Mode
Command Modes And Prompts
Command Completion
Command Help
Automatic Text Entries
Line Order
IPv6 Address Types
Unicast Addresses
Multicast Address
Anycast Address
Required Addresses
IPv6 Address Prefixes
Protocols And Applications
TCP And UDP Ports
Local Ports And Protocols
ICMP Types
Understanding Policy Enforcement Of Permissions And Attributes
Reviewing The LDAP Directory Structure And Configuration Procedure
Organizing The Security Appliance LDAP Schema
Searching The Hierarchy
Binding The Security Appliance To The LDAP Server
Defining The Security Appliance LDAP Schema
Cisco-AV-Pair Attribute Syntax
Example Security Appliance Authorization Schema
Loading The Schema In The LDAP Server
Defining User Permissions
Example User File
Reviewing Examples Of Active Directory Configurations
Example 2: Configuring LDAP Authentication With Microsoft Active Directory
Example 3: LDAP Authentication And LDAP Authorization With Microsoft Active Directory
Security Appliance TACACS+ Attributes
Glossary

Cisco 500 Series Configuration Manual

Cisco 500 Series Configuration Manual (989 pages)

Security Appliance Command Line  
Brand: Cisco | Category: Firewall | Size: 11.23 MB
Table of contents
Table Of Contents4................................................................................................................................................................
About This Guide33................................................................................................................................................................
Related Documentation34................................................................................................................................................................
Document Conventions37................................................................................................................................................................
Documentation Feedback38................................................................................................................................................................
Intrusion Prevention Services Functional Overview49................................................................................................................................................................
Security Context Overview50................................................................................................................................................................
Chapter 2 Getting Started51................................................................................................................................................................
Getting Started With Your Platform Model51................................................................................................................................................................
Factory Default Configurations51................................................................................................................................................................
Restoring The Factory Default Configuration52................................................................................................................................................................
Asa 5505 Default Configuration52................................................................................................................................................................
Asa 5510 And Higher Default Configuration53................................................................................................................................................................
Pix 515/515e Default Configuration54................................................................................................................................................................
Accessing The Command-line Interface54................................................................................................................................................................
Setting Transparent Or Routed Firewall Mode55................................................................................................................................................................
Working With The Configuration56................................................................................................................................................................
