manualshive.com logo in svg

Cisco 500 Series, Configuration Manual

The Frigidaire 500 Series offers top-of-the-line performance and convenience for your kitchen. To ensure proper usage and maintenance, we provide a comprehensive Use And Care Manual for free download. Obtain your manual from manualshive.com and unlock the full potential of your Frigidaire 500 Series appliance effortlessly.

Share
Download
background image

 

37-13

Cisco Security Appliance Command Line Configuration Guide

OL-12172-03

Chapter 37      Configuring Clientless SSL VPN

  Getting Started

Detailed Tasks: Configuring SSO with 

SAML Post Profile

This section presents specific steps for configuring the security appliance to support SSO authentication 
with SAML Post Profile. To configure SSO with SAML-V1.1-POST, perform the following steps:

Step 1

In webvpn configuration mode, enter the 

sso-server

 command with the 

type

 option to create an SSO 

server. For example, to create an SSO server named Sample of type SAML-V1.1-POST, enter the 
following:

hostname(config)#

 webvpn

hostname(config-webvpn)# 

sso-server sample type SAML-V1.1-post

hostname(config-webvpn-sso-saml)#

Note

The security appliance currently supports only the Browser Post Profile type of SAML SSO Server.

Step 2

Enter the 

assertion-consumer-url 

command in webvpn-sso-saml configuration mode to specify the 

authentication URL of the SSO server. For example, to send authentication requests to the URL 
http://www.Example.com/webvpn, enter the following:

hostname(config-webvpn-sso-saml)# 

assertion-consumer-url http://www.sample.com/webvpn

hostname(config-webvpn-sso-saml)#

Step 3

Specify a unique string that identifies the security appliance itself when it generates assertions. 
Typically, this issuer name is the hostname for the security appliance as follows:

hostname(config-webvpn-sso-saml)# 

issuer myasa

hostname(config-webvpn-sso-saml)#

Step 4

Specify the identification certificate for signing the assertion with the 

trust-point 

command. An 

example follows:

hostname(config)# 

tunnel-group 209.165.200.225 type IPSec_L2L

hostname(config)# 

tunnel-group 209.165.200.225 ipsec-attributes

hostname(config-tunnel-ipsec)# 

trust-point mytrustpoint

Optionally, you can configure the number of seconds before a failed SSO authentication attempt times 
out using the 

request-timeout

 command in webvpn-sso-saml configuration mode. The default number 

of seconds is 5 seconds and the possible range is 1 to 30 seconds. To change the number of seconds 
before a request times out to 8, for example, enter the following:

hostname(config-webvpn-sso-saml)# 

request-timeout 8

hostname(config-webvpn-sso-saml)#

Step 5

Optionally, you can configure the number of times the security appliance retries a failed SSO 
authentication attempt before the authentication times-out using the 

max-retry-attempts 

command in 

webvpn-sso-saml configuration mode. The default is 3 retry attempts and the possible range is 1 to 5 
attempts. To configure the number of retries to be 4, for example, enter the following:

hostname(config-webvpn-sso-saml)# 

max-retry-attempts 4

hostname(config-webvpn-sso-saml)#

Step 6

After you configure the SSO server, you must specify SSO authentication for either a group or user. To 
specify SSO for a group, assign an SSO server to a group policy using the

 sso-server value 

command 

in group-policy-webvpn configuration mode. To specify SSO for a user, assign an SSO server to a user 
policy using the same command, 

sso-server value

, but in username-webvpn configuration mode. For 

example, to assign the SSO server named Example to the user named Anyuser, enter the following:

hostname(config)# 

username Anyuser attributes

hostname(config-username)# 

webvpn

Summary of Contents for 500 Series

Page 1: ...1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 527 0883 Cisco Security Appliance Command Line Configuration Guide For the Cisco ASA 5500 Series and Cisco PIX 500 Series Software Version 8 0 1 Customer Order Number N A Online only Text Part Number OL 12172 03 ...

Page 2: ...SUPPLIERS BE LIABLE FOR ANY INDIRECT SPECIAL CONSEQUENTIAL OR INCIDENTAL DAMAGES INCLUDING WITHOUT LIMITATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES Cisco Security Appliance Command Line Configuration Guide Copyright 2007 Cisco Systems Inc All rights reserved C...

Page 3: ...ity Policy Overview 1 2 Permitting or Denying Traffic with Access Lists 1 2 Applying NAT 1 2 Using AAA for Through Traffic 1 2 Applying HTTP HTTPS or FTP Filtering 1 3 Applying Application Inspection 1 3 Sending Traffic to the Advanced Inspection and Prevention Security Services Module 1 3 Sending Traffic to the Content Security and Control Security Services Module 1 3 Applying QoS Policies 1 3 Ap...

Page 4: ...ion to the Running Configuration 2 8 Viewing the Configuration 2 8 Clearing and Removing Configuration Settings 2 9 Creating Text Configuration Files Offline 2 9 C H A P T E R 3 Enabling Multiple Context Mode 3 1 Security Context Overview 3 1 Common Uses for Security Contexts 3 1 Unsupported Features 3 2 Context Configuration Files 3 2 Context Configurations 3 2 System Configuration 3 2 Admin Cont...

Page 5: ...rnet Settings Redundant Interfaces and Subinterfaces 5 1 Configuring and Enabling RJ 45 Interfaces 5 1 RJ 45 Interface Overview 5 1 Default State of Physical Interfaces 5 2 Connector Types 5 2 Auto MDI MDIX Feature 5 2 Configuring the RJ 45 Interface 5 2 Configuring and Enabling Fiber Interfaces 5 3 Default State of Physical Interfaces 5 3 Configuring the Fiber Interface 5 4 Configuring a Redundan...

Page 6: ...a Security Context 6 14 Reloading by Clearing the Configuration 6 14 Reloading by Removing and Re adding the Context 6 15 Monitoring Security Contexts 6 15 Viewing Context Information 6 15 Viewing Resource Allocation 6 16 Viewing Resource Usage 6 19 Monitoring SYN Attacks in Contexts 6 20 C H A P T E R 7 Configuring Interface Parameters 7 1 Security Level Overview 7 1 Configuring Interface Paramet...

Page 7: ...face Parameters 9 10 Configuring OSPF Area Parameters 9 13 Configuring OSPF NSSA 9 13 Configuring Route Summarization Between OSPF Areas 9 15 Configuring Route Summarization When Redistributing Routes into OSPF 9 15 Defining Static OSPF Neighbors 9 16 Generating a Default Route 9 16 Configuring Route Calculation Timers 9 17 Logging Neighbors Going Up or Down 9 17 Displaying OSPF Update Packet Paci...

Page 8: ...vices 10 1 Configuring a DHCP Server 10 1 Enabling the DHCP Server 10 2 Configuring DHCP Options 10 3 Using Cisco IP Phones with a DHCP Server 10 4 Configuring DHCP Relay Services 10 5 Configuring Dynamic DNS 10 6 Example 1 Client Updates Both A and PTR RRs for Static IP Addresses 10 7 Example 2 Client Updates Both A and PTR RRs DHCP Server Honors Client Update Request FQDN Provided Through Config...

Page 9: ...1 18 Configuring a Static Rendezvous Point Address 11 19 Configuring the Designated Router Priority 11 19 Filtering PIM Register Messages 11 19 Configuring PIM Message Intervals 11 20 Configuring a Multicast Boundary 11 20 Filtering PIM Neighbors 11 20 Supporting Mixed Bidirctional Sparse Mode PIM Networks 11 21 For More Information about Multicast Routing 11 22 C H A P T E R 12 Configuring IPv6 1...

Page 10: ... 13 5 SDI Version Support 13 5 Two step Authentication Process 13 5 SDI Primary and Replica Servers 13 5 NT Server Support 13 5 Kerberos Server Support 13 5 LDAP Server Support 13 6 SSO Support for WebVPN with HTTP Forms 13 6 Local Database Support 13 6 User Profiles 13 6 Fallback Support 13 7 Configuring the Local Database 13 7 Identifying AAA Server Groups and Servers 13 9 Configuring an LDAP Se...

Page 11: ... 18 Failover Times by Platform 14 18 Configuring Failover 14 19 Failover Configuration Limitations 14 19 Configuring Active Standby Failover 14 19 Prerequisites 14 20 Configuring Cable Based Active Standby Failover PIX 500 Series Security Appliance Only 14 20 Configuring LAN Based Active Standby Failover 14 21 Configuring Optional Active Standby Failover Settings 14 25 Configuring Active Active Fa...

Page 12: ...e Process 14 55 P A R T 2 Configuring the Firewall C H A P T E R 15 Firewall Mode Overview 15 1 Routed Mode Overview 15 1 IP Routing Support 15 1 How Data Moves Through the Security Appliance in Routed Firewall Mode 15 1 An Inside User Visits a Web Server 15 2 An Outside User Visits a Web Server on the DMZ 15 3 An Inside User Visits a Web Server on the DMZ 15 4 An Outside User Attempts to Access a...

Page 13: ...the Transparent Firewall 16 6 Adding an Extended ACE 16 6 Adding an EtherType Access List 16 8 EtherType Access List Overview 16 8 Supported EtherTypes 16 8 Implicit Permit of IP and ARPs Only 16 9 Implicit and Explicit Deny ACE at the End of an Access List 16 9 IPv6 Unsupported 16 9 Using Extended and EtherType Access Lists on the Same Interface 16 9 Allowing MPLS 16 9 Adding an EtherType ACE 16 ...

Page 14: ...NAT Control 17 4 NAT Types 17 6 Dynamic NAT 17 6 PAT 17 8 Static NAT 17 8 Static PAT 17 9 Bypassing NAT When NAT Control is Enabled 17 10 Policy NAT 17 10 NAT and Same Security Level Interfaces 17 13 Order of NAT Commands Used to Match Real Addresses 17 14 Mapped Address Guidelines 17 14 DNS and NAT 17 15 Configuring NAT Control 17 16 Using Dynamic NAT and PAT 17 17 Dynamic NAT and PAT Implementat...

Page 15: ...sing HTTP and HTTPS 19 6 Enabling Direct Authentication Using Telnet 19 7 Configuring Authorization for Network Access 19 8 Configuring TACACS Authorization 19 8 Configuring RADIUS Authorization 19 10 Configuring a RADIUS Server to Send Downloadable Access Control Lists 19 10 Configuring a RADIUS Server to Download Per User Access Control List Names 19 14 Configuring Accounting for Network Access ...

Page 16: ...g Special Actions for Application Inspections 21 6 Creating a Regular Expression 21 6 Creating a Regular Expression Class Map 21 9 Identifying Traffic in an Inspection Class Map 21 10 Defining Actions in an Inspection Policy Map 21 11 Defining Actions Using a Layer 3 4 Policy Map 21 13 Layer 3 4 Policy Map Overview 21 13 Policy Map Guidelines 21 14 Supported Feature Types 21 14 Feature Directional...

Page 17: ... 22 15 Diverting Traffic to the CSC SSM 22 16 Checking SSM Status 22 18 Transferring an Image onto an SSM 22 19 C H A P T E R 23 Preventing Network Attacks 23 1 Configuring Threat Detection 23 1 Configuring Basic Threat Detection 23 1 Basic Threat Detection Overview 23 2 Configuring Basic Threat Detection 23 2 Managing Basic Threat Statistics 23 4 Configuring Scanning Threat Detection 23 5 Enablin...

Page 18: ...ng 24 8 Configuring Priority Queuing 24 8 Sizing the Priority Queue 24 8 Reducing Queue Latency 24 9 Configuring QoS 24 9 Viewing QoS Configuration 24 12 Viewing QoS Service Policy Configuration 24 12 Viewing QoS Policy Map Configuration 24 13 Viewing the Priority Queue Configuration for an Interface 24 13 Viewing QoS Statistics 24 14 Viewing QoS Police Statistics 24 14 Viewing QoS Priority Statis...

Page 19: ...ection Control 25 21 ESMTP Inspection 25 24 Configuring an ESMTP Inspection Policy Map for Additional Inspection Control 25 24 FTP Inspection 25 26 FTP Inspection Overview 25 26 Using the strict Option 25 26 Configuring an FTP Inspection Policy Map for Additional Inspection Control 25 27 Verifying and Monitoring FTP Inspection 25 31 GTP Inspection 25 31 GTP Inspection Overview 25 31 Configuring a ...

Page 20: ...g Inspection 25 60 Configuring a RADIUS Inspection Policy Map for Additional Inspection Control 25 61 RSH Inspection 25 61 RTSP Inspection 25 61 RTSP Inspection Overview 25 61 Using RealPlayer 25 62 Restrictions and Limitations 25 62 Configuring an RTSP Inspection Policy Map for Additional Inspection Control 25 63 SIP Inspection 25 65 SIP Inspection Overview 25 65 SIP Instant Messaging 25 66 Confi...

Page 21: ...ng Parameters 26 1 Configuring ARP Inspection 26 1 ARP Inspection Overview 26 1 Adding a Static ARP Entry 26 2 Enabling ARP Inspection 26 2 Customizing the MAC Address Table 26 3 MAC Address Table Overview 26 3 Adding a Static MAC Address 26 3 Setting the MAC Address Timeout 26 4 Disabling MAC Address Learning 26 4 Viewing the MAC Address Table 26 4 P A R T 3 Configuring VPN C H A P T E R 27 Confi...

Page 22: ...onfiguration 27 22 Using Dynamic Crypto Maps 27 24 Providing Site to Site Redundancy 27 26 Viewing an IPSec Configuration 27 26 Clearing Security Associations 27 27 Clearing Crypto Map Configurations 27 27 Supporting the Nokia VPN Client 27 28 C H A P T E R 28 Configuring L2TP over IPSec 28 1 L2TP Overview 28 1 IPSec Transport and Tunnel Modes 28 2 Configuring L2TP over IPSec Connections 28 3 Tunn...

Page 23: ... Group Connection Parameters 30 4 Connection Profile Connection Parameters for Clientless SSL VPN Sessions 30 5 Configuring Connection Profiles 30 6 Default IPSec Remote Access Connection Profile Configuration 30 6 Configuring IPSec Tunnel Group General Attributes 30 7 Configuring IPSec Remote Access Connection Profiles 30 7 Specifying a Name and Type for the IPSec Remote Access Connection Profile...

Page 24: ...ng Group Policy Attributes 30 37 Configuring WINS and DNS Servers 30 37 Configuring VPN Specific Attributes 30 38 Configuring Security Attributes 30 41 Configuring the Banner Message 30 43 Configuring IPSec UDP Attributes 30 44 Configuring Split Tunneling Attributes 30 44 Configuring Domain Attributes for Tunneling 30 46 Configuring Attributes for VPN Hardware Clients 30 47 Configuring Backup Serv...

Page 25: ... 6 Creating a Crypto Map Entry to Use the Dynamic Crypto Map 32 7 C H A P T E R 33 Configuring Network Admission Control 33 1 Overview 33 1 Uses Requirements and Limitations 33 2 Viewing the NAC Policies on the Security Appliance 33 2 Adding Accessing or Removing a NAC Policy 33 4 Configuring a NAC Policy 33 5 Specifying the Access Control Server Group 33 5 Setting the Query for Posture Changes Ti...

Page 26: ...Guidelines for Configuring the Easy VPN Server 34 9 Group Policy and User Attributes Pushed to the Client 34 10 Authentication Options 34 12 C H A P T E R 35 Configuring the PPPoE Client 35 1 PPPoE Client Overview 35 1 Configuring the PPPoE Client Username and Password 35 2 Enabling PPPoE 35 3 Using PPPoE with a Fixed IP Address 35 3 Monitoring and Debugging the PPPoE Client 35 4 Clearing the Conf...

Page 27: ...Authenticating with Digital Certificates 37 20 Creating and Applying Clientless SSL VPN Resources 37 21 Assigning Users to Group Policies 37 21 Using the Security Appliance Authentication Server 37 21 Using a RADIUS Server 37 21 Configuring Connection Profile Attributes for Clientless SSL VPN 37 21 Configuring Group Policy and User Attributes for Clientless SSL VPN 37 22 Configuring Browser Access...

Page 28: ...0 Configuring File Access 37 43 Adding Support for File Access 37 43 Using Clientless SSL VPN with PDAs 37 45 Using E Mail over Clientless SSL VPN 37 45 Configuring E mail Proxies 37 46 E mail Proxy Certificate Authentication 37 46 Configuring Web E mail MS Outlook Web Access 37 47 Optimizing Clientless SSL VPN Performance 37 47 Configuring Caching 37 47 Configuring Content Transformation 37 48 Co...

Page 29: ...Customization Object 37 76 Changing a Group Policy or User Attributes to Use the Customization Object 37 78 Capturing Data 37 78 Creating a Capture File 37 78 Using a Browser to Display Capture Data 37 79 C H A P T E R 38 Configuring AnyConnect VPN Client Connections 38 1 Installing the AnyConnect SSL VPN Client 38 2 Remote PC System Requirements 38 2 Installing the AnyConnect Client 38 2 Enabling...

Page 30: ...on 39 5 Preparing for Certificates 39 5 Configuring Key Pairs 39 6 Generating Key Pairs 39 6 Removing Key Pairs 39 7 Configuring Trustpoints 39 7 Obtaining Certificates 39 9 Obtaining Certificates with SCEP 39 9 Obtaining Certificates Manually 39 11 Configuring CRLs for a Trustpoint 39 13 Exporting and Importing Trustpoints 39 14 Exporting a Trustpoint Configuration 39 15 Importing a Trustpoint Co...

Page 31: ...l CA Configuration 39 31 Display Certificate Database 39 31 Display the Local CA Certificate 39 32 Display the CRL 39 32 Display the User Database 39 33 Local CA Server Maintenance and Backup Procedures 39 34 Maintaining the Local CA User Database 39 34 Maintaining the Local CA Certificate Database 39 34 Local CA Certificate Rollover 39 35 Archiving the Local CA Server Certificate and Keypair 39 3...

Page 32: ...Obtaining an Activation Key 41 1 Entering a New Activation Key 41 2 Viewing Files in Flash Memory 41 2 Downloading Software or Configuration Files to Flash Memory 41 3 Downloading a File to a Specific Location 41 3 Downloading a File to the Startup or Running Configuration 41 4 Configuring the Application Image and ASDM Image to Boot 41 5 Configuring the File to Boot as the Startup Configuration 4...

Page 33: ...og Server 42 7 Sending System Log Messages to the Console Port 42 8 Sending System Log Messages to an E mail Address 42 9 Sending System Log Messages to ASDM 42 10 Sending System Log Messages to a Telnet or SSH Session 42 12 Sending System Log Messages to the Log Buffer 42 13 Filtering System Log Messages 42 15 Message Filtering Overview 42 15 Filtering System Log Messages by Class 42 16 Filtering...

Page 34: ...Recovery 43 9 Resetting the Password on the SSM Hardware Module 43 10 Using the ROM Monitor to Load a Software Image 43 10 Erasing the Flash File System 43 12 Other Troubleshooting Tools 43 12 Viewing Debug Messages 43 12 Capturing Packets 43 12 Viewing the Crash Dump 43 13 Common Problems 43 13 P A R T 5 Reference A P P E N D I X A Feature Licenses and Specifications A 1 Supported Platforms and F...

Page 35: ...lover Routed Mode B 20 Example 8 LAN Based Active Standby Failover Routed Mode B 21 Example 8 Primary Unit Configuration B 21 Example 8 Secondary Unit Configuration B 22 Example 9 LAN Based Active Active Failover Routed Mode B 22 Example 9 Primary Unit Configuration B 23 Example 9 Primary System Configuration B 23 Example 9 Primary admin Context Configuration B 24 Example 9 Primary ctx1 Context Co...

Page 36: ...nd Output C 4 Command Output Paging C 5 Adding Comments C 6 Text Configuration Files C 6 How Commands Correspond with Lines in the Text File C 6 Command Specific Configuration Mode Commands C 6 Automatic Text Entries C 7 Line Order C 7 Commands Not Included in the Text Configuration C 7 Passwords C 7 Multiple Security Context Files C 7 A P P E N D I X D Addresses Protocols and Ports D 1 IPv4 Addre...

Page 37: ...ecurity Appliance LDAP Schema E 5 Cisco AV Pair Attribute Syntax E 13 Example Security Appliance Authorization Schema E 15 Loading the Schema in the LDAP Server E 17 Defining User Permissions E 17 Example User File E 18 Reviewing Examples of Active Directory Configurations E 18 Example 1 Configuring LDAP Authorization with Microsoft Active Directory ASA PIX E 18 Example 2 Configuring LDAP Authenti...

Page 38: ...Contents xxxviii Cisco Security Appliance Command Line Configuration Guide OL 12172 03 ...

Page 39: ...e security appliance by using ASDM a web based GUI application ASDM includes configuration wizards to guide you through some common configuration scenarios and online Help for less common scenarios For more information see http www cisco com univercd cc td doc product netsec secmgmt asdm index htm This guide applies to the Cisco PIX 500 series security appliances PIX 515E PIX 525 and PIX 535 and t...

Page 40: ...e Security Appliance Provides a high level overview of the security appliance Chapter 2 Getting Started Describes how to access the command line interface configure the firewall mode and work with the configuration Chapter 3 Enabling Multiple Context Mode Describes how to use security contexts and enable multiple context mode Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA...

Page 41: ...ccess Chapter 20 Applying Filtering Services Describes ways to filter web traffic to reduce security risks or prevent inappropriate use Chapter 21 Using Modular Policy Framework Describes how to use the Modular Policy Framework to create security policies for TCP general connection settings inspection and QoS Chapter 22 Managing the AIP SSM and CSC SSM Describes how to configure the security appli...

Page 42: ...ing LAN to LAN IPSec VPNs Describes how to build a LAN to LAN VPN connection Chapter 37 Configuring Clientless SSL VPN Describes how to establish a secure remote access VPN tunnel to a security appliance using a web browser Chapter 38 Configuring AnyConnect VPN Client Connections Describes how to install and configure the SSL VPN Client Chapter 39 Configuring Certificates Describes how to configur...

Page 43: ...pport and Security Guidelines For information on obtaining documentation obtaining support providing documentation feedback security guidelines and also recommended aliases and general Cisco documents see the monthly What s New in Cisco Product Documentation which also lists all new and revised Cisco technical documentation at http www cisco com en US docs general whatsnew whatsnew html Appendix B...

Page 44: ...xliv Cisco Security Appliance Command Line Configuration Guide OL 12172 03 About This Guide Obtaining Documentation Obtaining Support and Security Guidelines ...

Page 45: ...P A R T 1 Getting Started and General Information ...

Page 46: ......

Page 47: ...age 1 6 Firewall Functional Overview Firewalls protect inside networks from unauthorized access by users on an outside network A firewall can also protect inside networks from each other for example by keeping a human resources network separate from a user network If you have network resources that need to be available to an outside user such as a web or FTP server you can place these resources on...

Page 48: ...age 1 3 Sending Traffic to the Advanced Inspection and Prevention Security Services Module page 1 3 Sending Traffic to the Content Security and Control Security Services Module page 1 3 Applying QoS Policies page 1 3 Applying Connection Limits and TCP Normalization page 1 3 Permitting or Denying Traffic with Access Lists You can apply an access list to limit traffic from inside to outside or allow...

Page 49: ...ion against viruses spyware spam and other unwanted traffic It accomplishes this by scanning the FTP HTTP POP3 and SMTP traffic that you configure the adaptive security appliance to send to it Applying QoS Policies Some network traffic such as voice and streaming video cannot tolerate long latency times QoS is a network feature that lets you give priority to these types of traffic QoS refers to th...

Page 50: ...ide and outside interfaces You might use a transparent firewall to simplify your network configuration Transparent mode is also useful if you want the firewall to be invisible to attackers You can also use a transparent firewall for traffic that would otherwise be blocked in routed mode For example a transparent firewall can allow multicast streams using an EtherType access list Stateful Inspectio...

Page 51: ...path or the control plane path Packets that go through the session management path include HTTP packets that require inspection or content filtering Packets that go through the control plane path include the control packets for protocols that require Layer 7 inspection VPN Functional Overview A VPN is a secure connection across a TCP IP network such as the Internet that appears as a private connec...

Page 52: ... having multiple standalone devices Many features are supported in multiple context mode including routing tables firewall features IPS and management Some features are not supported including VPN and dynamic routing protocols In multiple context mode the security appliance includes a configuration for each context that identifies the security policy interfaces and almost all the options you can c...

Page 53: ...rted are noted directly in each section Some models do not support all features covered in this guide For example the ASA 5505 adaptive security appliance does not support security contexts This guide might not list each supported model when discussing a feature To determine the features that are supported for your model before you start your configuration see the Supported Platforms and Feature L...

Page 54: ...memory command saves the running configuration to the default location for the startup configuration even if you previously configured the boot config command to set a different location when the configuration was cleared this path was also cleared Note This command also clears the boot system command if present along with the rest of the configuration The boot system command lets you boot from a ...

Page 55: ...n 1 no shutdown interface Ethernet 0 7 switchport access vlan 1 no shutdown interface vlan2 nameif outside no shutdown ip address dhcp setroute interface vlan1 nameif inside ip address 192 168 1 1 255 255 255 0 security level 100 no shutdown global outside 1 interface nat inside 1 0 0 http server enable http 192 168 1 0 255 255 255 0 inside dhcpd address 192 168 1 2 192 168 1 254 inside dhcpd auto...

Page 56: ...d for ASDM and is accessible to users on the 192 168 1 0 network The configuration consists of the following commands interface ethernet 1 ip address 192 168 1 1 255 255 255 0 nameif management security level 100 no shutdown asdm logging informational 100 asdm history enable http server enable http 192 168 1 0 255 255 255 0 management dhcpd address 192 168 1 2 192 168 1 254 management dhcpd lease ...

Page 57: ...ol See the hardware guide that came with your security appliance for more information about the console cable Step 2 Press the Enter key to see the following prompt hostname This prompt indicates that you are in user EXEC mode Step 3 To access privileged EXEC mode enter the following command hostname enable The following prompt appears Password Step 4 Enter the enable password at the prompt By def...

Page 58: ...text files To set the mode to transparent enter the following command in the system execution space hostname config firewall transparent This command also appears in each context configuration for informational purposes only you cannot enter this command in a context To set the mode to routed enter the following command in the system execution space hostname config no firewall transparent Working ...

Page 59: ...figurations can reside on external servers In this case the security appliance saves the configuration back to the server you identified in the context URL except for an HTTP or HTTPS URL which do not let you save the configuration to the server Saving All Context Configurations at the Same Time To save all context configurations at the same time as well as the system configuration enter the follo...

Page 60: ...he context context a could not be saved due to Unknown errors Copying the Startup Configuration to the Running Configuration Copy a new startup configuration to the running configuration using one of these options To merge the startup configuration with the running configuration enter the following command hostname config copy startup config running config A merge adds any new commands from the ne...

Page 61: ...ecific parameters or options of a command enter the following command hostname config no configurationcommand level2configurationcommand qualifier In this case you use the no command to remove the specific configuration identified by qualifier For example to remove a specific nat command enter enough of the command to identify it uniquely as follows hostname config no nat inside 1 To erase the sta...

Page 62: ...ds described in this guide are preceded by a CLI prompt The prompt in the following example is hostname config hostname config context a In the text configuration file you are not prompted to enter commands so the prompt is omitted as follows context a For additional information about formatting the file see Appendix C Using the Command Line Interface ...

Page 63: ...outing protocols This section provides an overview of security contexts and includes the following topics Common Uses for Security Contexts page 3 1 Unsupported Features page 3 2 Context Configuration Files page 3 2 How the Security Appliance Classifies Packets page 3 3 Cascading Security Contexts page 3 8 Management Access to Security Contexts page 3 9 Common Uses for Security Contexts You might ...

Page 64: ...iguration The system administrator adds and manages contexts by configuring each context configuration location allocated interfaces and other context operating parameters in the system configuration which like a single mode configuration is the startup configuration The system configuration identifies basic settings for the security appliance The system configuration does not include any network ...

Page 65: ...that context In transparent firewall mode unique interfaces for contexts are required so this method is used to classify packets at all times Unique MAC Addresses If multiple contexts share an interface then the classifier uses the interface MAC address The security appliance lets you assign a different MAC address in each context to the same shared interface whether it is a shared physical interf...

Page 66: ... 10 10 0 netmask 255 255 255 0 Context B static inside shared 10 20 10 0 10 20 10 0 netmask 255 255 255 0 Context C static inside shared 10 30 10 0 10 30 10 0 netmask 255 255 255 0 Note For management traffic destined for an interface the interface IP address is used for classification Invalid Classifier Criteria The following configurations are not used for packet classification NAT exemption The...

Page 67: ...Context B includes the MAC address to which the router sends the packet Figure 3 1 Packet Classification with a Shared Interface using MAC Addresses Classifier Context A Context B MAC 000C F142 4CDC MAC 000C F142 4CDB MAC 000C F142 4CDA GE 0 1 3 GE 0 1 2 GE 0 0 1 Shared Interface Admin Context GE 0 1 1 Host 209 165 201 1 Host 209 165 200 225 Host 209 165 202 129 Packet Destination 209 165 201 1 vi...

Page 68: ...to Context B Note If you share an inside interface and do not use unique MAC addresses the classifier imposes some major restrictions The classifier relies on the address translation configuration to classify the packet within a context and you must translate the destination addresses of the traffic Because you do not usually perform NAT on outside addresses sending packets from inside to outside ...

Page 69: ...ing Multiple Context Mode Security Context Overview Figure 3 3 Incoming Traffic from Inside Networks Host 10 1 1 13 Host 10 1 1 13 Host 10 1 1 13 Classifier Context A Context B GE 0 1 3 GE 0 1 2 GE 0 0 1 Admin Context GE 0 1 1 Inside Customer A Inside Customer B Internet Admin Network 92395 ...

Page 70: ...d cascading contexts the outside interface of one context is the same interface as the inside interface of another context You might want to cascade contexts if you want to simplify the configuration of some contexts by configuring shared parameters in the top context Note Cascading contexts requires that you configure unique MAC addresses for each context interface Because of the limitations of c...

Page 71: ...ss the security appliance console From the console you access the system execution space Access the admin context using Telnet SSH or ASDM See Chapter 40 Managing System Access to enable Telnet SSH and SDM access As the system administrator you can access all contexts When you change to a context from admin or the system your username changes to the default enable_15 username If you configured com...

Page 72: ...onvert from single mode to multiple mode by following the procedures in this section ASDM does not support changing modes so you need to change modes using the CLI This section includes the following topics Backing Up the Single Mode Configuration page 3 10 Enabling Multiple Context Mode page 3 10 Restoring Single Context Mode page 3 11 Backing Up the Single Mode Configuration When you convert fro...

Page 73: ...use the system configuration does not have any network interfaces as part of its configuration you must access the security appliance from the console to perform the copy To copy the old running configuration to the startup configuration and to change the mode to single mode perform the following steps in the system execution space Step 1 To copy the backup version of your original running configu...

Page 74: ...3 12 Cisco Security Appliance Command Line Configuration Guide OL 12172 03 Chapter 3 Enabling Multiple Context Mode Enabling or Disabling Multiple Context Mode ...

Page 75: ... This chapter includes the following sections Interface Overview page 4 1 Configuring VLAN Interfaces page 4 5 Configuring Switch Ports as Access Ports page 4 9 Configuring a Switch Port as a Trunk Port page 4 11 Allowing Communication Between VLAN Interfaces on the Same Security Level page 4 13 Interface Overview This section describes the ports and interfaces of the ASA 5505 adaptive security ap...

Page 76: ...the VLANs on the same network at Layer 2 using the configured security policy to apply firewall services See the Maximum Active VLAN Interfaces for Your License section for more information about the maximum VLAN interfaces VLAN interfaces let you divide your equipment into separate VLANs for example home business and Internet VLANs To segregate the switch ports into separate VLANs you assign each...

Page 77: ... Security Plus license you can configure 20 VLAN interfaces including a VLAN interface for failover and a VLAN interface as a backup link to your ISP This backup interface does not pass through traffic unless the route through the primary interface fails You can configure trunk ports to accomodate multiple VLANs per port Note The ASA 5505 adaptive security appliance supports Active Standby failove...

Page 78: ...anually assign MAC addresses In transparent firewall mode each VLAN has a unique MAC address You can override the generated MAC addresses if desired by manually assigning MAC addresses Power Over Ethernet Ethernet 0 6 and Ethernet 0 7 support PoE for devices such as IP phones or wireless access points If you install a non PoE device or do not connect to these switch ports the adaptive security app...

Page 79: ...ection NetBIOS inspection engine Applied only for outbound connections SQL Net inspection engine If a control connection for the SQL Net formerly OraServ port exists between a pair of hosts then only an inbound data connection is permitted through the adaptive security appliance Filtering HTTP S and FTP filtering applies only for outbound connections from a higher level to a lower level For same s...

Page 80: ...number specifies the VLAN ID to which this VLAN interface cannot initiate traffic With the Base license you can only configure a third VLAN if you use this command to limit it For example you have one VLAN assigned to the outside for Internet access one VLAN assigned to an inside business network and a third VLAN assigned to your home network The home network does not need to access the business n...

Page 81: ...enter this command to reset the DHCP lease and request a new lease If you do not enable the interface using the no shutdown command before you enter the ip address dhcp command some DHCP requests might not be sent To obtain an IP address from a PPPoE server see Chapter 35 Configuring the PPPoE Client Step 6 Optional To assign a private MAC address to this interface enter the following command host...

Page 82: ... 3 1 1 255 255 255 0 hostname config if no shutdown hostname config if interface vlan 400 hostname config if nameif backup isp hostname config if security level 50 hostname config if ip address 10 1 2 1 255 255 255 0 hostname config if no shutdown hostname config if failover lan faillink vlan500 hostname config failover interface ip faillink 10 4 1 1 255 255 255 0 standby 10 4 1 2 255 255 255 0 Th...

Page 83: ...k loop To configure a switch port perform the following steps Step 1 To specify the switch port you want to configure enter the following command hostname config interface ethernet0 port Where port is 0 through 7 For example enter the following command hostname config interface ethernet0 1 Step 2 To assign this switch port to a VLAN enter the following command hostname config if switchport access ...

Page 84: ...n command hostname config interface vlan 100 hostname config if nameif outside hostname config if security level 0 hostname config if ip address 10 1 1 1 255 255 255 0 hostname config if no shutdown hostname config if interface vlan 200 hostname config if nameif inside hostname config if security level 100 hostname config if ip address 10 2 1 1 255 255 255 0 hostname config if no shutdown hostname...

Page 85: ...eed and duplex to a fixed value thus disabling auto negotiation for both settings then Auto MDI MDIX is also disabled To configure a trunk port perform the following steps Step 1 To specify the switch port you want to configure enter the following command hostname config interface ethernet0 port Where port is 0 through 7 For example enter the following command hostname config interface ethernet0 1...

Page 86: ...ot already enabled enter the following command hostname config if no shutdown To disable the switch port enter the shutdown command The following example configures seven VLAN interfaces including the failover interface which is configured using the failover lan command VLANs 200 201 and 202 are trunked on Ethernet 0 1 hostname config interface vlan 100 hostname config if nameif outside hostname c...

Page 87: ... hostname config if interface ethernet 0 3 hostname config if switchport access vlan 400 hostname config if no shutdown hostname config if interface ethernet 0 4 hostname config if switchport access vlan 500 hostname config if no shutdown Allowing Communication Between VLAN Interfaces on the Same Security Level By default interfaces on the same security level cannot communicate with each other All...

Page 88: ...nce Command Line Configuration Guide OL 12172 03 Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Allowing Communication Between VLAN Interfaces on the Same Security Level ...

Page 89: ...exts according to Chapter 6 Adding and Managing Security Contexts and finally configure the interface parameters within each context according to Chapter 7 Configuring Interface Parameters Note To configure interfaces for the ASA 5505 adaptive security appliance see Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance This chapter includes the f...

Page 90: ...ber SFP RJ 45 is the default If you want to configure the security appliance to use the fiber SFP connectors see the Configuring and Enabling Fiber Interfaces section on page 5 3 Auto MDI MDIX Feature For RJ 45 interfaces on the ASA 5500 series adaptive security appliance the default auto negotiation setting also includes the Auto MDI MDIX feature Auto MDI MDIX eliminates the need for crossover ca...

Page 91: ...o setting is the default Step 4 To enable the interface enter the following command hostname config if no shutdown To disable the interface enter the shutdown command If you enter the shutdown command you also shut down all subinterfaces If you shut down an interface in the system execution space then that interface is shut down in all contexts that share it Configuring and Enabling Fiber Interfac...

Page 92: ...mmand disables link negotiation Step 4 To enable the interface enter the following command hostname config if no shutdown To disable the interface enter the shutdown command If you enter the shutdown command you also shut down all subinterfaces If you shut down an interface in the system execution space then that interface is shut down in all contexts that share it Configuring a Redundant Interfac...

Page 93: ...condary unit You can monitor redundant interfaces for failover using the monitor interface command be sure to reference the logical redundant interface name When the active interface fails over to the standby interface this activity does not cause the redundant interface to appear to be failed when being monitored for device level failover Only when both physical interfaces fail does the redundant...

Page 94: ... if member interface physical_interface See the Configuring and Enabling RJ 45 Interfaces section for a description of the physical interface ID After you add the interface any configuration for it such as an IP address is removed Step 3 To add the second member interface to the redundant interface enter the following command hostname config if member interface physical_interface Make sure the sec...

Page 95: ...lowing topics Subinterface Overview page 5 7 Adding a Subinterface page 5 8 Subinterface Overview Subinterfaces let you divide a physical or redundant interface into multiple logical interfaces that are tagged with different VLAN IDs An interface with one or more VLAN subinterfaces is automatically configured as an 802 1Q trunk Because VLANs allow you to keep traffic separate on a given physical i...

Page 96: ...wing steps Step 1 To specify the new subinterface enter the following command hostname config interface physical_interface redundant number subinterface hostname config subif See the Configuring and Enabling RJ 45 Interfaces section for a description of the physical interface ID The redundant number argument is the redundant interface ID such as redundant 1 The subinterface ID is an integer betwee...

Page 97: ...tings Redundant Interfaces and Subinterfaces Configuring VLAN Subinterfaces and 802 1Q Trunking By default the subinterface is enabled To disable the interface enter the shutdown command If you shut down an interface in the system execution space then that interface is shut down in all contexts that share it ...

Page 98: ... 10 Cisco Security Appliance Command Line Configuration Guide OL 12172 03 Chapter 5 Configuring Ethernet Settings Redundant Interfaces and Subinterfaces Configuring VLAN Subinterfaces and 802 1Q Trunking ...

Page 99: ...le Context Mode Configuring Resource Management By default all security contexts have unlimited access to the resources of the security appliance except where maximum limits per context are enforced However if you find that one or more contexts use too many resources and they cause other contexts to be denied connections for example then you can configure resource management to limit the use of re...

Page 100: ...all contexts that exceeds the practical limit of the security appliance then the performance of the security appliance might be impaired The security appliance lets you assign unlimited access to one or more resources in a class instead of a percentage or absolute number When a resource is unlimited contexts can use as much of the resource as the system has available or that is practically availab...

Page 101: ... default class for those limits For example if you create a class with a 2 percent limit for all concurrent connections but no other limits then all other limits are inherited from the default class Conversely if you create a class with a limit for all resources the class uses no settings from the default class By default the default class provides unlimited access to resources for all contexts ex...

Page 102: ...ext to one resource class The exception to this rule is that limits that are undefined in the member class are inherited from the default class so in effect a context could be a member of default plus another class Configuring a Class To configure a class in the system configuration perform the following steps You can change the value of a particular resource limit by reentering the command with a...

Page 103: ...r the following command hostname config resmgmt limit resource rate resource_name number For this particular resource the limit overrides the limit set for all Enter the rate argument to set the rate per second for certain resources For resources that do not have a system limit you cannot set the percentage between 1 and 100 you can only set an absolute value See Table 6 1 for resources for which ...

Page 104: ...ll mode the number of MAC addresses allowed in the MAC address table conns Concurrent or Rate N A Concurrent connections See the Supported Platforms and Feature Licenses section on page A 1 for the connection limit for your platform Rate N A TCP or UDP connections between any two hosts including connections between one host and multiple other hosts inspects Rate N A N A Application inspections hos...

Page 105: ...e does not exist yet in your configuration you can subsequently enter the context name command to match the specified name to continue the admin context configuration To add or change a context in the system configuration perform the following steps Step 1 To add or modify a context enter the following command in the system execution space hostname config context name The name is a string up to 32...

Page 106: ...ave as interior characters only letters digits or an underscore For example you can use the following names int0 inta int_0 For subinterfaces you can specify a range of mapped names If you specify a range of subinterfaces you can specify a matching range of mapped names Follow these guidelines for ranges The mapped name must consist of an alphabetic portion followed by a numeric portion The alphab...