Saving Configuration Changes56................................................................................................................................................................
Saving Configuration Changes In Single Context Mode57................................................................................................................................................................
Saving Configuration Changes In Multiple Context Mode57................................................................................................................................................................
Copying The Startup Configuration To The Running Configuration58................................................................................................................................................................
Viewing The Configuration58................................................................................................................................................................
Clearing And Removing Configuration Settings59................................................................................................................................................................
Creating Text Configuration Files Offline59................................................................................................................................................................
Chapter 3 Enabling Multiple Context Mode 62
Unsupported Features 62
Context Configuration Files 62
Context Configurations 62
System Configuration 62
Admin Context Configuration 62
How The Security Appliance Classifies Packets 63
Valid Classifier Criteria 63
Invalid Classifier Criteria 64
Classification Examples 65
Cascading Security Contexts 68
Management Access To Security Contexts 69
System Administrator Access 69
Context Administrator Access 70
Enabling Or Disabling Multiple Context Mode 70
Backing Up The Single Mode Configuration 70
Enabling Multiple Context Mode 70
Restoring Single Context Mode 71
Configuring Switch Ports And VLAN Interfaces For The Cisco ASA 5505 Adaptive Security Appliance 73
Interface Overview 73
Understanding ASA 5505 Ports And Interfaces 74
Maximum Active VLAN Interfaces For Your License 74
Default Interface Configuration 75
VLAN MAC Addresses 76
Power Over Ethernet 76
Monitoring Traffic Using SPAN 76
Security Level Overview 77
Configuring VLAN Interfaces 77
Configuring Switch Ports As Access Ports 81
Configuring A Switch Port As A Trunk Port 83
Allowing Communication Between VLAN Interfaces On The Same Security Level 85
Chapter 5 Configuring Ethernet Settings And Subinterfaces 87
Configuring And Enabling RJ-45 Interfaces 87
Configuring And Enabling Fiber Interfaces 88
Configuring And Enabling Subinterfaces 89
Chapter 6 Adding And Managing Security Contexts 92
Configuring Resource Management 92
Resource Limits 92
Default Class 93
Class Members 94
Configuring A Class 94
Configuring A Security Context 97
Automatically Assigning MAC Addresses To Context Interfaces 101
Changing Between Contexts And The System Execution Space 101
Managing Security Contexts 102
Removing A Security Context 102
Changing The Admin Context 103
Changing The Security Context URL 103
Reloading A Security Context 104
Reloading By Clearing The Configuration 104
Reloading By Removing And Re-adding The Context 105
Viewing Context Information 105
Viewing Resource Allocation 106
Viewing Resource Usage 109
Monitoring SYN Attacks In Contexts 110
Chapter 7 Configuring Interface Parameters 113
Configuring The Interface 114
Allowing Communication Between Interfaces On The Same Security Level 118
Changing The Login Password 119
Changing The Enable Password 119
Setting The Hostname 120
Setting The Domain Name 120
Setting The Date And Time 120
Chapter 8 Configuring Basic Settings 120
Setting The Time Zone And Daylight Saving Time Date Range 121
Setting The Date And Time Using An NTP Server 122
Setting The Date And Time Manually 122
Setting The Management IP Address For A Transparent Firewall 123
Chapter 9 Configuring IP Routing 125
Configuring Static And Default Routes 125
Configuring A Static Route 126
Configuring A Default Route 127
Configuring Static Route Tracking 127
Defining Route Maps 130
Configuring OSPF 131
OSPF Overview 132
Enabling OSPF 132
Redistributing Routes Into OSPF 133
Configuring OSPF Interface Parameters 134
Configuring OSPF Area Parameters 136
Configuring OSPF NSSA 137
Configuring Route Summarization Between OSPF Areas 138
Configuring Route Summarization When Redistributing Routes Into OSPF 138
Defining Static OSPF Neighbors 139
Generating A Default Route 140
Configuring Route Calculation Timers 140
Logging Neighbors Going Up Or Down 141
Displaying OSPF Update Packet Pacing 141
Monitoring OSPF 142
Restarting The OSPF Process 142
Configuring RIP 143
Enabling And Configuring RIP 143
Redistributing Routes Into The RIP Routing Process 144
Configuring RIP Send/receive Version On An Interface 145
Enabling RIP Authentication 145
Monitoring RIP 146
The Routing Table 146
Displaying The Routing Table 146
How The Routing Table Is Populated 147
Backup Routes 148
How Forwarding Decisions Are Made 148
Configuring A DHCP Server 151
Enabling The DHCP Server 152
Chapter 10 Configuring DHCP, DDNS, And WCCP Services 152
Configuring DHCP Options 153
Using Cisco IP Phones With A DHCP Server 154
Configuring DHCP Relay Services 155
Configuring Dynamic DNS 156
Example 1: Client Updates Both A And PTR RRs For Static IP Addresses 156
Client And Updates Both RRs 158
Honors Client Request And Updates Both A And PTR RR 158
Example 5: Client Updates A RR; Server Updates PTR RR 159
Configuring Web Cache Services Using WCCP 159
WCCP Feature Support 159
WCCP Interaction With Other Features 160
Enabling WCCP Redirection 160
Configuring Multicast Routing 163
Multicast Routing Overview 163
Enabling Multicast Routing 164
Chapter 11 Configuring Multicast Routing 164
Disabling IGMP On An Interface 165
Configuring Group Membership 165
Configuring A Statically Joined Group 165
Controlling Access To Multicast Groups 165
Limiting The Number Of IGMP States On An Interface 166
Modifying The Query Interval And Query Timeout 166
Changing The Query Response Time 167
Changing The IGMP Version 167
Configuring Stub Multicast Routing 167
Configuring A Static Multicast Route 167
Disabling PIM On An Interface 168
Configuring PIM Features 168
Configuring A Static Rendezvous Point Address 169
Configuring The Designated Router Priority 169
Filtering PIM Register Messages 169
Configuring PIM Message Intervals 169
Configuring A Multicast Boundary 170
Filtering PIM Neighbors 170
Supporting Mixed Bidirectional/sparse-mode PIM Networks 171
For More Information About Multicast Routing 171
Chapter 12 Configuring IPv6 173
IPv6-enabled Commands 173
Configuring IPv6 On An Interface 175
Configuring A Dual IP Stack On An Interface 176
Enforcing The Use Of Modified EUI-64 Interface IDs In IPv6 Addresses 176
Configuring IPv6 Duplicate Address Detection 176
Configuring IPv6 Default And Static Routes 177
Configuring IPv6 Access Lists 178
Configuring IPv6 Neighbor Discovery 179
Configuring Neighbor Solicitation Messages 179
Configuring Router Advertisement Messages 181
Configuring A Static IPv6 Neighbor 183
Verifying The IPv6 Configuration 183
The Show IPv6 Interface Command 183
The Show IPv6 Route Command 184
Configuring AAA Servers And The Local Database 185
AAA Overview 185
About Authentication 185
About Authorization 186
About Accounting 186
AAA Server And Local Database Support 186
Chapter 13 Configuring AAA Servers And The Local Database 186
Summary Of Support 187
RADIUS Server Support 187
Authentication Methods 188
Attribute Support 188
RADIUS Authorization Functions 188
TACACS+ Server Support 188
SDI Server Support 188
SDI Version Support 189
Two-step Authentication Process 189
SDI Primary And Replica Servers 189
NT Server Support 189
Kerberos Server Support 189
LDAP Server Support 190
Authentication With LDAP 190
Authorization With LDAP For VPN 191
LDAP Attribute Mapping 192
SSO Support For WebVPN With HTTP Forms 193
Local Database Support 193
User Profiles 194
Fallback Support 194
Configuring The Local Database 194
Identifying AAA Server Groups And Servers 196
Using Certificates And User Login Credentials 199
Using User Login Credentials 199
Using Certificates 200
Supporting A Zone Labs Integrity Server 200
Overview Of Integrity Server And Security Appliance Interaction 201
Configuring Integrity Server Support 201
Understanding Failover 203
Chapter 14 Configuring Failover 204
The Failover And Stateful Failover Links 205
Stateful Failover Link 207
Active/Active And Active/Standby Failover 208
Active/Active Failover 211