Page 107: ...ation file is not available you see the following message WARNING Could not fetch the URL disk url INFO Creating context with default config You can then change to the context configure it at the CLI and enter the write memory command to write the file to Flash memory Note The admin context file must be stored on the internal Flash memory ftp user password server port path filename type xx The typ...

Page 108: ...r the following command hostname config ctx member class_name If you do not specify a class the context belongs to the default class You can only assign a context to one resource class For example to assign the context to the gold class enter the following command hostname config ctx member gold Step 6 Optional To assign an IPS virtual sensor to this context if you have the AIP SSM installed use t...

Page 109: ...pliance generates both an active and standby MAC address for each interface If the active unit fails over and the standby unit becomes active the new active unit starts using the active MAC addresses to minimize network disruption When you assign an interface to a context the new MAC address is generated immediately If you enable this command after you create context interfaces then MAC addresses ...

Page 110: ... a context or between contexts see the following commands To change to a context enter the following command hostname changeto context name The prompt changes to the following hostname name To change to the system execution space enter the following command hostname admin changeto system The prompt changes to the following hostname Managing Security Contexts This section describes how to manage se...

Page 111: ...ernal Flash memory To set the admin context enter the following command in the system execution space hostname config admin context context_name Any remote management sessions such as Telnet SSH or HTTPS that are connected to the admin context are terminated You must reconnect to the new admin context Note A few system commands including ntp server identify an interface name that belongs to the ad...

Page 112: ...is running Reloading a Security Context You can reload the context in two ways Clear the running configuration and then import the startup configuration This action clears most attributes associated with the context such as connections and NAT tables Remove the context from the system configuration This action clears additional attributes such as memory allocation which might be useful for trouble...

Page 113: ...on and includes the following topics Viewing Context Information page 6 15 Viewing Resource Allocation page 6 16 Viewing Resource Usage page 6 19 Monitoring SYN Attacks in Contexts page 6 20 Viewing Context Information From the system execution space you can view a list of contexts including the name allocated interfaces and configuration file URL From the system execution space view all contexts ...

Page 114: ...t0 0 GigabitEthernet0 0 10 GigabitEthernet0 1 GigabitEthernet0 1 10 GigabitEthernet0 1 20 GigabitEthernet0 2 GigabitEthernet0 2 30 GigabitEthernet0 3 Management0 0 Management0 0 1 Flags 0x00000019 ID 257 Context null is a system resource Config URL null Real Interfaces Mapped Interfaces Flags 0x00000009 ID 258 See the Cisco Security Appliance Command Reference for more information about the detail...

Page 115: ...il Resource Origin A Value was derived from the resource all C Value set in the definition of this class D Value set in default class Resource Class Mmbrs Origin Limit Total Total Conns rate default all CA unlimited gold 1 C 34000 34000 N A silver 1 CA 17000 17000 N A bronze 0 CA 8500 All Contexts 3 51000 N A Inspects rate default all CA unlimited gold 1 DA unlimited silver 1 CA 10000 10000 N A br...

Page 116: ...onze 0 CA 11520 All Contexts 3 23040 N A mac addresses default all C 65535 gold 1 D 65535 65535 100 00 silver 1 CA 6553 6553 9 99 bronze 0 CA 3276 All Contexts 3 137623 209 99 Table 6 4 shows each field description Table 6 4 show resource allocation detail Fields Field Description Resource The name of the resource that you can limit Class The name of each class including the default class The All ...

Page 117: ... is one of the following keywords current Shows the active concurrent instances or the current rate of the resource denied Shows the number of instances that were denied because they exceeded the resource limit shown in the Limit column peak Shows the peak concurrent instances or the peak rate of the resource since the statistics were last cleared either using the clear resource usage command or b...

Page 118: ...the combined limit is 125 The system limit is only 100 so the system limit is shown hostname show resource usage summary Resource Current Peak Limit Denied Context Telnet 1 1 100 S 0 Summary SSH 2 2 100 S 0 Summary Conns 56 90 N A 0 Summary Hosts 89 102 N A 0 Summary S System Combined context limits exceed the system limit the system limit is shown The following is sample output from the show reso...

Page 119: ... s URL Server Req 0 s 0 s WebSns Req 0 s 0 s TCP Fixup 0 s 0 s HTTP Fixup 0 s 0 s FTP Fixup 0 s 0 s AAA Authen 0 s 0 s AAA Author 0 s 0 s AAA Account 0 s 0 s TCP Intercept 322779 s 322779 s The following is sample output from the show resource usage detail command that shows the amount of resources being used by TCP Intercept for individual contexts Sample text in italics shows the TCP intercept i...

Page 120: ...wing sample output shows the resources being used by TCP intercept for the entire system Sample text in italics shows the TCP intercept information hostname config show resource usage summary detail Resource Current Peak Limit Denied Context memory 238421312 238434336 unlimited 0 Summary chunk channels 46 48 unlimited 0 Summary chunk dbgtrace 4 4 unlimited 0 Summary chunk fixup 45 45 unlimited 0 S...

Page 121: ...ing sections Security Level Overview page 7 1 Configuring Interface Parameters page 7 2 Allowing Communication Between Interfaces on the Same Security Level page 7 7 Security Level Overview Each interface must have a security level from 0 lowest to 100 highest For example you should assign your most secure network such as the inside host network to level 100 While the outside network connected to ...

Page 122: ...o use NAT between any interface or you can choose not to use NAT Keep in mind that configuring NAT for an outside interface might require a special keyword established command This command allows return connections from a lower security host to a higher security host if there is already an established connection from the higher level host to the lower level host For same security interfaces you ca...

Page 123: ...the security appliance sets the security level to 100 Note If you change the security level of an interface and you do not want to wait for existing connections to time out before the new security information is used you can clear the connections using the clear local host command Multiple Context Mode Guidelines For multiple context mode follow these guidelines Configure the context interfaces fr...

Page 124: ...however use it for through traffic if desired see the management only command In transparent firewall mode you can use the management interface for management purposes in addition to the two interfaces allowed for through traffic You can also add subinterfaces to the management interface to provide management in each security context for multiple context mode For example enter the following comman...

Page 125: ...ilover for more information To obtain an IP address from a DHCP server enter the following command hostname config if ip address dhcp setroute where the setroute keyword lets the security appliance use the default route supplied by the DHCP server Reenter this command to reset the DHCP lease and request a new lease If you do not enable the interface using the no shutdown command before you enter t...

Page 126: ...ntext configurations show the interface as enabled The following example configures parameters for the physical interface in single mode hostname config interface gigabitethernet 0 1 hostname config if speed 1000 hostname config if duplex full hostname config if nameif inside hostname config if security level 100 hostname config if ip address 10 1 1 1 255 255 255 0 hostname config if no shutdown T...

Page 127: ...vels for each interface and do not assign any interfaces to the same security level you can configure only one interface per level 0 to 100 You want traffic to flow freely between all same security interfaces without access lists Note If you enable NAT control you do not need to configure NAT between same security level interfaces See the NAT and Same Security Level Interfaces section on page 17 1...

Page 128: ...7 8 Cisco Security Appliance Command Line Configuration Guide OL 12172 03 Chapter 7 Configuring Interface Parameters Allowing Communication Between Interfaces on the Same Security Level ...

Page 129: ...d You can enter passwd or password The password is a case sensitive password of up to 16 alphanumeric and special characters You can use any character in the password except a question mark or a space The password is saved in the configuration in encrypted form so you cannot view the original password after you enter it Use the no password command to restore the password to the default setting Cha...

Page 130: ... A hostname must start and end with a letter or digit and have as interior characters only letters digits or a hyphen This name appears in the command line prompt For example hostname config hostname farscape farscape config Setting the Domain Name The security appliance appends the domain name as a suffix to unqualified names For example if you set the domain name to example com and specify a sys...

Page 131: ...in a specific year enter the following command hostname config clock summer time zone date day month month day year hh mm day month month day year hh mm offset If you use this command you need to reset the dates every year The zone value specifies the time zone as a string for example PDT for Pacific Daylight Time The day value sets the day of the month from 1 to 31 You can enter the day and month...

Page 132: ...y_id md5 key Where key_id is the ID you set in Step 1b using the ntp trusted key command and key is a string up to 32 characters in length Step 2 To identify an NTP server enter the following command hostname config ntp server ip_address key key_id source interface_name prefer Where the key_id is the ID you set in Step 1b using the ntp trusted key command The source interface_name identifies the o...

Page 133: ...time endures reboots Unlike the other clock commands this command is a privileged EXEC command To reset the clock you need to set a new time for the clock set command Setting the Management IP Address for a Transparent Firewall Transparent firewall mode only A transparent firewall does not participate in IP routing The only IP configuration required for the security appliance is to set the managem...

Page 134: ...8 6 Cisco Security Appliance Command Line Configuration Guide OL 12172 03 Chapter 8 Configuring Basic Settings Setting the Management IP Address for a Transparent Firewall ...

Page 135: ...ery protocol from RIP or OSPF Your network is small and you can easily manage static routes You do not want the traffic or CPU overhead associated with routing protocols The simplest option is to configure a default route to send all traffic to an upstream router relying on the router to route the traffic for you However in some cases the default gateway might not be able to reach the destination ...

Page 136: ...e over static or dynamically discovered routes Static routes remain in the routing table even if the specified gateway becomes unavailable If the specified gateway becomes unavailable you need to remove the static route from the routing table manually However static routes are removed from the routing table if the specified interface goes down They are reinstated when the interface comes back up N...

Page 137: ... or learned default routes The following restrictions apply to default routes with the tunneled option Do not enable unicast RPF ip verify reverse path on the egress interface of tunneled route Enabling uRPF on the egress interface of a tunneled route causes the session to fail Do not enable TCP intercept on the egress interface of the tunneled route Doing so causes the session to fail Do not use ...

Page 138: ...er on the target network such as a AAA server that the security appliance needs to communicate with a persistent network object on the destination network a desktop or notebook computer that may be shut down at night is not a good choice You can configure static route tracking for statically defined routes or default routes obtained through DHCP or PPPoE You can only enable PPPoE clients on multip...

Page 139: ...k track_id hostname config if ip addresss dhcp setroute hostname config if exit Note You must use the setroute argument with the ip address dhcp command to obtain the default route using DHCP To track a default route obtained through PPPoE enter the following commands hostname config interface phy_if hostname config if pppoe client route track track_id hostname config if ip addresss pppoe setroute...

Page 140: ...f the routes from the specified routing protocol are allowed to be redistributed into the target routing process To define a route map perform the following steps Step 1 To create a route map entry enter the following command hostname config route map name permit deny sequence_number Route map entries are read in order You can identify the order using the sequence_number option or the security app...

Page 141: ... 0 and 294967295 To set the metric type enter the following command hostname config route map set metric type type 1 type 2 The following example shows how to redistribute routes with a hop count equal to 1 into OSPF The security appliance redistributes these routes as external LSAs with a metric of 5 metric type of Type 1 and a tag equal to 1 hostname config route map 1 to 2 permit hostname confi...

Page 142: ...ets of interfaces You might want to run two processes if you have interfaces that use the same IP addresses NAT allows these interfaces to coexist but OSPF does not allow overlapping addresses Or you might want to run one process on the inside and another on the outside and redistribute a subset of routes between the two processes Similarly you might need to segregate private addresses from public...

Page 143: ...ction on page 9 16 for another use for route maps To redistribute static connected RIP or OSPF routes into an OSPF process perform the following steps Step 1 Optional Create a route map to further define which routes from the specified routing protocol are redistributed in to the OSPF routing process See the Defining Route Maps section on page 9 6 Step 2 If you have not already done so enter the r...

Page 144: ...hostname config route map set metric type type 1 hostname config route map set tag 1 hostname config route map router ospf 2 hostname config router redistribute ospf 1 route map 1 to 2 The following example shows the specified OSPF process routes being redistributed into OSPF process 109 The OSPF metric is remapped to 100 hostname config router ospf 109 hostname config router redistribute ospf 108...

Page 145: ...seconds The value must be the same for all nodes on the network To specify the length of time between the hello packets that the security appliance sends on an OSPF interface enter the following command hostname config interface ospf hello interval seconds The value must be the same for all nodes on the network To enable OSPF MD5 authentication enter the following command hostname config interface...

Page 146: ...ce inside hostname config interface ospf cost 20 hostname config interface ospf retransmit interval 15 hostname config interface ospf transmit delay 10 hostname config interface ospf priority 20 hostname config interface ospf hello interval 10 hostname config interface ospf dead interval 40 hostname config interface ospf authentication key cisco hostname config interface ospf message digest key 1 ...

Page 147: ...configuration mode for the OSPF process you want to configure by entering the following command hostname config router ospf process_id Step 2 Enter any of the following commands To enable authentication for an OSPF area enter the following command hostname config router area area id authentication To enable MD5 authentication for an OSPF area enter the following command hostname config router area...

Page 148: ... steps Step 1 If you have not already done so enter the router configuration mode for the OSPF process you want to configure by entering the following command hostname config router ospf process_id Step 2 Enter any of the following commands To define an NSSA area enter the following command hostname config router area area id nssa no redistribution default information originate To summarize groups...

Page 149: ...arization between OSPF areas hostname config router ospf 1 hostname config router area 17 range 12 1 0 0 255 255 0 0 Configuring Route Summarization When Redistributing Routes into OSPF When routes from other protocols are redistributed into OSPF each route is advertised individually in an external LSA However you can configure the security appliance to advertise a single route for all the redistr...

Page 150: ...OSPF neighbor The if_name is the interface used to communicate with the neighbor If the OSPF neighbor is not on the same network as any of the directly connected interfaces you must specify the interface Generating a Default Route You can force an autonomous system boundary router to generate a default route into an OSPF routing domain Whenever you specifically configure redistribution of routes i...

Page 151: ...ations It can be an integer from 0 to 65535 The default time is 10 seconds A value of 0 means that there is no delay that is two SPF calculations can be done one immediately after the other The following example shows how to configure route calculation timers hostname config router ospf 1 hostname config router timers spf 10 120 Logging Neighbors Going Up or Down By default the system sends a syst...

Page 152: ... list of LSAs waiting to be flooded over a specified interface enter the following command hostname show ospf flood list if_name Monitoring OSPF You can display specific statistics such as the contents of IP routing tables caches and databases You can use the information provided to determine resource utilization and solve network problems You can also display information about node reachability a...

Page 153: ...e network topology changes These RIP packets contain information about the networks that the devices can reach as well as the number of routers or gateways that a packet must travel through to reach the destination address RIP generates more traffic than OSPF but is easier to configure RIP has advantages over static routes because the initial configuration is simple and you do not need to update t...

Page 154: ...ce name sets only that interface to passive RIP mode In passive mode RIP routing updates are accepted by but not sent out of the specified interface You can enter this command for each interface you want to set to passive mode Step 6 Optional Disable automatic route summarization by entering the following command hostname config router no auto summarize RIP Version 1 always uses automatic route su...

Page 155: ...onnected metric metric_value transparent route map map_name To redistribute static routes into the RIP routing process enter the following command hostname config router redistribute static metric metric_value transparent route map map_name To redistribute routes from an OSPF routing process into the RIP routing process enter the following command hostname config router redistribute ospf pid match...

Page 156: ...P Authentication The security appliance supports RIP message authentication for RIP Version 2 messages To enable RIP message authentication perform the following steps Step 1 Enter interface configuration mode for the interface you are configuring by entering the following command hostname config interface phy_if Step 2 Optional Set the authentication mode by entering the following command By defa...

Page 157: ...page 9 25 Enabling EIGRP Authentication page 9 26 Defining an EIGRP Neighbor page 9 27 Redistributing Routes Into EIGRP page 9 27 Configuring the EIGRP Hello Interval and Hold Time page 9 28 Disabling Automatic Route Summarization page 9 28 Configuring Summary Aggregate Addresses page 9 29 Disabling EIGRP Split Horizon page 9 29 Changing the Interface Delay Value page 9 30 Monitoring EIGRP page 9 ...

Page 158: ...recomputation DUAL queries the EIGRP neighbors for a route who in turn query their neighbors Routers that do no have a feasible successor for the route return an unreachable message During route recomputation DUAL marks the route as active By default the security appliance waits for three minutes to receive a response from its neighbors If the security appliance does not receive a response from a ...

Page 159: ...dates b Enter the following command to apply the filter You can specify an interface to apply the filter to only those updates received by that interface hostname config router distribute list acl in interface if_name You can enter multiple distribute list commands in your EIGRP router configuration Enabling and Configuring EIGRP Stub Routing You can configure the security appliance as an EIGRP st...

Page 160: ...st be configured with the same authentication mode and key for adjacencies to be established Before you can enable EIGRP route authentication you must enable EIGRP To enable EIGRP authentication on an interface perform the following steps Step 1 Enter interface configuration mode for the interface on which you are configuring EIGRP message authentication by entering the following command hostname ...

Page 161: ...EIGRP routing process You do not need to redistribute static or connected routes if they fall within the range of a network statement in the EIGRP configuration To redistribute routes into the EIGRP routing process perform the following steps Step 1 Optional Create a route map to further define which routes from the specified routing protocol are redistributed in to the RIP routing process See the...

Page 162: ...fault hello packets are sent every 5 seconds The hello packet advertises the security appliance hold time The hold time indicates to EIGRP neighbors the length of time the neighbor should consider the security appliance reachable If the neighbor does not receive a hello packet within the advertised hold time then the security appliance is considered unreachable By default the advertised hold time ...

Page 163: ...ic routes are in the routing table EIGRP will advertise the summary address out the interface with a metric equal to the minimum of all more specific routes To create a summary address perform the following steps Step 1 Enter interface configuration mode for the interface on which you are creating a summary address by entering the following command hostname config interface phy_if Step 2 Create th...

Page 164: ...ch you are changing the delay value used by EIGRP by entering the following command hostname config interface phy_if Step 2 To disable split horizon enter the following command hostname config if delay value The value entered is in tens of microseconds So to set the delay for 2000 microseconds you would enter a value of 200 Step 3 Optional To view the delay value assigned to an interface use the s...

Page 165: ...ble This section contains the following topics Displaying the Routing Table page 9 31 How the Routing Table is Populated page 9 32 How Forwarding Decisions are Made page 9 33 Displaying the Routing Table To view the entries in the routing table enter the following command hostname show route Codes C connected S static I IGRP R RIP M mobile B BGP D EIGRP EX EIGRP external O OSPF IA OSPF inter area ...

Page 166: ...east preferred The parameters used to determine the metrics differ for different routing protocols The path with the lowest metric is selected as the optimal path and installed in the routing table If there are multiple paths to the same destination with equal metrics load balancing is done on these equal cost paths If the security appliance learns about a destination from more than one routing pr...

Page 167: ... OSPF routing process are used in the security appliance routing table Backup Routes A backup route is registered when the initial attempt to install the route in the routing table fails because another route was installed instead If the route that was installed in the routing table fails the routing table maintenance process calls each routing protocol process that has registered a backup route a...

Page 168: ...following routes in the routing table hostname show route R 192 168 32 0 24 120 4 via 10 1 1 2 O 192 168 32 0 19 110 229840 via 10 1 1 3 In this case a packet destined to 192 168 32 1 is directed toward 10 1 1 2 because 192 168 32 1 falls within the 192 168 32 0 24 network It also falls within the other route in the routing table but the 192 168 32 0 24 has the longest prefix within the routing ta...

Page 169: ...re defined intervals DDNS allows frequently changing address hostname associations to be updated frequently Mobile hosts for example can then move freely on a network without user or administrator intervention DDNS provides the necessary dynamic updating and synchronizing of the name to address and address to name mappings on the DNS server WCCP specifies interactions between one or more routers L...

Page 170: ...ip_address ip_address interface_name The security appliance assigns a client one of the addresses from this pool to use for a given length of time These addresses are the local untranslated addresses for the directly connected network The address pool must be on the same subnet as the security appliance interface Step 2 Optional To specify the IP address es of the DNS server s the client will use ...

Page 171: ... inside Configuring DHCP Options You can configure the security appliance to send information for the DHCP options listed in RFC 2132 The DHCP options fall into one of three categories Options that return an IP address Options that return a text string Options that return a hexadecimal value The security appliance supports all three categories of DHCP options To configure a DHCP option do one of t...

Page 172: ...ddress and TFTP server IP address preconfigured it sends a request with option 150 or 66 to the DHCP server to obtain this information DHCP option 150 provides the IP addresses of a list of TFTP servers DHCP option 66 gives the IP address or the hostname of a single TFTP server Cisco IP Phones might also include DHCP option 3 in their requests which sets the default route Cisco IP Phones might inc...

Page 173: ...f the DHCP server feature is also enabled Clients must be directly connected to the security appliance and cannot send requests through another relay agent or a router For multiple context mode you cannot enable DHCP relay on an interface that is used by more than one context Note DHCP Relay services are not available in transparent firewall mode A security appliance in transparent firewall mode o...

Page 174: ...entary DHCP centralizes and automates IP address allocation while dynamic DNS update automatically records the association between assigned addresses and hostnames When you use DHCP and dynamic DNS update this configures a host automatically for network access whenever it attaches to the IP network You can locate and reach the host using its permanent unique DNS hostname Mobile hosts for example c...

Page 175: ...ace enter the following commands hostname DDNS update method interface eth1 hostname config if ddns update ddns 2 hostname config if ddns update hostname asa example com Step 3 To configure a static IP address for eth1 enter the following commands hostname config if ip address 10 0 0 40 255 255 255 0 Example 2 Client Updates Both A and PTR RRs DHCP Server Honors Client Update Request FQDN Provided...

Page 176: ...name DDNS update method interface Ethernet0 hostname if config ddns update ddns 2 hostname if config ddns update hostname asa example com Step 3 To enable the DHCP client feature on the interface enter the following commands hostname if config dhcp client update dns server none hostname if config ip address dhcp Step 4 To configure the DHCP server to override the client update requests enter the f...

Page 177: ...ands hostname config if dhcpd update dns hostname config if dhcpd domain example com Configuring Web Cache Services Using WCCP The purpose of web caching is to reduce latency and network traffic Previously accessed web pages are stored in a cache buffer so if a user needs the page again they can retrieve it from the cache instead of the web server WCCP specifies interactions between the security a...

Page 178: ... and it requests data from a web server then the contents of the traffic flow will be subject to all the other configured features of the security appliance In failover WCCP redirect tables are not replicated to standby units After a failover packets will not be redirected until the tables are rebuilt Sessions redirected prior to failover will likely be reset by the web server Enabling WCCP Redire...

Page 179: ...e password password argument specifies MD5 authentication for messages received from the service group Messages that are not accepted by the authentication are discarded Step 2 To enable WCCP redirection on an interface enter the following command hostname config wccp interface interface_name web cache service_number redirect in The standard service is web cache which intercepts TCP port 80 HTTP t...

Page 180: ...10 12 Cisco Security Appliance Command Line Configuration Guide OL 12172 03 Chapter 10 Configuring DHCP DDNS and WCCP Services Configuring Web Cache Services Using WCCP ...

Page 181: ...n upstream multicast router which sets up delivery of the multicast data When configured for stub multicast routing the security appliance cannot be configured for PIM The security appliance supports both PIM SM and bi directional PIM PIM SM is a multicast routing protocol that uses the underlying unicast routing information base or a separate multicast capable routing information base It builds u...

Page 182: ...address 224 0 0 0 is never assigned to any group The address 224 0 0 1 is assigned to all systems on a subnet The address 224 0 0 2 is assigned to all routers on a subnet When you enable multicast routing on the security appliance IGMP Version 2 is automatically enabled on all interfaces Note Only the no igmp command appears in the interface configuration when you use the show run command If the m...

Page 183: ...mmand hostname config if igmp join group group address Configuring a Statically Joined Group Sometimes a group member cannot report its membership in the group or there may be no members of a group on the network segment but you still want multicast traffic for that group to be sent to that network segment You can have multicast traffic for that group sent to the segment in one of two ways Using t...

Page 184: ...fined memberships using the igmp join group and igmp static group commands are still permitted The no form of this command restores the default value Modifying the Query Interval and Query Timeout The security appliance sends query messages to discover which multicast groups have members on the networks attached to the interfaces Members respond with IGMP report messages indicating that they want ...

Page 185: ... works correctly when IGMP Version 1 hosts are present To control which version of IGMP is running on an interface enter the following command hostname config if igmp version 1 2 Configuring Stub Multicast Routing A security appliance acting as the gateway to the stub area does not need to participate in PIM Instead you can configure it to act as an IGMP proxy agent and forward IGMP messages from ...

Page 186: ...ally enabled on all interfaces Note PIM is not supported with PAT The PIM protocol does not use ports and PAT only works with protocols that use ports This section describes how to configure optional PIM settings This section includes the following topics Disabling PIM on an Interface page 11 18 Configuring a Static Rendezvous Point Address page 11 19 Configuring the Designated Router Priority pag...

Page 187: ...argument is the name or number of a standard access list that defines which multicast groups the RP should be used with Do not use a host ACL with this command Excluding the bidir keyword causes the groups to operate in PIM sparse mode Note The security appliance always advertises the bidir capability in the PIM hello messages regardless of the actual bidir configuration Configuring the Designated...

Page 188: ...s This range of addresses can be reused in domains administered by different organizations They would be considered local not globally unique To configure a multicast boundary enter the following command hostname config if multicast boundary acl filter autorp A standard ACL defines the range of addresses affected When a boundary is set up no multicast data packets are allowed to flow across the bo...

Page 189: ... domain The bidir enabled routers can elect a DF from among themselves even when there are non bidir routers on the segment Multicast boundaries on the non bidir routers prevent PIM messages and data from the bidir groups from leaking in or out of the bidir subset cloud When the pim bidir neighbor filter command is enabled the routers that are permitted by the ACL are considered to be bidir capabl...

Page 190: ...Multicast Routing For More Information about Multicast Routing The following RFCs from the IETF provide technical details about the IGMP and multicast routing standards used for implementing the SMR feature RFC 2236 IGMPv2 RFC 2362 PIM SM RFC 2588 IP Multicast and Firewalls RFC 2113 IP Router Alert Option IETF draft ietf idmr igmp proxy 01 txt ...

Page 191: ...his chapter includes the following sections IPv6 enabled Commands page 12 1 Configuring IPv6 page 12 2 Verifying the IPv6 Configuration page 12 11 For an sample IPv6 configuration see Appendix B Sample Configurations IPv6 enabled Commands The following security appliance commands can accept and display IPv6 addresses capture configure copy http name object group ping show conn show local host show...

Page 192: ...d to specify a port number with the address for example fe80 2e0 b6ff fe01 3b7a 8080 The command uses a colon as a separator such as the write net and config net commands for example configure net fe80 2e0 b6ff fe01 3b7a tftp config pixconfig The following commands were modified to work for IPv6 debug fragment ip verify mtu icmp entered as ipv6 icmp The following inspection engines support IPv6 FT...

Page 193: ...dified EUI 64 interface ID is automatically generated for the interface when stateless autoconfiguration is enabled To enable stateless autoconfiguration enter the following command hostname config if ipv6 address autoconfig If you only need to configure a link local address on the interface and are not going to assign any other IPv6 addresses to the interface you have the option of manually defin...

Page 194: ... addresses on a local link enter the following command hostname config ipv6 enforce eui64 if_name The if_name argument is the name of the interface as specified by the nameif command on which you are enabling the address format enforcement When this command is enabled on an interface the source addresses of IPv6 packets received on that interface are verified against the source MAC addresses to en...

Page 195: ...n is 1 To change the number of duplicate address detection attempts enter the following command hostname config if ipv6 nd dad attempts value The value argument can be any value from 0 to 600 Setting the value argument to 0 disables duplicate address detection on the interface When you configure an interface to send out more than one duplicate address detection attempt you can also use the ipv6 nd...

Page 196: ...6 access list entry specifically for ICMP traffic enter the following command hostname config ipv6 access list id line num permit deny icmp source destination icmp_type To create an IPv6 access list entry enter the following command hostname config ipv6 access list id line num permit deny protocol source src_port destination dst_port The following describes the arguments for the ipv6 access list c...

Page 197: ...ction contains the following topics Configuring Neighbor Solicitation Messages page 12 7 Configuring Router Advertisement Messages page 12 9 Configuring Neighbor Solicitation Messages Neighbor solicitation messages ICMPv6 Type 135 are sent on the local link by nodes attempting to discover the link layer addresses of other nodes on the local link The neighbor solicitation message is sent to the sol...

Page 198: ... 8 Configuring the Neighbor Solicitation Message Interval To configure the interval between IPv6 neighbor solicitation retransmissions on an interface enter the following command hostname config if ipv6 nd ns interval value Valid values for the value argument range from 1000 to 3600000 milliseconds The default value is 1000 milliseconds This setting is also sent in router advertisement messages Co...

Page 199: ...fault router and if so the amount of time in seconds the router should be used as a default router Additional information for hosts such as the hop limit and MTU a host should use in packets that it originates The amount of time between neighbor solicitation message retransmissions on a given link The amount of time a node considers a neighbor reachable Router advertisements are also sent in respo...

Page 200: ... 3 to 1800 seconds or 500 to 1800000 milliseconds if the msec keyword is used The interval between transmissions should be less than or equal to the IPv6 router advertisement lifetime if the security appliance is configured as a default router by using the ipv6 nd ra lifetime command To prevent synchronization with other IPv6 nodes randomly adjust the actual value used to within 20 percent of the ...

Page 201: ... discovery process To configure a static entry in the IPv6 neighbor discovery cache enter the following command hostname config if ipv6 neighbor ipv6_address if_name mac_address The ipv6_address argument is the link local IPv6 address of the neighbor the if_name argument is the interface through which the neighbor is available and the mac_address argument is the MAC address of the neighbor interfa...

Page 202: ...see the IPv6 configuration on an interface you need to use the show ipv6 interface command The show ipv6 interface command does not display any IPv4 settings for the interface if both types of addresses are configured on the interface The show ipv6 route Command To display the routes in the IPv6 routing table enter the following command hostname show ipv6 route The output from the show ipv6 route ...

Page 203: ...and what the user did accounting AAA provides an extra level of protection and control for user access than using access lists alone For example you can create an access list allowing all outside users to access Telnet on a server on the DMZ network If you want only some users to access the server and you might not always know IP addresses of these users you can enable AAA to allow only authentica...

Page 204: ...same access to services for all authenticated users If you need the control that authorization provides you can configure a broad authentication rule and then have a detailed authorization configuration For example you authenticate inside users who attempt to access any server on the outside network and then limit the outside servers that a particular user can access using authorization The securi...

Page 205: ... service by each AAA server type including the local database For more information about support for a specific AAA server type refer to the topics following the table Table 13 1 Summary of AAA Support AAA Service Database Type Local RADIUS TACACS SDI NT Kerberos LDAP HTTP Form Authentication of VPN users Yes Yes Yes Yes Yes Yes Yes Yes1 1 HTTP Form protocol supports single sign on authentication ...

Page 206: ...2138 Accounting attributes defined in RFC 2139 RADIUS attributes for tunneled protocol support defined in RFC 2868 Cisco IOS VSAs identified by RADIUS vendor ID 9 Cisco VPN related VSAs identified by RADIUS vendor ID 3076 Microsoft VSAs defined in RFC 2548 RADIUS Authorization Functions The security appliance can use RADIUS servers for user authorization for network access using dynamic access lis...

Page 207: ...information from an RSA SecurID authentication request and using it to authenticate to another server The Agent first sends a lock request to the SecurID server before sending the user authentication request The server locks the username preventing another replica server from accepting it This means that the same user cannot authenticate to two security appliances using the same authentication ser...

Page 208: ... username and password to the authenticating server using HTTPS If the server approves the authentication request it returns an SSO authentication cookie to the WebVPN server The security appliance keeps this cookie on behalf of the user and uses it to authenticate the user to secure websites within the domain protected by the SSO server In addition to the HTTP Form protocol WebVPN administrators ...

Page 209: ...CS servers in the group all are unavailable the local database is used to authorize commands based on privilege levels VPN authentication and authorization VPN authentication and authorization are supported to enable remote access to the security appliance if AAA servers that normally support these VPN services are unavailable The authentication server group command available in tunnel group gener...

Page 210: ... keyword when you specify mschap For example if you enter the password test the show running config display would appear to be something like the following username pat password DLaUiAX3l78qgoB5c7iVNw nt encrypted The only time you would actually enter the encrypted or nt encrypted keyword at the CLI is if you are cutting and pasting a configuration to another security appliance and you are using ...

Page 211: ...butes configuration mode and specifies the service type attribute hostname config aaa authorization exec authentication server hostname config username rwilliams password gOgeOus hostname config username rwilliams attributes hostname config username service type nas prompt Identifying AAA Server Groups and Servers If you want to use an external AAA server for authentication authorization or accoun...

Page 212: ...ecify the method reactivation policy by which failed servers in a group are reactivated enter the following command hostname config aaa server group reactivation mode depletion deadtime minutes timed Where the depletion keyword reactivates failed servers only after all of the servers in the group are inactive The deadtime minutes argument specifies the amount of time in minutes between 0 and 1440 ...

Page 213: ...g aaa server group exit hostname config aaa server AuthInbound inside host 10 1 1 1 hostname config aaa server host key TACPlusUauthKey Table 13 2 Host Mode Commands Server Types and Defaults Command Applicable AAA Server Types Default Value accounting port RADIUS 1646 acl netmask convert RADIUS standard authentication port RADIUS 1645 kerberos realm Kerberos key RADIUS TACACS ldap attribute map L...

Page 214: ...pper case letters only Although the security appliance accepts lower case letters for a realm name it does not translate lower case letters to upper case letters Be sure to use upper case letters only Example 13 2 Kerberos Server Group and Server hostname config aaa server watchdogs protocol kerberos hostname config aaa server group aaa server watchdogs host 192 168 3 4 hostname config aaa server ...

Page 215: ...the security appliance and the server For example if both the LDAP server and the security appliance support both mechanisms the security appliance selects Kerberos the stronger of the mechanisms The following example configures the security appliance for authentication to an LDAP directory server named ldap_dir_1 using the digest MD5 SASL mechanism and communicating over an SSL secured connection...

Page 216: ...sociate the server and tunnel groups using the tunnel group general attributes command While there are other authorization related commands and options available for specific requirements the following example shows fundamental commands for enabling user authorization with LDAP This example then creates an IPSec remote access tunnel group named remote 1 and assigns that new tunnel group to the pre...

Page 217: ..._1 hostname config aaa server host Note The command to create an attribute map ldap attribute map and the command to bind it to an LDAP server ldap attribute map differ only by a hyphen and the mode The following commands display or clear all LDAP attribute maps in the running configuration hostname show running config all ldap attribute map hostname config clear configuration ldap attribute map h...

Page 218: ...d as credentials Authorization Enabled by authorization server group setting Uses the username as a credential Using certificates If user digital certificates are configured the security appliance first validates the certificate It does not however use any of the DNs from the certificates as a username for the authentication If both authentication and authorization are enabled the security applian...

Page 219: ...e Integrity client software are co resident on a remote PC The following steps summarize the actions of the remote PC security appliance and Integrity server in the establishment of a session between the PC and the enterprise private network 1 The VPN client software residing on the same remote PC as the Integrity client software connects to the security appliance and tells the security appliance ...

Page 220: ...e VPN connections if the Zone Labs Integrity Server fails The following commands ensure that the security appliance waits 12 seconds for a response from either the active or standby Integrity servers before declaring an the Integrity server as failed and closing the VPN client connections hostname config zonelabs integrity fail timeout 12 hostname config zonelabs integrity fail close hostname conf...

Page 221: ...fic failover conditions are met If those conditions are met failover occurs The security appliance supports two failover configurations Active Active failover and Active Standby failover Each failover configuration has its own method for determining and performing failover With Active Active failover both units can pass network traffic This lets you configure load balancing on your network Active ...

Page 222: ...ate the software image files and the configuration files If it does not configuration synchronization from the unit with the larger Flash memory to the unit with the smaller Flash memory will fail Software Requirements The two units in a failover configuration must be in the operating modes routed or transparent single or multiple context They have the same major first number and minor second numb...

Page 223: ...hich are dedicated connections between the two units in a failover configuration This section includes the following topics Failover Link page 14 3 Stateful Failover Link page 14 5 Failover Link The two units in a failover pair constantly communicate over a failover link to determine the operating status of each unit The following information is communicated over the failover link The unit state a...

Page 224: ...ated VLAN for the failover link Sharing the failover link VLAN with any other VLANs can cause intermittent traffic problems and ping and ARP failures If you use a switch to connect the failover link use dedicated interfaces on the switch and security appliance for the failover link do not share the interface with subinterfaces carrying regular network traffic On systems running in multiple context...

Page 225: ...nded If you are using a dedicated Ethernet interface for the Stateful Failover link you can use either a switch or a crossover cable to directly connect the units If you use a switch no other hosts or routers should be on this link Note Enable the PortFast option on Cisco switch ports that connect directly to the security appliance If you are using the failover link as the Stateful Failover link y...

Page 226: ...ver page 14 10 Determining Which Type of Failover to Use page 14 15 Active Standby Failover This section describes Active Standby failover and includes the following topics Active Standby Failover Overview page 14 6 Primary Secondary Status and Active Standby Status page 14 7 Device Initialization and Configuration Synchronization page 14 7 Command Replication page 14 8 Failover Triggers page 14 9...

Page 227: ...ct a peer it becomes the active unit If both units boot simultaneously then the primary unit becomes the active unit and the secondary unit becomes the standby unit Note If the secondary unit boots without detecting the primary unit it becomes the active unit It uses its own MAC addresses for the active IP addresses However when the primary unit becomes available the secondary unit changes the MAC...

Page 228: ... save the active configuration to Flash memory to replicate the commands The following commands are replicated to the standby unit all configuration commands except for the mode firewall and failover lan unit commands copy running config startup config delete mkdir rename rmdir write memory The following commands are not replicated to the standby unit all forms of the copy command except for copy ...

Page 229: ...g events occurs The unit has a hardware failure or a power failure The unit has a software failure Too many monitored interfaces fail The no failover active command is entered on the active unit or the failover active command is entered on the standby unit Failover Actions In Active Standby failover failover occurs on a unit basis Even on systems running in multiple context mode you cannot fail ov...

Page 230: ... status are all attributes of a failover group rather than the unit When an active failover group fails it changes to the standby state while the standby failover group becomes active The interfaces in the failover group that becomes active assume the MAC and IP addresses of the interfaces in the failover group that failed The interfaces in the failover group that is now in the standby state take ...

Page 231: ...aining the failover groups in the standby state However a more typical configuration is to assign each failover group a different role preference to make each one active on a different unit distributing the traffic across the devices Note The security appliance does not provide load balancing services Load balancing must be handled by a router passing traffic to the security appliance Which unit e...

Page 232: ...xt configurations to be saved Note Startup configurations saved on external servers are accessible from either unit over the network and do not need to be saved separately for each unit Alternatively you can copy the contexts configuration files from the disk on the primary unit to an external server and then copy them to disk on the secondary unit where they become available when the unit reloads...

Page 233: ...y the configuration for the security context is written to the peer unit You must enter the command in the security context on the unit where the security context appears in the active state Replicated commands are not saved to the Flash memory when replicated to the peer unit They are added to the running configuration To save replicated commands to Flash memory on both units use the write memory...

Page 234: ...r Becomestandby Mark as failed Become active Mark active as failed When a unit in a failover pair fails any active failover groups on that unit are marked as failed and become active on the peer unit Interface failure on active failover group above threshold Failover Mark active group as failed Become active None Interface failure on standby failover group above threshold No failover No action Mar...

Page 235: ...tion Regular and Stateful Failover The security appliance supports two types of failover regular and stateful This section includes the following topics Regular Failover page 14 15 Stateful Failover page 14 15 Regular Failover When a failover occurs all active connections are dropped Clients need to reestablish connections when the new active unit takes over Stateful Failover When Stateful Failove...

Page 236: ...ssions Citrix authentication Citrix users must reauthenticate after failover Note If failover occurs during an active Cisco IP SoftPhone session the call remains active because the call session state information is replicated to the standby unit When the call is terminated the IP SoftPhone client loses connection with the Cisco CallManager This occurs because there is no session information for th...

Page 237: ...exts You should monitor important interfaces for example you might configure one context to monitor a shared interface because the interface is shared all contexts benefit from the monitoring When a unit does not receive hello messages on a monitored interface for half of the configured hold time it runs the following tests 1 Link Up Down test A test of the interface status If the Link Up Down tes...

Page 238: ...il again Failover Feature Platform Matrix Table 14 4 shows the failover features supported by each hardware platform Failover Times by Platform Table 14 5 shows the minimum default and maximum failover times for the PIX 500 series security appliance Table 14 6 shows the minimum default and maximum failover times for the ASA 5500 series adaptive security appliance Table 14 4 Failover Feature Suppor...