Determining Which Type Of Failover To Use 216
Failover Health Monitoring 217
Interface Monitoring 218
Failover Feature/Platform Matrix 219
Failover Configuration Limitations 220
Configuring LAN-based Active/Standby Failover 222
Configuring Optional Active/Standby Failover Settings 225
Configuring Active/Active Failover 228
Configuring LAN-based Active/Active Failover 230
Configuring Optional Active/Active Failover Settings 234
Configuring Unit Health Monitoring 238
Verifying The Failover Configuration 239
Viewing Monitored Interfaces 247
Testing The Failover Functionality 248
Disabling Failover 249
Failover System Messages 250
Routed Mode Overview 253
Chapter 15 Firewall Mode Overview 254
An Inside User Visits A Web Server 255
An Outside User Visits A Web Server On The DMZ 256
An Inside User Visits A Web Server On The DMZ 257
An Outside User Attempts To Access An Inside Host 258
A DMZ User Attempts To Access An Inside Host 259
Transparent Firewall Network 260
MAC Address Lookups 261
Unsupported Features In Transparent Mode 262
How Data Moves Through The Transparent Firewall 263
An Outside User Visits A Web Server On The Inside Network 265
Access List Overview 269
Access List Types 270
Chapter 16 Identifying Traffic With Access Lists 271
Adding An Extended Access List 273
Allowing Special IP Traffic Through The Transparent Firewall 274
Adding An EtherType Access List 276
Adding A Standard Access List 277
Adding A Webtype Access List 278
Adding Object Groups 279
Adding A Network Object Group 280
Adding An ICMP Type Object Group 281
Nesting Object Groups 282
Using Object Groups With An Access List 283
Displaying Object Groups 284
Scheduling Extended Access List Activation 285
Applying The Time Range To An ACE 286
Configuring Logging For An Access Control Entry 287
Managing Deny Flows 288
NAT Overview 291
Introduction To NAT 292
Chapter 17 Applying NAT 293
NAT Types 295
Static NAT 297
Bypassing NAT When NAT Control Is Enabled 299
NAT And Same Security Level Interfaces 302
Order Of NAT Commands Used To Match Real Addresses 303
Configuring NAT Control 305
Using Dynamic NAT And PAT 306
Configuring Dynamic NAT Or PAT 312
Using Static NAT 315
Using Static PAT 316
Bypassing NAT 318
Configuring Static Identity NAT 319
Configuring NAT Exemption 321
NAT Examples 322
Overlapping Networks 323
Redirecting Ports 324
Chapter 18 Permitting Or Denying Network Access 328
Applying An Access List To An Interface 331
AAA Performance 333
Chapter 19 Applying AAA For Network Access 334
Static PAT And HTTP 335
Enabling Secure Authentication Of Web Clients 337
Configuring RADIUS Authorization 339
Configuring A RADIUS Server To Download Per-user Access Control List Names 343
Configuring Accounting For Network Access 344
Using MAC Addresses To Exempt Traffic From Authentication And Authorization 345
Filtering Overview 347
Chapter 20 Applying Filtering Services 348
Filtering Java Applets 349
URL Filtering Overview 350
Buffering The Content Server Response 351
Caching Server Addresses 352
Enabling Filtering Of Long HTTP URLs 353
Filtering HTTPS URLs 354
Viewing Filtering Statistics And Configuration 355
Viewing Buffer Configuration And Statistics 356
Viewing Caching Statistics 357
Modular Policy Framework Overview 359
Chapter 21 Using Modular Policy Framework 360
Creating A Layer 3/4 Class Map For Through Traffic 361
Creating A Layer 3/4 Class Map For Management Traffic 363
Creating A Regular Expression 364
Creating A Regular Expression Class Map 366
Identifying Traffic In An Inspection Class Map 367
Defining Actions In An Inspection Policy Map 368
Defining Actions Using A Layer 3/4 Policy Map 371
Default Layer 3/4 Policy Map 372
Adding A Layer 3/4 Policy Map 373
Applying A Layer 3/4 Policy To An Interface Using A Service Policy 375
Applying Inspection And QoS Policing To HTTP Traffic 376
Applying Inspection And Connection Limits To HTTP Traffic To Specific Servers 377
Applying Inspection To HTTP Traffic With NAT 378
Managing The AIP SSM 379
Chapter 22 Managing AIP SSM And CSC SSM 380
Sessioning To The AIP SSM And Running Setup 382
Managing The CSC SSM 383
Getting Started With The CSC SSM 385
Determining What Traffic To Scan 387
Limiting Connections Through The CSC SSM 389
Checking SSM Status 391
Transferring An Image Onto An SSM 392
Configuring TCP Normalization 395
Chapter 23 Preventing Network Attacks 396
Configuring Connection Limits And Timeouts 398
Preventing IP Spoofing 399
Configuring The Fragment Size 400
Configuring IP Audit For Basic IPS Support 401
Overview 403
Chapter 24 Applying QoS Policies 404
Identifying Traffic For QoS 406
Defining A QoS Policy Map 407
Applying Rate Limiting 408
Activating The Service Policy 409
Applying Low Latency Queueing 410
Reducing Queue Latency 411
Viewing QoS Configuration 414
Viewing QoS Policy Map Configuration 415
Viewing QoS Statistics 416
Viewing QoS Priority Queue Statistics 417
Chapter 25 Configuring Application Layer Protocol Inspection
Default Inspection Policy
Configuring Application Inspection
CTIQBE Inspection
Limitations And Restrictions
DCERPC Inspection
Configuring A DCERPC Inspection Policy Map For Additional Inspection Control
DNS Inspection
How DNS Rewrite Works
Configuring DNS Rewrite
Using The Alias Command For DNS Rewrite
DNS Rewrite With Three NAT Zones
Configuring DNS Rewrite With Three NAT Zones
Verifying And Monitoring DNS Inspection
ESMTP Inspection
FTP Inspection
FTP Inspection Overview
Configuring An FTP Inspection Policy Map For Additional Inspection Control
Verifying And Monitoring FTP Inspection
GTP Inspection
Configuring A GTP Inspection Policy Map For Additional Inspection Control
Verifying And Monitoring GTP Inspection
H.323 Inspection
Configuring H.323 And H.225 Timeout Values
Monitoring H.245 Sessions
Monitoring H.323 RAS Sessions
Configuring An HTTP Inspection Policy Map For Additional Inspection Control
Instant Messaging Inspection
IM Inspection Overview
ICMP Inspection
MGCP Inspection
MGCP Inspection Overview
Configuring An MGCP Inspection Policy Map For Additional Inspection Control
Configuring MGCP Timeout Values
Configuring A NetBIOS Inspection Policy Map For Additional Inspection Control
PPTP Inspection
RADIUS Accounting Inspection
RSH Inspection
Restrictions And Limitations
SIP Instant Messaging
Configuring A SIP Inspection Policy Map For Additional Inspection Control
Configuring SIP Timeout Values
Verifying And Monitoring SIP Inspection
SCCP Inspection Overview
Verifying And Monitoring SCCP Inspection
SMTP And Extended SMTP Inspection
SNMP Inspection
SQL*Net Inspection
Sun RPC Inspection Overview
Verifying And Monitoring Sun RPC Inspection
TFTP Inspection
Configuring ARP Inspection
Chapter 26 Configuring ARP Inspection And Bridging Parameters
Customizing The MAC Address Table
Setting The MAC Address Timeout
Tunneling Overview
Chapter 27 Configuring IPsec And ISAKMP
Configuring ISAKMP Policies
Enabling ISAKMP On The Outside Interface
Enabling IPsec Over NAT-T
Enabling IPsec Over TCP
Waiting For Active Sessions To Terminate Before Rebooting
Creating A Certificate Group Matching Rule And Policy
Using The Tunnel-group-map Default-group Command
Understanding Transform Sets
Applying Crypto Maps To Interfaces
Changing IPsec SA Lifetimes
Using Dynamic Crypto Maps
Providing Site-to-site Redundancy
Clearing Security Associations
Supporting The Nokia VPN Client
L2TP Overview
IPsec Transport And Tunnel Modes
Chapter 28 Configuring L2TP Over IPsec
Tunnel Group Switching
Using L2TP Debug Commands
Enabling IPsec Debug
Configuring VPNs In Single, Routed Mode
Chapter 29 Setting General IPsec VPN Parameters
NAT Considerations For Intra-interface Traffic
Understanding Load Balancing
Implementing Load Balancing
Eligible Platforms
Some Typical Mixed Cluster Scenarios
Configuring Load Balancing
Configuring The Load Balancing Cluster Attributes
Configuring VPN Session Limits
Overview Of Tunnel Groups, Group Policies, And Users
Chapter 30 Configuring Tunnel Groups, Group Policies, And Users
IPsec Tunnel-group Connection Parameters
WebVPN Tunnel-group Connection Parameters
Configuring Tunnel Groups
Configuring IPsec Tunnel-group General Attributes
Configuring IPsec Remote-access Tunnel Group IPsec Attributes
Configuring IPsec Remote-access Tunnel Group PPP Attributes
Configuring LAN-to-LAN Tunnel Groups
Configuring LAN-to-LAN Tunnel Group General Attributes
Configuring WebVPN Tunnel Groups
Configuring WebVPN Tunnel-group General Attributes
Configuring WebVPN Tunnel-group WebVPN Attributes
Customizing Login Windows For WebVPN Users
Configuring Microsoft Active Directory Settings For Password Management
Using Active Directory To Specify Maximum Password Age
Using Active Directory To Override An Account Disabled AAA Indicator
Using Active Directory To Enforce Minimum Password Length
Using Active Directory To Enforce Password Complexity