Page 239: ...security appliance You cannot configure failover when Easy VPN remote is enabled on the ASA 5505 adaptive security appliance VPN failover is not supported in multiple context mode CA server is not supported If you have a CA server configured on the active unit the CA server functionality will be lost when the unit fails over The crypto ca server command and associated commands are not synchronized...

Page 240: ... Failover cable to the PIX 500 series security appliances Make sure that you attach the end of the cable marked Primary to the unit you use as the primary unit and that you attach the end of the cable marked Secondary to the other unit Step 2 Power on the primary unit Step 3 If you have not done so already configure the active and standby IP addresses for each data interface routed mode for the ma...

Page 241: ...ess do not change at failover unless it uses a data interface The active IP address always stays with the primary unit while the standby IP address stays with the secondary unit c Enable the interface hostname config interface phy_if hostname config if no shutdown Step 5 Enable failover hostname config failover Step 6 Power on the secondary unit and enable failover on the unit if it is not already...

Page 242: ...k if you are going to use a dedicated Stateful Failover interface You use the failover interface ip command to configure a dedicated Stateful Failover interface in a later step hostname config if ip address active_addr netmask standby standby_addr In routed firewall mode and for the management only interface this command is entered in interface configuration mode for each interface In transparent ...

Page 243: ... argument assigns a logical name to the interface specified by the phy_if argument The phy_if argument can be the physical port name such as Ethernet1 or a previously created subinterface such as Ethernet0 2 3 This interface should not be used for any other purpose except optionally the failover link b Assign an active and standby IP address to the Stateful Failover link Note If the Stateful Failo...

Page 244: ...ry unit a Specify the interface to be used as the failover interface hostname config failover lan interface if_name phy_if The if_name argument assigns a name to the interface specified by the phy_if argument b Assign the active and standby IP address to the failover link hostname config failover interface ip if_name ip_addr mask standby ip_addr Note Enter this command exactly as you entered it on...

Page 245: ...state information Enter the following command in global configuration mode to enable HTTP state replication when Stateful Failover is enabled hostname config failover replication http Disabling and Enabling Interface Monitoring By default monitoring physical interfaces is enabled and monitoring subinterfaces is disabled You can monitor up to 250 interfaces on a unit You can control which interface...

Page 246: ...s less than 5 times the poll time Note If the interface link is down interface testing is not conducted and the standby unit could become active in just one interface polling period if the number of failed interface meets or exceeds the configured failover criteria Configuring Failover Criteria By default a single interface failure causes failover You can specify a specific number of interfaces or...

Page 247: ...s 4 The burned in MAC address Use the show interface command to display the MAC address used by an interface Configuring Active Active Failover This section describes how to configure Active Active failover Note Active Active failover is not available on the ASA 5505 adaptive security appliance This section includes the following topics Prerequisites page 14 27 Configuring Cable Based Active Activ...

Page 248: ...Stateful Failover interface in a later step hostname context config if ip address active_addr netmask standby standby_addr In routed firewall mode and for the management only interface this command is entered in interface configuration mode for each interface In transparent firewall mode the command is entered in global configuration mode Step 4 Optional To enable Stateful Failover configure the S...

Page 249: ...config failover Step 8 Power on the secondary unit and enable failover on the unit if it is not already enabled hostname config failover The active unit sends the configuration in running memory to the standby unit As the configuration synchronizes the messages Beginning configuration replication Sending to mate and End Configuration Replication to mate appear on the primary console Step 9 Save th...

Page 250: ...ddress active_addr netmask standby standby_addr In routed firewall mode and for the management only interface this command is entered in interface configuration mode for each interface In transparent firewall mode the command is entered in global configuration mode Step 2 Configure the basic failover parameters in the system execution space a PIX 500 series security appliance only Enable LAN based...

Page 251: ... and MAC address do not change at failover The active IP address always stays with the primary unit while the standby IP address stays with the secondary unit c Enable the interface Note If the Stateful Failover link uses the failover link or regular data interface skip this step You have already enabled the interface hostname config interface phy_if hostname config if no shutdown Step 4 Configure...

Page 252: ...t a Specify the interface to be used as the failover interface hostname config failover lan interface if_name phy_if The if_name argument assigns a logical name to the interface specified by the phy_if argument The phy_if argument can be the physical port name such as Ethernet1 or a previously created subinterface such as Ethernet0 2 3 On the ASA 5505 adaptive security appliance the phy_if specifi...

Page 253: ... entered on the unit that has failover group 1 in the active state This section includes the following topics Configuring Failover Group Preemption page 14 33 Enabling HTTP Replication with Stateful Failover page 14 34 Disabling and Enabling Interface Monitoring page 14 34 Configuring Interface Health Monitoring page 14 34 Configuring Failover Criteria page 14 34 Configuring Virtual MAC Addresses ...

Page 254: ...llowing command within a context hostname context config no monitor interface if_name To enable health monitoring on an interface enter the following command within a context hostname context config monitor interface if_name Configuring Interface Health Monitoring The security appliance sends hello packets out of each data interface to monitor interface health If the security appliance does not re...

Page 255: ...e config failover group 1 2 hostname config fover group mac address phy_if active_mac standby_mac The phy_if argument is the physical name of the interface such as Ethernet1 The active_mac and standby_mac arguments are MAC addresses in H H H format where H is a 16 bit hexadecimal digit For example the MAC address 00 0C F1 42 4C DE would be entered as 000C F142 4CDE The active_mac address is associ...

Page 256: ... in the active failover group to the standby failover group replication http HTTP session state information is not passed to the standby failover group and therefore is not present on the standby interface For the security appliance to be able re route asymmetrically routed HTTP packets you need to replicate the HTTP state information You can configure the asr group command on an interface without...

Page 257: ...ostname primary interface GigabitEthernet0 1 description LAN STATE Failover Interface interface GigabitEthernet0 2 no shutdown interface GigabitEthernet0 3 no shutdown interface GigabitEthernet0 4 no shutdown interface GigabitEthernet0 5 no shutdown failover failover lan unit primary failover lan interface folink GigabitEthernet0 1 failover link folink failover interface ip folink 10 0 4 1 255 255...

Page 258: ...ress 10 2 20 1 255 255 255 0 standby 10 2 20 11 Figure 14 1 on page 14 37 shows the ASR support working as follows 1 An outbound session passes through security appliance SecAppA It exits interface outsideISP A 192 168 1 1 2 Because of asymmetric routing configured somewhere upstream the return traffic comes back through the interface outsideISP B 192 168 2 2 on security appliance SecAppB 3 Normal...

Page 259: ...s system resource usage and can cause false failure detection in cases where the networks are congested or where the security appliance is running near full capacity Configuring Failover Communication Authentication Encryption You can encrypt and authenticate the communication between failover peers by specifying a shared secret or hexadecimal key Note On the PIX 500 series security appliance if y...

Page 260: ...lity page 14 49 Using the show failover Command This section describes the show failover command output On each unit you can verify the failover status by entering the show failover command The information displayed depends upon whether you are using Active Standby or Active Active failover This section includes the following topics show failover Active Standby page 14 40 Show Failover Active Acti...

Page 261: ...context displays the failover information for that context The information is similar to the information shown when using the command in single context mode Instead of showing the active standby status of the unit it displays the active standby status of the context Table 14 7 provides descriptions for the information shown Failover On Last Failover at 04 03 11 UTC Jan 4 2003 This context Negotiat...

Page 262: ...uring which the unit must receive a hello message on the failover link before declaring the peer failed Interface Poll frequency n seconds The number of seconds you set with the failover polltime interface command The default is 15 seconds Interface Policy Displays the number or percentage of interfaces that must fail to trigger failover Monitored Interfaces Displays the number of interfaces monit...

Page 263: ...ther administratively shutdown or is physically down failed The interface has failed and is not passing stateful data Stateful Obj For each field type the following statistics are shown They are counters for the number of state information packets sent between the two units the fields do not necessarily show active connections through the unit xmit Number of transmitted packets to the other unit x...

Page 264: ...1 0 5 0 0 11 S91 0 11 status Up admin Interface outside 10 132 8 5 Normal admin Interface third 10 132 9 5 Normal admin Interface inside 10 130 8 5 Normal admin Interface fourth 10 130 9 5 Normal ctx1 Interface outside 10 1 1 1 Normal ctx1 Interface inside 10 2 2 1 Normal ctx2 Interface outside 10 3 3 2 Normal ctx2 Interface inside 10 4 4 2 Normal Other host Secondary VPN IPSEC upd IPSec connectio...

Page 265: ...0 0 380 0 up time 0 0 0 0 RPC services 0 0 0 0 TCP conn 1435 0 1450 0 UDP conn 0 0 0 0 ARP tbl 124 0 65 0 Xlate_Timeout 0 0 0 0 VPN IKE upd 15 0 0 0 VPN IPSEC upd 90 0 0 0 VPN CTCP upd 0 0 0 0 VPN SDI upd 0 0 0 0 VPN DHCP upd 0 0 0 0 SIP Session 0 0 0 0 Logical Update Queue Information Cur Max Total Recv Q 0 1 1895 Xmit Q 0 0 1940 The following is sample output from the show failover group command...

Page 266: ...declaring the peer failed Interface Poll frequency n seconds The number of seconds you set with the failover polltime interface command The default is 15 seconds Interface Policy Displays the number or percentage of interfaces that must fail before triggering failover Monitored Interfaces Displays the number of interfaces monitored out of the maximum possible Group 1 Last Failover at Group 2 Last ...

Page 267: ...s either administratively shutdown or is physically down failed The interface has failed and is not passing stateful data Stateful Obj For each field type the following statistics are used They are counters for the number of state information packets sent between the two units the fields do not necessarily show active connections through the unit xmit Number of transmitted packets to the other uni...

Page 268: ...show running config failover All of the failover commands are displayed On units running multiple context mode enter this command in the system execution space Entering show running config all failover displays the failover commands in the running configuration and includes commands for which you have not changed the default value VPN IPSEC upd IPSec connection information VPN CTCP upd cTCP tunnel...

Page 269: ...f the test was not successful enter the show failover command to check the failover status Step 5 When you are finished you can restore the unit or failover group to active status by enter the following command For Active Standby failover enter the following command on the active unit hostname config failover active For Active Active failover enter the following command on the unit where the failo...

Page 270: ...ith failover disabled see the Forcing Failover section on page 14 49 Disabling failover on an Active Active failover pair causes the failover groups to remain in the active state on whichever unit they are currently active on no matter which unit they are configured to prefer Enter the no failover command in the system execution space Restoring a Failed Unit or Failover Group To restore a failed u...

Page 271: ...management stations define a syslog host and compile the Cisco syslog MIB into your SNMP management station See the snmp server and logging commands in the Cisco Security Appliance Command Reference for more information Remote Command Execution Remote command execution lets you send commands entered at the command line to a specific failover peer Because configuration commands are replicated from ...

Page 272: ...obal configuration mode of the active unit of a failover pair and you use the failover exec active command to change to interface configuration mode the terminal prompt remains in global configuration mode but commands entered using failover exec are entered in interface configuration mode The following examples shows the difference between the terminal session mode and the failover exec command m...

Page 273: ...grade one unit using the zero downtime upgrade procedure and not the other both units must be running software that supports the failover exec command for the command to work Command completion and context help is not available for the commands in the cmd_string argument In multiple context mode you can only send commands to the peer context on the peer unit To send commands to a different context...

Page 274: ...r HTTP server is for the primary unit only Auto Update Process Overview The following is an overview of the Auto Update process in failover configurations This process assumes that failover is enabled and operational The Auto Update process cannot occur if the units are synchronizing configurations if the standby unit is in the failed state for any reason other than SSM card failure or if the fail...

Page 275: ...lient Sent DeviceDetails to cgi bin dda pl of server 192 168 0 21 Auto update client Processing UpdateInfo from server 192 168 0 21 Component asdm URL http 192 168 0 21 asdm bint checksum 0x94bced0261cc992ae710faf8d244cf32 Component config URL http 192 168 0 21 config rms xml checksum 0x67358553572688a805a155af312f6898 Component image URL http 192 168 0 21 cdisk73 bin checksum 0x6d091b43ce96243e29...

Page 276: ...ate HA safe reload reload active waiting with mate state 20 auto update HA safe reload reload active waiting with mate state 20 auto update HA safe reload reload active waiting with mate state 20 auto update HA safe reload reload active waiting with mate state 20 auto update HA safe reload reload active waiting with mate state 20 auto update HA safe reload reload active waiting with mate state 20 ...

Page 277: ...P A R T 2 Configuring the Firewall ...

Page 278: ......

Page 279: ... topics IP Routing Support page 15 1 How Data Moves Through the Security Appliance in Routed Firewall Mode page 15 1 IP Routing Support The security appliance acts as a router between connected networks and each interface requires an IP address on a different subnet In single context mode the routed firewall supports OSPF and RIP Multiple context mode supports static routes only We recommend using...

Page 280: ...according to the terms of the security policy access lists filters AAA For multiple context mode the security appliance first classifies the packet according to either a unique interface or a unique destination address associated with a context the destination address is associated by matching an address translation in a context In this case the interface would be unique the www example com IP add...

Page 281: ...llowing steps describe how data moves through the security appliance see Figure 15 2 1 A user on the outside network requests a web page from the DMZ web server using the global destination address of 209 165 201 3 which is on the outside interface subnet 2 The security appliance receives the packet and because it is a new session the security appliance verifies that the packet is allowed accordin...

Page 282: ...erforms NAT by translating the local source address to 209 165 201 3 6 The security appliance forwards the packet to the outside user An Inside User Visits a Web Server on the DMZ Figure 15 3 shows an inside user accessing the DMZ web server Figure 15 3 Inside to DMZ The following steps describe how data moves through the security appliance see Figure 15 3 1 A user on the inside network requests a...

Page 283: ...e many lookups associated with a new connection 5 The security appliance forwards the packet to the inside user An Outside User Attempts to Access an Inside Host Figure 15 4 shows an outside user attempting to access the inside network Figure 15 4 Outside to Inside The following steps describe how data moves through the security appliance see Figure 15 4 1 A user on the outside network attempts to...

Page 284: ...oute the traffic on the Internet the private addressing scheme does not prevent routing 2 The security appliance receives the packet and because it is a new session the security appliance verifies if the packet is allowed according to the security policy access lists filters AAA 3 The packet is denied and the security appliance drops the packet and logs the connection attempt Transparent Mode Over...

Page 285: ...ing from a low to a high security interface an extended access list is required on the low security interface See the Adding an Extended Access List section on page 16 5 for more information Allowed MAC Addresses The following destination MAC addresses are allowed through the transparent firewall Any MAC address not on this list is dropped TRUE broadcast destination MAC address equal to FFFF FFFF ...

Page 286: ...de without NAT the outgoing interface of a packet is determined by performing a MAC address lookup instead of a route lookup Route statements can still be configured but they only apply to security appliance originated traffic For example if your syslog server is located on a remote network you must use a static route so the security appliance can reach that subnet An exception to this rule is whe...

Page 287: ...ddress for each interface a transparent firewall has an IP address assigned to the entire device The security appliance uses this IP address as the source address for packets originating on the security appliance such as system messages or AAA communications The management IP address must be on the same subnet as the connected network You cannot set the subnet to a host subnet 255 255 255 255 You ...

Page 288: ...le 15 1 Unsupported Features in Transparent Mode Feature Description Dynamic DNS DHCP relay The transparent firewall can act as a DHCP server but it does not support the DHCP relay commands DHCP relay is not required because you can allow DHCP traffic to pass through using two extended access lists one that allows DCHP requests from the inside interface to the outside and one that allows the repli...

Page 289: ...her access list lets the outside users access only the web server on the inside network Figure 15 7 Typical Transparent Firewall Data Path This section describes how data moves through the security appliance and includes the following topics An Inside User Visits a Web Server page 15 12 An Inside User Visits a Web Server Using NAT page 15 13 An Outside User Visits a Web Server on the Inside Networ...

Page 290: ...rs AAA For multiple context mode the security appliance first classifies the packet according to a unique interface 3 The security appliance records that a session is established 4 If the destination MAC address is in its table the security appliance forwards the packet out of the outside interface The destination MAC address is that of the upstream router 209 186 201 2 If the destination MAC addr...

Page 291: ...apped address 209 165 201 10 Because the mapped address is not on the same network as the outside interface then be sure the upstream router has a static route to the mapped network that points to the security appliance 4 The security appliance then records that a session is established and forwards the packet from the outside interface 5 If the destination MAC address is in its table the security...

Page 292: ...ide web server 2 The security appliance receives the packet and adds the source MAC address to the MAC address table if required Because it is a new session it verifies that the packet is allowed according to the terms of the security policy access lists filters AAA For multiple context mode the security appliance first classifies the packet according to a unique interface 3 The security appliance...

Page 293: ...work Figure 15 11 Outside to Inside The following steps describe how data moves through the security appliance see Figure 15 11 1 A user on the outside network attempts to reach an inside host 2 The security appliance receives the packet and adds the source MAC address to the MAC address table if required Because it is a new session it verifies if the packet is allowed according to the terms of th...

Page 294: ...15 16 Cisco Security Appliance Command Line Configuration Guide OL 12172 03 Chapter 15 Firewall Mode Overview Transparent Mode Overview ...

Page 295: ... about IPv6 access lists see the Configuring IPv6 Access Lists section on page 12 6 Access List Overview Access lists are made up of one or more Access Control Entries An ACE is a single entry in an access list that specifies a permit or deny rule and is applied to a protocol a source and destination IP address or network and optionally the source and destination ports Access lists are used in a v...

Page 296: ...cess you do not also need an access list allowing the host IP address You only need to configure management access according to Chapter 40 Managing System Access Identify traffic for AAA rules Extended AAA rules use access lists to identify traffic Control network access for IP traffic for a given user Extended downloaded from a AAA server per user You can configure the RADIUS server to download a...

Page 297: ...c is denied IP Addresses Used for Access Lists When You Use NAT When you use NAT the IP addresses you specify for an access list depend on the interface to which the access list is attached you need to use addresses that are valid on the network connected to the interface This guideline applies for both inbound and outbound access lists the direction does not determine the address used only the in...

Page 298: ...the translated address of the inside host in the access list because that address is the address that can be used on the outside network see Figure 16 2 Figure 16 2 IP Addresses in Access Lists NAT used for Destination Addresses See the following commands for this example hostname config access list OUTSIDE extended permit ip host 209 165 200 225 host 209 165 201 5 hostname config access group OUT...

Page 299: ...ended access list and includes the following sections Extended Access List Overview page 16 5 Allowing Broadcast and Multicast Traffic through the Transparent Firewall page 16 6 Adding an Extended ACE page 16 6 Extended Access List Overview An extended access list is made up of one or more ACEs in which you can specify the line number to insert the ACE source and destination addresses and dependin...

Page 300: ... you change the access list configuration and you do not want to wait for existing connections to time out before the new access list information is used you can clear the connections using the clear local host command Allowing Broadcast and Multicast Traffic through the Transparent Firewall In routed firewall mode broadcast and multicast traffic is blocked even if you allow it in an access list i...

Page 301: ...port numbers used by the source or destination The permitted operators are as follows lt less than gt greater than eq equal to neq not equal to range an inclusive range of values When you use this operator specify two port numbers for example range 100 200 You can specify the ICMP type only for the icmp protocol Because ICMP is a connectionless protocol you either need access lists to allow ICMP i...

Page 302: ...9 165 201 29 eq www hostname config access list ACL_IN extended permit ip any any Adding an EtherType Access List Transparent firewall mode only This section describes how to add an EtherType access list and includes the following sections EtherType Access List Overview page 16 8 Adding an EtherType ACE page 16 10 EtherType Access List Overview An EtherType access list is made up of one or more AC...

Page 303: ...he end of the access list does not affect IP traffic or ARPs for example if you allow EtherType 8037 the implicit deny at the end of the access list does not now block any IP traffic that you previously allowed with an extended access list or implicitly allowed from a high security interface to a low security interface However if you explicitly deny all traffic with an EtherType ACE then IP and AR...

Page 304: ...stname config access list ETHER ethertype permit bpdu hostname config access list ETHER ethertype permit mpls unicast hostname config access group ETHER in interface inside The following access list allows some EtherTypes through the security appliance but denies IPX hostname config access list ETHER ethertype deny ipx hostname config access list ETHER ethertype permit 0x1234 hostname config acces...

Page 305: ... Object Grouping This section describes how to use object grouping to simplify access list creation and maintenance This section includes the following topics How Object Grouping Works page 16 11 Adding Object Groups page 16 12 Nesting Object Groups page 16 15 Displaying Object Groups page 16 17 Removing Object Groups page 16 17 Using Object Groups with an Access List page 16 16 How Object Groupin...

Page 306: ...up page 16 13 Adding an ICMP Type Object Group page 16 14 Adding a Protocol Object Group To add or change a protocol object group perform the following steps After you add the group you can add more objects as required by following this procedure again for the same group name and specifying additional objects You do not need to reenter existing objects the commands you already set remain in place ...

Page 307: ...o add a network group enter the following command hostname config object group network grp_id The grp_id is a text string up to 64 characters in length The prompt changes to network configuration mode Step 2 Optional To add a description enter the following command hostname config network description text The description can be up to 200 characters Step 3 To define the networks in the group enter ...

Page 308: ... 11 For example to create service groups that include DNS TCP UDP LDAP TCP and RADIUS UDP enter the following commands hostname config object group service services1 tcp udp hostname config service description DNS Group hostname config service port object eq domain hostname config service object group service services2 udp hostname config service description RADIUS Group hostname config service po...

Page 309: ...Then perform the following steps Step 1 To add or edit an object group under which you want to nest another object group enter the following command hostname config object group protocol network icmp type grp_id service grp_id tcp udp tcp udp Step 2 To add the specified group under the object group you specified in Step 1 enter the following command hostname config group_type group object grp_id T...

Page 310: ...ers All other traffic is allowed hostname config access list ACL_IN extended deny tcp host 10 1 1 4 host 209 165 201 29 eq www hostname config access list ACL_IN extended deny tcp host 10 1 1 78 host 209 165 201 29 eq www hostname config access list ACL_IN extended deny tcp host 10 1 1 89 host 209 165 201 29 eq www hostname config access list ACL_IN extended deny tcp host 10 1 1 4 host 209 165 201...

Page 311: ...ect host 209 165 201 1 network object 192 168 1 0 255 255 255 0 group object ftp_servers Removing Object Groups To remove an object group enter one of the following commands Note You cannot remove an object group or make an object group empty if it is used in an access list To remove a specific object group enter the following command hostname config no object group grp_id To remove all object gro...

Page 312: ...6 18 Applying the Time Range to an ACE page 16 19 Adding a Time Range To add a time range to implement a time based access list perform the following steps Step 1 Identify the time range name by entering the following command hostname config time range name Step 2 Specify the time range as either a recurring time range or an absolute time range Multiple periodic entries are allowed per time range ...

Page 313: ...nd syntax Note If you also enable logging for the ACE use the log keyword before the time range keyword If you disable the ACE using the inactive keyword use the inactive keyword as the last keyword The following example binds an access list named Sales to a time range named New_York_Minute hostname config access list Sales line 1 extended deny tcp host 209 165 200 225 host 209 165 201 1 time rang...

Page 314: ...e at the first hit and at the end of each interval identifying the total number of hits during the interval At the end of each interval the security appliance resets the hit count to 0 If no packets match the ACE during an interval the security appliance deletes the flow entry A flow is defined by the source and destination IP addresses protocols and ports Because the source port might differ for ...

Page 315: ...106100 access list outside acl permitted tcp outside 1 1 1 1 12345 inside 192 168 1 1 1357 hit cnt 2 600 second interval When a packet is denied by the third ACE the security appliance generates the following system message ASA PIX 2 106100 access list outside acl denied ip outside 3 3 3 3 12345 inside 192 168 1 1 1357 hit cnt 1 first hit 20 additional attempts within a 5 minute interval the defau...

Page 316: ... To set the maximum number of deny flows permitted per context before the security appliance stops logging enter the following command hostname config access list deny flow max number The number is between 1 and 4096 4096 is the default To set the amount of time between system messages number 106101 that identify that the maximum number of deny flows was reached enter the following command hostnam...

Page 317: ...y NAT page 17 10 NAT and Same Security Level Interfaces page 17 13 Order of NAT Commands Used to Match Real Addresses page 17 14 Mapped Address Guidelines page 17 14 DNS and NAT page 17 15 Introduction to NAT Address translation substitutes the real address in a packet with a mapped address that is routable on the destination network NAT is composed of two steps the process by which a real address...

Page 318: ...orks section on page D 2 for more information NAT hides the real addresses from other networks so attackers cannot learn the real address of a host You can resolve IP routing problems such as overlapping addresses See Table 25 1 on page 25 3 for information about protocols that do not support NAT NAT in Routed Mode Figure 17 1 shows a typical NAT example in routed mode with a private network on th...

Page 319: ... appliance because it uses the MAC address table NAT however causes the security appliance to use a route lookup instead of a MAC address lookup so it needs a static route to the downstream router The alias command is not supported Because the transparent firewall does not have any interface IP addresses you cannot use interface PAT ARP inspection is not supported Moreover if for some reason a hos...

Page 320: ...versing from an inside interface to an outside interface match a NAT rule for any host on the inside network to access a host on the outside network you must configure NAT to translate the inside host address as shown in Figure 17 3 Figure 17 3 NAT Control and Outbound Traffic Management IP 10 1 2 2 www example com 10 1 2 1 Host 10 1 2 27 Internet Source Addr Translation 209 165 201 10 10 1 2 27 S...

Page 321: ...rm NAT on any addresses for which you configure dynamic NAT See the Dynamic NAT and PAT Implementation section on page 17 17 for more information about how dynamic NAT is applied If you want the added security of NAT control but do not want to translate inside addresses in some cases you can apply a NAT exemption or identity NAT rule on those addresses See the Bypassing NAT section on page 17 30 f...

Page 322: ...st initiates the connection The translation is in place only for the duration of the connection and a given user does not keep the same IP address after the translation times out For an example see the timeout xlate command in the Cisco Security Appliance Command Reference Users on the destination network therefore cannot initiate a reliable connection to a host that uses dynamic NAT although the ...

Page 323: ...Attempts to Initiate a Connection to a Mapped Address Note For the duration of the translation a remote host can initiate a connection to the translated host if an access list allows it Because the address is unpredictable a connection to the host is unlikely Nevertheless in this case you can rely on the security of the access list Web Server www example com Outside Inside 209 165 201 2 10 1 2 1 1...

Page 324: ...so expires after 30 seconds of inactivity The timeout is not configurable Users on the destination network cannot reliably initiate a connection to a host that uses PAT even if the connection is allowed by an access list Not only can you not predict the real or mapped port number of the host but the security appliance does not create a translation at all unless the translated host is the initiator...

Page 325: ...that require inspection for secondary channels for example FTP and VoIP the security appliance automatically translates the secondary ports For example if you want to provide a single address for remote users to access FTP HTTP and SMTP but these are all actually different servers on the real network you can specify static PAT statements for each server that uses the same mapped IP address but dif...

Page 326: ... though the mapped address is the same as the real address you cannot initiate a connection from the outside to the inside even if the interface access list allows it Use static identity NAT or NAT exemption for this functionality Static identity NAT static command Static identity NAT lets you specify the interface on which you want to allow the real addresses to appear so you can use identity NAT...

Page 327: ... host on the 10 1 2 0 24 network accessing two different servers When the host accesses the server at 209 165 201 11 the real address is translated to 209 165 202 129 When the host accesses the server at 209 165 200 225 the real address is translated to 209 165 202 130 Consequently the host appears to be on the same network as the servers which can help with routing Figure 17 9 Policy NAT with Dif...

Page 328: ... 0 209 165 201 11 255 255 255 255 eq 23 hostname config nat inside 1 access list WEB hostname config global outside 1 209 165 202 129 hostname config nat inside 2 access list TELNET hostname config global outside 2 209 165 202 130 For policy static NAT and for NAT exemption which also uses an access list to identify traffic both translated and remote hosts can originate traffic For traffic origina...

Page 329: ...gular NAT See the When to Use Application Protocol Inspection section on page 25 2 for information about NAT support for other protocols NAT and Same Security Level Interfaces NAT is not required between same security level interfaces even if you enable NAT control You can optionally configure NAT if desired However if you configure dynamic NAT when NAT control is enabled then NAT is required See ...

Page 330: ... statement to translate only 10 1 1 1 When 10 1 1 1 makes a connection the specific statement for 10 1 1 1 is used because it matches the real address best We do not recommend using overlapping statements they use more memory and can slow the performance of the security appliance Mapped Address Guidelines When you translate the real address to a mapped address you can use the following mapped addr...

Page 331: ...ss to ftp cisco com using the real address receive the real address from the DNS server and not the mapped address When an inside host sends a DNS request for the address of ftp cisco com the DNS server replies with the mapped address 209 165 201 10 The security appliance refers to the static statement for the inside server and translates the address inside the DNS reply to 10 1 3 14 If you do not...

Page 332: ...to use the mapped address for ftp cisco com 10 1 2 56 you need to configure DNS reply modification for the static translation Figure 17 13 DNS Reply Modification Using Outside NAT See the following command for this example hostname config static outside inside 10 1 2 56 209 165 201 10 netmask 255 255 255 255 dns Configuring NAT Control NAT control requires that packets traversing from an inside in...

Page 333: ...t command identifying the real addresses on a given interface that you want to translate Then you configure a separate global command to specify the mapped addresses when exiting another interface in the case of PAT this is one address Each nat command matches a global command by comparing the NAT ID a number that you assign to each command see Figure 17 14 Figure 17 14 nat and global ID Matching ...

Page 334: ... also on ID 1 Traffic from the Inside interface and the DMZ interface share a mapped pool or a PAT address when exiting the Outside interface see Figure 17 15 Figure 17 15 nat Commands on Multiple Interfaces See the following commands for this example hostname config nat inside 1 10 1 2 0 255 255 255 0 hostname config nat dmz 1 10 1 1 0 255 255 255 0 hostname config global outside 1 209 165 201 3 ...

Page 335: ...201 3 209 165 201 10 hostname config global dmz 1 10 1 1 23 If you use different NAT IDs you can identify different sets of real addresses to have different mapped addresses For example on the Inside interface you can have two nat commands on two different NAT IDs On the Outside interface you configure two global commands for these two IDs Then when traffic from Inside network A exits the Outside ...

Page 336: ...rst in the order they are in the configuration and then uses the PAT global commands in order You might want to enter both a dynamic NAT global command and a PAT global command if you need to use dynamic NAT for a particular application but want to have a backup PAT statement in case all the dynamic NAT addresses are depleted Similarly you might enter two PAT statements if you need more than the a...

Page 337: ...interface for example traffic on a DMZ is translated when accessing the Inside and the Outside interfaces then you must configure a separate nat command without the outside option In this case you can identify the same addresses in both statements and use the same NAT ID see Figure 17 19 Note that for outside NAT DMZ interface to Inside interface the inside host uses a static command to allow outs...

Page 338: ... access any lower or same security level interface you must apply a global command with the same NAT ID on each interface or use a static command NAT is not required for that group when it accesses a higher security interface because to perform NAT from outside to inside you must create a separate nat command using the outside keyword If you do apply outside NAT then the NAT requirements preceding...

Page 339: ...address defined by the global command is the same for each translation but the port is dynamically assigned Figure 17 21 Dynamic PAT For more information about dynamic NAT see the Dynamic NAT section on page 17 6 For more information about PAT see the PAT section on page 17 8 Note If you change the NAT configuration and you do not want to wait for existing translations to time out before the new N...

Page 340: ...r the host one needs the mapped address and one needs the real address This option rewrites the address in the DNS reply to the client The translated host needs to be on the same interface as either the client or the DNS server Typically hosts that need to allow access from other interfaces use a static translation so this option is more likely to be used with the static command See the DNS and NA...

Page 341: ...1 10 1 2 0 255 255 255 0 outside dns hostname config global inside 1 10 1 1 45 To identify a single real address with two different destination addresses using policy NAT enter the following commands see Figure 17 9 on page 17 11 for a related figure hostname config access list NET1 permit ip 10 1 2 0 255 255 255 0 209 165 201 0 255 255 255 224 hostname config access list NET2 permit ip 10 1 2 0 2...

Page 342: ...ear xlate command you must remove the static command instead Only dynamic translations created by the nat and global commands can be removed with the clear xlate command To configure static NAT enter one of the following commands For policy static NAT enter the following command hostname config static real_interface mapped_interface mapped_ip interface access list acl_name dns norandomseq tcp tcp_...

Page 343: ...limit udp udp_max_conns See the Configuring Dynamic NAT or PAT section on page 17 23 for information about the options For example the following policy static NAT example shows a single real address that is translated to two mapped addresses depending on the destination address see Figure 17 9 on page 17 11 for a related figure hostname config access list NET1 permit ip host 10 1 2 27 209 165 201 ...

Page 344: ...static PAT enter one of the following commands For policy static PAT enter the following command hostname config static real_interface mapped_interface tcp udp mapped_ip interface mapped_port access list acl_name dns norandomseq tcp tcp_max_conns emb_limit udp udp_max_conns Identify the real addresses and destination source addresses using an extended access list Create the extended access list us...

Page 345: ...rce port for the active transfer is not modified to another port which may interfere with other devices that perform NAT on FTP traffic For example for Telnet traffic initiated from hosts on the 10 1 3 0 network to the security appliance outside interface 10 1 2 14 you can redirect the traffic to the inside host at 10 1 1 15 by entering the following commands hostname config access list TELNET per...

Page 346: ... 10 1 1 15 255 255 255 255 hostname config global outside 1 10 1 2 14 hostname config nat inside 2 10 1 1 0 255 255 255 0 hostname config global outside 2 10 1 2 78 To translate a well known port 80 to another port 8080 enter the following command hostname config static inside outside tcp 10 1 2 45 80 10 1 1 16 8080 netmask 255 255 255 255 Bypassing NAT This section describes how to bypass NAT You...

Page 347: ... can originate connections Static identity NAT lets you use regular NAT or policy NAT Policy NAT lets you identify the real and destination addresses when determining the real addresses to translate see the Policy NAT section on page 17 10 for more information about policy NAT For example you can use policy static identity NAT for an inside address when it accesses the outside interface and the de...

Page 348: ..._limit udp udp_max_conns Specify the same IP address for both real_ip arguments See the Configuring Dynamic NAT or PAT section on page 17 23 for information about the other options For example the following command uses static identity NAT for an inside IP address 10 1 1 3 when accessed by the outside hostname config static inside outside 10 1 1 3 10 1 1 3 netmask 255 255 255 255 The following com...

Page 349: ... This access list can include both permit ACEs and deny ACEs Do not specify the real and destination ports in the access list NAT exemption does not consider the ports NAT exemption also does not consider the inactive or time range keywords all ACEs are considered to be active for NAT exemption configuration By default this command exempts traffic from inside to outside If you want traffic from ou...

Page 350: ...68 100 0 24 but hosts on each network must communicate as allowed by access lists Without NAT when a host on the inside network tries to access a host on the overlapping DMZ network the packet never makes it past the security appliance which sees the packet as having a destination address on the inside network Moreover if the destination address is being used by another host on the inside network ...

Page 351: ...2 168 100 0 255 255 255 128 10 1 1 2 1 The security appliance already has a connected route for the inside network These static routes allow the security appliance to send traffic for the 192 168 100 0 24 network out the DMZ interface to the gateway router at 10 1 1 2 You need to split the network into two because you cannot create a static route with the exact same network as a connected route Al...

Page 352: ...ation perform the following steps Step 1 Configure PAT for the inside network by entering the following commands hostname config nat inside 1 0 0 0 0 0 0 0 0 0 0 hostname config global outside 1 209 165 201 15 Step 2 Redirect Telnet requests for 209 165 201 5 to 10 1 1 6 by entering the following command hostname config static inside outside tcp 209 165 201 5 telnet 10 1 1 6 telnet netmask 255 255...

Page 353: ...72 03 Chapter 17 Configuring NAT NAT Examples Step 5 Redirect HTTP requests on port 8080 for PAT address 209 165 201 15 to 10 1 1 7 port 80 by entering the following command hostname config static inside outside tcp 209 165 201 15 8080 10 1 1 7 www netmask 255 255 255 255 ...

Page 354: ...17 38 Cisco Security Appliance Command Line Configuration Guide OL 12172 03 Chapter 17 Configuring NAT NAT Examples ...

Page 355: ...rview By default all traffic from a higher security interface to a lower security interface is allowed Access lists let you either allow traffic from lower security interfaces or restrict traffic from higher security interfaces The security appliance supports two types of access lists Inbound Inbound access lists apply to traffic as it enters an interface Outbound Outbound access lists apply to tr...

Page 356: ... 209 165 200 225 eq www hostname config access group OUTSIDE out interface outside Applying an Access List to an Interface To apply an extended access list to the inbound or outbound direction of an interface enter the following command hostname config access group access_list_name in out interface interface_name per user override You can apply one access list of each type extended and EtherType t...

Page 357: ...ostname config access list OUT extended permit ip host 209 168 200 3 any hostname config access list OUT extended permit ip host 209 168 200 4 any hostname config access group ANY in interface inside hostname config access group ANY in interface hr hostname config access group OUT out interface outside For example the following sample access list allows common EtherTypes originating on the inside ...

Page 358: ... Command Line Configuration Guide OL 12172 03 Chapter 18 Permitting or Denying Network Access Applying an Access List to an Interface hostname config access list outsideacl extended permit object group myaclog interface inside any ...

Page 359: ...uses cut through proxy to significantly improve performance compared to a traditional proxy server The performance of a traditional proxy server suffers because it analyzes every packet at the application layer of the OSI model The security appliance cut through proxy challenges a user initially at the application layer and then authenticates against standard AAA servers or the local database Afte...

Page 360: ...ntication for network access to any protocol or service users can authenticate directly with HTTP HTTPS Telnet or FTP only A user must first authenticate with one of these services before the security appliance allows other traffic requiring authentication The authentication ports that the security appliance supports for AAA are fixed Port 21 for FTP Port 23 for Telnet Port 80 for HTTP Port 443 fo...

Page 361: ...and then the FTP username name1 name2 For the password the user enters the security appliance password followed by an at sign and then the FTP password password1 password2 For example enter the following text name jamiec patm password letmein he110 This feature is useful when you have cascaded firewalls that require multiple logins You can separate several names and passwords by multiple at signs ...

Page 362: ...ated in Step 1 Note You can alternatively use the aaa authentication include command which identifies traffic within the command However you cannot use both methods in the same configuration See the Cisco Security Appliance Command Reference for more information Step 4 Optional To enable the redirection method of authentication for HTTP or HTTPS connections enter the following command hostname con...

Page 363: ...rity appliance provides several methods of securing HTTP authentication Enable the redirection method of authentication for HTTP Use the aaa authentication listener command with the redirect keyword This method prevents the authentication credentials from continuing to the destination server See the Security Appliance Authentication Prompts section on page 19 2 for more information about the redir...

Page 364: ...ce If you do not want to allow HTTP HTTPS Telnet or FTP through the security appliance but want to authenticate other types of traffic you can authenticate with the security appliance directly using HTTP HTTPS or Telnet This section includes the following topics Enabling Direct Authentication Using HTTP and HTTPS page 19 6 Enabling Direct Authentication Using Telnet page 19 7 Enabling Direct Authe...

Page 365: ...nnstatus html Enabling Direct Authentication Using Telnet Although you can configure network access authentication for any protocol or service see the aaa authentication match or aaa authentication include command you can authenticate directly with HTTP Telnet or FTP only A user must first authenticate with one of these services before other traffic that requires authentication is allowed through ...

Page 366: ... 202 129 eq telnet hostname config access list AUTH remark This is the virtual Telnet address hostname config aaa authentication match AUTH outside tacacs Configuring Authorization for Network Access After a user authenticates for a given connection the security appliance can use authorization to further control traffic from the user This section includes the following topics Configuring TACACS Au...

Page 367: ... used for authentication matching Note If you have configured authentication and want to authorize all the traffic being authenticated you can use the same access list you created for use with the aaa authentication match command Step 3 To enable authorization enter the following command hostname config aaa authorization match acl_name interface_name server_group where acl_name is the name of the ...

Page 368: ...and the user specific access list With the per user override keyword the user specific access list determines what is permitted For more information see the access group command entry in the Cisco Security Appliance Command Reference This section includes the following topics Configuring a RADIUS Server to Send Downloadable Access Control Lists page 19 10 Configuring a RADIUS Server to Download Pe...

Page 369: ...co Secure ACS to the name of an access list previous downloaded means that the security appliance has the most recent version of the downloadable access list If the security appliance has not previously received the named downloadable access list it may have an out of date version of the access list or it may not have downloaded any version of the access list In either case the security appliance ...

Page 370: ...ntil Cisco Secure ACS sends the last of the access list in an access accept message Configuring Cisco Secure ACS for Downloadable Access Lists You can configure downloadable access lists on Cisco Secure ACS as a shared profile component and then assign the access list to a group or to an individual user The access list definition consists of one or more security appliance commands that are similar...

Page 371: ...ar to the access list extended command see the Adding an Extended Access List section on page 16 5 except that you replace the following command prefix access list acl_name extended with the following text ip inacl nnn The nnn argument is a number in the range from 0 to 999999999 that identifies the order of the command statement to be configured on the security appliance If this parameter is omit...

Page 372: ...basis using the acl netmask convert command available in the aaa server configuration mode For more information about configuring a RADIUS server see Identifying AAA Server Groups and Servers section on page 13 9 For more information about the acl netmask convert command see the Cisco Security Appliance Command Reference Configuring a RADIUS Server to Download Per User Access Control List Names To...

Page 373: ...nterface_name server_group where the acl_name argument is the access list name set in the access list command The interface_name argument is the interface name set in the nameif command The server_group argument is the server group name set in the aaa server command Note Alternatively you can use the aaa accounting include command which identifies traffic within the command but you cannot use both...

Page 374: ...e at a time The order of entries matters because the packet uses the first entry it matches as opposed to a best match scenario If you have a permit entry and you want to deny an address that is allowed by the permit entry be sure to enter the deny entry before the permit entry The mac argument specifies the source MAC address in 12 digit hexadecimal form that is nnnn nnnn nnnn The macmask argumen...

Page 375: ...pter 19 Applying AAA for Network Access Using MAC Addresses to Exempt Traffic from Authentication and Authorization hostname config mac list 1 deny 00a0 c95d 0282 ffff ffff ffff hostname config mac list 1 permit 00a0 c95d 0000 ffff ffff 0000 hostname config aaa mac exempt match 1 ...

Page 376: ...19 18 Cisco Security Appliance Command Line Configuration Guide OL 12172 03 Chapter 19 Applying AAA for Network Access Using MAC Addresses to Exempt Traffic from Authentication and Authorization ...

Page 377: ...her you can remove specific undesirable objects from HTTP traffic such as ActiveX objects or Java applets that may pose a security threat in certain situations You can also use URL filtering to direct specific traffic to an external filtering server such an Secure Computing SmartFilter formerly N2H2 or Websense filtering server Long URL HTTPS and FTP filtering can now be enabled using both Websens...

Page 378: ...ing top level tags to comments Caution This command also blocks any Java applets image files or multimedia objects that are embedded in object tags If the object or object HTML tags split across network packets or if the code in the tags is longer than the number of bytes in the MTU security appliance cannot block the tag ActiveX blocking does not occur when users access an IP address referenced b...

Page 379: ...mask foreign_ip foreign_mask To use this command replace port with the TCP port to which filtering is applied Typically this is port 80 but other values are accepted The http or url literal can be used for port 80 You can specify a range of ports by using a hyphen between the starting port number and the ending port number The local IP address and mask identify one or more internal hosts that are ...

Page 380: ... N2H2 for filtering HTTP HTTPS FTP and long URL filtering Note This release does not support the url cache command for URL filtering Although security appliance performance is less affected when using an external server users may notice longer access times to websites or FTP servers when the filtering server is remote from the security appliance When filtering is enabled and a request for content ...

Page 381: ... URL filtering server The port number is the Secure Computing SmartFilter server port number of the filtering server the security appliance also listens for UDP replies on this port Note The default port is 4005 This is the default port used by the Secure Computing SmartFilter server to communicate to the security appliance via TCP or UDP For information on changing the default port please refer t...

Page 382: ...buffered while awaiting responses from the url server Note Buffering URLs longer than 3072 bytes are not supported Step 2 To configure the maximum memory available for buffering pending URLs and for buffering long URLs enter the following command hostname config url block mempool size memory pool size Replace memory pool size with a value from 2 to 10240 for a maximum memory allocation of 2 KB to ...

Page 383: ... port port local_ip local_mask foreign_ip foreign_mask allow proxy block Replace port with one or more port numbers if a different port than the default port for HTTP 80 is used Replace local_ip and local_mask with the IP address and subnet mask of a user or subnetwork making requests Replace foreign_ip and foreign_mask with the IP address and subnet mask of a server or subnetwork responding to re...

Page 384: ...lter url http 0 0 0 0 hostname config filter url except 10 0 2 54 255 255 255 255 0 0 Filtering HTTPS URLs You must identify and enable the URL filtering server before enabling HTTPS filtering Note Websense and Smartfilter currently support HTTPS older versions of Secure Computing SmartFilter formerly N2H2 did not support HTTPS filtering Because HTTPS content is encrypted the security appliance se...

Page 385: ...iltering policy To enable FTP filtering enter the following command hostname config filter ftp port port localIP local_mask foreign_IP foreign_mask allow interact block Replace port port with a range of port numbers if a different port than the default port for FTP 21 is used Replace local_ip and local_mask with the IP address and subnet mask of a user or subnetwork making requests Replace foreign...

Page 386: ...me show running config url server statistics Global Statistics URLs total allowed denied 13 3 10 URLs allowed by cache server 0 3 URLs denied by cache server 0 10 HTTPSs total allowed denied 138 137 1 HTTPSs allowed by cache server 0 137 HTTPSs denied by cache server 0 1 FTPs total allowed denied 0 0 0 FTPs allowed by cache server 0 0 FTPs denied by cache server 0 0 Requests dropped 0 Server timeo...

Page 387: ...nfig url block block statistics URL Pending Packet Buffer Stats with max block 128 Cumulative number of packets held 896 Maximum number of packets held per URL 3 Current number of packets held global 38 Packets dropped due to exceeding url block buffer limit 7546 HTTP server retransmission 10 Number of packets released back to client 0 This shows the URL block statistics Viewing Caching Statistics...

Page 388: ... s AAA Author 0 s 0 s AAA Account 0 s 0 s This shows URL filtering performance statistics along with other performance statistics The filtering statistics are shown in the URL Access and URL Server Req rows Viewing Filtering Configuration The following is sample output from the show running config filter command hostname show running config filter filter url http 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ...

Page 389: ...r Policy Framework provides a consistent and flexible way to configure security appliance features For example you can use Modular Policy Framework to create a timeout configuration that is specific to a particular TCP application as opposed to one that applies to all TCP applications Modular Policy Framework supports the following features TCP normalization TCP and UDP connection limits and timeo...

Page 390: ..._default match default inspection traffic policy map type inspect dns preset_dns_map parameters message length maximum 512 policy map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp service policy...

Page 391: ... firewall mode you can use an EtherType access list hostname config cmap match access list access_list_name For more information about creating access lists see the Adding an Extended Access List section on page 16 5 or the Adding an EtherType Access List section on page 16 8 For information about creating access lists with NAT see the IP Addresses Used for Access Lists When You Use NAT section on...

Page 392: ...ic The class map matches traffic for a tunnel group to which you want to apply QoS hostname config cmap match tunnel group name You can also specify one other match command to refine the traffic match You can specify any of the preceding commands except for the match any match access list or match default inspection traffic commands Or you can enter the following command to police each flow hostna...

Page 393: ...n mode Step 2 Optional Add a description to the class map by entering the following command hostname config cmap description string Step 3 Define the traffic to include in the class by matching one of the following characteristics You can include only one match command in the class map Access list The class map matches traffic specified by an extended access list If the security appliance is opera...

Page 394: ... that you can create more complex match criteria and you can reuse class maps Parameters Parameters affect the behavior of the inspection engine Some traffic matching commands can specify regular expressions to match text inside a packet Be sure to create and test the regular expressions before you configure the policy map either singly or grouped together in a regular expression class map The def...

Page 395: ...other metacharacters on the subexpression For example d o a g matches dog and dag but do ag matches do and ag A subexpression can also be used with repeat quantifiers to differentiate the characters meant for repetition For example ab xy 3 z matches abxyxyxyz Alternation Matches either expression it separates For example dog cat matches dog or cat Question mark A quantifier that indicates that the...

Page 396: ...on match failed Step 2 To add a regular expression after you tested it enter the following command a c Character range class Matches any character in the range a z matches any lowercase letter You can mix characters and ranges abcq z matches a b c q r s t u v w x y z and so does a cq z The dash character is literal only if it is the last or the first character within the brackets abc or abc Quotat...

Page 397: ...e following command hostname config class map type regex match any class_map_name hostname config cmap Where class_map_name is a string up to 40 characters in length The name class default is reserved All types of class maps use the same name space so you cannot reuse a name already used by another type of class map The match any keyword specifies that the traffic matches the class map if it match...

Page 398: ...ame config cmap Where the application is the application you want to inspect For supported applications see the CLI help for a list of supported applications or see Chapter 25 Configuring Application Layer Protocol Inspection The class_map_name argument is the name of the class map up to 40 characters in length The match all keyword is the default and specifies that traffic must match all criteria...

Page 399: ...ing traffic perform the following steps a Specify the traffic on which you want to perform actions using one of the following methods Specify the inspection class map that you created in the Identifying Traffic in an Inspection Class Map section on page 21 10 by entering the following command hostname config pmap class class_map_name hostname config pmap c Not all applications support inspection c...

Page 400: ...tches multiple match or class commands that are the same then they are matched in the order they appear in the policy map For example for a packet with the header length of 1001 it will match the first command below and be logged and then will match the second command and be reset If you reverse the order of the two match commands then the packet will be dropped and the connection reset before it ...

Page 401: ...ffic hostname config cmap match req resp content type mismatch hostname config cmap match request body length gt 1000 hostname config cmap match not request uri regex class URLs hostname config cmap policy map type inspect http http map1 hostname config pmap class http traffic hostname config pmap c drop connection log hostname config pmap c match req resp content type mismatch hostname config pma...

Page 402: ...e Types Feature types supported by the Modular Policy Framework that you can enable in the policy map include the following TCP normalization TCP and UDP connection limits and timeouts and TCP sequence number randomization CSC Application inspection IPS QoS input policing QoS output policing QoS priority queue Feature Directionality Actions are applied to traffic bidirectionally or unidirectionall...

Page 403: ...on Modular Policy Framework operates on traffic flows and not just individual packets If traffic is part of an existing connection that matches a feature in a policy on one interface that traffic flow cannot also match the same feature in a policy on another interface only the first policy is used For example if HTTP traffic matches a policy on the inside interface to inspect HTTP traffic and you ...

Page 404: ...vice CSC Application inspection IPS QoS input policing QoS output policing QoS priority queue Default Layer 3 4 Policy Map The configuration includes a default Layer 3 4 policy map that the security appliance uses in the default global policy It is called global_policy and performs inspection on the default inspection traffic You can only apply one global policy so if you want to alter the global ...

Page 405: ...n limits and timeouts and TCP sequence number randomization See the Configuring Connection Limits and Timeouts section on page 23 14 QoS policing and QoS priority See Chapter 24 Applying QoS Policies Application inspection See Chapter 25 Configuring Application Layer Protocol Inspection Note If there is no match default_inspection_traffic command in a class map then at most one inspect command is ...

Page 406: ... conn max 2000 When a Telnet connection is initiated it matches class telnet_traffic Similarly if an FTP connection is initiated it matches class ftp_traffic For any TCP connection other than Telnet and FTP it will match class tcp_traffic Even though a Telnet or FTP connection can match class tcp_traffic the security appliance does not make this match because they previously matched other classes ...

Page 407: ...ection and Connection Limits to HTTP Traffic to Specific Servers page 21 21 Applying Inspection to HTTP Traffic with NAT page 21 22 Applying Inspection and QoS Policing to HTTP Traffic In this example see Figure 21 1 any HTTP connection TCP traffic on port 80 that enters or exits the security appliance through the outside interface is classified for HTTP inspection Any HTTP traffic that exits the ...

Page 408: ...d for HTTP inspection Because the policy is a global policy inspection occurs only as the traffic enters each interface Figure 21 2 Global HTTP Inspection See the following commands for this example hostname config class map http_traffic hostname config cmap match port tcp eq 80 hostname config policy map http_traffic_policy hostname config pmap class http_traffic hostname config pmap c inspect ht...

Page 409: ...tatic inside outside 209 165 201 1 192 168 1 2 hostname config nat inside 1 192 168 1 0 255 255 255 0 hostname config global outside 1 209 165 201 2 hostname config access list serverA extended permit tcp any host 209 165 201 1 eq 80 hostname config access list ServerB extended permit tcp any host 209 165 200 227 eq 80 hostname config class map http_serverA hostname config cmap match access list s...

Page 410: ...list in the class map If you applied it to the outside interface you would use the mapped address Figure 21 4 HTTP Inspection with NAT See the following commands for this example hostname config static inside outside 209 165 200 225 192 168 1 1 hostname config access list http_client extended permit tcp host 192 168 1 1 any eq 80 hostname config class map http_client hostname config cmap match acc...

Page 411: ...M page 22 9 Checking SSM Status page 22 18 Transferring an Image onto an SSM page 22 19 Managing the AIP SSM This section includes the following topics AIP SSM Overview page 22 1 Sessioning to the AIP SSM page 22 5 Configuring the Security Policy on the AIP SSM page 22 6 Assigning Virtual Sensors to Security Contexts page 22 6 Diverting Traffic to the AIP SSM page 22 8 AIP SSM Overview You can ins...

Page 412: ...its security policy to the traffic and takes appropriate actions 5 Valid traffic is sent back to the adaptive security appliance over the backplane the AIP SSM might block some traffic according to its security policy and that traffic is not passed on 6 VPN policies are applied if configured 7 Traffic exits the adaptive security appliance Figure 22 1 shows the traffic flow when running the AIP SSM...

Page 413: ...efore the AIP SSM can shun it Figure 22 2 shows the AIP SSM in promiscuous mode In this example the AIP SSM sends a shun message to the security appliance for traffic it identified as a threat Figure 22 2 AIP SSM Traffic Flow in the Adaptive Security Appliance Promiscuous Mode Using Virtual Sensors The AIP SSM running IPS software Version 6 0 and above can run multiple virtual sensors which means ...

Page 414: ...re the inspection and protection policy which determines how to inspect traffic and what to do when an intrusion is detected Configure the inspection and protection policy for each virtual sensor if you want to run the AIP SSM in multiple sensor mode See the Configuring the Security Policy on the AIP SSM section on page 22 6 3 On the ASA 5500 series adaptive security appliance in multiple context ...

Page 415: ...bject to United States and local country laws governing import export transfer and use Delivery of Cisco cryptographic products does not imply third party authority to import export distribute or use encryption Importers exporters distributors and users are responsible for compliance with U S and local country laws By using this product you agree to comply with applicable laws and regulations If y...

Page 416: ...nfiguring the AIP SSM exit the IPS software by entering the following command sensor exit If you sessioned to the AIP SSM from the security appliance you return to the security appliance prompt Assigning Virtual Sensors to Security Contexts If the security appliance is in multiple context mode then you can assign one or more IPS virtual sensors to each context Then when you configure the context t...

Page 417: ...fault sensor before you allocate a new default sensor If you do not specify a sensor as the default and the context configuration does not include a sensor name then traffic uses the default sensor on the AIP SSM Step 3 Repeat Step 1 and Step 2 for each context Step 4 To configure the context IPS policy change to the context execution space using the following command hostname config ctx changeto ...

Page 418: ...mmand hostname config pmap c ips inline promiscuous fail close fail open sensor sensor_name mapped_name where the inline and promiscuous keywords control the operating mode of the AIP SSM See the Operating Modes section on page 22 2 for more details The fail close keyword sets the adaptive security appliance to block all traffic if the AIP SSM is unavailable The fail open keyword sets the adaptive...

Page 419: ...override the global policy on an interface by applying a service policy to that interface You can only apply one policy map to each interface The following example diverts all IP traffic to the AIP SSM in promiscuous mode and blocks all IP traffic if the AIP SSM card fails for any reason hostname config access list IPS permit ip any any hostname config class map my ips class hostname config cmap m...

Page 420: ... SSM for scanning In this example the client could be a network user who is accessing a website downloading files from an FTP server or retrieving mail from a POP3 server SMTP scans differ in that you should configure the adaptive security appliance to scan traffic sent from the outside to SMTP servers protected by the adaptive security appliance Note The CSC SSM can scan FTP file transfers only w...

Page 421: ...he management network This HTTP proxy server enables the CSC SSM to contact the Trend Micro update server The management port of the adaptive security appliance is connected to the management network To permit management of the adaptive security appliance and the CSC SSM hosts running ASDM must be connected to the management network The management network includes an SMTP server for e mail notific...

Page 422: ...ather the following information for use in Step 6 Activation keys received after completing Step 2 The CSC SSM management port IP address netmask and gateway IP address Note The CSC SSM management port IP address must be accessible by the hosts used to run ASDM The IP addresses for the CSC SSM management port and the adaptive security appliance management interface can be in different subnets DNS ...

Page 423: ...e license you have purchased are enabled With a Base License the features enabled by default are SMTP virus scanning POP3 virus scanning and content filtering webmail virus scanning HTTP file blocking FTP virus scanning and file blocking logging and automatic updates With a Plus License the additional features enabled by default are SMTP anti spam SMTP content filtering POP3 anti spam URL blocking...

Page 424: ...sks to hosts on an inside network and you probably do not want the adaptive security appliance to divert this traffic to the CSC SSM Therefore we recommend using access lists to further limit the traffic selected by the class maps of CSC SSM service policies Specifically use access lists that match the following HTTP connections to outside networks FTP connections from clients inside the adaptive ...

Page 425: ...5 255 0 eq 25 This access list matches inbound SMTP connections from any external host to any host on the DMZ network The policy applied to the outside interface would therefore ensure that incoming SMTP e mail would be diverted to the CSC SSM for scanning However the policy would not match SMTP connections from hosts on the inside network to the mail server on the DMZ network because those connec...

Page 426: ...should be diverted to the CSC SSM with the class map command hostname config class map class_map_name hostname config cmap where class_map_name is the name of the traffic class When you enter the class map command the CLI enters class map configuration mode Step 3 With the access list you created in Step 1 use a match access list command to identify the traffic to be scanned hostname config cmap m...

Page 427: ...licy map to each interface The adaptive security appliance begins diverting traffic to the CSC SSM as specified Example 22 1 is based on the network shown in Figure 22 7 and shows the creation of two service policies The first policy csc_out_policy is applied to the inside interface and uses the csc_out access list to ensure that all outbound requests for FTP and POP3 are scanned The csc_out acces...

Page 428: ...Cisco Security Appliance Command Reference hostname show module 1 Mod Card Type Model Serial No 0 ASA 5520 Adaptive Security Appliance ASA5520 P3000000034 1 ASA 5500 Series Security Services Module 20 ASA SSM 20 0 Mod MAC Address Range Hw Version Fw Version Sw Version 0 000b fcf8 c30d to 000b fcf8 c311 1 0 1 0 10 0 7 1 0 1 1 000b fcf8 012c to 000b fcf8 012c 1 0 1 0 10 0 Trend Micro InterScan Secur...

Page 429: ... intelligent SSM perform the following steps Step 1 Create or modify a recovery configuration for the SSM a Determine if there is a recovery configuration for the SSM Use the show module command with the recover keyword hostname show module slot recover where slot is the slot number occupied by the SSM If the recover keyword is not valid a recovery configuration does not exist This keyword is avai...

Page 430: ... TFTP server can connect to the management port IP address that you specify for the SSM After you complete the series of prompts the adaptive security appliance is ready to transfer the image that it finds to the SSM at the specified URL Step 2 To transfer the image from the TFTP server to the SSM and restart the SSM use the hw module module recover command with the boot keyword hostname hw module...

Page 431: ... IP Audit for Basic IPS Support page 23 18 Configuring Threat Detection This section describes how to configure scanning threat detection and basic threat detection and also how to use statistics to analyze threats Threat detection is available in single mode only This section includes the following topics Configuring Basic Threat Detection page 23 1 Configuring Scanning Threat Detection page 23 5...

Page 432: ...tected or no data UDP session attack detected When the security appliance detects a threat it immediately sends a system log message 730100 Basic threat detection affects performance only when there are drops or potential threats even in this scenario the performance impact is insignificant Configuring Basic Threat Detection To configure basic threat detection including enabling or disabling it an...

Page 433: ...age the drops It also determines the burst threshold rate interval see below Table 23 1 Basic Threat Detection Default Settings Packet Drop Reason Trigger Settings Average Rate Burst Rate DoS attack detected Bad packet format Connection limits exceeded Suspicious ICMP packets detected 100 drops sec over the last 600 seconds 400 drops sec over the last 10 second period 80 drops sec over the last 36...

Page 434: ...ows the average rate in events sec over two fixed time periods the last 10 minutes and the last 1 hour It also shows the current burst rate in events sec over the last completed burst interval which is 1 60th of the average rate interval or 10 seconds whichever is larger the number of times the rates were exceeded triggered and the total number of events over the time periods The security applianc...

Page 435: ...ution The scanning threat detection feature can affect the security appliance performance and memory significantly while it creates and gathers host and subnet based data structure and information This section includes the following topics Enabling Scanning Threat Detection page 23 5 Managing Shunned Hosts page 23 6 Viewing Attackers and Targets page 23 7 Enabling Scanning Threat Detection To conf...

Page 436: ...length of time over which to average the events It also determines the burst threshold rate interval see below The average rate av_rate argument can be between 0 and 2147483647 in drops sec The burst rate burst_rate argument can be between 0 and 2147483647 in drops sec The burst rate is calculated as the average rate every N seconds where N is the burst rate interval The burst rate interval is 1 6...

Page 437: ...asic threat detection see the Managing Basic Threat Statistics section on page 23 4 By default statistics for access lists are enabled Caution Enabling statistics can affect the security appliance performance depending on the type of statistics enabled The threat detection statistics host command affects performance in a significant way if you have a high traffic load you might consider enabling t...

Page 438: ...nfinished burst interval already exceeds the number of events in the oldest burst interval 1 of 60 when calculating the total events In that case the security appliance calculates the total events as the last 59 complete intervals plus the events so far in the unfinished burst interval This exception lets you monitor a large increase in events in real time To view statistics enter one of the follo...

Page 439: ... gre icmp igmp igrp ip ipinip ipsec nos ospf pcp pim pptp snp tcp udp where the protocol_number argument is an integer between 0 and 255 The following is sample output from the show threat detection statistics host command hostname show threat detection statistics host Average eps Current eps Trigger Total events Host 10 0 0 1 tot ses 289235 act ses 22571 fw drop 0 insp drop 0 null ses 21438 bad a...

Page 440: ...ORT_CLOSE Any client accessing the port of the host is immediately classified as a bad access without the need to wait for a timeout Average eps Shows the average rate in events sec over each time period The security appliance stores the count at the end of each burst period for a total of 60 completed burst intervals The unfinished burst interval presently occurring is not included in the average...

Page 441: ...t size The default is to drop these packets so use this command to allow them hostname config tcp map exceed mss allow drop Total events Shows the total number of events over each rate interval The unfinished burst interval presently occurring is not included in the total events The only exception to this rule is if the number of events in the unfinished burst interval already exceeds the number o...

Page 442: ...ale allow clear Or hostname config tcp map tcp options range lower upper allow clear drop Where allow allows packets with the specified option clear clears the option and allows the packet drop drops the packet The selective ack keyword allows or clears the SACK option The default is to allow the SACK option The timestamp keyword allows or clears the timestamp option Clearing the timestamp option ...

Page 443: ...n page 21 2 for more information Step 4 To add or edit a policy map that sets the actions to take with the class map traffic enter the following command hostname config policy map name Step 5 To identify the class map from Step 1 to which you want to assign an action enter the following command hostname config pmap class class_map_name Step 6 Apply the TCP map to the class map by entering the foll...

Page 444: ...nic connections protects you from a DoS attack The security appliance uses the per client limits and the embryonic connection limit to trigger TCP Intercept which protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets An embryonic connection is a connection request that has not finished the necessary handshake between source and destination TCP Intercep...

Page 445: ...ization can be disabled if required For example If another in line firewall is also randomizing the initial sequence numbers there is no need for both firewalls to be performing this action even though this action does not affect the traffic If you use eBGP multi hop through the security appliance and the eBGP peers are using MD5 Randomization breaks the MD5 checksum You use a WAAS device that req...

Page 446: ...ed retries before declaring the connection as dead The minimum value is 1 and the maximum value is 255 and the default is 5 You can enter this command all on one line in any order or you can enter each attribute as a separate command The command is combined onto one line in the running configuration Note This command is not available for management traffic Step 6 To activate the policy map on one ...

Page 447: ...t RPF enter the following command hostname config ip verify reverse path interface interface_name Configuring the Fragment Size By default the security appliance allows up to 24 fragments per IP packet and up to 200 fragments awaiting reassembly You might need to let fragments on your network if you have an application that routinely fragments packets such as NFS over UDP However if you do not hav...

Page 448: ...ort for a security appliance that does not have an AIP SSM It supports a basic list of signatures and you can configure the security appliance to perform one or more actions on traffic that matches a signature To enable IP audit perform the following steps Step 1 To define an IP audit policy for informational signatures enter the following command hostname config ip audit name name info action ala...

Page 449: ...feature that lets you give priority to these types of traffic As the Internet community of users upgrades their access points from modems to high speed broadband connections like DSL and cable the likelihood increases that at any given time a single user might be able to absorb most if not all of the available bandwidth thus starving the other users To prevent any one user or site to site connecti...

Page 450: ...ces For example you can ensure that the most important time critical traffic receives the network resources available bandwidth and minimum delay it needs and that other applications using the link get their fair share of service without interfering with mission critical traffic QoS provides maximum rate control or policing for tunneled traffic for each individual user tunnel and every site to sit...

Page 451: ... 1 class map class map name n match match criteria n The policy map command defines a named object that represents a set of policies to be applied to a set of traffic classes An example of such a policy is policing the traffic class to some maximum rate The basic form of the command is as follows policy map policy map name class class map name 1 policy 1 policy n class class map name n policy m po...

Page 452: ... tunnel group in this case the previously defined Tunnel Group 1 is required as the first match characteristic to classify traffic for a specific tunnel and it allows for an additional match line to classify the traffic IP differential services code point expedited forwarding hostname config class map TG1 voice hostname config cmap match tunnel group Tunnel Group 1 hostname config cmap match dscp ...

Page 453: ...pecified in the given class map A traffic class is a set of traffic that is identifiable by its packet content For example Command Description match access list Matches by name or number access list traffic within a class map match any Identifies traffic that matches any of the criteria in the class map match dscp Matches the IETF defined DSCP value in an IP header in a class map You can specify u...

Page 454: ...re thus ensuring that no one traffic flow can take over the entire resource You use the police command to specify the maximum rate that is the rate limit for this traffic flow this is a value in the range 8000 2000000000 specifying the maximum speed bits per second allowed You also specify what action drop or transmit to take for traffic that conforms to the limit and for traffic that exceeds the ...

Page 455: ... pmap c police output 56000 10500 hostname config pmap c class TG1 voice hostname config pmap c priority hostname config pmap c class TG1 best effort hostname config pmap c police output 200000 37500 hostname config pmap c class class default hostname config pmap c police output 1000000 37500 Note You can have up to 256 policy maps and up to 256 classes in a policy map The maximum number of classe...

Page 456: ...rough 2048 packets The range of tx ring limit values is 3 through 128 packets on the PIX platform and 3 to 256 packets on the ASA platform Configuring Priority Queuing You identify high priority traffic by using the priority command in Class mode This command instructs the security appliance to mark as high priority the traffic selected by the class map For priority queuing to occur you must creat...

Page 457: ...rity queue on the interface outside the GigabitEthernet0 1 interface sets the queue limit to 2048 packets and sets the tx ring limit to 256 hostname config priority queue outside hostname config priority queue queue limit 2048 hostname config priority queue tx ring limit 256 Note When priority queuing is enabled the security appliance empties all packets in higher priority queues before transmitti...

Page 458: ...tname config cmap match port tcp udp range begin_port_number end_port_number where begin_port_number is the lowest port in the range of ports and end_port_number is the highest port Step 4 Create a policy map or modify an existing policy map that you want to use to apply policing or priority queuing to the traffic identified in Step 2 For more information about QoS policy maps see the Defining a Q...

Page 459: ...e priority command you must enable priority queues on interfaces before the security appliance performs priority queuing For each interface on which you want the security appliance to perform priority queuing perform the following steps a Enter the priority queue command hostname config priority queue interface hostname config priority queue where interface is the name assigned to the physical int...

Page 460: ...fig pmap c service policy qos interface outside hostname config priority queue outside hostname config priority queue queue limit 2048 hostname config priority queue tx ring limit 256 Viewing QoS Configuration This section includes the following topics Viewing QoS Policy Map Configuration page 24 13 Viewing the Priority Queue Configuration for an Interface page 24 13 Viewing QoS Service Policy Con...

Page 461: ...those that include the police and priority commands use the following command in privileged EXEC mode hostname show running config policy map The following is sample output from the show running config policy map hostname show running config policy map policy map test class class default policy map inbound_policy class ftp port inspect ftp strict inbound_ftp policy map qos class browse police 5600...

Page 462: ...hat include the police command and the related statistics hostname show service policy police Global policy Service policy global_fw_policy Interface outside Service policy qos Class map browse police Interface outside cir 56000 bps bc 10500 bytes conformed 10065 packets 12621510 bytes actions transmit exceeded 499 packets 625146 bytes actions drop conformed 5600 bps exceed 5016 bps Class map cmap...

Page 463: ...ode The results show the statistics for both the best effort BE queue and the low latency queue LLQ The following is sample output from the show priority queue statistics command for the interface named test hostname show priority queue statistics test Priority Queue Statistics interface test Queue Type BE Packets Dropped 0 Packets Transmit 0 Packets Enqueued 0 Current Q Length 0 Max Q Length 0 Qu...

Page 464: ...24 16 Cisco Security Appliance Command Line Configuration Guide OL 12172 03 Chapter 24 Applying QoS Policies Viewing QoS Statistics ...

Page 465: ...n affect overall throughput Several common inspection engines are enabled on the security appliance by default but you might need to enable others depending on your network This chapter includes the following sections Inspection Engine Overview page 25 2 When to Use Application Protocol Inspection page 25 2 Inspection Limitations page 25 3 Default Inspection Policy page 25 3 Configuring Applicatio...

Page 466: ...an address translation and creates an entry for the session in the fast path so that further packets can bypass time consuming checks However the fast path relies on predictable port numbers and does not perform address translations inside a packet Many protocols open secondary TCP or UDP ports The initial session on a well known port is used to negotiate dynamically assigned port numbers Other ap...

Page 467: ... to apply inspection to non standard ports or to add inspections that are not enabled by default you need to either edit the default policy or disable it and apply a new one Table 25 1 lists all inspections supported the default ports used in the default class map and the inspection engines that are on by default shown in bold This table also notes any NAT limitations Table 25 1 Supported Applicat...

Page 468: ...tside NAT No NAT on same security interfaces Does not handle TFTP uploaded Cisco IP Phone configurations under certain circumstances SMTP and ESMTP TCP 25 RFC 821 1123 SNMP UDP 161 162 No NAT or PAT RFC 1155 1157 1212 1213 1215 v 2 RFC 1902 1908 v 3 RFC 2570 2580 SQL Net TCP 1521 v 1 and v 2 Sun RPC over UDP and TCP UDP 111 No NAT or PAT The default class map includes UDP port 111 if you want to e...

Page 469: ...on The default Layer 3 4 class map for through traffic is called inspection_default It matches traffic using a special match command match default inspection traffic to match the default ports for each application protocol You can specify a match access list command along with the match default inspection traffic command to narrow the matched traffic to specific IP addresses Because the match defa...

Page 470: ...e the Configuring an FTP Inspection Policy Map for Additional Inspection Control section on page 25 27 GTP See the Configuring a GTP Inspection Policy Map for Additional Inspection Control section on page 25 32 H323 See the Configuring an H 323 Inspection Policy Map for Additional Inspection Control section on page 25 39 HTTP See the Configuring an HTTP Inspection Policy Map for Additional Inspect...

Page 471: ...traffic matches a class map that contains an inspection command and then matches another class map that also has an inspection command only the first matching class is used For example SNMP matches the inspection_default class map To enable SNMP inspection enable SNMP inspection for the default class in Step 5 Do not add another class that matches SNMP Step 5 Enable application inspection by enter...

Page 472: ...9 identify the map name in this command h323 ras map_name If you added an H323 inspection policy map according to Configuring an H 323 Inspection Policy Map for Additional Inspection Control section on page 25 39 identify the map name in this command http map_name If you added an HTTP inspection policy map according to the Configuring an HTTP Inspection Policy Map for Additional Inspection Control...

Page 473: ...g a RADIUS Inspection Policy Map for Additional Inspection Control section on page 25 61 identify the map name in this command rsh rtsp map_name If you added a NetBIOS inspection policy map according to Configuring an RTSP Inspection Policy Map for Additional Inspection Control section on page 25 63 identify the map name in this command sip map_name If you added a SIP inspection policy map accordi...

Page 474: ...sage transmission which may have a performance impact in a real time environment When you enable this debugging or logging and Cisco IP SoftPhone seems unable to complete call setup through the security appliance increase the timeout values in the Cisco TSP settings on the system running Cisco IP SoftPhone The following summarizes special considerations when using CTIQBE application inspection in ...

Page 475: ...o that external interface This line does not appear if the CallManager is located on an internal interface or if the internal CTI device address and ports are translated to the same external interface that is used by the CallManager The output indicates a call has been established between this CTI device and another phone at 172 29 1 88 The RTP and RTCP listening ports of the other phone are UDP 2...

Page 476: ...instance providing the service The security appliance allows the appropriate port number and network address and also applies NAT if needed for the secondary connection DCERPC inspect maps inspect for native TCP communication between the EPM and client on well known TCP port 135 Map and lookup operations of the EPM are supported for clients Client and server can be located in any security zone The...

Page 477: ...ed from the lookup operation If no timeout is configured for the lookup operation the timeout pinhole command or the default is used The epm service only keyword enforces endpoint mapper service during binding so that only its service traffic is processed The lookup operation keyword enables the lookup operation of the endpoint mapper service The following example shows how to define a DCERPC insp...

Page 478: ...ion DNS packet size is not checked Enforces a domain name length of 255 bytes and a label length of 63 bytes Verifies the integrity of the domain name referred to by the pointer if compression pointers are encountered in the DNS message Checks to see if a compression pointer loop exists A single connection is created for multiple DNS sessions as long as they are between the same two hosts and the ...

Page 479: ...ing to the web server on the inside network For configuration instructions for scenarios similar to this one see the Configuring DNS Rewrite with Two NAT Zones section on page 25 16 Figure 25 1 Translating the Address in a DNS Reply DNS Rewrite DNS rewrite also works if the client making the DNS request is on a DMZ network and the DNS server is on an inside interface For an illustration and config...

Page 480: ...S Rewrite is based on dynamic translation instead of a static mapping Using the Alias Command for DNS Rewrite The alias command causes the security appliance to translate addresses on an IP network residing on any interface into addresses on another IP network connected through a different interface The syntax for this command is as follows hostname config alias interface_name mapped address real ...

Page 481: ...n DNS application inspection is enabled by default with a maximum DNS packet length of 512 bytes For configuration instructions see the Configuring Application Inspection section on page 25 5 Step 5 On the public DNS server add an A record for the web server such as domain qualified hostname IN A mapped address where domain qualified hostname is the hostname with a domain suffix as in server examp...

Page 482: ... A record of server example com The DNS server returns the A record showing that server example com binds to address 209 165 200 5 When a web client on the outside network attempts to access http server example com the sequence of events is as follows 1 The host running the web client sends the DNS server a request for the IP address of server example com 2 The DNS server responds with the IP addr...

Page 483: ...the A record rewrite in step b would be reverted and other processing for the packet continues 5 The security appliance sends the HTTP request to server example com on the DMZ interface Configuring DNS Rewrite with Three NAT Zones To enable the NAT policies for the scenario in Figure 25 2 perform the following steps Step 1 Create a static translation for the web server on the DMZ network as follow...

Page 484: ...wing A record on the DNS server server example com IN A 209 165 200 225 Verifying and Monitoring DNS Inspection To view information about the current DNS connections enter the following command hostname show conn For connections using a DNS server the source port of the connection may be replaced by the IP address of DNS server in the show conn command output A single connection is created for mul...

Page 485: ...a Regular Expression section on page 21 6 See the types of text you can match in the match commands described in Step 3 Step 2 Optional Create one or more regular expression class maps to group regular expressions according to the Creating a Regular Expression Class Map section on page 21 9 Step 3 Optional Create a DNS inspection class map by performing the following steps A class map groups multi...

Page 486: ...eyword specifies the question portion of a DNS message The resource record keyword specifies the resource record portion of a DNS message The answer keyword specifies the Answer RR section The authority keyword specifies the Authority RR section The additional keyword specifies the Additional RR section g Optional To match a DNS message domain name list enter the following command hostname config ...

Page 487: ...e parameters that affect the inspection engine perform the following steps a To enter parameters configuration mode enter the following command hostname config pmap parameters hostname config pmap p b To randomize the DNS identifier for a DNS query enter the following command hostname config pmap p id randomization c To enable logging for excessive DNS ID mismatches enter the following command hos...

Page 488: ... ESMTP Inspection Policy Map for Additional Inspection Control To specify actions when a message violates a parameter create an ESMTP inspection policy map You can then apply the inspection policy map when you enable ESMTP inspection according to the Configuring Application Inspection section on page 25 5 To create an ESMTP inspection policy map perform the following steps Step 1 Optional Add one ...

Page 489: ...o the server and or client The log keyword which you can use alone or with one of the other keywords sends a system log message The rate limit message_rate argument limits the rate of messages You can specify multiple class or match commands in the policy map For information about the order of class and match commands see the Defining Actions in an Inspection Policy Map section on page 21 11 Step ...

Page 490: ...ts the FTP sessions and performs four tasks Prepares dynamic secondary data connection Tracks the FTP command response sequence Generates an audit trail Translates the embedded IP address FTP application inspection prepares secondary channels for FTP data transfer Ports for these channels are negotiated through PORT or PASV commands The channels are allocated in response to a file upload a file do...

Page 491: ...s the connection if it detects TCP stream editing Invalid port negotiation The negotiated dynamic port value is checked to see if it is less than 1024 As port numbers in the range from 1 to 1024 are reserved for well known connections if the negotiated port falls in this range then the TCP connection is freed Command pipelining The number of characters present after the port numbers in the PORT an...

Page 492: ...want to perform different actions for each match command you should identify the traffic directly in the policy map a Create the class map by entering the following command hostname config class map type inspect ftp match all match any class_map_name hostname config cmap Where class_map_name is the name of the class map The match all keyword is the default and specifies that traffic must match all...

Page 493: ...mand hostname config pmap description string Step 6 To apply actions to matching traffic perform the following steps a Specify the traffic on which you want to perform actions using one of the following methods Specify the FTP class map that you created in Step 3 by entering the following command hostname config pmap class class_map_name hostname config pmap c Table 25 3 FTP Map request command de...

Page 494: ...ords sends a system log message The rate limit message_rate argument limits the rate of messages You can specify multiple class or match commands in the policy map For information about the order of class and match commands see the Defining Actions in an Inspection Policy Map section on page 21 11 Step 7 To configure parameters that affect the inspection engine perform the following steps a To ent...

Page 495: ...njunction with NAT the FTP application inspection translates the IP address within the application payload This is described in detail in RFC 959 GTP Inspection This section describes the GTP inspection engine This section includes the following topics GTP Inspection Overview page 25 31 Configuring a GTP Inspection Policy Map for Additional Inspection Control page 25 32 Verifying and Monitoring GT...

Page 496: ...at allows the SGSN to provide GPRS network access for a mobile station by creating modifying and deleting tunnels GTP uses a tunneling mechanism to provide a service for carrying user data packets Note When using GTP with failover if a GTP connection is established and the active unit fails before data is transmitted over the tunnel the GTP data connection with a j flag set is not replicated to th...

Page 497: ...message_id range lower_range upper_range Where the message_id is an alphanumeric identifier between 1 and 255 The lower_range is lower range of message IDs The upper_range is the upper range of message IDs Step 5 To match a message length enter the following command hostname config pmap match not message length min min_length max max_length Where the min_length and max_length are both between 1 an...

Page 498: ...ork object If the GSN responding belongs to the same object group as the GSN that the GTP request was sent to and if the SGSN is in a object group that the responding GSN is permitted to send a GTP response to the security appliance permits the response d To create an object to represent the pool of load balancing GSNs perform the following steps Use the object group command to define a new networ...

Page 499: ...ject command instead of identifying whole networks The example then modifies a GTP map to permit responses from the GSN pool to the SGSN hostname config object group network gsnpool32 hostname config network network object 192 168 100 0 255 255 255 0 hostname config object group network sgsn32 hostname config network network object host 192 168 50 100 hostname config gtp map gtp policy hostname co...