Group Policies
Default Group Policy
Configuring Group Policies
Configuring An Internal Group Policy
Configuring VPN-specific Attributes
Configuring Security Attributes
Configuring The Banner Message
Configuring Split-tunneling Attributes
Configuring Domain Attributes For Tunneling
Configuring Attributes For VPN Hardware Clients
Configuring Backup Server Attributes
Configuring Microsoft Internet Explorer Client Parameters
Configuring Network Admission Control Parameters
Configuring Address Pools
Configuring Firewall Policies
Configuring Client Access Rules
Configuring Group-policy WebVPN Attributes
Configuring User Attributes
Viewing The Username Configuration
Configuring WebVPN For Specific Users
Configuring An IP Address Assignment Method
Chapter 31 Configuring IP Addresses For VPN
Configuring DHCP Addressing
Summary Of The Configuration
Chapter 32 Configuring Remote Access IPsec VPNs
Configuring ISAKMP Policy And Enabling ISAKMP On The Outside Interface
Configuring An Address Pool
Defining A Tunnel Group
Creating A Dynamic Crypto Map
Creating A Crypto Map Entry To Use The Dynamic Crypto Map
Uses, Requirements, And Limitations
Chapter 33 Configuring Network Admission Control
Configuring The Default ACL For NAC
Configuring Exemptions From NAC
Changing Advanced Settings
Changing The Login Credentials Used For Clientless Authentication
Configuring NAC Session Attributes
Setting The Query-for-posture-changes Timer
Specifying The Client/server Role Of The Cisco ASA 5505
Specifying The Primary And Secondary Servers
Configuring Automatic Xauth Authentication
Comparing Tunneling Options
Specifying The Tunnel Group Or Trustpoint
Specifying The Trustpoint
Configuring Split Tunneling
Configuring Remote Management
Group Policy And User Attributes Pushed To The Client
Authentication Options
PPPoE Client Overview
Chapter 35 Configuring The PPPoE Client
Enabling PPPoE
Monitoring And Debugging The PPPoE Client
Clearing The Configuration
Chapter 36 Configuring LAN-to-LAN IPsec VPNs
Creating A Transform Set
Creating A Crypto Map And Applying It To An Interface
Getting Started With WebVPN
Chapter 37 Configuring WebVPN
Using SSL To Access The Central Site
Setting WebVPN HTTP/HTTPS Proxy
Enabling Cookies On Browsers For WebVPN
Configuring SSO With HTTP Basic Or NTLM Authentication
Configuring SSO Authentication Using SiteMinder
Configuring SSO With The HTTP Form Protocol
Authenticating With Digital Certificates
Creating Port Forwarding, URL, And Access Lists In Global Configuration Mode
Configuring WebVPN Tunnel Group Attributes
Configuring Application Access
Recovering From Hosts File Errors When Using Application Access
Stopping Application Access Improperly
Configuring File Access
Configuring Access To Citrix MetaFrame Services
Using WebVPN With PDAs
Using E-mail Over WebVPN
E-mail Proxy Certificate Authentication
Optimizing WebVPN Performance
Configuring A Certificate For Signing Rewritten Java Content
Configuring Application Profile Customization Framework
APCF Example
Viewing The WebVPN Home Page
Viewing The Floating Toolbar
Customizing WebVPN Pages
Customizing The WebVPN Login Page
Customizing The WebVPN Logout Page
Customizing The WebVPN Home Page
Customizing The Application Access Window
Customizing The Prompt Dialogs
Applying Customizations To Tunnel Groups, Groups And Users
Requiring Usernames And Passwords
Communicating Security Tips
Capturing WebVPN Data
Creating A Capture File
Installing SVC
Chapter 38 Configuring SSL VPN Client
Enabling SVC
Enabling Permanent SVC Installation
Enabling Rekey
Enabling Keepalive
Viewing SVC Sessions
Logging Off SVC Sessions
Public Key Cryptography
Chapter 39 Configuring Certificates
About Trustpoints
About OCSP
Supported CA Servers
Configuring Key Pairs
Removing Key Pairs
Obtaining Certificates
Obtaining Certificates Manually
Configuring CRLs For A Trustpoint
Exporting And Importing Trustpoints
Exporting A Trustpoint Configuration
Allowing Telnet Access
Chapter 40 Managing System Access
Using An SSH Client
Configuring AAA For System Administrators
Configuring Authentication For CLI Access
Configuring Authentication For The Enable Command
Configuring Command Authorization
Configuring TACACS+ Command Authorization
Configuring Command Accounting
Recovering From A Lockout
Configuring A Login Banner
Managing Licenses
Chapter 41 Managing Software, Licenses, And Configurations