Page 500: ...ostname config pmap parameters hostname config pmap p tunnel limit 3000 hostname config policy map global_policy hostname config pmap class inspection_default hostname config pmap c inspect gtp gmap hostname config service policy global_policy global Verifying and Monitoring GTP Inspection To display GTP configuration enter the show service policy inspect gtp command in privileged EXEC mode For th...

Page 501: ...70921435 MS address 1 1 1 1 primary pdp Y nsapi 2 sgsn_addr_signal 10 0 0 2 sgsn_addr_data 10 0 0 2 ggsn_addr_signal 10 1 1 1 ggsn_addr_data 10 1 1 1 sgsn control teid 0x000001d1 sgsn data teid 0x000001d3 ggsn control teid 0x6306ffa0 ggsn data teid 0x6305f9fc seq_tpdu_up 0 seq_tpdu_down 0 signal_sequence 0 upstream_signal_flow 0 upstream_data_flow 0 downstream_signal_flow 0 downstream_data_flow 0 ...

Page 502: ...TCP port 1720 to request Q 931 call setup As part of the call setup process the H 323 terminal supplies a port number to the client to use for an H 245 TCP connection In environments where H 323 gatekeeper is in use the initial packet is transmitted using UDP H 323 inspection monitors the Q 931 TCP connection to determine the H 245 port number If the H 323 terminals are not using FastConnect the s...

Page 503: ...is not supported with NAT between same security level interfaces When a NetMeeting client registers with an H 323 gatekeeper and tries to call an H 323 gateway that is also registered with the H 323 gatekeeper the connection is established but no voice is heard in either direction This problem is unrelated to the security appliance If you configure a network static address where the network static...

Page 504: ... c Optional To match a called party enter the following command hostname config cmap match not called party regex class class_name regex_name Where the regex regex_name argument is the regular expression you created in Step 1 The class regex_class_name is the regular expression class map you created in Step 2 d Optional To match a media type enter the following command hostname config cmap match n...

Page 505: ... hostname config pmap parameters hostname config pmap p b To define the H 323 call duration limit enter the following command hostname config pmap p call duration limit time Where time is the call duration limit in seconds Range is from 0 0 0 ti 1163 0 0 A value of 0 means never timeout c To enforce call party number used in call setup enter the following command hostname config pmap p call party ...

Page 506: ...ing connection is closed use the timeout h225 command The default for H 225 timeout is one hour To configure the idle time after which an H 323 control connection is closed use the timeout h323 command The default is five minutes Verifying and Monitoring H 323 Inspection This section describes how to display information about H 323 sessions This section includes the following topics Monitoring H 2...

Page 507: ... slow start Slow start is when the two endpoints of a call open another TCP control channel for H 245 Fast start is where the H 245 messages are exchanged as part of the H 225 messages on the H 225 control channel Along with the debug h323 h245 event debug h323 h225 event and show local host commands this command is used for troubleshooting H 323 inspection engine issues The following is sample ou...

Page 508: ...ion includes the following topics HTTP Inspection Overview page 25 44 Configuring an HTTP Inspection Policy Map for Additional Inspection Control page 25 45 HTTP Inspection Overview Use the HTTP inspection engine to protect against specific attacks and other threats that may be associated with HTTP traffic HTTP inspection performs several functions Enhanced HTTP inspection URL screening through N2...

Page 509: ... The difference between creating a class map and defining the traffic match directly in the inspection policy map is that the class map lets you create more complex match criteria and you can reuse class maps To specify traffic that should not match the class map use the match not command For example if the match not command specifies the string example com then any traffic that includes example c...

Page 510: ...nt is the maximum number of header fields g Optional To match text found in the HTTP request message method enter the following command hostname config cmap match not request method method regex regex_name class regex_class_name Where the method is the predefined message method keyword The regex regex_name argument is the regular expression you created in Step 1 The class regex_class_name is the r...

Page 511: ...ch you want to perform actions using one of the following methods Specify the HTTP class map that you created in Step 3 by entering the following command hostname config pmap class class_map_name hostname config pmap c Specify traffic directly in the policy map using one of the match commands described in Step 3 If you use a match not command then any traffic that does not match the criterion in t...

Page 512: ...licy map that will allow and log any HTTP connection that attempts to access www xyz com asp or www xyz 0 9 0 9 com with methods GET or PUT All other URL Method combinations will be silently allowed hostname config regex url1 www xyz com asp hostname config regex url2 www xyz 0 9 0 9 com hostname config regex get GET hostname config regex put PUT hostname config class map type regex match any url_...

Page 513: ...match commands directly in the policy map The difference between creating a class map and defining the traffic match directly in the inspection policy map is that the class map lets you create more complex match criteria and you can reuse class maps To specify traffic that should not match the class map use the match not command For example if the match not command specifies the string example com...

Page 514: ...s the IP address and netmask of the message source h Optional To match the destination IP address of the IM message enter the following command hostname config cmap match not peer ip address ip_address ip_address_mask Where the ip_address and the ip_address_mask is the IP address and netmask of the message destination i Optional To match the version of the IM message enter the following command ho...

Page 515: ...inname3 rahul yahoo com hostname config regex loginname3 darshant yahoo com hostname config regex yhoo_version_regex 1 0 hostname config class map type regex match any yahoo_src_login_name_regex hostname config cmap match regex loginname1 hostname config cmap match regex loginname2 hostname config class map type regex match any yahoo_dst_login_name_regex hostname config cmap match regex loginname3...

Page 516: ...e host and the security appliance reach the outside host without consuming any additional NAT resource This is undesirable when an outside host uses the traceroute command to trace the hops to the destination on the inside of the security appliance When the security appliance does not translate the intermediate hops all the intermediate hops appear with the mapped destination IP address The ICMP p...

Page 517: ...erver Once a successful BIND RESPONSE from the server is received other operational messages may be exchanged such as ADD DEL SEARCH or MODIFY to perform operations on the ILS Directory The ADD REQUEST and SEARCH RESPONSE PDUs may contain IP addresses of NetMeeting peers used by H 323 SETUP and CONNECT messages to establish the NetMeeting sessions Microsoft NetMeeting v2 X and v3 X provides ILS su...

Page 518: ...of digital circuits Residential gateways that provide a traditional analog RJ11 interface to a Voice over IP network Examples of residential gateways include cable modem cable set top boxes xDSL devices broad band wireless devices Business gateways that provide a traditional digital PBX interface or an integrated soft PBX interface to a Voice over IP network Note To avoid policy failure when upgra...

Page 519: ...rtInProgress The first four commands are sent by the call agent to the gateway The Notify command is sent by the gateway to the call agent The gateway may also send a DeleteConnection The registration of the MGCP gateway with the call agent is achieved by the RestartInProgress command The AuditEndpoint and the AuditConnection commands are sent by the call agent to the gateway All commands are comp...

Page 520: ... the policy map The CLI enters policy map configuration mode Step 2 Optional To add a description to the policy map enter the following command hostname config pmap description string Step 3 To configure parameters that affect the inspection engine perform the following steps a To enter parameters configuration mode enter the following command hostname config pmap parameters hostname config pmap p...

Page 521: ...102 hostname config pmap p gateway 10 10 10 117 102 hostname config pmap p command queue 150 Configuring MGCP Timeout Values The timeout mgcp command lets you set the interval for inactivity after which an MGCP media connection is closed The default is 5 minutes The timeout mgcp pat command lets you set the timeout for PAT xlates Because MGCP does not have a keepalive mechanism if you use non Cisc...

Page 522: ...enable NETBIOS inspection according to the Configuring Application Inspection section on page 25 5 To create a NETBIOS inspection policy map perform the following steps Step 1 Optional Add one or more regular expressions for use in traffic matching commands according to the Creating a Regular Expression section on page 21 6 See the types of text you can match in the match commands described in Ste...

Page 523: ...o the server and or client The log keyword which you can use alone or with one of the other keywords sends a system log message The rate limit message_rate argument limits the rate of messages You can specify multiple class or match commands in the policy map For information about the order of class and match commands see the Defining Actions in an Inspection Policy Map section on page 21 11 Step ...

Page 524: ...sessions initiated from a modem bank PAC PPTP Access Concentrator to the headend PNS PPTP Network Server When used this way the PAC is the remote client and the PNS is the server However when used for VPN by Windows the interaction is inverted The PNS is a remote single user PC that initiates connection to the head end PAC to gain access to a central network RADIUS Accounting Inspection One of the...

Page 525: ...pect radius accounting radius_accounting_map parameters host 10 1 1 1 inside key 123456789 send response enable gprs validate attribute 22 Step 3 Configure the service policy and control plane keywords policy map type management global_policy class c1 inspect radius accounting radius_accounting_map service policy global_policy control plane abc global RSH Inspection RSH inspection is enabled by de...

Page 526: ... HTTP cloaking where RTSP messages are hidden in the HTTP messages Using RealPlayer When using RealPlayer it is important to properly configure transport mode For the security appliance add an access list command from the server to the client or vice versa For RealPlayer change transport mode by clicking Options Preferences Transport RTSP Settings If using TCP mode on the RealPlayer select the Use...

Page 527: ...atch directly in the inspection policy map is that the class map lets you create more complex match criteria and you can reuse class maps To specify traffic that should not match the class map use the match not command For example if the match not command specifies the string example com then any traffic that includes example com does not match the class map For the traffic that you identify in th...

Page 528: ... the matching traffic by entering the following command hostname config pmap c drop send protocol error drop connection send protocol error mask reset log rate limit message_rate Not all options are available for each match or class command See the CLI help or the Cisco Security Appliance Command Reference for the exact options available The drop keyword drops all packets that match The send proto...

Page 529: ...ilter map hostname config service policy rtsp traffic policy global SIP Inspection This section describes SIP application inspection This section includes the following topics SIP Inspection Overview page 25 65 SIP Instant Messaging page 25 66 Configuring SIP Timeout Values page 25 70 Verifying and Monitoring SIP Inspection page 25 71 SIP Inspection Overview SIP as defined by the IETF enables call...

Page 530: ...ion and be translated As a call is set up the SIP session is in the transient state until the media address and media port is received from the called endpoint in a Response message indicating the RTP port the called endpoint listens on If there is a failure to receive the response messages within one minute the signaling connection is torn down Once the final handshake is made the call state is m...

Page 531: ... match commands described in Step 3 Step 2 Optional Create one or more regular expression class maps to group regular expressions according to the Creating a Regular Expression Class Map section on page 21 9 s Step 3 Optional Create a SIP inspection class map by performing the following steps A class map groups multiple traffic matches Traffic must match all of the match commands to match the clas...

Page 532: ...sion class map you created in Step 2 g Optional To match a SIP IM subscriber enter the following command hostname config cmap match not im subscriber regex class class_name regex_name Where the regex regex_name argument is the regular expression you created in Step 1 The class regex_class_name is the regular expression class map you created in Step 2 h Optional To match a SIP via header enter the ...

Page 533: ...r class command See the CLI help or the Cisco Security Appliance Command Reference for the exact options available The drop keyword drops all packets that match The send protocol error keyword sends a protocol error message The drop connection keyword drops the packet and closes the connection The mask keyword masks out the matching portion of the packet The reset keyword drops the packet closes t...

Page 534: ...s according to RFC 3261 enter the following command hostname config pmap p strict header validation action drop drop connection reset log log i To allow non SIP traffic using the well known SIP signaling port enter the following command hostname config pmap p traffic non sip j To identify the non SIP URIs present in the Alert Info and Call Info header fields enter the following command hostname co...

Page 535: ...each its end The following is sample output from the show sip command hostname show sip Total 2 call id c3943000 960ca 2e43 228f 10 130 56 44 state Call init idle 0 00 01 call id c3943000 860ca 7e1f 11f7 10 130 56 45 state Active idle 0 00 06 This sample shows two active SIP sessions on the security appliance as shown in the Total field Each call id represents a call The first session with the cal...

Page 536: ...er IP address the mapping must be static as a Cisco IP Phone requires the Cisco CallManager IP address to be specified explicitly in its configuration An static identity entry allows the Cisco CallManager on the higher security interface to accept registrations from the Cisco IP Phones Cisco IP Phones require access to a TFTP server to download the configuration information they need to connect to...

Page 537: ...rst and second phones are UDP 22948 and 20798 respectively The following is sample output from the show xlate debug command for these Skinny connections hostname show xlate debug 2 in use 2 most used Flags D DNS d dump I identity i inside n no random r portmap s static NAT from inside 10 0 0 11 to outside 172 18 1 11 flags si idle 0 00 16 timeout 0 05 00 NAT from inside 10 0 0 22 to outside 172 18...

Page 538: ...e Command Reference for the exact options available The drop keyword drops all packets that match The send protocol error keyword sends a protocol error message The drop connection keyword drops the packet and closes the connection The mask keyword masks out the matching portion of the packet The reset keyword drops the packet closes the connection and sends a TCP reset to the server and or client...

Page 539: ...by adding monitoring capabilities ESMTP is an enhancement to the SMTP protocol and is similar is most respects to SMTP For convenience the term SMTP is used in this document to refer to both SMTP and ESMTP The application inspection process for extended SMTP is similar to SMTP application inspection and includes support for SMTP sessions Most commands used in an extended SMTP session are the same ...

Page 540: ... transition by the SMTP server For unknown commands the security appliance changes all the characters in the packet to X In this case the server generates an error code to the client Because of the change in the packed the TCP checksum has to be recalculated or adjusted TCP stream editing Command pipelining SNMP Inspection SNMP application inspection lets you restrict SNMP traffic to a specific ve...

Page 541: ...Refuse Resend and Marker will not be scanned for addresses to NAT nor will inspection open dynamic connections for any embedded ports in the packet SQL Net Version 2 TNSFrames Redirect and Data packets will be scanned for ports to open and addresses to NAT if preceded by a REDIRECT TNSFrame type with a zero data length for the payload When the Redirect message with data length zero passes through ...

Page 542: ... port port timeout hh mm ss You can use this command to specify the timeout after which the pinhole that was opened by Sun RPC application inspection will be closed For example to create a timeout of 30 minutes to the Sun RPC server with the IP address 192 168 100 2 enter the following command hostname config sunrpc server inside 192 168 100 2 255 255 255 255 service 100003 protocol tcp 111 timeou...

Page 543: ...255 service 100005 protocol UDP port 111 timeout 0 30 00 This output shows that a timeout interval of 30 minutes is configured on UDP port 111 for the Sun RPC server with the IP address 192 168 100 2 on the inside interface To display the pinholes open for Sun RPC services enter the show sunrpc server active command The following is sample output from show sunrpc server active command hostname sho...

Page 544: ...PAT translation if necessary are allocated on a reception of a valid read RRQ or write WRQ request This secondary channel is subsequently used by TFTP for file transfer or error notification Only the TFTP server can initiate traffic over the secondary channel and at most one incomplete secondary channel can exist between the TFTP client and server An error notification from the server closes the s...

Page 545: ...yer protocol inspection You should be familiar with the inspection features on the ASA security appliance especially Skinny and SIP inspection For more information on deployment topologies and configuration refer to the Cisco Security Appliance Command Line Configuration Guide http www cisco com en US products ps6120 products_configuration_guide_chapter09186a00807032 0a_4container_ccmigration_0918...

Page 546: ... security appliance use the same NTP server as the Cisco Unified CallManager cluster TLS handshake may fail due to certificate validation failure if clock is out of sync between the security appliance and the Cisco Unified CallManager server IP M Client Certificate Client Key Exchange Certificate Verify Change Cipher Spec Finished Proxy Server Hello Proxy Server Certificate Proxy Server Key Exchan...

Page 547: ...e recommend to use a different key pair for each role Step 3 Create the proxy certificate for the Cisco Unified CallManager cluster using the following commands for example hostname config for self signed CCM proxy certificate hostname config crypto ca trustpoint ccm_proxy hostname config ca trustpoint enrollment self hostname config ca trustpoint fqdn none hostname config ca trustpoint subject na...

Page 548: ...cluster Step 6 Create a TLS proxy instance using the following commands for example hostname config tls proxy my_proxy hostname config tlsp server trust point ccm_proxy hostname config tlsp client ldc issuer ldc_server hostname config tlsp client ldc keypair phone_common hostname config tlsp client cipher suite aes128 sha1 aes256 sha1 The server commands configure the proxy parameters for the orig...

Page 549: ...TL Client that is released with Cisco Unified CallManager Release 5 1 to interoperate with the security appliance See the CTL Client section on page 25 88 for more information regarding TLS proxy support Debugging TLS Proxy You may enable TLS proxy debug flags along with SSL syslogs to debug TLS proxy connection problems For example using the following commands to enable TLS proxy related debug an...

Page 550: ... handshake with server inside 195 168 2 201 5061 for TLSv1 session Apr 17 2007 23 13 47 ASA 7 725009 Device proposes the following 2 cipher s to server inside 195 168 2 201 5061 Apr 17 2007 23 13 47 ASA 7 725011 Cipher 1 AES128 SHA Apr 17 2007 23 13 47 ASA 7 725011 Cipher 2 AES256 SHA Apr 17 2007 23 13 47 ASA 7 711001 TLSP cbad5120 Generating LDC for client cn SEP0017593F50A8 key pair phone_common...

Page 551: ...ide 133 9 0 211 50437 inside 195 168 2 200 2443 P 0xcbadf720 proxy S 0xcbc48a08 byte 42940 Client State SSLOK Cipher AES128 SHA Ch 0xca55e498 TxQSize 0 LastTxLeft 0 Flags 0x1 Server State SSLOK Cipher AES128 SHA Ch 0xca55e478 TxQSize 0 LastTxLeft 0 Flags 0x9 Local Dynamic Certificate Status Available Certificate Serial Number 29 Certificate Usage General Purpose Public Key Type RSA 1024 bits Issue...

Page 552: ...The CTL Client application supplied by Cisco Unified CallManager Release 5 1 and later supports a TLS proxy server firewall in the CTL file Figure 25 6 through Figure 25 9 illustrate the TLS proxy features supported in the CTL Client Figure 25 6 CTL Client TLS Proxy Features Add Firewall Figure 25 6 shows support for adding a CTL entry consisting of the security appliance as the TLS proxy ...

Page 553: ... Address or Domain Name Figure 25 7 shows support for entering the security appliance IP address or domain name in the CTL Client Figure 25 8 CTL Client TLS Proxy Features CTL Entry for ASA Figure 25 8 shows that the CTL entry for the security appliance as the TLS proxy has been added The CTL entry is added after the CTL Client connects to the CTL Provider service on the security appliance and ret...

Page 554: ...gotiate X sessions which use TCP when established For successful negotiation and start of an XWindows session the security appliance must allow the TCP back connection from the Xhosted computer To permit the back connection use the established command on the security appliance Once XDMCP negotiates the port to send the display The established command is consulted to verify if this back connection ...

Page 555: ...ction Overview page 26 1 Adding a Static ARP Entry page 26 2 Enabling ARP Inspection page 26 2 ARP Inspection Overview By default all ARP packets are allowed through the security appliance You can control the flow of ARP packets by enabling ARP inspection When you enable ARP inspection the security appliance compares the MAC address IP address and source interface in all ARP packets to static entr...

Page 556: ...on a directly connected network it sends an ARP request asking for the MAC address associated with the IP address and then delivers the packet to the MAC address according to the ARP response The host or router keeps an ARP table so it does not have to send ARP requests for every packet it needs to deliver The ARP table is dynamically updated whenever ARP responses are sent on the network and if a...

Page 557: ...nce includes a built in switch the switch MAC address table maintains the MAC address to switch port mapping for traffic within each VLAN This section discusses the bridge MAC address table which maintains the MAC address to VLAN interface mapping for traffic that passes between VLANs Because the security appliance is a firewall if the destination MAC address of a packet is not in the table the se...

Page 558: ...e security appliance adds corresponding entries to the MAC address table You can disable MAC address learning if desired however unless you statically add MAC addresses to the table no traffic can pass through the security appliance To disable MAC address learning enter the following command hostname config mac learn interface_name disable The no form of this command reenables MAC address learning...

Page 559: ...6 5 Cisco Security Appliance Command Line Configuration Guide OL 12172 03 Chapter 26 Configuring ARP Inspection and Bridging Parameters Customizing the MAC Address Table inside 0009 7cbe 5101 dynamic 10 ...

Page 560: ...26 6 Cisco Security Appliance Command Line Configuration Guide OL 12172 03 Chapter 26 Configuring ARP Inspection and Bridging Parameters Customizing the MAC Address Table ...

Page 561: ...P A R T 3 Configuring VPN ...

Page 562: ......

Page 563: ...s between remote users and a private corporate network Each secure connection is called a tunnel The security appliance uses the ISAKMP and IPSec tunneling standards to build and manage tunnels ISAKMP and IPSec accomplish the following Negotiate tunnel parameters Establish tunnels Authenticate users and data Manage security keys Encrypt and decrypt data Manage data transfer across the tunnel Manag...

Page 564: ...with many protocol compliant clients In IPSec LAN to LAN connections the security appliance can function as initiator or responder In IPSec remote access connections the security appliance functions only as responder Initiators propose SAs responders accept reject or make counter proposals all in accordance with configured security association SA parameters To establish a connection both entities ...

Page 565: ...A digital certificate with keys generated by the RSA signatures algorithm Specifies the authentication method the security appliance uses to establish the identity of each IPSec peer crack Challenge Response for Authenticated Cryptographic Keys CRACK provides strong mutual authentication when the client authenticates using a legacy method such as RADIUS and the server uses public key authenticatio...

Page 566: ...nizations If you are interoperating with a peer that supports only one of the values for a parameter your choice is limited to that value crypto isakmp policy group 1 Group 1 768 bit Specifies the Diffie Hellman group identifier which the two IPSec peers use to derive a shared secret without transmitting it to each other With the exception of Group 7 the lower the Diffie Hellman group no the less ...

Page 567: ...ault is Triple DES This example sets encryption to DES crypto isakmp policy priority encryption aes aes 192 aes 256 des 3des For example hostname config crypto isakmp policy 2 encryption des Step 2 Specify the hash algorithm The default is SHA 1 This example configures MD5 crypto isakmp policy priority hash md5 sha For example hostname config crypto isakmp policy 2 hash md5 Step 3 Specify the auth...

Page 568: ...rs must exchange identification information prior to establishing a secure SA Aggressive mode is enabled by default Main mode is slower using more exchanges but it protects the identities of the communicating peers Aggressive mode is faster but does not protect the identities of the peers To disable ISAKMP in aggressive mode enter the following command crypto isakmp am disable For example hostname...

Page 569: ...ce IPSec over TCP if enabled takes precedence over all other connection methods When you enable NAT T the security appliance automatically opens port 4500 on all IPSec enabled interfaces The security appliance supports multiple IPSec peers behind a single NAT PAT device operating in one of the following networks but not both LAN to LAN Remote access In a mixed environment the remote access tunnels...

Page 570: ... security appliance feature only It does not work for LAN to LAN connections The security appliance can simultaneously support standard IPSec IPSec over TCP NAT Traversal and IPSec over UDP depending on the client with which it is exchanging data IPSec over TCP if enabled takes precedence over all other connection methods The VPN 3002 hardware client which supports one tunnel at a time can connect...

Page 571: ...t are about to be disconnected The peer or client receiving the alert decodes the reason and displays it in the event log or in a pop up pane This feature is disabled by default Qualified clients and peers include the following Security appliances with Alerts enabled Cisco VPN clients running version 4 0 or later software no configuration required VPN 3002 hardware clients running version 4 0 or l...

Page 572: ...ning a user to a specific tunnel group Requiring all criteria to match is equivalent to a logical AND operation Alternatively create one rule for each criterion if you want to require that only one match before assigning a user to a specific tunnel group Requiring only one criterion to match is equivalent to a logical OR operation The following example enables mapping of certificate based ISAKMP s...

Page 573: ...for the rule and tunnel group name must be for a tunnel group that already exists Configuring IPSec This section provides background information about IPSec and describes the procedures required to configure the security appliance when using IPSec to implement a VPN It contains the following topics Understanding IPSec Tunnels page 27 11 Understanding Transform Sets page 27 12 Defining Crypto Maps ...

Page 574: ... Applying Crypto Maps to Interfaces for more details Up to six transform sets with which to attempt to match the peer security settings A crypto map set consists of one or more crypto maps that have the same map name You create a crypto map set when you create its first crypto map The following command syntax creates or adds to a crypto map crypto map map name seq num match address access list nam...

Page 575: ...cceed in establishing an SA they must have at least one compatible crypto map To be compatible a crypto map must meet the following criteria The crypto map must contain compatible crypto ACLs for example mirror image ACLs If the responding peer uses dynamic crypto maps so must the security appliance as a requirement to apply IPSec Each crypto map identifies the other peer unless the responding pee...

Page 576: ...ecause they would prevent the establishment of a Phase 2 SA Note To route inbound unencrypted traffic as clear text insert deny ACEs before permit ACEs Figure 27 1 shows an example LAN to LAN network of security appliances Table 27 2 Special Meanings of Permit and Deny in Crypto Access Lists Applied to Outbound Traffic Result of Crypto Map Evaluation Response Match criterion in an ACE containing a...

Page 577: ... two crypto maps one for traffic from Host A 3 and the other for traffic from the other hosts in Network A as shown in the following example Crypto Map Seq_No_1 deny packets from A 3 to B deny packets from A 3 to C permit packets from A to B permit packets from A to C Crypto Map Seq_No_2 permit packets from A 3 to B permit packets from A 3 to C After creating the ACLs you assign a transform set to...

Page 578: ...crypto map set Gap in a straight line Exit from a crypto map when a packet matches an ACE Packet that fits the description of one ACE Each size ball represents a different packet matching the respective ACE in the figure The differences in size merely represent differences in the source and destination of each packet Redirection to the next crypto map in the crypto map set Response when a packet e...

Page 579: ...pto map and resumes evaluation against the next crypto map as determined by the sequence number assigned to it So in the example if Security Appliance A receives a packet from Host A 3 it matches the packet to a deny ACE in the first crypto map and resumes evaluation of the packet against the next crypto map When it matches the packet to the permit ACE in that crypto map it applies the associated ...

Page 580: ...ror equivalents of Crypto Map 2 So the configuration of cascading ACLs in Security Appliances B and C is unnecessary Table 27 3 shows the ACLs assigned to the crypto maps configured for all three security appliances in Figure 27 1 Figure 27 3 maps the conceptual addresses shown in Figure 27 1 to real IP addresses Table 27 3 Example Permit and Deny Statements Conceptual Security Appliance A Securit...

Page 581: ...2 168 201 1 C 2 192 168 201 2 C 3 192 168 201 3 C 192 168 201 0 27 Internet Table 27 4 Example Permit and Deny Statements for Security Appliance A Security Appliance Crypto Map Sequence No ACE Pattern Real ACEs A 1 deny A 3 B deny 192 168 3 3 255 255 255 192 192 168 12 0 255 255 255 248 deny A 3 C deny 192 168 3 3 255 255 255 192 192 168 201 0 255 255 255 224 permit A B permit 192 168 3 0 255 255 ...

Page 582: ...s lists to IPSec traffic use the no form of the sysopt connection permit ipsec command The crypto map access list bound to the outgoing interface either permits or denies IPSec packets through the VPN tunnel IPSec authenticates and deciphers packets that arrive from an IPSec tunnel and subjects them to evaluation against the ACL associated with the tunnel Access lists define which IP traffic to pr...

Page 583: ...luation determines the scope of the IPSec SA Note If you delete the only element in an access list the security appliance also removes the associated crypto map If you modify an access list currently referenced by one or more crypto maps use the crypto map interface command to reinitialize the run time SA database See the crypto map command for more information We recommend that for every crypto a...

Page 584: ...ide these global lifetime values for a particular crypto map IPSec SAs use a derived shared secret key The key is an integral part of the SA they time out together to require the key to refresh Each SA has two lifetimes timed and traffic volume An SA expires after the respective lifetime and negotiations begin for a new one The default lifetimes are 28 800 seconds eight hours and 4 608 000 kilobyt...

Page 585: ...h address 101 In this example the access list named 101 is assigned to crypto map mymap b Specify the peer to which the IPSec protected traffic can be forwarded crypto map map name seq num set peer ip address For example crypto map mymap 10 set peer 192 168 1 100 The security appliance sets up an SA with the peer assigned the IP address 192 168 1 100 Specify multiple peers by repeating this comman...

Page 586: ...s IP address is not already identified in a static crypto map This occurs with the following types of peers Peers with dynamically assigned public IP addresses Both LAN to LAN and remote access peers can use DHCP to obtain a public IP address The security appliance uses this address only to initiate the tunnel Peers with dynamically assigned private IP addresses Peers requesting remote access tunn...

Page 587: ...rt a permit ACL to identify the data flow of the IPSec peer for the crypto access list Otherwise the security appliance accepts any data flow identity the peer proposes Caution Do not assign static default routes for traffic to be tunneled to a security appliance interface configured with a dynamic crypto map set To identify the traffic that should be tunneled add the ACLs to the dynamic crypto ma...

Page 588: ...t pfs group1 group2 group5 group7 For example crypto dynamic map dyn1 10 set pfs group5 Step 5 Add the dynamic crypto map set into a static crypto map set Be sure to set the crypto maps referencing dynamic maps to be the lowest priority entries highest sequence numbers in a crypto map set crypto map map name seq num ipsec isakmp dynamic dynamic map name For example crypto map mymap 200 ipsec isakm...

Page 589: ...ion Command Purpose show running configuration crypto Displays the entire crypto configuration including IPSec crypto maps dynamic crypto maps and ISAKMP show running config crypto ipsec Displays the complete IPSec configuration show running config crypto isakmp Displays the complete ISAKMP configuration show running config crypto map Displays the complete crypto map configuration show running con...

Page 590: ... client uses a legacy based secret key authentication technique such as RADIUS and the gateway uses public key authentication The Nokia back end services must be in place to support both Nokia clients and the CRACK protocol This requirement includes the Nokia Security Services Manager NSSM and Nokia databases as shown in Figure 27 5 Figure 27 5 Nokia 92xx Communicator Service Requirement To suppor...

Page 591: ...point fqdn none Step 2 To configure the identity of the ISAKMP peer perform one of the following steps a Use the crypto isakmp identity command with the hostname keyword For example hostname config crypto isakmp identity hostname or b Use the crypto isakmp identity command with the auto keyword to configure the identity to be automatically determined from the connection type For example hostname c...

Page 592: ...27 30 Cisco Security Appliance Command Line Configuration Guide OL 12172 03 Chapter 27 Configuring IPSec and ISAKMP Supporting the Nokia VPN Client ...

Page 593: ...e access from virtually anyplace with POTS An additional benefit is that the only client requirement for VPN access is the use of Windows 2000 with Microsoft Dial Up Networking DUN No additional client software such as Cisco VPN client software is required To configure L2TP over IPSec first configure IPSec transport mode to enable IPSec with L2TP Then configure L2TP with a virtual private dial up ...

Page 594: ...s IPSec transport mode only the IP payload is encrypted and the original IP headers are left intact This mode has the advantages of adding only a few bytes to each packet and allowing devices on the public network to see the final source and destination of the packet Figure 28 1 illustrates the differences between IPSec Tunnel and Transport modes Therefore In order for Windows 2000 L2TP IPSec clie...

Page 595: ...o the client with the dns value command from group policy configuration mode hostname config group policy group_policy_name attributes hostname config group policy dns value none IP_primary IP_secondary Step 4 Optional Instruct the security appliance to send WINS server IP addresses to the client using the wins server command from group policy configuration mode hostname config group policy wins s...

Page 596: ...base EAP and CHAP are performed by proxy authentication servers Therefore if a remote user belongs to a tunnel group configured with the authentication eap proxy or authentication chap commands and the security appliance is configured to use the local database that user will not be able to connect Step 10 Create a user in the local database with the username command from global configuration mode ...

Page 597: ... a delimiter that you can configure and the group name is the name of a tunnel group that has been configured on the security appliance To enable Tunnel Group Switching you must enable Strip Group processing using the strip group command from tunnel group general attributes mode When enabled the security appliance selects the tunnel group for user connections by obtaining the group name from the u...

Page 598: ...key Left T 2856 Seconds Rekey Int D 95000 K Bytes Rekey Left D 95000 K Bytes Idle Time Out 30 Minutes Idle TO Left 30 Minutes Bytes Tx 419064 Bytes Rx 425040 Pkts Tx 4201 Pkts Rx 4227 L2TPOverIPSec Session ID 3 Username l2tp Assigned IP 90 208 1 200 Encryption none Auth Mode PAP Idle Time Out 30 Minutes Idle TO Left 30 Minutes Bytes Tx 301386 Bytes Rx 306480 Pkts Tx 4198 Pkts Rx 4224 The following...

Page 599: ...3 Username v_gonzalez Assigned IP 90 208 1 202 Encryption none Auth Mode PAP Idle Time Out 1 Minutes Idle TO Left 1 Minutes Bytes Tx 584 Bytes Rx 2224 Pkts Tx 18 Pkts Rx 30 Using L2TP Debug Commands You can display L2TP debug information using the debug l2tp command in privileged EXEC mode To disable the display of debug information use the no form of this command debug l2tp data error event packe...

Page 600: ...lSet Services PolicyAgent Step 3 Create the key by entering oakley Step 4 Create the DWORD by entering EnableLogging Step 5 Set the Enable Logging value to 1 Step 6 Stop and Start the IPSec Policy Agent click Start Programs Administrative Tools Services The debug file will be found at windir debug oakley log Getting Additional Information Additional information on various topics can be found at ww...

Page 601: ...c http www microsoft com windows2000 en server help default asp url WINDOWS2000 en server h elp sag_VPN_us26 htm How to use a Windows 2000 Machine Certificate for L2TP over IPSec VPN Connections http www microsoft com windows2000 techinfo planning security ipsecsteps asp heading3 How to Create a Custom MMC Console and Enabling Audit Policy for Your Computer http support microsoft com support kb ar...

Page 602: ...28 10 Cisco Security Appliance Command Line Configuration Guide OL 12172 03 Chapter 28 Configuring L2TP over IPSec Viewing L2TP over IPSec Connection Information ...

Page 603: ...ontexts also referred to as multi mode firewall or Active Active stateful failover The exception to this caveat is that you can configure and use one connection for administrative purposes to not through the security appliance in transparent mode Configuring IPSec to Bypass ACLs To permit any packets that come from an IPSec tunnel without checking ACLs for the source and destination interfaces ent...

Page 604: ...2 while also sending unencrypted traffic to a public Web server Figure 29 1 VPN Client Using Intra Interface Feature for Hairpinning To configure this feature use the same security traffic command in global configuration mode with its intra interface argument The command syntax is same security traffic permit inter interface intra interface The following example shows how to enable intra interface...

Page 605: ... see the Applying NAT chapter of this guide Setting Maximum Active IPSec VPN Sessions To limit VPN sessions to a lower value than the security appliance allows enter the vpn sessiondb max session limit command in global configuration mode This command applies to all types of VPN sessions including WebVPN This limit affects the calculated load percentage for VPN Load Balancing The syntax is vpn ses...

Page 606: ...000 and Windows XP platforms windows Includes all Windows based platforms and vpn3002 VPN 3002 hardware client If the client is already running a software version on the list of revision numbers it does not need to update its software If the client is not running a software version on the list it should update You can specify up to three of these client update entries The keyword windows covers al...

Page 607: ...ive clients on all tunnel groups you would enter the following command in privileged EXEC mode hostname client update all hostname If the user s client s revision number matches one of the specified revision numbers there is no need to update the client and no notification message is sent to the user VPN 3002 clients update without user intervention and users receive no notification message Note I...

Page 608: ... virtual cluster master itself fail a secondary device in the cluster immediately and automatically takes over as the new virtual session master Even if several devices in the cluster fail users can continue to connect to the cluster as long as any one device in the cluster is up and available Implementing Load Balancing Enabling load balancing involves Configuring the load balancing cluster by es...

Page 609: ...Concentrators can run load balancing for a mixture of IPSec and WebVPN sessions Load balancing clusters that consist of a both of ASA 7 0 x security appliances and VPN 3000 Concentrators can run load balancing for a mixture of IPSec and WebVPN sessions Load balancing clusters that include ASA 7 1 1 security appliances and either ASA 7 0 x or VPN 3000 Concentrators or both can support only IPSec se...

Page 610: ...urity appliance running ASA Release 7 1 1 software is the initial cluster master then that device fails Another device in the cluster takes over automatically as master and applies its own load balancing algorithm to determine processor loads within the cluster A cluster master running ASA Release 7 1 1 software cannot weight session loads in any way other than what that software provides Therefor...

Page 611: ...he security appliance by entering the interface command with the lbprivate keyword in vpn load balancing configuration mode This command specifies the name or IP address of the private interface for load balancing for this device hostname config load balancing interface lbprivate inside hostname config load balancing Step 3 Set the priority to assign to this device within the cluster The range is ...

Page 612: ...e UDP destination port number you want to use for load balancing hostname config load balancing cluster port port_number hostname config load balancing For example to set the cluster port to 4444 enter the following command hostname config load balancing cluster port 4444 hostname config load balancing Step 4 Optionally enable IPSec encryption for the cluster The default is no encryption This comm...

Page 613: ... master this security appliance can send a fully qualified domain name FQDN using reverse DNS lookup of a cluster device another security appliance in the cluster instead of its outside IP address when redirecting VPN client connections to that cluster device All of the outside and inside network interfaces on the load balancing devices in a cluster must be on the same IP network To do WebVPN load...

Page 614: ...and license for the security appliance supports To view the licensing information for your security appliance enter the show version command in global configuration mode The following example shows the command and the licensing information excerpted from the output of this command hostname config show version Cisco Adaptive Security Appliance Software Version 7 1 0 182 Device Manager Version 5 1 0...

Page 615: ... To remove the session limit use the no version of this command hostname config vpn sessiondb max webvpn session limit number_of_sessions hostname config For example if the security appliance license allows 500 WebVPN sessions and you want to limit the number of WebVPN sessions to 250 enter the following command hostname config vpn sessiondb max webvpn session limit 250 hostname config To remove t...

Page 616: ...29 14 Cisco Security Appliance Command Line Configuration Guide OL 12172 03 Chapter 29 Setting General IPSec VPN Parameters Configuring VPN Session Limits ...

Page 617: ...s a collection of users treated as a single entity Users get their attributes from group policies Connection profiles identify the group policy for a specific connection If you do not assign a particular group policy to a user the default group policy for the connection applies Note You configure connection profiles using tunnel group commands In this chapter the terms connection profile and tunne...

Page 618: ...e no value for the http proxy command the attribute is not present in the DAP record so the security appliance moves down to the AAA attribute in the username and if necessary the group policy to find a value to apply We recommend that you use ASDM to configure DAP Connection Profiles A connection profile consists of a set of records that determines tunnel connection policies These records identif...

Page 619: ...ser Client address assignment method This method includes values for one or more DHCP servers or address pools that the security appliance assigns to clients Override account disabled This parameter lets you override the account disabled indicator received from a AAA server Password management This parameter lets you warn a user that the current password is due to expire in a specified number of d...

Page 620: ...the IKE peer loses connectivity There are various forms of IKE keepalives For this feature to work both the security appliance and its remote peer must support a common form This feature works with the following peers Cisco AnyConnect VPN Client Cisco VPN Client Release 3 0 and above Cisco VPN 3000 Client Release 2 x Cisco VPN 3002 Hardware Client Cisco VPN 3000 Series Concentrators Cisco IOS soft...

Page 621: ... that are specific to clientless SSL VPN In addition to these attributes you configure general connection profile attributes common to all VPN connections For step by step information on configuring connection profiles see Configuring Connection Profiles for Clientless SSL VPN Sessions in Chapter 30 Configuring Connection Profiles Group Policies and Users Note In earlier releases connection profil...

Page 622: ...ion of all your connection profiles including the default connection profile enter the show running config all tunnel group command Default IPSec Remote Access Connection Profile Configuration The contents of the default remote access connection profile are as follows tunnel group DefaultRAGroup type remote access tunnel group DefaultRAGroup general attributes no address pool no ipv6 address pool ...

Page 623: ...SSL VPN connection profiles Configuring IPSec Remote Access Connection Profiles Use an IPSec remote access connection profile when setting up a connection between a remote client and a central site security appliance using a hardware or software client To configure an IPSec remote access connection profile first configure the tunnel group general attributes then the IPSec remote access attributes ...

Page 624: ...for the interface named test using the server named servergroup1 for authentication hostname config tunnel general authentication server group test servergroup1 hostname config tunnel general Step 3 Specify the name of the authorization server group if any to use When you configure this value users must exist in the authorization database to connect hostname config tunnel general authorization ser...

Page 625: ...ss group hostname config group policy no nac authentication server group hostname config group policy Note NAC requires a Cisco Trust Agent on the remote host Step 8 Specify whether to strip the group or the realm from the username before passing it on to the AAA server The default is not to strip either the group name or the realm hostname config tunnel general strip group hostname config tunnel ...

Page 626: ...the user the opportunity to change the password If the current password has not yet expired the user can still log in using that password The security appliance ignores this command if RADIUS or LDAP authentication has not been configured Note that this does not change the number of days before the password expires but rather the number of days ahead of expiration that the security appliance start...

Page 627: ...ple the following command specifies the use of the CN attribute as the username for authorization hostname config tunnel general authorization dn attributes CN hostname config tunnel general The authorization dn attributes are C Country CN Common Name DNQ DN qualifier EA E mail Address GENQ Generational qualifier GN Given Name I Initials L Locality N Name O Organization OU Organizational Unit SER ...

Page 628: ...ss pool when using IPv6 using the ip local pool command Step 3 Add the ipv6 address pool to your tunnel group policy or group policy tunnel group YourTunGrp1 general attributes ipv6 address pool ipv6pool Note Again you must also configure an IPv4 address pool here as well using the address pool command Step 4 Configure an IPv6 tunnel default gateway ipv6 route inside 0 X X X X X tunneled Configuri...

Page 629: ... id validation is required hostname config tunnel ipsec peer id validate req hostname config tunnel ipsec Step 4 Specify whether to Step 5 Specify whether to enable sending of a certificate chain The following command includes the root certificate and any subordinate CA certificates in the transmission hostname config tunnel ipsec chain hostname config tunnel ipsec This attribute applies to all IP...

Page 630: ...shared key and configure a trustpoint You can use the isakmp ikev1 user authentication command with the optional interface parameter to specify a particular interface When you omit the interface parameter the command applies to all the interfaces and serves as a back up when the per interface command is not specified When there are two isakmp ikev1 user authentication commands specified for a conn...

Page 631: ...t The syntax of this command is hostname config tunnel ppp authentication protocol hostname config tunnel ppp To disable authentication for a specific protocol use the no form of the command hostname config tunnel ppp no authentication protocol hostname config tunnel ppp For example the following command enables the use of the PAP protocol for a PPP connection hostname config tunnel ppp authentica...

Page 632: ...oup command as follows hostname config tunnel group tunnel_group_name type tunnel_type For a LAN to LAN tunnel the type is ipsec l2l for example to create the LAN to LAN connection profile named docs enter the following command hostname config tunnel group docs type ipsec l2l hostname config Configuring LAN to LAN Connection Profile General Attributes To configure the connection profile general at...

Page 633: ...t you are now in tunnel group ipsec attributes configuration mode Step 2 Specify the preshared key to support IKE connections based on preshared keys hostname config tunnel ipsec pre shared key key hostname config tunnel ipsec For example the following command specifies the preshared key XYZX to support IKE connections for an IPSec LAN to LAN connection profile hostname config tunnel ipsec pre sha...

Page 634: ...nel ipsec Step 7 Specify the ISAKMP hybrid authentication method XAUTH or hybrid XAUTH You use isakmp ikev1 user authentication command to implement hybrid XAUTH authentication when you need to use digital certificates for security appliance authentication and a different legacy method for remote VPN user authentication such as RADIUS TACACS or SecurID Hybrid XAUTH breaks phase 1 of IKE down into ...

Page 635: ...up3 enter the following command hostname config tunnel group TunnelGroup3 type webvpn hostname config Configuring General Tunnel Group Attributes for Clientless SSL VPN Sessions To configure or change the connection profile general attributes specify the parameters in the following steps Step 1 To configure the general attributes enter tunnel group general attributes command which enters tunnel gr...

Page 636: ...ple the following command specifies the use of the authorization server group FinGroup hostname config tunnel general authorization server group FinGroup hostname config tunnel general Step 4 Specify whether to require a successful authorization before allowing a user to connect The default is not to require authorization hostname config tunnel general authorization required hostname config tunnel...

Page 637: ...P Addresses for VPNs for information about configuring address pools Step 9 Optionally if your server is a RADIUS RADIUS with NT or LDAP server you can enable password management Note If you are using an LDAP directory server for authentication password management is supported with the Sun Microsystems JAVA System Directory Server formerly named the Sun ONE Directory Server and the Microsoft Activ...

Page 638: ...this command The security appliance does not notify the user of the pending expiration but the user can change the password after it expires Optionally configure the ability to override an account disabled indicator from the AAA server by entering the override account disable command hostname config tunnel general override account disable hostname config tunnel general Note Allowing override accou...

Page 639: ...est webvpn attributes hostname config tunnel webvpn customization value 123 hostname config tunnel webvpn Step 3 The security appliance queries NetBIOS name servers to map NetBIOS names to IP addresses Clientless SSL VPN requires NetBIOS to access or share files on remote systems Clientless SSL VPN uses NetBIOS and the CIFS protocol to access or share files on remote systems When you attempt a fil...

Page 640: ...n group list to appear Step 5 To specify incoming URLs or IP addresses for the group use the group url command Specifying a group URL or IP address eliminates the need for the user to select a group at login When a user logs in the security appliance looks for the user s incoming URL or address in the tunnel group policy table If it finds the URL or address and if group url is enabled in the conne...

Page 641: ...cy if criteria match use the hic fail group policy command The default value is DfltGrpPolicy hostname config tunnel webvpn hic fail group policy name hostname config tunnel webvpn Name is the name of a group policy created for a connection profile for clientless SSL VPN sessions This policy is an alternative group policy to differentiate access rights for the following CSD clients Clients that ma...

Page 642: ...name config tunnel webvpn radius reject message Customizing Login Windows for Users of Clientless SSL VPN sessions You can set up different login windows for different groups by using a combination of customization profiles and connection profiles For example assuming that you had created a customization profile called salesgui you can create a connection profile for clientless SSL VPN sessions ca...

Page 643: ...ecurity appliance to access a Sun directory server must be able to access the default password policy on that server We recommend using the directory administrator or a user with directory administrator privileges as the DN Alternatively you can place an ACI on the default password policy Microsoft You must configure LDAP over SSL to enable password management with Microsoft Active Directory See t...

Page 644: ...r password at the next logon specify the password management command in tunnel group general attributes configuration mode on the security appliance and do the following steps under Active Directory Step 1 Select to Start Programs Administrative Tools Active Directory Users and Computers Figure 30 1 Figure 30 1 Active Directory Administrative Tools Menu Step 2 Right click Username Properties Accou...

Page 645: ...Settings Security Settings Account Policies Password Policy Select Minimum password length Using Active Directory to Specify Maximum Password Age To enhance security you can specify that passwords expire after a certain number of days To specify a maximum password age for a user password specify the password management command in tunnel group general attributes configuration mode on the security a...

Page 646: ...mmand entered in tunnel group general attributes mode replaces it Using Active Directory to Override an Account Disabled AAA Indicator To override an account disabled indication from a AAA server specify the override account disable command in tunnel group general attributes configuration mode on thesecurity appliance and do the following steps under Active Directory Note Allowing override account...

Page 647: ...ength To enforce a minimum length for passwords specify the password management command in tunnel group general attributes configuration mode on the security appliance and do the following steps under Active Directory Step 1 Select Start Programs Administrative Tools Domain Security Policy Step 2 Select Windows Settings Security Settings Account Policies Password Policy Step 3 Double click Minimum...

Page 648: ... upper and lowercase letters numbers and special characters specify the password management command in tunnel group general attributes configuration mode on the security appliance and do the following steps under Active Directory Step 1 Select Start Programs Administrative Tools Domain Security Policy Select Windows Settings Security Settings Account Policies Password Policy Step 2 Double click Pa...

Page 649: ... are stored either internally locally on the device or externally on a RADIUS server The connection profile uses a group policy that sets terms for user connections after the tunnel is established Group policies let you apply whole sets of attributes to a user or a group of users rather than having to specify each attribute individually for each user Enter the group policy commands in global confi...

Page 650: ...fltGrpPolicy hostname config To configure the default group policy enter the following command hostname config group policy DfltGrpPolicy internal hostname config Note The default group policy is always internal Despite the fact that the command syntax is hostname config group policy DfltGrpPolicy internal external you cannot change its type to external To change any of the attributes of the defau...

Page 651: ...nac reval period 36000 nac default acl none address pools value vpn_users client firewall none client access rule none webvpn html content filter none homepage none keep alive ignore 4 http comp gzip filter none url list value MyURLs customization value DfltCustomization port forward none port forward name value Application Access sso server none deny message value Login was successful but because...

Page 652: ...ust be no name duplication between them The security appliance supports user authorization on an external LDAP or RADIUS server Before you configure the security appliance to use an external server you must configure the server with the correct security appliance authorization attributes and from a subset of these attributes assign specific permissions to individual users Follow the instructions i...

Page 653: ...or a specified group policy In group policy attributes mode explicitly configure the attribute value pairs that you do not want to inherit from the default group The commands to do this are described in the following sections Configuring WINS and DNS Servers You can specify primary and secondary WINS servers and DNS servers The default value in each case is none To specify these servers do the fol...

Page 654: ... named FirstGroup hostname config group policy FirstGroup attributes hostname config group policy dns server value 10 10 10 15 10 10 10 30 hostname config group policy Step 3 Configure the DHCP network scope hostname config group policy dhcp network scope ip_address none hostname config group policy DHCP scope specifies the range of IP addresses that is a subnetwork that the security appliance DHC...

Page 655: ...vpn simultaneous logins is 1 and the same user logs in again after an abnormal termination then the stale session is removed from the database and the new session is established If however the existing session is still an active connection and the same user logs in again perhaps from another PC the first session is logged off and removed from the database and the new session is established If the ...

Page 656: ...N for remote access VPN sessions assigned to this group policy or to a group policy that inherits this group policy hostname config group policy no vlan vlan_id none no vlan removes the vlan_id from the group policy The group policy inherits the vlan value from the default group policy vlan none removes the vlan_id from the group policy and disables VLAN mapping for this group policy The group pol...

Page 657: ... secure gateway Creates security associations that govern authentication encryption encapsulation and key management webvpn Provides VPN services to remote users via an HTTPS enabled web browser and does not require a client l2tp ipsec Negotiates an IPSec tunnel for an L2TP connection Enter this command to configure one or more tunneling modes You must configure at least one tunneling mode for use...

Page 658: ... CPU usage for each user session and consequently decreases the overall throughput of the security appliance For this reason we recommend that you enable data compression only for remote users connecting with a modem Design a group policy specific to modem users and enable compression only for them Step 3 Specify whether to require that users reauthenticate on IKE rekey by using the re xauth comma...

Page 659: ... secrecy ensures that each new cryptographic key is unrelated to any previous key A group policy can inherit a value for perfect forward secrecy from another group policy Perfect forward secrecy is disabled by default To enable perfect forward secrecy use the pfs command with the enable keyword in group policy configuration mode hostname config group policy pfs enable disable hostname config group...

Page 660: ...t by default The VPN 3002 requires no configuration to use IPSec over UDP The following example shows how to set IPSec over UDP for the group policy named FirstGroup hostname config group policy FirstGroup attributes hostname config group policy ipsec udp enable If you enabled IPSec over UDP you must also configure the ipsec udp port command in group policy configuration mode This command sets a U...

Page 661: ...te a network list of addresses to tunnel Data to all other addresses travels in the clear and is routed by the remote user s Internet service provider Note Split tunneling is primarily a traffic management feature not a security feature For optimum security we recommend that you do not enable split tunneling The following example shows how to set a split tunneling policy of tunneling only specifie...

Page 662: ...specify the default domain name for users of the group policy enter the default domain command in group policy configuration mode To delete a domain name enter the no form of this command hostname config group policy default domain value domain name none hostname config group policy no default domain domain name The value domain name parameter identifies the default domain name for the group To sp...

Page 663: ...ue Domain1 Domain2 Domain3 Domain4 Configuring DHCP Intercept A Microsoft XP anomaly results in the corruption of domain names if split tunnel options exceed 255 bytes To avoid this problem the security appliance limits the number of routes it sends to 27 to 40 routes with the number of routes dependent on the classes of the routes DHCP Intercept lets Microsoft Windows XP clients use split tunneli...

Page 664: ...guration enter the no form of this command This option allows inheritance of a value for secure unit authentication from another group policy The following example shows how to enable secure unit authentication for the group policy named FirstGroup hostname config group policy FirstGroup attributes hostname config group policy secure unit authentication enable Configuring User Authentication User ...

Page 665: ... idle timeout with a null value which disallows an idle timeout and prevents inheriting an user authentication idle timeout value from a default or specified group policy The following example shows how to set an idle timeout value of 45 minutes for the group policy named FirstGroup hostname config group policy FirstGroup attributes hostname config group policy user authentication idle timeout 45 ...

Page 666: ...less medium Cisco LEAP authenticates wireless clients to RADIUS servers It does not include RADIUS accounting services This feature does not work as intended if you enable interactive hardware client authentication Caution There might be security risks to your network in allowing any unauthenticated traffic to traverse the tunnel The following example shows how to set LEAP Bypass for the group pol...

Page 667: ...n addition if you use hostnames and the DNS server is unavailable significant delays can occur To configure backup servers enter the backup servers command in group policy configuration mode hostname config group policy backup servers server1 server2 server10 clear client config keep client config To remove a backup server enter the no form of this command with the backup server specified To remov...

Page 668: ...onfig group policy Step 2 Configure the Microsoft Internet Explorer browser proxy actions methods for a client PC by entering the msie proxy method command in group policy configuration mode hostname config group policy msie proxy method auto detect no modify no proxy use server hostname config group policy The default value is use server To remove the attribute from the configuration use the no f...

Page 669: ...is applied for this client PC The port number is optional none Indicates that there is no IP address hostname or port and prevents inheriting an exception list By default msie proxy except list is disabled The line containing the proxy server IP address or hostname and the port number must be less than 100 characters long The following example shows how to set a Microsoft Internet Explorer proxy e...

Page 670: ...query Enter the number of seconds in the range 30 through 1800 The default setting is 300 To specify the interval between each successful posture validation in a Network Admission Control session and the next query for changes in the host posture use the nac sq period command in group policy configuration mode hostname config group policy nac sq period seconds hostname config group policy To inher...

Page 671: ... ACL from the default group policy access the alternative group policy from which to inherit it then use the no form of this command hostname config group policy no nac default acl acl name none hostname config group policy The elements of this command are as follows acl name Specifies the name of the posture validation server group as configured on the security appliance using the aaa server host...

Page 672: ... ACL present in the security appliance configuration disable Disables the entry in the exemption list without removing it from the list filter Optional filter to apply an ACL to filter the traffic if the computer matches the os name none When entered immediately after vpn nac exempt this keyword disables inheritance and specifies that all hosts will be subject to posture validation When entered im...

Page 673: ... NAC is disabled by default An Access Control Server must be present on the network The following example enables NAC for the group policy hostname config group policy nac enable hostname config group policy Configuring Address Pools Configure a list of address pools for allocating addresses to remote clients by entering the address pools command in group policy attributes configuration mode hostn...

Page 674: ...e split tunneling configured In this case the firewall protects the user s PC and thereby the corporate network from intrusions by way of the Internet or the user s local LAN Remote users connecting to the security appliance with the VPN client can choose the appropriate firewall option Set personal firewall policies that the security appliance pushes to the VPN client during IKE tunnel negotiatio...

Page 675: ...his policy down to the VPN client The VPN client then in turn passes the policy to the local firewall which enforces it Enter the following commands to set the appropriate client firewall parameters You can configure only one instance of this command Table 30 2 following this set of commands explains the syntax elements of these commands Cisco Integrated Firewall hostname config group policy clien...

Page 676: ... Cisco Integrated firewall type cisco security agent Specifies Cisco Intrusion Prevention Security Agent firewall type CPP Specifies Policy Pushed as source of the VPN client firewall policy custom Specifies Custom firewall type description string Describes the firewall networkice blackice Specifies Network ICE Black ICE firewall type none Indicates that there is no client firewall policy Sets a f...

Page 677: ...h you can enter multiple times in each rule For example client access rule 3 deny type version 3 creates a priority 3 client access rule that denies all client types running release versions 3 x software You can construct a maximum of 25 rules per group policy There is a limit of 255 characters for an entire set of rules You can enter n a for clients that do not send client type and or version To ...

Page 678: ...the authentication subsystem to authenticate users By default clientless SSL VPN is disabled You can customize a configuration of clientless SSL VPN for specific internal group policies Note The webvpn mode that you enter from global configuration mode lets you configure global settings for clientless SSL VPN sessions The webvpn mode described in this section which you enter from group policy conf...

Page 679: ...pter 37 Configuring Clientless SSL VPN for more information about configuring the attributes for clientless SSL VPN sessions To remove all commands entered in group policy webvpn configuration mode enter the no form of this command These webvpn commands apply to the username or group policy from which you configure them hostname config group policy webvpn hostname config group policy no webvpn The...

Page 680: ...string so that the remote user does not receive a message The no deny message none command removes the attribute from the connection profile policy configuration The policy inherits the attribute value The message can be up to 491 alphanumeric characters long including special characters spaces and punctuation but not counting the enclosing quotation marks The text appears on the remote user s bro...

Page 681: ...webvpn Specifying the User Home Page Specify a URL for the web page that displays when a user in this group logs in by using the homepage command in group policy webvpn configuration mode There is no default home page To remove a configured home page including a null value created by issuing the homepage none command enter the no form of this command The no option allows inheritance of a value fro...

Page 682: ...stname config group policy webvpn hostname config group webvpn auto signon allow uri https example com auth type all hostname config group webvpn The following example commands configure auto signon for users of clientless SSL VPN sessions using either basic or NTLM authentication to the server with the IP address 10 1 1 0 using subnet mask 255 255 255 0 hostname config group policy ExamplePolicy ...

Page 683: ...RL list use the url list none command Using the command a second time overrides the previous setting hostname config group webvpn url list value name none index hostname config group webvpn no url list Table 30 5 shows the url list command parameters and their meanings The following example sets a URL list called FirstGroupURLs for the group policy named FirstGroup and specifies that this should b...

Page 684: ... enter the port forward command with the none keyword The none keyword indicates that there is no filtering It sets a null value thereby disallowing a filtering and prevents inheriting filtering values The syntax of the command is as follows hostname config group webvpn port forward value listname none hostname config group webvpn no port forward The listname string following the keyword value ide...

Page 685: ...size hostname config group webvpn The no form of the command removes this specification from the configuration hostname config group webvpn no keep alive ignore hostname config group webvpn The following example sets the maximum size of objects to ignore as 5 KB hostname config group webvpn keep alive ignore 5 hostname config group webvpn Specifying HTTP Compression Enable compression of http data...

Page 686: ... VPN client without the need for network administrators to install and configure IPSec VPN clients on remote computers The SVC uses the SSL encryption that is already present on the remote computer as well as the clientless SSL VPN sessions login and authentication of the security appliance To establish an SVC session the remote user enters the IP address of an interface of the security appliance ...

Page 687: ...mand and cause the value to be inherited use the no form of the command hostname config group webvpn svc compression deflate none hostname config group webvpn The following example disables SVC compression for the group policy named sales hostname config group policy sales attributes hostname config group policy webvpn hostname config group webvpn svc compression none hostname config group webvpn ...

Page 688: ...keepalive 300 hostname config group webvpn Step 5 To enable the permanent installation of an SVC onto a remote computer use the svc keep installer command with the installed keyword To remove the command from the configuration use the no form of this command hostname config group webvpn svc keep installer installed none hostname config group webvpn no svc keep installer installed none hostname con...

Page 689: ...m the assigned group policy The security appliance also lets you assign individual attributes at the user level overriding values in the group policy that applies to that user For example you can specify a group policy giving all users access during business hours but give a specific user 24 hour access Viewing the Username Configuration To display the configuration for all usernames including def...

Page 690: ... Table 30 6 describes the meaning of the keywords and variables used in this command Table 30 6 username Command Keywords and Variables By default VPN users that you add with this command have no attributes or group policy association You must explicitly configure all values The following example shows how to configure a user named anyuser with an encrypted password of pw_12345678 and a privilege ...

Page 691: ...uring Access Hours Associate the hours that this user is allowed to access the system by specifying the name of a configured time range policy To remove the attribute from the running configuration enter the no form of this command This option allows inheritance of a time range value from another group policy To prevent inheriting a value enter the vpn access hours none command The default is unre...

Page 692: ... config username Configuring the Maximum Connect Time Specify the maximum user connection time in minutes or enter none to allow unlimited connection time and prevent inheriting a value for this attribute At the end of this period of time the security appliance terminates the connection The range is 1 through 35791394 minutes There is no default timeout To allow an unlimited timeout period and thu...

Page 693: ...ample shows how to set an IP address of 10 92 166 7 for a user named anyuser hostname config username anyuser attributes hostname config username vpn framed ip address 10 92 166 7 hostname config username Specify the network mask to use with the IP address specified in the previous step If you used the no vpn framed ip address command do not specify a network mask To remove the subnet mask enter t...

Page 694: ...re group lock the security appliance authenticates users without regard to the assigned group To remove the group lock attribute from the running configuration enter the no form of this command This option allows inheritance of a value from the group policy To disable group lock and to prevent inheriting a group lock value from a default or specified group policy enter the group lock command with ...

Page 695: ...cess to files URLs and TCP applications over clientless SSL VPN sessions They also identify ACLs and types of traffic to filter Clientless SSL VPN is disabled by default These webvpn commands apply only to the username from which you configure them Notice that the prompt changes indicating that you are now in username webvpn configuration mode hostname config username webvpn hostname config userna...

Page 696: ...The no option allows inheritance of a value from the group policy To prevent inheriting an HTML content filter enter the html content filter none command HTML filtering is disabled by default Using the command a second time overrides the previous setting hostname config username webvpn html content filter java images scripts cookies none hostname config username webvpn no html content filter java ...

Page 697: ...e config username webvpn homepage value www example com hostname config username webvpn Applying Customization Customizations determine the appearance of the windows that the user sees upon login You configure the customization parameters as part of configuring clientless SSL VPN To apply a previously defined web page customization to change the look and feel of the web page that the user sees at ...

Page 698: ...ame mode and configures the attributes for the user named anyuser The subsequent commands enter username webvpn configuration mode and modify the deny message associated with that user hostname config username anyuser attributes hostname config username webvpn hostname config username webvpn deny message value Your login credentials are OK However you have not been granted rights to use the VPN fe...

Page 699: ...layname url none hostname config username webvpn no url list The keywords and variables used in this command are as follows displayname Specifies a name for the URL This name appears on the portal page in the clientless SSL VPN session listname Identifies a name by which to group URLs none Indicates that there is no list of URLs Sets a null value thereby disallowing a URL list Prevents inheriting ...

Page 700: ...an access Enter the port forward command in configuration mode to define the list Using the command a second time overrides the previous setting Before you can enter the port forward command in username webvpn configuration mode to enable application access you must define a list of applications that you want users to be able to use in a clientless SSL VPN session Enter the port forward command in...

Page 701: ... sign on method for users of clientless SSL VPN sessions It passes the login credentials username and password to internal servers for authentication using NTLM authentication basic authentication or both Multiple auto signon commands can be entered and are processed according to the input order early commands take precedence You can use the auto signon feature in three modes webvpn configuration ...

Page 702: ...onfig username testuser attributes hostname config username webvpn hostname config username webvpn http comp none hostname config username webvpn Specifying the SSO Server Single sign on support available only for clientless SSL VPN sessions lets users access different secure services on different servers without reentering a username and password more than once The sso server value command when e...

Page 703: ... system match at which point it downloads the entire SVC You can order the SVC images to minimize connection setup time with the first image downloaded representing the most commonly encountered remote computer operating system For complete information about installing and using SVC see Chapter 38 Configuring AnyConnect VPN Client Connections After enabling SVC as described in Chapter 38 Configuri...

Page 704: ...g username webvpn hostname config username webvpn svc dpd interval gateway 3000 hostname config username webvpn svc dpd interval client 1000 hostname config username webvpn Step 4 You can adjust the frequency of keepalive messages specified by seconds to ensure that an SVC connection through a proxy firewall or NAT device remains open even if the device limits the time that the connection can be i...

Page 705: ...efault SVC rekey is disabled Specifying the method as new tunnel specifies that the SVC establishes a new tunnel during SVC rekey Specifying the method as none disables SVC rekey Specifying the method as ssl specifies that SSL renegotiation takes place during SVC rekey instead of specifying the method you can specify the time that is the number of minutes from the start of the session until the re...

Page 706: ...30 90 Cisco Security Appliance Command Line Configuration Guide OL 12172 03 Chapter 30 Configuring Connection Profiles Group Policies and Users Configuring User Attributes ...

Page 707: ...oint This chapter includes the following sections Configuring an IP Address Assignment Method page 31 1 Configuring Local IP Address Pools page 31 2 Configuring AAA Addressing page 31 2 Configuring DHCP Addressing page 31 3 Configuring an IP Address Assignment Method The security appliance can use one or more of the following methods for assigning IP addresses to remote access clients If you confi...

Page 708: ...st address mask mask The following example configures an IP address pool named firstpool The starting address is 10 20 30 40 and the ending address is 10 20 30 50 The network mask is 255 255 255 0 hostname config ip local pool firstpool 10 20 30 40 10 20 30 50 mask 255 255 255 0 hostname config Configuring AAA Addressing To use a AAA server to assign addresses for VPN remote access clients you mus...

Page 709: ...u define the DHCP server on a tunnel group basis Optionally you can also define a DHCP network scope in the group policy associated with the tunnel group or username This is either an IP network number or IP Address that identifies to the DHCP server which pool of IP addresses to use The following examples define the DHCP server at IP address 172 33 44 19 for the tunnel group named firstgroup They...

Page 710: ...er the dhcp server command The following example configures a DHCP server at IP address 172 33 44 19 hostname config general dhcp server 172 33 44 19 hostname config general Step 5 Exit tunnel group mode hostname config general exit hostname config Step 6 To define the group policy called remotegroup as an internally or externally configured group enter the group policy command with the internal o...

Page 711: ...ow to configure a remote access connection Later sections provide step by step instructions hostname config interface ethernet0 hostname config if ip address 10 10 4 200 255 255 0 0 hostname config if nameif outside hostname config if no shutdown hostname config isakmp policy 1 authentication pre share hostname config isakmp policy 1 encryption 3des hostname config isakmp policy 1 hash sha hostnam...

Page 712: ...n the examples Step 1 To enter Interface configuration mode in global configuration mode enter the interface command with the default name of the interface to configure In the following example the interface is ethernet0 hostname config interface ethernet0 hostname config if Step 2 To set the IP address and subnet mask for the interface enter the ip address command In the following example the IP ...

Page 713: ...ses an encryption key before replacing it See on page 27 3 in the Configuring IPSec and ISAKMP chapter of this guide for detailed information about the IKE policy keywords and their values To configure ISAKMP policies in global configuration mode enter the isakmp policy command with its various arguments The syntax for ISAKMP policy commands is isakmp policy priority attribute_name attribute_value...

Page 714: ...ss users to the security appliance configure usernames and passwords Step 1 To add users enter the username command The syntax is username username password password In the following example the username is testuser and the password is 12345678 hostname config username testuser password 12345678 hostname config Step 2 Repeat Step 1 for each additional user Creating a Transform Set A transform set ...

Page 715: ...em The security appliance uses these groups to configure default tunnel parameters for remote access and LAN to LAN tunnel groups when there is no specific tunnel group identified during tunnel negotiation To establish a basic remote access connection you must set three attributes for a tunnel group Set the connection type to IPSec remote access Configure the address assignment method in the follo...

Page 716: ...nce uses dynamic crypto maps to define a policy template where all the parameters do not have to be configured These dynamic crypto maps let the security appliance receive connections from peers that have unknown IP addresses Remote access clients fall in this category Dynamic crypto map entries identify the transform set for the connection You also enable reverse routing which lets the security a...

Page 717: ...e sequence number is 1 and the name of the dynamic crypto map is dyn1 which you created in the previous section Creating a Dynamic Crypto Map Enter these commands in global configuration mode Step 1 To create a crypto map entry that uses a dynamic crypto map enter the crypto map command The syntax is crypto map map name seq num ipsec isakmp dynamic dynamic map name hostname config crypto map mymap...

Page 718: ...32 8 Cisco Security Appliance Command Line Configuration Guide OL 12172 03 Chapter 32 Configuring Remote Access IPSec VPNs Creating a Crypto Map Entry to Use the Dynamic Crypto Map ...

Page 719: ...tion can include the verification that the applications running on the remote hosts are updated with the latest patches NAC occurs only after user authentication and the setup of the tunnel NAC is especially useful for protecting the enterprise network from hosts that are not subject to automatic network policy enforcement such as home PCs The establishment of a tunnel between the endpoint and the...

Page 720: ...oup policy The NAC Framework policy can however identify operating systems that are exempt from posture validation and specify an optional ACL to filter such traffic Uses Requirements and Limitations When configured to support NAC the security appliance functions as a client of a Cisco Secure Access Control Server requiring that you install a minimum of one Access Control Server on the network to ...

Page 721: ...ws the text is not in use next to the policy type if the policy is not assigned to any group policies Otherwise the CLI displays the policy name and type on the first line and the usage data for the group policies in subsequent lines Table 2 explains the fields in the show nac policy command Table 1 show running config nac policy Command Fields Field Description default acl NAC default ACL applied...

Page 722: ... nac framework specifies that a NAC Framework configuration will provide a network access policy for remote hosts A Cisco Access Control Server must be present on the network to provide NAC Framework services for the security appliance When you specify this type the prompt indicates you are in nac policy nac framework configuration mode This mode lets you configure the NAC Framework policy You can...

Page 723: ... Use the no form of the command if you want to remove the command from the NAC policy server group must match the server tag variable specified in the aaa server host command It is optional if you are using the no version of the command For example enter the following command to specify acs group1 as the authentication server group to be used for NAC posture validation hostname config nac policy n...

Page 724: ...ff this timer and enter show running config nac policy the CLI displays a 0 next to the sq period attribute which means the timer is turned off seconds must be in the range is 300 to 86400 seconds 5 minutes to 24 hours It is optional if you are using the no version of the command For example enter the following command to change the revalidation timer to 86400 seconds hostname config nac policy na...

Page 725: ...nd ACL you want to exempt os exempts an operating system from posture validation os name is the operating system name Use quotation marks if the name includes a space for example Windows XP filter applies an ACL to filter the traffic if the computer s operating system matches the os name The filter acl name pair is optional disable performs one of two functions as follows If you enter it after the...

Page 726: ... policy command By default the nac settings command is not present in the configuration of each group policy The security appliance automatically enables NAC for a group policy when you assign a NAC policy to it The following example command assigns the NAC policy named framework1 to the group policy hostname config group policy nac settings value framework1 hostname config group policy Changing G...

Page 727: ...clientless authentication is enabled and the security appliance fails to receive a response to a validation request from the remote host it sends a clientless authentication request on behalf of the remote host to the Access Control Server The request includes the login credentials that match those configured for clientless authentication on the Access Control Server The default username and passw...

Page 728: ...ssion Attributes The ASA provides default settings for the attributes that specify communications between the security appliance and the remote host These attributes specify the port no to communicate with posture agents on remote hosts and the expiration counters that impose limits on the communications with the posture agents These attributes the default settings and the commands you can enter t...

Page 729: ... to the remote host it waits for a response If it fails to receive a response it resends the EAP over UDP message By default it retries up to 3 times To change this value enter the following command in global configuration mode eou max retry retries retries is a value in the range 1 to 3 The following example limits the number of EAP over UDP retransmissions to 1 hostname config eou max retry 1 ho...

Page 730: ...enter the following command to change the wait period before initiating a new EAP over UDP association to 120 seconds hostname config eou timeout hold period 120 hostname config To change the session reinitialization to its default value use the no form of this command as follows no eou timeout hold period For example hostname config no eou timeout hold period hostname config ...

Page 731: ...Easy VPN server An ASA 5505 cannot however function as both a client and a server simultaneously To configure an ASA 5505 as a server see Specifying the Client Server Role of the Cisco ASA 5505 section on page 34 2 Then configure the ASA 5505 as you would any other ASA beginning with the Getting Started section on page 2 1 of this guide This chapter includes the following sections Specifying the C...

Page 732: ...er to hardware client depending on whether the elements are present in the configuration Table 34 1 lists the data elements that are permitted in both client and server configurations and not permitted in client configurations An ASA 5505 configured as an Easy VPN hardware client retains the commands listed in the first column within its configuration however some have no function in the client ro...

Page 733: ...lative to the Easy VPN Client are accessible from the Enterprise network over the tunnel Specifying a mode of operation is mandatory before making a connection because Easy VPN Client does not have a default mode Client mode also called Port Address Translation PAT mode isolates the IP addresses of all devices on the Easy VPN Client private network from those on the enterprise network The Easy VPN...

Page 734: ...user and password ppurkm1 hostname config vpnclient username testuser password ppurkm1 hostname config To remove the username and password from the running configuration enter the following command no vpnclient username For example hostname config no vpnclient username hostname config Configuring IPSec Over TCP By default the Easy VPN hardware client and server encapsulate IPSec in User Datagram P...

Page 735: ...The tunnel types the Cisco ASA 5505 configured as an Easy VPN hardware client sets up depends on a combination of the following factors Use of the split tunnel network list and the split tunnel policy commands on the headend to permit restrict or prohibit split tunneling See the Creating a Network List for Split Tunneling page 30 45 and Setting the Split Tunneling Policy section on page 30 45 resp...

Page 736: ...nt to use Specifying the Tunnel Group Specifying the Trustpoint Specifying the Tunnel Group Enter the following command in global configuration mode to specify the name of the VPN tunnel group and password for the Easy VPN client connection to the server vpnclient vpngroup group_name password preshared_key group_name is the name of the VPN tunnel group configured on the Easy VPN server You must co...

Page 737: ...e parameters specify how the security appliance obtains its certificate from the CA and define the authentication policies for user certificates issued by the CA First define the trustpoint using the crypto ca trustpoint command as described in Configuring Trustpoints section on page 39 7 Then enter the following command in global configuration mode to name the trustpoint identifying the RSA certi...

Page 738: ...on Enter the following command in global configuration mode to exempt such devices from authentication thereby providing network access to them if individual user authentication is enabled no vpnclient mac exempt mac_addr_1 mac_mask_1 mac_addr_2 mac_mask_2 mac_addr_n mac_mask_n no removes the command from the running configuration mac_addr is the MAC address in dotted hexadecimal notation of the d...

Page 739: ...and in global configuration mode if you want to automate the creation of IPSec tunnels to provide management access from the corporate network to the outside interface of the ASA 5505 The Easy VPN hardware client and server create the tunnels automatically after the execution of the vpnclient server command The syntax of the vpnclient management tunnel command follows vpnclient management tunnel i...

Page 740: ...A 5505 Configured as an EasyVPN Hardware Client Command Description backup servers Sets up backup servers on the client in case the primary server fails to respond banner Sends a banner to the client after establishing a tunnel client access rule Applies access rules client firewall Sets up the firewall parameters on the VPN client default domain Sends a domain name to the client dns server Specif...

Page 741: ...nnel policy Indicates that you are setting rules for tunneling traffic excludespecified Defines a list of networks to which traffic goes in the clear tunnelall Specifies that no traffic goes in the clear or to any other destination than the Easy VPN server Remote users reach Internet networks through the corporate network and do not have access to local networks tunnelspecified Tunnels all traffic...

Page 742: ...rk By default IUA is disabled Caution Do not use IUA if the client might have a NAT device You can use the user authentication enable command in group policy configuration mode to enable IUA See Configuring User Authentication page 30 48 Caution Do not configure IUA on a Cisco ASA 5505 configured as an Easy VPN server if a NAT device is operating between the server and the Easy VPN hardware client...

Page 743: ...ides a standard method of employing the authentication methods of the Point to Point Protocol PPP over an Ethernet network When used by ISPs PPPoE allows authenticated assignment of IP addresses In this type of implementation the PPPoE client and server are interconnected by Layer 2 bridging protocols running over a DSL or other broadband connection PPPoE is composed of two main phases Active Disc...

Page 744: ...Replace group_name with the same group name you defined in the previous step Enter the appropriate keyword for the type of authentication used by your ISP CHAP Challenge Handshake Authentication Protocol MS CHAP Microsoft Challenge Handshake Authentication Protocol Version 1 PAP Password Authentication Protocol Note When using CHAP or MS CHAP the username may be referred to as the remote system na...

Page 745: ... automatically set to 1492 bytes which is the correct value to allow PPPoE transmission within an Ethernet frame Reenter this command to reset the DHCP lease and request a new lease Note If PPPoE is enabled on two interfaces such as a primary and backup interface and you do not configure dual ISP support see the Configuring Static Route Tracking section on page 9 4 then the security appliance can ...

Page 746: ...ug pppoe event error packet The following summarizes the function of each keyword event Displays protocol event information error Displays error messages packet Displays packet information Use the following command to view the status of PPPoE sessions hostname show vpdn session l2tp pppoe id sess_id packets state window The following example shows a sample of information provided by this command h...

Page 747: ...re vpdn username command hostname config clear configure vpdn username Entering either of these commands has no affect upon active PPPoE connections Using Related Commands Use the following command to cause the DHCP server to use the WINS and DNS addresses provided by the access concentrator as part of the PPP IPCP negotiations hostname config dhcpd auto_config client_ifx_name This command is only...

Page 748: ...35 6 Cisco Security Appliance Command Line Configuration Guide OL 12172 03 Chapter 35 Configuring the PPPoE Client Using Related Commands ...

Page 749: ...ter creates Later sections provide step by step instructions hostname config interface ethernet0 hostname config if ip address 10 10 4 100 255 255 0 0 hostname config if no shutdown hostname config isakmp policy 1 authentication pre share hostname config isakmp policy 1 encryption 3des hostname config isakmp policy 1 hash sha hostname config isakmp policy 1 group 2 hostname config isakmp policy 1 ...

Page 750: ...address is 10 10 4 100 and the subnet mask is 255 255 0 0 hostname config if ip address 10 10 4 100 255 255 0 0 hostname config if Step 3 To name the interface enter the nameif command maximum of 48 characters You cannot change this name after you set it In the following example the name of the ethernet0 interface is outside hostname config if nameif outside hostname config if Step 4 To enable the...

Page 751: ...guments The syntax for ISAKMP policy commands is as follows isakmp policy priority attribute_name attribute_value integer Perform the following steps and use the command syntax in the following examples as a guide Step 1 Set the authentication method The following example configures a preshared key The priority is 1 in this and all following steps hostname config isakmp policy 1 authentication pre...

Page 752: ...a transform set perform the following steps Step 1 In global configuration mode enter the crypto ipsec transform set command The following example configures a transform set with the name FirstSet esp 3des encryption and esp md5 hmac authentication The syntax is as follows crypto ipsec transform set transform set name encryption method authentication method hostname config crypto ipsec transform s...

Page 753: ...group which is the default IPSec LAN to LAN tunnel group You can modify them but not delete them You can also create one or more new tunnel groups to suit your environment The security appliance uses these groups to configure default tunnel parameters for remote access and LAN to LAN tunnel groups when there is no specific tunnel group identified during tunnel negotiation To establish a basic LAN ...

Page 754: ...set in common If you create more than one crypto map entry for a given interface use the sequence number seq num of each entry to rank it the lower the seq num the higher the priority At the interface that has the crypto map set the security appliance evaluates traffic against the entries of higher priority maps first Create multiple crypto map entries for a given interface if either of the follow...

Page 755: ...You must apply a crypto map set to each interface through which IPSec traffic travels The security appliance supports IPSec on all interfaces Applying the crypto map set to an interface instructs the security appliance to evaluate all interface traffic against the crypto map set and to use the specified policy during connection or security association negotiations Binding a crypto map to an interf...

Page 756: ...36 8 Cisco Security Appliance Command Line Configuration Guide OL 12172 03 Chapter 36 Configuring LAN to LAN IPSec VPNs Creating a Crypto Map and Applying It To an Interface ...

Page 757: ... 37 45 Using E Mail over Clientless SSL VPN page 37 45 Optimizing Clientless SSL VPN Performance page 37 47 Clientless SSL VPN End User Setup page 37 52 Capturing Data page 37 78 Getting Started Clientless SSL VPN lets users establish a secure remote access VPN tunnel to a security appliance using a web browser Users do not need a software or hardware client Clientless SSL VPN provides secure and ...

Page 758: ... Clientless SSL VPN Security Precautions Clientless SSL VPN connections on the security appliance differ from remote access IPSec connections particularly with respect to how they interact with SSL enabled servers and precautions to reduce security risks In a clientless SSL VPN connection the security appliance acts as a proxy between the end user web browser and target web servers When a user con...

Page 759: ...es SSL and its successor TLS1 to provide a secure connection between remote users and specific supported internal resources at a central site This section includes the following topics Using HTTPS for Clientless SSL VPN Sessions Configuring Clientless SSL VPN and ASDM Ports Configuring Support for Proxy Servers Configuring SSL TLS Encryption Protocols Using HTTPS for Clientless SSL VPN Sessions Es...