Downloading Software Or Configuration Files To Flash Memory
Downloading A File To The Startup Or Running Configuration
Configuring The Application Image And ASDM Image To Boot
Performing Zero Downtime Upgrades For Failover Pairs
Upgrading And Active/Active Failover Configuration
Backing Up Configuration Files
Backing Up A Context Configuration Within A Context
Configuring Client Updates As An Auto Update Server
Viewing Auto Update Status
Using SNMP
Chapter 42 Monitoring The Security Appliance
Enabling SNMP
Configuring And Managing Logs
Enabling And Disabling Logging
Configuring Log Output Destinations
Sending System Log Messages To The Console Port
Sending System Log Messages To An E-mail Address
Sending System Log Messages To ASDM
Sending System Log Messages To A Telnet Or SSH Session
Sending System Log Messages To The Log Buffer
Filtering System Log Messages
Message Filtering Overview
Filtering System Log Messages With Custom Message Lists
Customizing The Log Configuration
Configuring The Logging Queue
Generating System Log Messages In EMBLEM Format
Changing The Severity Level Of A System Log Message
Changing The Amount Of Internal Flash Memory Available For Logs
Understanding System Log Messages
Testing Your Configuration
Chapter 43 Troubleshooting The Security Appliance
Pinging Through The Security Appliance
Disabling The Test Configuration
Traceroute
Performing Password Recovery For The ASA 5500 Series Adaptive Security Appliance
Password Recovery For The PIX 500 Series Security Appliance
Disabling Password Recovery
Other Troubleshooting Tools
Supported Platforms And Feature Licenses
Appendix A Feature Licenses And Specifications
Security Services Module Support
VPN Specifications
Cisco VPN Client Support
Cryptographic Standards
Example 1: Multiple Mode Firewall With Outside Access
Appendix B Sample Configuration
Example 1: Admin Context Configuration
Example 1: Customer C Context Configuration
Example 2: Single Mode Firewall Using Same Security Level
Example 3: Shared Resources For Multiple Contexts
Example 3: System Configuration
Example 3: Department 1 Context Configuration
Example 3: Department 2 Context Configuration
Example 4: Multiple Mode, Transparent Firewall With Outside Access
Example 4: System Configuration
Example 4: Admin Context Configuration
Example 4: Customer A Context Configuration
Example 4: Customer C Context Configuration
Example 6: IPv6 Configuration
Example 7: Cable-based Active/Standby Failover (Routed Mode)
Example 8: LAN-based Active/Standby Failover (Routed Mode)
Example 8: Secondary Unit Configuration
Example 9: Primary Unit Configuration
Example 9: Primary Admin Context Configuration
Example 9: Primary Ctx1 Context Configuration
Example 10: Cable-based Active/Standby Failover (Transparent Mode)
Example 11: LAN-based Active/Standby Failover (Transparent Mode)
Example 11: Secondary Unit Configuration
Example 12: LAN-based Active/Active Failover (Transparent Mode)
Example 12: Primary System Configuration
Example 12: Primary Ctx1 Context Configuration
Example 14: Dual ISP Support Using Static Route Tracking
Example 14: ASA 5505 Base License
Example 15: ASA 5505 Security Plus License With Failover And Dual-ISP Backup
Example 15: Secondary Unit Configuration
Local Ports And Protocols
IPv6 Addresses
ICMP Types
Selecting LDAP, RADIUS, Or Local Authentication And Authorization
Appendix E Configuring An External Server For Authorization And Authentication
Reviewing The LDAP Directory Structure And Configuration Procedure
Searching The Hierarchy
Binding The Security Appliance To The LDAP Server
Cisco-AV-Pair Attribute Syntax
Example Security Appliance Authorization Schema
Loading The Schema In The LDAP Server
Reviewing Examples Of Active Directory Configurations
Example 2: Configuring LDAP Authentication With Microsoft Active Directory
Example 3: LDAP Authentication And LDAP Authorization With Microsoft Active Directory
Configuring An External RADIUS Server
Security Appliance RADIUS Authorization Attributes
Adding Comments C
Passwords C
Private Networks D
Cisco 500 Series Manual

Cisco 500 Series Manual (4 pages)

Cisco Systems Security Appliances Upsell Guide  
Brand: Cisco | Category: Network Router | Size: 0.42 MB

Cisco 500 Series Hardware Installation Manual

Cisco 500 Series Hardware Installation Manual (2 pages)

Cisco Systems Universal Broadband Router Installation Guide  
Brand: Cisco | Category: Network Router | Size: 0.23 MB