Page 760: ...ostname config http 192 168 3 0 255 255 255 0 outside hostname config webvpn hostname config webvpn enable outside Configuring Support for Proxy Servers The security appliance can terminate HTTPS connections and forward HTTP and HTTPS requests to proxy servers These servers act as intermediaries between users and the Internet Requiring Internet access via a server that the organization controls pr...

Page 761: ... the http proxy host command supports this keyword username Enter the username the password to send to the proxy server with each HTTP or HTTPS request The security appliance clientless SSL VPN configuration supports only one http proxy and one http proxy command each For example if one instance of the http proxy command is already present in the running configuration and you enter another the CLI...

Page 762: ... clients only Other e mail clients such as MS Outlook MS Outlook Express and Eudora lack the ability to access the certificate store For more information on authentication and authorization using digital certificates see Using Certificates and User Login Credentials in the Configuring AAA Servers and the Local Database chapter Enabling Cookies on Browsers for Clientless SSL VPN Browser cookies are...

Page 763: ...tication server However from the security appliance perspective it is talking only to a RADIUS server Note For LDAP the method to change a password is proprietary for the different LDAP servers on the market Currently the security appliance implements the proprietary password management logic only for Microsoft Active Directory and Sun LDAP servers Native LDAP requires an SSL connection You must e...

Page 764: ...es within the domain protected by the SSO server This section describes the three SSO authentication methods supported by clientless SSL VPN HTTP Basic and NTLMv1 NT LAN Manager authentication the Computer Associates eTrust SiteMinder SSO server formerly Netegrity SiteMinder and Version 1 1 of Security Assertion Markup Language SAML the POST type SSO server authentication This section includes Con...

Page 765: ...tname config group policy webvpn hostname config group webvpn auto signon allow uri https example com auth type all Specific User IP Address Range HTTP Basic To configure auto signon for a user named Anyuser to servers with IP addresses ranging from 10 1 1 0 to 10 1 1 255 using HTTP Basic authentication for example enter the following commands hostname config username Anyuser attributes hostname c...

Page 766: ...r example to send authentication requests to the URL http www Example com webvpn enter the following hostname config webvpn sso siteminder web agent url http www Example com webvpn hostname config webvpn sso siteminder Step 3 Specify a secret key to secure the authentication communications between the security appliance and SiteMinder using the policy server secret command in webvpn sso siteminder...

Page 767: ...tion request to sso server Example for user Anyuser INFO STATUS Success hostname Adding the Cisco Authentication Scheme to SiteMinder In addition to configuring the security appliance for SSO with SiteMinder you must also configure your CA SiteMinder Policy Server with the Cisco authentication scheme a Java plug in you download from the Cisco web site Note Configuring the SiteMinder Policy Server ...

Page 768: ...ML Communication Flow Note The SAML Browser Artifact profile method of exchanging assertions is not supported Task Overview Configuring SSO with SAML Post Profile This section presents an overview of the tasks necessary to configure SSO with SAML Browser Post Profile These tasks are Specify the SSO server with the sso server command Specify the URL of the SSO server for authentication requests the...

Page 769: ...th the trust point command An example follows hostname config tunnel group 209 165 200 225 type IPSec_L2L hostname config tunnel group 209 165 200 225 ipsec attributes hostname config tunnel ipsec trust point mytrustpoint Optionally you can configure the number of seconds before a failed SSO authentication attempt times out using the request timeout command in webvpn sso saml configuration mode Th...

Page 770: ... how the SAML server identifies the user Subject Name Type is DN Subject Name format is uid user Configuring SSO with the HTTP Form Protocol This section describes using the HTTP Form protocol for SSO HTTP Form protocol is a common approach to SSO authentication that can also qualify as a AAA method It provides a secure method for exchanging authentication information between users of clientless S...

Page 771: ...erver from your browser without the security appliance in the middle acting as a proxy Analyzing the web server response using an HTTP header analyzer reveals hidden parameters in a format similar to the following param name URL encoded value param name URL encoded Some hidden parameters are mandatory and some are optional If the web server requires data for a hidden parameter it rejects any authe...

Page 772: ... GET SMAGENTNAME SM 5FZmjnk3DRNwNjk2KcqVCFbIrNT9 2b J0H0KPshFtg6rB1UV2PxkHqLw 3d 3d TARGET https 3A 2F 2Fwww example com 2Femco 2Fmyemco 2F HTTP 1 1 Host www example com BODY SMENC ISO 8859 1 SMLOCALE US EN USERID Anyuser USER_PASSWORD XXXXXX target https 3A 2F 2Fw ww example com 2Femco 2Fmyemco 2F smauthreason 0 Step 4 Examine the POST request and copy the protocol host and the complete URL to co...

Page 773: ...41hsE49XlKc 1twie0gqnjbhkTkUnR8XWP3hvDH6PZPbHIHtWLDKTa8 ngDB lbYTjIxrbDx8WPWwaG3CxVa3adOxHFR8yjD55GevK3ZF4ujgU1lhO6fta0dSSOSepWvnsCb7IFxCw MGiw0o8 8uHa2t4l SillqfJvcpuXfiIAO06D gtDF40Ow5YKHEl2KhDEvv yQzxwfEz2cl7Ef5iMr8LgGcDK7qvMcvrgUqx68 JQOK2 RSwtHQ15bCZmsDU5vQVCvSQWC8OMHNGwpS253XwRLvd h6S tM0k98QMv i3N8oOdj1V7flBqecH7 kVrU01 F6oFzr0zM1kMyLr5HhlVDh7B0k9wp0dUFZiAzaf43jupD5f6CEkuLeudYW1xgNzsR8eqtPK...

Page 774: ...lyzer output Step 7 In some cases the server may set the same cookie regardless of whether the authentication was successful or not and such a cookie is unacceptable for SSO purposes To confirm that the cookies are different repeat Step 1 through Step 6 using invalid login credentials and then compare the failure cookie with the success cookie You now have the necessary parameter data to configure...

Page 775: ...d in aaa server host configuration mode A URI can be entered on multiple sequential lines The maximum number of characters per line is 255 The maximum number of characters for a complete URI is 2048 An example action URI follows http www example com auth index html appdir authc forms MCOlogin fcc TYPE 33554433 REA LMOID 06 000a1311 a828 1185 ab41 8333b16a0008 GUID SMAUTHREASON 0 METHOD GET SMAGENT...

Page 776: ...NG smauthreason with a value of 0 To specify this hidden parameter enter the following commands hostname config aaa server testgrp1 host example com hostname config aaa server host hidden parameter SMENC ISO 8859 1 SMLOCALE US EN targe hostname config aaa server host hidden parameter t https 3A 2F 2Fwww example com 2Femc hostname config aaa server host hidden parameter o 2Fappdir 2FAreaRoot do 3FE...

Page 777: ...authentication server and assign these users to a group policy on the security appliance Using a RADIUS Server Using a RADIUS server to authenticate users assign users to group policies by following these steps Step 1 Authenticate the user with RADIUS and use the Class attribute to assign that user to a particular group policy Step 2 Set the class attribute to the group policy name in the format O...

Page 778: ... retries and timeout values hic fail group policy Specifies a VPN feature policy if you use the Cisco Secure Desktop Manager to set the Group Based Policy attribute to Use Failure Group Policy or Use Success Group Policy if criteria match override svc downlo ad Overrides downloading the group policy or username attributes configured for downloading the AnyConnect VPN client to the remote user radi...

Page 779: ...r from the HTML for this group policy http comp Configures compression http proxy Configures the security appliance to use an external proxy server to handle HTTP requests keep alive ignore Sets the maximum object size to ignore for updating the session timer port forward Applies a list of clientless SSL VPN TCP ports to forward The user interface displays the applications on this list post max si...

Page 780: ...ion to the drop down menu next to the Address field of the portal page Table 3 shows the changes to the main menu and address field of the portal page when you add the plug ins described in the following sections When the user in a clientless SSL VPN session clicks the associated menu option on the portal page the portal page displays a window to the interface and displays a help pane The user can...

Page 781: ...s the following open source Java based components to be accessed as plug ins for web browsers in clientless SSL VPN sessions rdp plugin jar The Remote Desktop Protocol plug in lets the remote user connect to a computer running Microsoft Terminal Services Cisco redistributes this plug in without any changes to it per the GNU General Public License The web site containing the source of the redistrib...

Page 782: ... remove any import webvpn plug in protocol commands that deviate from these requirements vnc to provide plug in access to Virtual Network Computing services Then specify the path to the vnc plugin jar file in the URL field URL is the remote path to the source of the plug in Enter the host name or address of the TFTP or FTP server and the path to the plug in The following example command adds clien...

Page 783: ...esentation Server Client Plug in The open framework that the security appliance provides lets you add plug ins to support third party Java client server applications As an example of how to provide clientless SSL VPN browser access to plug ins that are not redistributed by Cisco this section describes how to add clientless SSL VPN support for the Citrix Presentation Server Client Caution Cisco doe...

Page 784: ...x Plug in Create and install the Citrix plug in as follows Step 1 Download the ica plugin zip file from the Cisco web site to your workstation This zip file contains files that Cisco customized for use with the Citrix plug in After you import the Citrix plug in into the security appliance and the remote browser downloads it the portal page displays the icon gif image contained in the ica plugin zi...

Page 785: ...nd choose Configuration Clientless SSL VPN Access Portal Bookmarks Step 2 Do one of the following Click Add to create a new list enter the bookmark list name in the Add Bookmark List window and click Add Select a list within which to insert a bookmark and click Edit then click Add in the Edit Bookmark List window Step 3 Choose ica from the drop down list next to URL Value Step 4 Do one of the foll...

Page 786: ...ientless SSL VPN sessions specify the applications to be provided with such access and provide notes on using it Configuring Port Forwarding Configuring Smart Tunnel Access Application Access User Notes Configuring Port Forwarding The following sections describe port forwarding and how to configure it About Port Forwarding Why Port Forwarding Adding Applications to Be Eligible for Port Forwarding ...

Page 787: ...ecutable file You may choose to configure port forwarding because you have built earlier configurations that support this technology Port Forwarding Restrictions The following restrictions apply to port forwarding Port forwarding supports only TCP applications that use static TCP ports Applications that use dynamic ports or multiple TCP ports are not supported For example SecureFTP which uses port...

Page 788: ...number only once for each port forwarding list Enter a port number in the range 1 65535 or port name To avoid conflicts with existing services use a port number greater than 1024 remote_server DNS name or IP address of the remote server for an application We recommend using hostnames so that you do not have to configure the client applications for specific IP addresses If you enter the IP address ...

Page 789: ...To start port forwarding automatically upon user login enter the following command in group policy webvpn configuration mode or username webvpn configuration mode port forward auto start list_name list_name names the port forwarding list already present in the security appliance webvpn configuration You cannot assign more than one port forwarding list to a group policy or username To display the p...

Page 790: ...forward enable list_name disable list_name is the name of the port forwarding list already present in the security appliance webvpn configuration You cannot assign more than one port forwarding list to a group policy or username To view the port forwarding list entries enter the show running config port forward command in privileged EXEC mode To remove the port forward command from the group polic...

Page 791: ... the remote user experience by not requiring the user connection of the local application to the local port Therefore smart tunnels do not require users to have administrator privileges Smart Tunnel Requirements and Restrictions Smart tunnels have the following requirements The remote host originating the smart tunnel connection must be running a 32 bit version of Microsoft Windows 2000 or Microso...

Page 792: ...the application to be granted smart tunnel access To support multiple versions of an application for which you choose to specify different paths or hash values you can use this attribute to differentiate entries specifying both the name and version of the application supported by each list entry The string can be up to 64 characters To change an entry already present in a smart tunnel list enter t...

Page 793: ...e list string but specifying a unique application string and a unique hash value Note You must maintain the smart tunnel list in the future if you enter hash values and you want to support future versions or patches of an application with smart tunnel access A sudden problem with smart tunnel access may be an indication that the application list containing hash values is not up to date with an app...

Page 794: ...configuration mode smart tunnel auto start list list is the name of the smart tunnel list already present in the security appliance webvpn configuration You cannot assign more than smart tunnel list to a group policy or username To view the smart tunnel list entries in the SSL VPN configuration enter the show running config webvpn command in privileged EXEC mode To remove the smart tunnel command ...

Page 795: ...eged EXEC mode To remove the smart tunnel command from the group policy or username and inherit the no smart tunnel command from the default group policy use the no form of the command no smart tunnel The following commands assign the smart tunnel list named apps1 to the group policy hostname config group policy webvpn hostname config group webvpn smart tunnel enable apps1 The following command di...

Page 796: ...ion Access Improperly Reconfiguring a hosts File Automatically Using Clientless SSL VPN Reconfiguring hosts File Manually Understanding the hosts File The hosts file on your local system maps IP addresses to host names When you start Application Access clientless SSL VPN modifies the hosts file adding clientless SSL VPN specific entries Stopping Application Access by properly closing the Applicati...

Page 797: ...VPN If you are able to connect to your remote access server follow these steps to reconfigure the hosts file and reenable both Application Access and the applications Step 1 Start clientless SSL VPN and log in The home page opens Step 2 Click the Applications Access link A Backup HOSTS File Found message appears See Figure 37 5 Figure 37 5 Backup HOSTS File Found Message Step 3 Choose one of the f...

Page 798: ...23 0 0 4 server2 added by WebVpnPortForward 123 0 0 4 server2 example com vpn3000 com added by WebVpnPortForward 123 0 0 5 server3 added by WebVpnPortForward 123 0 0 5 server3 example com vpn3000 com added by WebVpnPortForward Copyright c 1993 1999 Microsoft Corp This is a sample HOSTS file used by Microsoft TCP IP for Windows This file contains the mappings of IP addresses to host names Each entr...

Page 799: ... of servers when the remote user clicks Browse Networks in the menu of the portal page or on the toolbar displayed during the Clientless SSL VPN session The master browser or DNS server provides the CIFS FTP client on the security appliance with a list of the resources on the network which clientless SSL VPN serves to the remote user Note Before configuring file access you must configure the share...

Page 800: ...o 40 characters and equal to one of the valid character sets identified in http www iana org assignments character sets You can use either the name or the alias of a character set listed on that page Examples include iso 8859 1 shift_jis and ibm850 Note The character encoding and file encoding values do not exclude the font family to be used by the browser You need to complement the setting of one...

Page 801: ...bar icon is not included on the main Clientless SSL VPN portal page Upon Clientless SSL VPN logout a warning message provides instructions for closing the PIE browser properly If you do not follow these instructions and you close the browser window in the common way PIE does not disconnect from Clientless SSL VPN or any secure website that uses HTTPS Clientless SSL VPN supports OWA 2000 and OWA 20...

Page 802: ...cifies the previously configured authentication servers to use with e mail proxy authentication server group LOCAL Specifies the previously configured authorization servers to use with Clientless SSL VPN authorization server group None Requires users to authorize successfully to connect authorization required Disabled Identifies the DN of the peer certificate to use as a username for authorization...

Page 803: ... The following sections explain these features Configuring Caching Configuring Content Transformation Configuring Caching Caching enhances Clientless SSL VPN performance It stores frequently reused objects in the system cache which reduces the need to perform repeated rewriting and compressing of content It reduces traffic between Clientless SSL VPN and the remote servers with the result that many...

Page 804: ... using a PKCS12 digital certificate associated with a trustpoint You import and employ the certificate using a combination of the crypto ca import and java trustpoint commands The following example commands show the creation of a trustpoint named mytrustpoint and its assignment to signing Java objects hostname config crypto ca import mytrustpoint pkcs12 mypassphrase Enter the base 64 encoded PKCS1...

Page 805: ...tiple times by using the wildcard as follows hr To configure proxy bypass use the proxy bypass command in webvpn mode Configuring Application Profile Customization Framework An APCF profile for Clientless SSL VPN lets the security appliance handle non standard applications and web resources so that they display correctly over a Clientless SSL VPN connection An APCF profile contains a script that s...

Page 806: ...that specifies the APCF implementation version Currently the only version is 1 0 application application The mandatory tag that wraps the body of the XML description id text id The mandatory tag that describes this particular APCF functionality apcf entities apcf entities The mandatory tag that wraps a single or multiple APCF entities js object js object html object html object process request hea...

Page 807: ...t post webdav http scheme http https other server regexp regular expression containing a z A Z 0 9 _ server fnmatch regular expression containing a z A Z 0 9 _ user agent regexp user agent fnmatch request uri regexp request uri fnmatch If more than one of condition tags are present the security appliance performs a logical AND for all tags action action Wraps one or more actions to perform on the ...

Page 808: ...t describes how to customize the end user interface This section summarizes configuration requirements and tasks for a remote system It specifies information to communicate to users to get them started using Clientless SSL VPN It includes the following topics Defining the End User Interface Customizing Clientless SSL VPN Pages page 37 56 Customizing Help page 37 65 Requiring Usernames and Password...

Page 809: ...Setup Defining the End User Interface The Clientless SSL VPN end user interface consists of a series of HTML panels A user logs on to Clientless SSL VPN by entering the IP address of a security appliance interface in the format https address The first panel that displays is the login screen Figure 37 6 Figure 37 6 Clientless SSL VPN Login Screen ...

Page 810: ...lientless SSL VPN Home Page The home page displays all of the Clientless SSL VPN features you have configured and its appearance reflects the logo text and colors you have selected This sample home page includes all available Clientless SSL VPN features with the exception of identifying specific file shares It lets users browse the network enter URLs access specific websites and use Application Ac...

Page 811: ...s the Go button in the Application Access box The Application Access window opens Figure 37 8 Figure 37 8 Clientless SSL VPN Application Access Window This window displays the TCP applications configured for this Clientless SSL VPN connection To use an application with this panel open the user starts the application in the normal way Note A stateful failover does not retain sessions established us...

Page 812: ...SL VPN Pages You can change the appearance of the portal pages displayed to Clientless SSL VPN users This includes the Login page displayed to users when they connect to the security appliance the Home page displayed to users after the security appliance authenticates them the Application Access window displayed when users launch an application and the Logout page displayed when users logout of Cl...

Page 813: ...how the logon screen appears If the connection profile list is enabled and the user selects a different group and that group has its own customization the screen changes to reflect the customization object for that new group After the remote user is authenticated the screen appearance is determined by whether a customization object that has been assigned to the group policy The following sections ...

Page 814: ...ext language language code zh code text ä å Chinese text language language code ja code text æ æœ Japanese text language language code ru code text РуÑÑкРРRussian text language language code ua code text Ð ÐºÑ Ð Ñ Ð ÑькРUkrainian text language language selector logon form title text l10n yes CDATA Login title text title background color CDATA 666666 title background color title font color ...

Page 815: ...es CDATA SSL VPN Service text logo url l10n yes CSCOU csco_logo gif logo url gradient yes gradient style style background color CDATA ffffff background color font size CDATA larger font size font color CDATA 800000 font color font weight CDATA bold font weight title panel info panel mode disable mode image url l10n yes CSCOU clear gif image url image position above image position text l10n yes tex...

Page 816: ...10n yes CDATA Application Access tab title order 4 order application application mode enable mode id net access id tab title l10n yes AnyConnect tab title order 4 order application application mode enable mode id help id tab title l10n yes Help tab title order 1000000 order application toolbar mode enable mode logout prompt text l10n yes Logout logout prompt text prompt box title l10n yes Address ...

Page 817: ...l these tags are nested within the higher level tag auth page Figure 37 10 Logon Page and Associated XML Tags Figure 37 11 shows the Language Selector drop down list that is available on the Logon page and the XML tags for customizing this feature All these tags are nested within the higher level auth page tag 191904 title panel logo url title panel text front color font weight font gradient style...

Page 818: ...eature This information can appear to the left or right of the login box These tags are nested within the higher level auth page tag Figure 37 12 Information Panel on Logon Screen and Associated XML Tags Figure 37 13 shows the Portal page and the XML tags for customizing this feature These tags are nested within the higher level auth page tag localization default language language selector title l...

Page 819: ...a hidden location in cache memory The following example imports the customization object General xml from the URL 209 165 201 22 customization and names it custom1 hostname import webvpn customization custom1 tftp 209 165 201 22 customization General xml Accessing tftp 209 165 201 22 customization General xml Writing file disk0 csco_config 97 custom1 329994 bytes copied in 5 350 secs 65998 bytes s...

Page 820: ...p webvpn mode and enables the customization cisco for the connection profile cisco_telecommuters hostname config tunnel group cisco_telecommuters webvpn attributes hostname tunnel group webvpn customization cisco Applying Customizations to Groups and Users To apply a customization to a group or user use the customization command from group policy webvpn mode or username webvpn mode In these modes ...

Page 821: ...the file To specify a particular language code copy the language abbreviation from the list of languages rendered by your browser For example a dialog window displays the languages and associated language codes when you use one of the following procedures Open Internet Explorer and choose Tools Internet Options Languages Add Open Mozilla Firefox and choose Tools Options Advanced General click Choo...

Page 822: ...preferred HTML editor to modify the file Note You can use most HTML tags but do not use tags that define the document and its structure e g do not use html title body head h1 h2 etc You can use character tags such as the b tag and the p ol ul and li tags to structure content Step 6 Save the file as HTML only using the original filename and extension Step 7 Make sure the filename matches the one in...

Page 823: ...urce_url is the string in URL of Help File in Flash Memory of the Security Appliance in Table 37 8 destination_url is the target URL Valid prefixes are ftp and tftp The maximum number of characters is 255 The following example command copies the English language help file file access hlp inc displayed on the Browse Networks panel to TFTP Server 209 165 200 225 hostname export webvpn webcontent CSC...

Page 824: ...setting up remote systems to use clientless SSL VPN Starting clientless SSL VPN Using the clientless SSL VPN Floating Toolbar Web Browsing Network Browsing and File Management Using Applications Port Forwarding Using E mail via Port Forwarding Using E mail via Web Access Using E mail via e mail proxy Table 37 10 also provides information about the following Clientless SSL VPN requirements by featu...

Page 825: ...ers supported by clientless SSL VPN We have tested clientless SSL VPN on the following operating systems and browsers however it may work on others Microsoft Windows XP with Internet Explorer 6 0 or 7 0 or Firefox 1 5 or 2 0 Microsoft Windows Vista with Internet Explorer 7 0 or Firefox 2 0 Macintosh OS X with Safari 2 0 or Firefox 2 0 Linux with Firefox 1 5 or 2 0 Cookies enabled on browser Cookie...

Page 826: ... during the clientless SSL VPN session Web Browsing Usernames and passwords for protected websites Using clientless SSL VPN does not ensure that communication with every site is secure See Communicating Security Tips The look and feel of web browsing with clientless SSL VPN might be different from what users are accustomed to For example The title bar for clientless SSL VPN appears above each web ...

Page 827: ...ed file servers Domain workgroup and server names where folders and files reside Users might not be familiar with how to locate their files through your organization network Do not interrupt the Copy File to Server command or navigate to a different screen while the copying is in progress Interrupting the operation can cause an incomplete file to be saved on the server Table 37 10 Remote System Co...

Page 828: ...ear the browser cache and close the browser 2 Verify that no JAVA icons are in the computer task bar Close all instances of JAVA 3 Establish a clientless SSL VPN session and launch the port forwarding JAVA applet Client applications configured if necessary Note The Microsoft Outlook client does not require this configuration step All non Windows client applications require configuration To see if ...

Page 829: ...SL VPN Other mail clients We have tested Microsoft Outlook Express versions 5 5 and 6 0 Clientless SSL VPN should support other SMTPS POP3S or IMAP4S e mail programs via port forwarding such as Netscape Mail Lotus Notes and Eudora but we have not verified them Using E mail via Web Access Web based e mail product installed Supported Outlook Web Access For best results use OWA on Internet Explorer 6...

Page 830: ...guration of the security appliance Because you can customize the logon and logout pages portal page and URL bookmarks for clientless users the security appliance generates the customization and url list translation domain templates dynamically and the template automatically reflects your changes to these functional areas After creating translation tables they are available to customization objects...

Page 831: ...hostname export webvpn translation table customization template tftp 209 165 200 225 portal Step 2 Edit the translation table XML file The following example shows a portion of the template that was exported as portal The end of this output includes a message ID field msgid and a message string field msgstr for the message SSL VPN which is displayed on the portal page when a user establishes a clie...

Page 832: ...e you need to refer to this table in a customization object Steps 4 through 6 describe how to export the customization template edit it and import it as a customization object Step 4 Export a customization template to a URL where you can edit it using the export webvpn customization template command from privileged EXEC mode The example below exports the template and creates the copy sales at the ...

Page 833: ...code es us code text Spanish text language language selector The language selector group of tags includes the mode tag that enables and disables the displaying of the Language Selector and the title tag that specifies the title of the drop down box listing the languages The language group of tags includes the code and text tags that map the language name displayed in the Language Selector drop dow...

Page 834: ...e how to capture and view clientless SSL VPN session data Creating a Capture File Using a Browser to Display Capture Data Note Enabling clientless SSL VPN capture affects the performance of the security appliance Be sure to disable the capture after you generate the capture files needed for troubleshooting Creating a Capture File Perform the following steps to capture data about a clientless SSL V...

Page 835: ...pture capture_name type webvpn user webvpn_username where capture_name is a name you assign to the capture which is also prepended to the name of the capture files webvpn_user is the username to match for capture The capture utility starts Step 2 A user logs in to begin a clientless SSL VPN session The capture utility is capturing packets Stop the capture by using the no version of the command Ste...

Page 836: ...37 80 Cisco Security Appliance Command Line Configuration Guide OL 12172 03 Chapter 37 Configuring Clientless SSL VPN Capturing Data ...

Page 837: ...nnection with the security appliance it connects using Transport Layer Security TLS and optionally Datagram Transport Layer Security DTLS DTLS avoids latency and bandwidth problems associated with some SSL connections and improves the performance of real time applications that are sensitive to packet delays The AnyConnect client can be downloaded from the security appliance or it can be installed ...

Page 838: ...to the security appliance and identifying the file as a client image With multiple clients you must also assign the order that the security appliance downloads the clients to the remote PC Perform the following steps to install the client Step 1 Copy the client image package to the security appliance using the copy command from privileged EXEC mode or using another method In this example the image...

Page 839: ... k9 pkg 1 CISCO STC win2k 2 0 0310 Tue 03 27 2007 4 16 21 09 2 disk0 anyconnect macosx i386 2 0 0310 k9 pkg 2 CISCO STC Darwin_i386 2 0 0 Tue Mar 27 05 09 16 MDT 2007 3 disk0 anyconnect linux 2 0 0310 k9 pkg 3 CISCO STC Linux 2 0 0 Tue Mar 27 04 06 53 MST 2007 3 SSL VPN Client s installed Enabling AnyConnect Client Connections After installing the client enable the security appliance to allow SSL ...

Page 840: ... tunnel group telecommuters and creates the group alias sales_department hostname config tunnel group telecommuters webvpn attributes hostname config tunnel webvpn group alias sales_department enable Step 6 Enable the display of the tunnel group list on the WebVPN Login page from webvpn mode tunnel group list enable First exit to global configuration mode and then enter webvpn mode In the followin...

Page 841: ...g an SSL VPN connection to use two simultaneous tunnels an SSL tunnel and a DTLS tunnel Using DTLS avoids latency and bandwidth problems associated with SSL connections and improves the performance of real time applications that are sensitive to packet delays By default DTLS is enabled when SSL VPN access is enabled on an interface If you disable DTLS SSL VPN connections connect with an SSL VPN tu...

Page 842: ...mer then notices excessive loss and re establishment of the DTLS channel This might also be perceived as poor performance of the tunnel To correct this problem do the following steps Step 1 Enable the client DTLS DPD and configure it to be twice the interval of the firewall idle timer For example set this value to 2 minutes when using the default setting with the third party firewall 40 seconds Th...

Page 843: ...ecurity appliance to prompt the user to download the client or go to the WebVPN portal page and wait 10 seconds for a response before downloading the client hostname config group webvpn svc ask enable default svc timeout 10 Enabling AnyConnect Client Profile Downloads An AnyConnect client profile is a group of configuration parameters stored in an XML file that the client uses to configure the con...

Page 844: ...s HostProfile Configuration The HostProfile tags are frequently edited so that the AnyConnect client displays the names and addresses of host computers for remote users The following example shows the HostName and HostAddress tags with the name and address of a host computer inserted HostProfile HostName Sales_gateway HostName HostAddress 209 165 200 225 HostAddress HostProfile Step 3 Load the pro...

Page 845: ...008 bytes free hostname config webvpn Step 4 Enter group policy webvpn or username attributes webvpn configuration mode and specify a profile for the group or user with the svc profiles command no svc profiles value profile none In the following example the user follows the svc profiles value command with a question mark view the available profiles Then the user configures the group policy to use ...

Page 846: ...n of the profiles file for each operating system see Table 38 1 on page 38 8 Step 3 Edit the profiles file to specify that SBL is enabled The example below shows the relevant portion of the profiles file AnyConnectProfile tmpl for Windows Configuration ClientInitialization UseStartBeforeLogon false UseStartBeforeLogon ClientInitialization The UseStartBeforeLogon tag determines whether the client u...

Page 847: ...translation tables for the AnyConnect domain Step 1 Export a translation table template to a computer with the export webvpn translation table command from privileged EXEC mode In the following example the show webvpn translation table command shows available translation table templates and tables hostname show import webvpn translation table Translation Tables Templates customization AnyConnect C...

Page 848: ...AgentIfc cpp 22 msgid Connected msgstr The msgid contains the default translation The msgstr that follows msgid provides the translation To create a translation enter the translated text between the quotes of the msgstr string For example to translate the message Connected with a Spanish translation insert the Spanish text between the quotes msgid Connected msgstr Conectado Be sure to save the fil...

Page 849: ... that the client establishes a new tunnel during rekey method none disables rekey method ssl specifies that SSL renegotiation takes place during rekey time minutes specifies the number of minutes from the start of the session or from the last rekey until the rekey takes place from 1 to 10080 1 week In the following example the client is configured to renegotiate with SSL during rekey which takes p...

Page 850: ...policy svc dpd interval gateway 30 hostname config group policy svc dpd interval client 10 Enabling Keepalive You can adjust the frequency of keepalive messages to ensure that an SSL VPN connection through a proxy firewall or NAT device remains open even if the device limits the time that the connection can be idle Adjusting the frequency also ensures that the client does not disconnect and reconn...

Page 851: ...anging Compression for Groups and Users To change compression for a specific group or user use the svc compression command in the group policy and username webvpn modes svc compression deflate none no svc compression deflate none By default for groups and users SSL compression is set to deflate enabled To remove the svc compression command from the configuration and cause the value to be inherited...

Page 852: ...Port 54230 Bytes Tx 20178 Bytes Rx 8662 Pkts Tx 27 Pkts Rx 19 Client Ver Cisco STC 1 1 0 117 Client Type Mozilla 4 0 compatible MSIE 6 0 Windows NT 5 0 Q312461 Group DfltGrpPolicy Login Time 14 32 03 UTC Wed Mar 20 2007 Duration 0h 00m 04s Filter Name Logging Off SVC Sessions To log off all SSL VPN sessions use the vpn sessiondb logoff svc command in global configuration mode vpn sessiondb logoff ...

Page 853: ...ommand hostname vpn sessiondb logoff name tester Do you want to logoff the VPN session s confirm INFO Number of sessions with name mkrupp logged off 0 hostname Updating SSL VPN Client Images You can update the client images on the security appliance at any time using the following procedure Step 1 Copy the new client images to the security appliance using the copy command from privileged EXEC mode...

Page 854: ...38 18 Cisco Security Appliance Command Line Configuration Guide OL 12172 03 Chapter 38 Configuring AnyConnect VPN Client Connections Configuring Advanced SSL VPN Features ...

Page 855: ... 39 16 Public Key Cryptography This section includes the following topics About Public Key Cryptography page 39 1 Certificate Scalability page 39 2 About Key Pairs page 39 2 About Trustpoints page 39 3 About CRLs page 39 3 Supported CA Servers page 39 5 About Public Key Cryptography Digital signatures enabled by public key cryptography provide a means to authenticate devices and users In public ke...

Page 856: ...forming some public key cryptography Each peer sends its unique certificate which was issued by the CA This process works because each certificate encapsulates the public key for the associated peer and each certificate is authenticated by the CA and all participating peers recognize the CA as an authenticating authority This is called IKE with an RSA signature The peer can continue sending its ce...

Page 857: ...n CAs periodically issue a signed list of revoked certificates Enabling revocation checking forces the security appliance to check that the CA has not revoked a certificate every time it uses that certificate for authentication When you enable revocation checking during the PKI certificate validation process the security appliance checks certificate revocation status It can use either CRL checking...

Page 858: ...r a Trustpoint section on page 39 13 About OCSP Online Certificate Status Protocol provides the security appliance with a means of determining whether a certificate that is within its valid time range has been revoked by its issuing CA OCSP configuration is a part of the configuration of a trustpoint OCSP localizes certificate status on a Validation Authority an OCSP server also called the respond...

Page 859: ...nder certificate validating trustpoint while configuring revocation check ocsp for the client certificate Supported CA Servers The security appliance supports the following CA servers Cisco IOS CS Baltimore Technologies Entrust Microsoft Certificate Services Netscape CMS RSA Keon VeriSign Certificate Configuration This section describes how to configure the security appliance with certificates and...

Page 860: ...Key Pairs page 39 6 Removing Key Pairs page 39 7 Generating Key Pairs Key pairs are RSA keys as discussed in the About Key Pairs section on page 39 2 You must generate key pairs for the types of certification you want to use To generate key pairs perform the following steps Step 1 Generate the types of key pairs needed for your PKI implementation To do so perform the following steps as applicable ...

Page 861: ...ng Trustpoints For information about trustpoints see the About Trustpoints section on page 39 3 To configure a trustpoint perform the following steps Step 1 Create a trustpoint corresponding to the CA from which the security appliance needs to receive its certificate hostname contexta config crypto ca trustpoint trustpoint For example to declare a trustpoint called Main hostname contexta config cr...

Page 862: ...enrollment asks the CA to include the specified email address in the Subject Alternative Name extension of the certificate enrollment retry period Optional Specifies a retry period in minutes This characteristic only applies if you are using SCEP enrollment enrollment retry count Optional Specifies a maximum number of permitted retries This characteristic only applies if you are using SCEP enrollm...

Page 863: ...ith SCEP and with manual enrollment which lets you paste a base 64 encoded certificate directly into the terminal For site to site VPNs you must enroll each security appliance For remote access VPNs you must enroll each security appliance and each remote access VPN client This section includes the following topics Obtaining Certificates with SCEP page 39 9 Obtaining Certificates Manually page 39 1...

Page 864: ...fully qualified domain name of the security appliance including the case of the characters a warning appears If needed you can exit the enrollment process make any necessary corrections and enter the crypto ca enroll command again The following enrollment example performs enrollment with the trustpoint named Main hostname config crypto ca enroll Main Start certificate enrollment Create a challenge...

Page 865: ...rpose exclusively Note Whether a trustpoint requires that you manually obtain certificates is determined by the use of the enrollment terminal command when you configure the trustpoint see the Configuring Trustpoints section on page 39 7 To obtain certificates manually perform the following steps Step 1 Obtain a base 64 encoded CA certificate from the CA represented by the trustpoint Step 2 Import...

Page 866: ...m the CA use the crypto ca import certificate command The security appliance prompts you to paste the certificate to the terminal in base 64 format Note If you use separate RSA key pairs for signing and encryption perform this step for each certificate separately The security appliance determines automatically whether the certificate is for the signing or encryption key pair The order in which you...

Page 867: ...ration if you want to start over enter this command and restart this procedure Step 4 Configure the retrieval policy with the policy command The following keywords for this command determine the policy cdp CRLs are retrieved only from the CRL distribution points specified in authenticated certificates Note SCEP retrieval is not supported by distribution points specified in certificates static CRLs...

Page 868: ...ault of 389 For example the following command configures the security appliance to retrieve CRLs from an LDAP server whose hostname is ldap1 hostname contexta config ca crl ldap defaults ldap1 Note If you use a hostname rather than an IP address to specify the LDAP server be sure you have configured the security appliance to use DNS For information about configuring DNS see the dns commands in the...

Page 869: ...For example if an exported trustpoint used an RSA key labeled Default RSA Key creating trustpoint named Main by importing the PKCS12 creates a key pair named Main not Default RSA Key Note If a security appliance has trustpoints that share the same CA only one of the trustpoints sharing the CA can be used to validate user certificates The crypto ca import pkcs12 command can create this situation Us...

Page 870: ...owing example specifies that within the Subject field an Organizational Unit attribute must exactly match the string Engineering hostname config ca cert map subject name attr ou eq Engineering hostname config ca cert map Map rules appear in the output of the show running config command crypto ca certificate map 1 issuer name co asc subject name attr ou eq Engineering Step 3 When you have finished ...

Page 871: ... CA server on the security appliance and includes the following topics The Default Local CA Server page 39 17 Customizing the Local CA Server page 39 19 Certificate Characteristics page 39 20 The Default Local CA Server The default Local CA server requires only a few configuration commands to set up with the following characteristics Once you use the crypto ca server command to access config ca se...

Page 872: ...u enable the Local CA initially Be sure to review all optional parameters carefully before you enable the configured Local CA Table 39 1 Local CA Local CA Server Default Characteristics Local CA Server Characteristic Default Value CLI Configuration Command s Storage Location for database and configuration On board flash memory in the directory LOCAL CA SERVER mount global config mode database path...

Page 873: ... various parameters of the Local CA server on the security appliance Typically to configure a customized Local CA server on a security appliance you would perform the following steps Step 1 Enter the crypto ca server command to access the Local CA Server Configuration mode CLI command set which allows you to configure and manage a Local CA An example follows hostname config crypto ca server hostna...

Page 874: ...hostname config ca server subject name default cn engineer o ABC Systems c US hostname config ca server Note that there are additional Local CA server commands that allow you to customize your server further These commands are described in the following sections Certificate Characteristics Configurable Local CA certificate characteristics include the following The name of the certificate issuer as...

Page 875: ...e Local CA certificate after expiration of the current Local CA certificate The pre expiration Syslog message ASA 1 717049 Local CA Server certificate is due to expire in days days and a replace ment certificate is available for export Note When notified of this automatic rollover the administrator must take action to ensure the new Local CA certificate is imported to all necessary devices prior t...

Page 876: ...ollowing example hostname config crypto ca server hostname config ca server keysize server 2048 hostname config ca server For both the keysize command and the keysize server command key pair size options are 512 768 1024 2048 bits and both commands have default values of 1024 bits Note The Local CA keysize cannot be changed once the Local CA is enabled without deleting the Local CA and reconfiguri...

Page 877: ...al CA server database hostname config crypto ca server hostname config ca server database path mydata newuser hostname config ca server Note Only the user who mounts a file system can un mount it with the no mount command CRL Storage The Certificate Revocation List CRL exists for other devices to validate the revocation of certificates issued by the Local CA In addition the Local CA tracks all iss...

Page 878: ...ple the CDP URL could be configured to be http 10 10 10 100 user8 my_crl_file In this case only the interface with that IP address configured listens for CRL requests and when a request comes in the security appliance matches the path user8 my_crl_file to the configured CDP URL When the path matches the security appliance returns the CRL file stored in storage Note that the protocol must be http s...

Page 879: ... to retrieve the file a second or subsequent times as needed When the time period expires the file is removed from storage automatically and is no longer available for downloading Setting Up Enrollment Parameters For a secure enrollment process the Local CA automatically generates one time passwords OTPs which are e mailed to enrolling users at the e mail address the administrator configures OTPs ...

Page 880: ...umber of hours an already enrolled user can retrieve a PKCS12 enrollment file with the enrollment retrieval command This time period begins when the user is successfully enrolled This command modifies the default 24 hours retrieval period to any value between one and 720 hours Note that enrollment retrieval period is independent of the OTP expiration period The following example sets the retrieval...

Page 881: ...the initial startup you can issue no shutdown and shutdown commands that enable and disable the Local CA without being prompted for the passphrase Note Once you enable the Local CA Server be sure to save the configuration to ensure that the Local CA certificate and keypair are not lost after a reboot At initial startup you are prompted for the passphrase in the CLI as illustrated in the example th...

Page 882: ...r during shutdown and then restart it with the no shutdown command To disable the Local CA server on a security appliance perform the following asa1 config ca server asa1 config ca server shutdown INFO Local CA Server has been shutdown asa1 config ca server Managing the Local CA User Database The Local CA server keeps track of user certificates so the administrator can revoke or restore privileges...

Page 883: ...tname config ca server crypto ca server user db allow user6 hostname config ca server Step 3 Notify a user in the Local CA database to enroll and download a user certificate with the crypto ca server user db email otp command which automatically e mails the one time password to that user hostname config hostname config ca server crypto ca server user db email otp username hostname config ca server...

Page 884: ...hostname config crypto ca server hostname config ca server renewal reminder 7 hostname config ca server There are three reminders in all and an automatic e mail goes out to the certificate owner for each of the three reminders provided an e mail address is specified in the user database If no e mail address exists for the user a syslog message alerts you of the renewal requirement The security app...

Page 885: ...ertificates issued by the Local CA use the show crypto ca server cert db command in Privileged EXEC mode The following is a sample show crypto ca server cert db command display showing just two of the user certificates in the database Command Display show crypto ca server Local CA configuration and status show crypto ca server cert db User certificate s show crypto ca server certificate Local CA c...

Page 886: ...ted as an import into other devices that need the local CA certificate A sample display follows The base64 encoded local CA certificate follows MIIXlwIBAzCCF1EGCSqGSIb3DQEHAaCCF0IEghc MIIXOjCCFzYGCSqGSIb3DQEHBqCCFycwghcjAgEAMIIXHAY JKoZIhvcNAQcBMBsGCiqGSIb3DQEMAQMwDQQIjph4SxJoyTgCAQGAghbw3v4bFy GGG2dJnB4OLphsUM IG3SDO iDwZG9n1SvtMieoxd7Hxknxbum06JDrujWKtHBIqkrm td34qlNE1iGeP2YC94 NQ2z 4kS uZzwcRhl...

Page 887: ...hout a certificate and not currently allowed to enroll The following example shows the resulting display edited for the entire database with no qualifiers hostname config show crypto ca server user db username wilma24 email wilma24 xxrown com dn CN mycn OU Sales O ASC com L Franklin ST Mass C US allowed 12 29 08 UTC Sun Jan 6 2008 notified 1 username wilma98 email wilma98 xxrown com dn CN mycn OU ...

Page 888: ...abase information is saved from the security appliance to mydata newuser every time you save the security appliance configuration Note For flash memory database storage the user information is saved automatically to the default location for the start up configuration Maintaining the Local CA Certificate Database The certificate database file LOCAL CA SERVER cdb is to be saved anytime there is a ch...

Page 889: ...ys both the current and the rollover certificates This command shows information about the rollover certificate when available including the thumbprint of the rollover certificate for verification of the new certificate during import on other devices Archiving the Local CA Server Certificate and Keypair For backup purposes you can use FTP or TFTP to copy the Local CA Server certificate and keypair...

Page 890: ...39 36 Cisco Security Appliance Command Line Configuration Guide OL 12172 03 Chapter 39 Configuring Certificates The Local CA ...

Page 891: ...P A R T 4 System Administration ...

Page 892: ......

Page 893: ...configure management access according to the sections in this chapter Allowing Telnet Access The security appliance allows Telnet connections to the security appliance for management purposes You cannot use Telnet to the lowest security interface unless you use Telnet inside an IPSec tunnel The security appliance allows a maximum of 5 concurrent Telnet connections per context if available with a m...

Page 894: ...s per context if available with a maximum of 100 connections divided between all contexts SSH is an application running on top of a reliable transport layer such as TCP IP that provides strong authentication and encryption capabilities The security appliance supports the SSH remote shell functionality provided in SSH Versions 1 and 2 and supports DES and 3DES ciphers Note XML management over SSL a...

Page 895: ... the security appliance on the inside interface the following command hostname config ssh 192 168 3 0 255 255 255 0 inside By default SSH allows both version one and version two To specify the version number enter the following command hostname config ssh version version_number The version_number can be 1 or 2 Using an SSH Client To gain access to the security appliance console using SSH at the SS...

Page 896: ... default the port is 443 If you change the port number be sure to include the new port in the ASDM access URL For example if you change it to port 444 enter https 10 1 1 1 444 Step 3 To specify the location of the ASDM image enter the following command hostname config asdm image disk0 asdmfile For example to enable the HTTPS server and let a host on the inside interface with an address of 192 168 ...

Page 897: ...pport This section includes the following topics Configuring Authentication for CLI and ASDM Access page 40 5 Configuring Authentication To Access Privileged EXEC Mode the enable Command page 40 6 Limiting User CLI and ASDM Access with Management Authorization page 40 7 Configuring Command Authorization page 40 8 Configuring Command Accounting page 40 17 Viewing the Current Logged In User page 40 ...

Page 898: ...ot give any indication which method is being used You can alternatively use the local database as your main method of authentication with no fallback by entering LOCAL alone Configuring Authentication To Access Privileged EXEC Mode the enable Command You can configure the security appliance to authenticate users with a AAA server or the local database when they enter the enable command Alternative...

Page 899: ...Command Authorization section on page 40 10 for more information Caution If you add users to the local database who can gain access to the CLI and whom you do not want to enter privileged EXEC mode you should configure command authorization Without command authorization users can access privileged EXEC mode and all commands at the CLI using their own password if their privilege level is 2 or great...

Page 900: ...e shell and the server responds with PASS or FAIL PASS privilege level 1 Allows full access to any services specified by the aaa authentication console commands PASS privilege level 2 and higher Allows access to the CLI when you configure the aaa authentication telnet ssh console command but denies ASDM configuration access if you configure the aaa authentication http console command ASDM monitori...

Page 901: ...evel n These levels are not used unless you turn on local command authorization see Configuring Local Command Authorization below See the Cisco Security Appliance Command Reference for more information about enable TACACS server privilege levels On the TACACS server configure the commands that a user or group can use after they authenticate for CLI access Every command that a user enters at the CL...

Page 902: ...onfiguring Local Command Authorization Local command authorization lets you assign commands to one of 16 privilege levels 0 to 15 By default each command is assigned either to privilege level 0 or 15 You can define each user to be at a specific privilege level and each user can enter any command at their privilege level or below The security appliance supports user privilege levels defined in the ...

Page 903: ...e sure to move the configure command to that level as well otherwise the user will not be able to enter configuration mode To view all privilege levels see the Viewing Command Privilege Levels section on page 40 13 Assigning Privilege Levels to Commands and Enabling Authorization To assign a command to a new privilege level and enable authorization follow these steps Step 1 To assign a command to ...

Page 904: ...h can be checked against the privilege level of users in the local database RADIUS server or LDAP server with mapped attributes enter the following command hostname config aaa authorization command LOCAL When you set command privilege levels command authorization does not take place unless you configure command authorization with this command For example the filter command has the following forms ...

Page 905: ...ig all privilege all privilege show level 15 command aaa privilege clear level 15 command aaa privilege configure level 15 command aaa privilege show level 15 command aaa server privilege clear level 15 command aaa server privilege configure level 15 command aaa server privilege show level 15 command access group privilege clear level 15 command access group privilege configure level 15 command ac...

Page 906: ...Configuring Local Command Authorization section on page 40 10 Configure enable authentication see the Configuring Authentication To Access Privileged EXEC Mode the enable Command section on page 40 6 Configuring Commands on the TACACS Server You can configure commands on a Cisco Secure Access Control Server ACS TACACS server as a shared profile component for a group or for individual users For thi...

Page 907: ...unmatched arguments even if there are no arguments for the command for example enable or help see Figure 40 2 Figure 40 2 Permitting Single Word Commands To disallow some arguments enter the arguments preceded by deny For example to allow enable but not enable password enter enable in the commands box and deny password in the arguments box Be sure to select the Permit Unmatched Args check box so t...

Page 908: ... you enter them For example if you enter sh log then the security appliance sends the entire command to the TACACS server show logging However if you enter sh log mess then the security appliance sends show logging mess to the TACACS server and not the expanded command show logging message You can configure multiple spellings of the same argument to anticipate abbreviations see Figure 40 4 Figure ...

Page 909: ...Command Authorization section on page 40 8 and command privilege levels see the Configuring Local Command Authorization section on page 40 10 Configuring Command Accounting You can send accounting messages to the TACACS accounting server when you enter any command other than show commands at the CLI If you customize the command privilege level using the privilege command see the Assigning Privileg...

Page 910: ...evels 2 to 15 P_CONF Configuration mode Table 40 2 CLI Authentication and Command Authorization Lockout Scenarios Feature Lockout Condition Description Workaround Single Mode Workaround Multiple Mode Local CLI authentication No users in the local database If you have no users in the local database you cannot log in and you cannot add any users Log in and reset the passwords and aaa commands Sessio...

Page 911: ...ne precede each line by the banner command For example to add a message of the day banner enter hostname config banner motd Welcome to hostname hostname config banner motd Contact me at admin example com for any hostname config banner motd issues TACACS command authorization You are logged in as a user without enough privileges or as a user that does not exist You enable command authorization but ...

Page 912: ...40 20 Cisco Security Appliance Command Line Configuration Guide OL 12172 03 Chapter 40 Managing System Access Configuring a Login Banner ...

Page 913: ...page 41 8 Configuring Auto Update Support page 41 19 Managing Licenses When you install the software the existing activation key is extracted from the original image and stored in a file in the security appliance file system Obtaining an Activation Key To obtain an activation key you will need a Product Authorization Key which you can purchase from your Cisco account representative After obtaining...

Page 914: ... multiple context mode enter this command in the system execution space Before entering the activation key ensure that the image in Flash memory and the running image are the same You can do this by rebooting the security appliance before entering the new activation key Note The activation key is not stored in your configuration file The key is tied to the serial number of the device You must rebo...

Page 915: ...files with the same name but with different letter case in the same directory in Flash memory For example if you attempt to dowload the file Config cfg to a location that contains the file config cfg you recieve the error Error opening disk0 Config cfg File exists This section includes the following topics Downloading a File to a Specific Location page 41 3 Downloading a File to the Startup or Run...

Page 916: ...name To copy from an HTTP or HTTPS server enter the following command hostname copy http s user password server port path filename flash disk0 disk1 path filename To use secure copy first enable SSH then enter the following command hostname ssh scopy enable Then from a Linux client enter the following command scp v pw password filename username asa_address The v is for verbose and if pw is not spe...

Page 917: ...of none exists there then in external Flash memory If you have more than one image you should specify the image you want to boot In the case of the ASDM image if you do not specify the image to boot even if you have only one image installed then the security appliance inserts the asdm image command into the running configuration To avoid problems with Auto Update if configured and to avoid the ima...

Page 918: ...on the software running on each unit and still maintain failover support To ensure long term compatibility and stability we recommend upgrading both units to the same version as soon as possible Table 41 1 shows the supported scenarios for performing zero downtime upgrades on a failover pair For more details about upgrading the software on a failover pair refer to the following topics Upgrading an...

Page 919: ... newstandby reload Step 5 When the new standby unit has finished reloading and is in the Standby Ready state return the original active unit to active status by entering the following command newstandby failover active Upgrading and Active Active Failover Configuration To upgrade two units in an Active Active failover configuration perform the following steps Step 1 Download the new software to bo...

Page 920: ...ration or Multiple Mode System Configuration page 41 8 Backing Up a Context Configuration in Flash Memory page 41 9 Backing Up a Context Configuration within a Context page 41 9 Copying the Configuration from the Terminal Display page 41 9 Backing up the Single Mode Configuration or Multiple Mode System Configuration In single context mode or from the system configuration in multiple mode you can ...

Page 921: ...Context In multiple context mode from within a context you can perform the following backups To copy the running configuration to the startup configuration server connected to the admin context enter the following command hostname contexta copy running config startup config To copy the running configuration to a TFTP server connected to the context network enter the following command hostname cont...

Page 922: ...he CSD configuration XML files and the DAP configuration XML file For security reasons we do not recommend that you perform automated backups of digital keys and certificates or the Local CA key This section provides instructions for doing so and includes a sample script that you can use as is or modify as your environment requires The sample script is specific to a Linux system To use it for a Mi...

Page 923: ...ularly useful if you want to restore only one or two files Sample Script usr bin perl Function Backup restore configuration extensions to from a TFTP server Description The objective of this script is to show how to back up configurations extensions before the backup restore command is developed It currently backs up the running configuration all extensions imported via import webvpn command the C...

Page 924: ...d enable prompt date date F chop date my exp new Expect getopts h u p w e s r options do process_options do login exp do enable exp if restore do restore exp restore_file else restore_file prompt restore date cli open OUT restore_file or die Can t open restore_file n do running_config exp do lang_trans exp do customization exp do plugin exp do url_list exp do webcontent exp do dap exp do csd exp c...

Page 925: ...ut waiting for prompt n sub lang_trans obj shift obj clear_accum obj send show import webvpn translation table n obj expect 15 prompt output obj before items split n output for items s s s s next if show import or Translation Tables next unless s lang transtable split s _ cli export webvpn translation table transtable language lang storage prompt date transtable lang po ocli cli ocli s export impo...

Page 926: ...bj shift obj clear_accum obj send show import webvpn customization n obj expect 15 prompt output obj before items split n output for items chop next if Template or show import or s cli export webvpn customization _ storage prompt date cust _ xml ocli cli ocli s export import print cli n print OUT ocli n obj send cli n obj expect 15 prompt sub plugin obj shift obj clear_accum obj send show import w...

Page 927: ...int cli n print OUT ocli n obj send cli n obj expect 15 prompt sub url_list obj shift obj clear_accum obj send show import webvpn url list n obj expect 15 prompt output obj before items split n output for items chop next if Template or show import or s or No bookmarks cli export webvpn url list _ storage prompt date urllist _ xml ocli cli ocli s export import print cli n print OUT ocli n obj send ...

Page 928: ...n print OUT ocli n obj send cli n obj expect 15 prompt sub csd obj shift obj clear_accum obj send dir sdesktop n obj expect 15 prompt output obj before return 0 if output Error cli copy noconfirm sdesktop data xml storage prompt date data xml ocli copy noconfirm storage prompt date data xml disk0 sdesktop data xml print cli n print OUT ocli n obj send cli n obj expect 15 prompt sub webcontent obj ...

Page 929: ...t webvpn webcontent url storage prompt date turl ocli cli ocli s export import print cli n print OUT ocli n obj send cli n obj expect 15 prompt sub login obj shift obj raw_pty 1 obj log_stdout 0 turn off console logging obj spawn usr bin ssh user asa or die can t spawn ssh n unless obj expect 15 password die timeout waiting for password n obj send password n unless obj expect 15 prompt die timeout...

Page 930: ...output open IN file or die can t open file n while IN obj send _ obj expect 15 prompt output obj before print output n close IN sub process_options if defined options s tstr options s storage tftp tstr else print Enter TFTP host name or IP address chop tstr storage tftp tstr if defined options h asa options h else print Enter ASA host name or IP address chop asa if defined options u user options u...

Page 931: ...if defined options p prompt options p else print Enter ASA prompt chop prompt if defined options e enable options e else print Enter enable password chop enable if defined options r restore 1 restore_file options r Configuring Auto Update Support Auto Update is a protocol specification that allows an Auto Update server to download configurations and software images to many security appliances and ...

Page 932: ...n when logging in to the server If you use the write terminal show configuration or show tech support commands to view the configuration the user and password are replaced with The default port is 80 for HTTP and 443 for HTTPS The source interface argument specifies which interface to use when sending requests to the AUS If you specify the same interface specified by the management access command ...

Page 933: ... start time The range is from 1 to 1439 minutes retry_count specifies how many times to try reconnecting to the Auto Update Server if the first attempt fails The default is 0 retry_period specifies how long to wait between connection attempts The default is 5 minutes The range is from 1 and 35791 minutes Step 5 Optional If the Auto Update Server has not been contacted for a certain period of time ...

Page 934: ...client uses to identify itself It can be asa pix or a text string with a maximum length of 7 characters rev nums rev nums specifies the software or firmware images for this client Enter up to 4 in any order separated by commas type type specifies the type of clients to notify of a client update Because this command is also used to update Windows clients the list of clients includes several Windows...

Page 935: ...te Status To view the Auto Update status enter the following command hostname config show auto update The following is sample output from the show auto update command hostname config show auto update Server https 209 165 200 224 1742 management cgi 1276 Certificate will be verified Poll period 720 minutes retry count 2 retry period 5 minutes Timeout none Device ID host name corporate Next poll in ...

Page 936: ...41 24 Cisco Security Appliance Command Line Configuration Guide OL 12172 03 Chapter 41 Managing Software Licenses and Configurations Configuring Auto Update Support ...

Page 937: ...ess but does not support SNMP write access You can configure the adaptive security appliance to send traps event notifications to an NMS or you can use the NMS to browse the MIBs on the adaptive security appliance MIBs are a collection of definitions and the adaptive security appliance maintains a database of values for each definition Browsing a MIB entails issuing an SNMP get request from the NM...

Page 938: ...ifTable ifXTable RFC1213 MIB The adaptive security appliance supports browsing of the following table ip ipAddrTable SNMPv2 MIB The adaptive security appliance supports browsing the following snmp ENTITY MIB The adaptive security appliance supports browsing of the following groups and tables entPhysicalTable entLogicalTable The adaptive security appliance supports browsing of the following traps c...

Page 939: ...trap or poll if you want to limit the NMS to receiving traps only or browsing polling only By default the NMS can use both functions SNMP traps are sent on UDP port 162 by default You can change the port number using the udp port keyword Step 3 To specify the community string enter the following command hostname config snmp server community key Cisco Firewall MIB The adaptive security appliance su...

Page 940: ...lt configuration has all SNMP traps enabled snmp server enable traps snmp authentication linkup linkdown coldstart You can disable these traps using the no form of this command with the snmp keyword However use the clear configure snmp server command to restore the default enabling of SNMP traps If you enter this command and do not specify a trap type then the default is the syslog trap The defaul...

Page 941: ... or change the severity level of a system log message Specify one or more locations where system log messages should be sent including an internal buffer one or more syslog servers ASDM an SNMP management station specified e mail addresses or to Telnet and SSH sessions Configure and manage system log messages in groups such as by severity level or class of message Specify what happens to the conte...

Page 942: ...ration page 42 6 Enabling Logging to All Configured Output Destinations The following command enables logging however you must also specify at least one output destination so that you can view or save the logged messages If you do not specify an output destination the adaptive security appliance does not save system log messages generated when events occur For more information about configuring lo...

Page 943: ...e the records to another file for reporting or track statistics using a site specific script To view logs generated by the adaptive security appliance you must specify a log output destination If you enable logging without specifying a log output destination the adaptive security appliance generates messages but does not save them to a location from which you can view them The syslog server must r...

Page 944: ...page 42 24 For example if you set the level to 3 then the adaptive security appliance sends system log messages for level 3 2 1 and 0 The message_list argument specifies a customized message list that identifies the system log messages to send to the syslog server For information about creating custom message lists see the Filtering System Log Messages with Custom Message Lists section on page 42 ...

Page 945: ...notify administrators of system log messages with high severity levels such as critical alert and emergency Note To start logging to an e mail address you define in this procedure be sure to enable logging for all output locations See the Enabling Logging to All Configured Output Destinations section on page 42 6 To disable logging see the Disabling Logging to All Configured Output Destinations se...

Page 946: ...aptive security appliance sets aside a buffer area for system log messages waiting to be sent to ASDM and saves messages in the buffer as they occur The ASDM log buffer is a different buffer than the internal log buffer For information about the internal log buffer see the Sending System Log Messages to the Log Buffer section on page 42 13 When the ASDM log buffer is full the adaptive security app...

Page 947: ...ns in the ASDM log buffer The following example shows how to set the ASDM log buffer size to 200 system log messages hostname config logging asdm buffer size 200 Configuring Secure Logging Note You must use TCP only Secure logging does not support UDP an error occurs if you try to use this protocol To enable secure logging enter the following command hostname config logging host interface_name sys...

Page 948: ...r SSH sessions enter the following command hostname config logging monitor severity_level message_list Where the severity_level argument specifies the severity levels of messages to be sent to the session You can specify the severity level number 0 through 7 or name For severity level names see the Severity Levels section on page 42 24 For example if you set the level to 3 then the security applia...

Page 949: ...ut Destinations section on page 42 6 To disable logging see the Disabling Logging to All Configured Output Destinations section on page 42 6 To enable the log buffer as a log output destination enter the following command hostname config logging buffered severity_level message_list Where the severity_level argument specifies the severity levels of messages to be sent to the buffer You can specify ...

Page 950: ...nt to another location the adaptive security appliance creates log files with names that use a default time stamp format as follows LOG YYYY MM DD HHMMSS TXT where YYYY is the year MM is the month DD is the day of the month and HHMMSS is the time in hours minutes and seconds While the adaptive security appliance writes the log buffer contents to internal Flash memory or an FTP server the adaptive ...

Page 951: ...e config logging savelog latest logfile txt Clearing the Contents of the Log Buffer To erase the contents of the log buffer enter the following command hostname config clear logging buffer Filtering System Log Messages This section describes how to specify which system log messages should go to output destinations and includes the following topics Message Filtering Overview page 42 15 Filtering Sy...

Page 952: ...em log messages with a single command You can use system log message classes in two ways Issue the logging class command to specify an output location for an entire category of system log messages Create a message list using the logging list command that specifies the message class See the Filtering System Log Messages with Custom Message Lists section on page 42 18 for this method All system log ...

Page 953: ...ty level of 1 alerts should be sent to the internal logging buffer hostname config logging class ha buffered alerts Table 42 2 lists the system log message classes and the ranges of system log message IDs associated with each class Table 42 2 System Log Message Classes and Associated Message ID Numbers Class Definition System Log Message ID Numbers ha High Availability Failover 101 102 103 104 210...

Page 954: ...pecifies the name of the list Do not use the names of severity levels as the name of a system log message list Prohibited names include emergencies alert critical error warning notification informational and debugging Similarly do not use the first three characters of these words at the beginning of a file name For example do not use a filename that starts with the characters err The level level a...

Page 955: ...em Log Messages page 42 20 Generating System Log Messages in EMBLEM Format page 42 21 Disabling a System Log Message page 42 21 Changing the Severity Level of a System Log Message page 42 22 Changing the Amount of Internal Flash Memory Available for Logs page 42 23 Configuring the Logging Queue The adaptive security appliance has a fixed number of blocks in memory that can be allocated for bufferi...

Page 956: ...text use the name of the admin context as the device ID The hostname keyword specifies that the hostname of the adaptive security appliance should be used as the device ID The ipaddress interface_name argument specifies that the IP address of the interface specified as interface_name should be used as the device ID If you use the ipaddress keyword the device ID becomes the specified adaptive secur...

Page 957: ...slog server The adaptive security appliance can send system log messages using either the UDP or TCP protocol however you can enable the EMBLEM format only for messages sent over UDP The default protocol and port are UDP and 514 For example hostname config logging host interface_1 122 243 006 123 udp format emblem For more information about syslog servers see the Sending System Log Messages to a S...

Page 958: ...message message_ID To see a list of system log messages with modified severity levels enter the following command hostname config show logging message To reset the severity level of all modified system log messages back to their defaults enter the following command hostname config clear configure logging level The following example shows the use of the logging message command to control both wheth...

Page 959: ...e no files to delete or if after all old files are deleted free memory would still be below the limit the adaptive security appliance fails to save the new log file To modify the settings for the amount of internal Flash memory available for logs perform the following steps Step 1 To specify the maximum amount of internal Flash memory available for saving log files enter the following command host...

Page 960: ...ompatibility with the UNIX system log feature but is not used by the adaptive security appliance PIX ASA Identifies the system log message facility code for messages generated by the security appliance This value is always PIX ASA Level 1 7 The level reflects the severity of the condition described by the system log message The lower the number the more severe the condition See Table 42 3 for more...

Page 961: ... allow hosts on one interface to ping through to hosts on another interface We recommend that you only enable pinging and debug messages during troubleshooting When you are done testing the security appliance follow the steps in Disabling the Test Configuration section on page 43 5 This section includes the following topics Enabling ICMP Debug Messages and System Log Messages page 43 1 Pinging Sec...

Page 962: ...tbound ICMP echo request len 32 id 1 seq 768 209 165 201 2 209 165 201 1 Inbound ICMP echo reply len 32 id 1 seq 768 209 165 201 1 209 165 201 2 Outbound ICMP echo request len 32 id 1 seq 1024 209 165 201 2 209 165 201 1 Inbound ICMP echo reply len 32 id 1 seq 1024 209 165 201 1 209 165 201 2 This example shows the ICMP packet length 32 bytes the ICMP packet identifier 1 and the ICMP sequence numb...

Page 963: ... If the ping reaches the security appliance and the security appliance responds debug messages similar to the following appear ICMP echo reply len 32 id 1 seq 256 209 165 201 1 209 165 201 2 ICMP echo request len 32 id 1 seq 512 209 165 201 2 209 165 201 1 If the ping reply does not return to the router then a switch loop or redundant IP addresses may exist see Figure 43 3 Routed Security Applianc...

Page 964: ... through the security appliance For routed mode this test shows that NAT is operating correctly if configured For transparent mode which does not use NAT this test confirms that the security appliance is operating correctly If the ping fails in transparent mode contact Cisco TAC To ping between hosts on different interfaces perform the following steps Step 1 To add an access list allowing ICMP fro...

Page 965: ... In this case a system log message appears showing that the NAT failed 305005 or 305006 If the ping is from an outside host to an inside host and you do not have a static translation required with NAT control the following system log message appears 106010 deny inbound icmp Note The security appliance only shows ICMP debug messages for pings to the security appliance interfaces and not for pings t...

Page 966: ...th the CLI commands that caused the rule addition Show a time line of packet changes in a data path Inject tracer packets into the data path The packet tracer command provides detailed information about the packets and how they are processed by the security appliance If a command from the configuration did not cause the packet to drop the packet tracer command will provide information about the ca...

Page 967: ...configuration register value and asks whether you want to change it Current Configuration Register 0x00000041 Configuration Summary boot default image from Flash ignore system configuration Do you wish to change this configuration y n n y Step 6 Record the current configuration register value so you can restore it later Step 7 At the prompt enter Y to change the value The adaptive security applian...

Page 968: ...structions go to the following URL http www cisco com en US products hw vpndevc ps2030 products_password_recovery09186a0080 09478b shtml Step 2 Connect to the security appliance console port according to the instructions in Accessing the Command Line Interface section on page 2 4 Step 3 Power off the security appliance and then power it on Step 4 Immediately after the startup messages appear press...

Page 969: ...OMMON mode the security appliance prompts the user to erase all Flash file systems The user cannot enter ROMMON mode without first performing this erasure If a user chooses not to erase the Flash file system the security appliance reloads Because password recovery depends on using ROMMON mode and maintaining the existing configuration this erasure prevents you from recovering a password However di...

Page 970: ...here 1 is the specified slot number on the SSM hardware module Note On the AIP SSM entering this command reboots the hardware module The module is offline until the rebooting is finished Enter the show module command to monitor the module status The AIP SSM supports this command in version 6 0 and later On the CSC SSM entering this command resets web services on the hardware module after the passw...

Page 971: ...rver by entering the ping server command rommon 7 ping server Sending 20 100 byte ICMP Echoes to server 10 129 0 30 timeout is 4 seconds Success rate is 100 percent 20 20 Step 7 Load the software image by entering the tftp command rommon 8 tftp ROMMON Variable Settings ADDRESS 10 132 44 177 SERVER 10 129 0 30 GATEWAY 10 132 44 1 PORT Ethernet0 0 VLAN untagged IMAGE f1 asa800 232 k8 bin CONFIG LINK...

Page 972: ...is section includes the following topics Viewing Debug Messages page 43 12 Capturing Packets page 43 12 Viewing the Crash Dump page 43 13 Viewing Debug Messages Because debugging output is assigned high priority in the CPU process it can render the system unusable For this reason use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco TAC Moreover it...

Page 973: ... Symptom You cannot make a Telnet or SSH connection to the security appliance interface Possible Cause You did not enable Telnet or SSH to the security appliance Recommended Action Enable Telnet or SSH to the security appliance according to the instructions in Allowing Telnet Access section on page 40 1 or the Allowing SSH Access section on page 40 2 Symptom You cannot ping the security appliance ...

Page 974: ...Traffic does not pass between two interfaces on the same security level Possible Cause You did not enable the feature that allows traffic to pass between interfaces at the same security level Recommended Action Enable this feature according to the instructions in Allowing Communication Between Interfaces on the Same Security Level section on page 7 7 ...

Page 975: ...P A R T 5 Reference ...

Page 976: ......

Page 977: ...d Feature Licenses This software version supports the following platforms see the associated tables for the feature support for each model ASA 5505 Table A 1 ASA 5510 Table A 2 ASA 5520 Table A 3 ASA 5540 Table A 4 ASA 5550 Table A 5 PIX 515 515E Table A 6 PIX 525 Table A 7 PIX 535 Table A 8 Note Items that are in italics are separate optional licenses that you can replace the base license You can...

Page 978: ...pport VPN Sessions2 2 Although the maximum IPSec and WebVPN sessions add up to more than the maximum VPN sessions the combined sessions should not exceed the VPN session limit If you exceed the maximum VPN sessions you can overload the security appliance so be sure to size your network appropriately 10 combined IPSec and WebVPN 25 combined IPSec and WebVPN Max IPSec Sessions 10 25 Max WebVPN Sessi...

Page 979: ...pliance so be sure to size your network appropriately 250 combined IPSec and WebVPN 250 combined IPSec and WebVPN Max IPSec Sessions 250 250 Max WebVPN Sessions 2 Optional Licenses 2 Optional Licenses 10 25 50 100 250 10 25 50 100 250 VPN Load Balancing No support No support TLS Proxy for SIP and Skinny Inspection Supported Supported Failover None Active Standby or Active Active GTP GPRS No suppor...

Page 980: ... you exceed the maximum VPN sessions you can overload the security appliance so be sure to size your network appropriately 750 combined IPSec and WebVPN Max IPSec Sessions 750 Max WebVPN Sessions 2 Optional Licenses 10 25 50 100 250 500 750 VPN Load Balancing Supported TLS Proxy for SIP and Skinny Inspection Supported Failover Active Standby or Active Active GTP GPRS None Optional license Enabled ...

Page 981: ...u exceed the maximum VPN sessions you can overload the security appliance so be sure to size your network appropriately 5000 combined IPSec and WebVPN Max IPSec Sessions 5000 Max WebVPN Sessions 2 Optional Licenses 10 25 50 100 250 500 750 1000 2500 VPN Load Balancing Supported TLS Proxy for SIP and Skinny Inspection Supported Failover Active Standby or Active Active GTP GPRS None Optional license...

Page 982: ... the maximum VPN sessions you can overload the security appliance so be sure to size your network appropriately 5000 combined IPSec and WebVPN Max IPSec Sessions 5000 Max WebVPN Sessions 2 Optional Licenses 10 25 50 100 250 500 750 1000 2500 5000 VPN Load Balancing Supported TLS Proxy for SIP and Skinny Inspection Supported Failover Active Standby or Active Active GTP GPRS None Optional license En...

Page 983: ...ort VPN Load Balancing No support No support No support No support TLS Proxy for SIP and Skinny Inspection No support No support No support No support Failover No support Active Standby Active Active Active Standby Active Standby Active Active GTP GPRS None Optional license Enabled None Optional license Enabled None Optional license Enabled None Optional license Enabled Max VLANs 10 25 25 25 Concu...

Page 984: ...o support VPN Load Balancing No support No support No support No support TLS Proxy for SIP and Skinny Inspection No support No support No support No support Failover No support Active Standby Active Active Active Standby Active Standby Active Active GTP GPRS None Optional license Enabled None Optional license Enabled None Optional license Enabled None Optional license Enabled Max VLANs 25 100 100 ...

Page 985: ... support VPN Load Balancing No support No support No support No support TLS Proxy for SIP and Skinny Inspection No support No support No support No support Failover No support Active Standby Active Active Active Standby Active Standby Active Active GTP GPRS None Optional license Enabled None Optional license Enabled None Optional license Enabled None Optional license Enabled Max VLANs 50 150 150 1...

Page 986: ...atform SSM Models ASA 5505 No support ASA 5510 AIP SSM 10 AIP SSM 20 CSC SSM 10 CSC SSM 20 4GE SSM ASA 5520 AIP SSM 10 AIP SSM 20 CSC SSM 10 CSC SSM 20 4GE SSM ASA 5540 AIP SSM 10 AIP SSM 20 CSC SSM 101 CSC SSM 201 4GE SSM 1 The CSC SSM licenses support up to 1000 users while the Cisco ASA 5540 Series appliance can support significantly more users If you deploy CSC SSM with an ASA 5540 adaptive se...

Page 987: ... Cisco SSL VPN client Version 1 1 or higher Software IPSec VPN clients Cisco VPN client for Windows Version 3 6 or higher Cisco VPN client for Linux Version 3 6 or higher Cisco VPN client for Solaris Version 3 6 or higher Cisco VPN client for Mac OS X Version 3 6 or higher Hardware IPSec VPN clients Cisco Easy VPN remote Cisco VPN 3002 hardware client Version 3 0 or higher Cisco IOS Software Easy ...

Page 988: ...c private key pairs 512 bits to 4096 bits DSA public private key pairs 512 bits to 1024 bits Symmetric encryption algorithms AES 128 192 and 256 bits DES 56 bits 3DES 168 bits RC4 40 56 64 and 128 bits Perfect forward secrecy Diffie Hellman key negotiation Group 1 768 bits Group 2 1024 bits Group 5 1536 bits Group 7 163 bits Elliptic Curve Diffie Hellman Hash algorithms MD5 128 bits SHA 1 160 bits...

Page 989: ...age B 26 Example 11 LAN Based Active Standby Failover Transparent Mode page B 28 Example 12 LAN Based Active Active Failover Transparent Mode page B 30 Example 13 Dual ISP Support Using Static Route Tracking page B 33 Example 14 ASA 5505 Base License page B 34 Example 15 ASA 5505 Security Plus License with Failover and Dual ISP Backup page B 36 Example 1 Multiple Mode Firewall With Outside Access ...

Page 990: ...stem Configuration You must first enable multiple context mode using the mode multiple command The mode is not stored in the configuration file even though it endures reboots Enter the show mode command to view the current mode hostname Farscape password passw0rd enable password chr1cht0n mac address auto customerA outside 209 165 201 3 customerB outside 209 165 201 4 customerC outside 209 165 201...

Page 991: ...onns 20000 class silver limit resource rate conns 1000 limit resource conns 10000 class bronze limit resource rate conns 500 limit resource conns 5000 context admin allocate interface gigabitethernet 0 0 3 allocate interface gigabitethernet 0 1 4 config url disk0 admin cfg member default context customerA description This is the context for customer A allocate interface gigabitethernet 0 0 3 alloc...

Page 992: ...s to the Websense server in Customer C so it needs a static translation for use in Customer C s access list static inside outside 209 165 201 30 10 1 1 75 netmask 255 255 255 255 Example 1 Customer A Context Configuration interface gigabitethernet 0 0 3 nameif outside security level 0 ip address 209 165 201 3 255 255 255 224 no shutdown interface gigabitethernet 0 1 5 nameif inside security level ...

Page 993: ... 4 1 255 255 255 0 no shutdown interface gigabitethernet 0 1 8 nameif dmz security level 50 ip address 192 168 2 1 255 255 255 0 no shutdown passwd fl0wer enable password treeh0u e route outside 0 0 209 165 201 1 1 url server dmz vendor websense host 192 168 2 2 url block block 50 url cache dst 128 filter url http 10 1 4 0 255 255 255 0 0 0 When inside users access an HTTP server the security appl...

Page 994: ...to the security appliance the host uses a VPN connection The security appliance uses RIP on the inside interfaces to learn routes The security appliance does not advertise routes with RIP the upstream router needs to use static routes for security appliance traffic see Figure B 2 The Department networks are allowed to access the Internet and use PAT Figure B 2 Example 2 passwd g00fba11 enable pass...

Page 995: ...agement host can access the server static dmz outside 209 165 201 5 192 168 2 2 netmask 255 255 255 255 access list MANAGE remark Allows the management host to access the syslog server access list MANAGE extended permit tcp host 209 165 200 225 host 209 165 201 5 eq telnet access group MANAGE in interface outside Advertises the security appliance IP address as the default gateway for the downstrea...

Page 996: ...shared across all departments These servers are placed on a shared interface see Figure B 3 Department 1 has a web server that outside users who are authenticated by the AAA server can access Figure B 3 Example 3 See the following sections for the configurations for this scenario Example 3 System Configuration page B 9 Example 3 Admin Context Configuration page B 9 Shared Network Admin Context Dep...

Page 997: ...ernet 0 1 shutdown interface gigabitethernet 0 1 201 vlan 201 no shutdown interface gigabitethernet 0 1 202 vlan 202 no shutdown interface gigabitethernet 0 1 300 vlan 300 no shutdown context admin allocate interface gigabitethernet 0 0 200 allocate interface gigabitethernet 0 1 201 allocate interface gigabitethernet 0 1 300 config url disk0 admin cfg context department1 allocate interface gigabit...

Page 998: ...ide to exit shared interface access list SHARED remark but allows the admin host to access any server access list SHARED extended permit ip host 10 1 1 78 any access list SHARED extended permit tcp host 10 1 1 30 host 10 1 1 7 eq smtp Note that the translated addresses are used access group SHARED out interface shared Allows 10 1 0 15 to access the admin context using Telnet From the admin context...

Page 999: ...t tcp host 10 1 1 32 eq smtp host 10 1 1 7 eq smtp access list MAIL extended permit tcp host 10 1 1 33 eq smtp host 10 1 1 7 eq smtp access list MAIL extended permit tcp host 10 1 1 34 eq smtp host 10 1 1 7 eq smtp access list MAIL extended permit tcp host 10 1 1 35 eq smtp host 10 1 1 7 eq smtp access list MAIL extended permit tcp host 10 1 1 36 eq smtp host 10 1 1 7 eq smtp access list MAIL exte...

Page 1000: ... sent to the syslog server on the Shared network logging host shared 10 1 1 8 logging enable Example 4 Multiple Mode Transparent Firewall with Outside Access This configuration creates three security contexts plus the admin context Each context allows OSPF traffic to pass between the inside and outside routers see Figure B 4 Inside hosts can access the Internet through the outside but no outside h...

Page 1001: ...u must first enable multiple context mode using the mode multiple command The mode is not stored in the configuration file even though it endures reboots Enter the show mode command to view the current mode firewall transparent hostname Farscape password passw0rd enable password chr1cht0n asdm image disk0 asdm bin boot system disk0 image bin admin context admin interface gigabitethernet 0 0 10 1 n...

Page 1002: ...ernet 0 0 150 allocate interface gigabitethernet 0 1 4 allocate interface management 0 0 config url disk0 admin cfg context customerA description This is the context for customer A allocate interface gigabitethernet 0 0 151 allocate interface gigabitethernet 0 1 5 config url disk0 contexta cfg context customerB description This is the context for customer B allocate interface gigabitethernet 0 0 1...

Page 1003: ...ustomer A Context Configuration interface gigabitethernet 0 0 151 nameif outside security level 0 no shutdown interface gigabitethernet 0 1 5 nameif inside security level 100 no shutdown passwd hell0 enable password enter55 ip address 10 1 2 1 255 255 255 0 route outside 0 0 10 1 2 2 1 access list OSPF remark Allows OSPF access list OSPF extended permit 89 any any access group OSPF in interface ou...

Page 1004: ... TLS1 to provide a secure connection between remote users and specific supported internal resources that you configure at a central site The security appliance recognizes connections that need to be proxied and the HTTP server interacts with the authentication subsystem to authenticate users Step 1 Configure the security appliance for clientless SSL VPN webvpn WebVPN sessions are allowed on the ou...

Page 1005: ...t can be enforced per user or per group policy port forward Apps1 4001 10 148 1 81 telnet term servr port forward Apps1 4008 router1 example com ssh port forward Apps1 10143 flask example com imap4 port forward Apps1 10110 flask example com pop3 port forward Apps1 10025 flask example com smtp port forward Apps1 11533 sametime im example com 1533 port forward Apps1 10022 secure term example com ssh...

Page 1006: ... dmz161 default group policy DfltGrpPolicy Example 6 IPv6 Configuration This sample configuration shows several features of IPv6 support on the security appliance Each interface is configured with both IPv6 and IPv4 addresses The IPv6 default route is set with the ipv6 route command An IPv6 access list is applied to the outside interface The enforcement of Modified EUI64 format interface identifie...

Page 1007: ... 2001 400 1 1 100 64 ospf mtu ignore auto no shutdown access list allow extended permit icmp any any ssh 10 140 10 75 255 255 255 255 inside logging enable logging buffered debugging ipv6 enforce eui64 inside ipv6 route outside 2001 400 6 1 64 2001 400 3 1 1 ipv6 route outside 0 2001 400 3 1 1 ipv6 access list outacl permit icmp6 2001 400 2 1 64 2001 400 1 1 64 ipv6 access list outacl permit tcp 2...

Page 1008: ... the typical commands in a cable based failover configuration enable password myenablepassword passwd mypassword hostname pixfirewall asdm image flash asdm bin boot system flash image bin interface Ethernet0 nameif outside security level 0 speed 100 duplex full ip address 209 165 201 1 255 255 255 224 standby 209 165 201 2 no shutdown interface Ethernet1 nameif inside security level 100 speed 100 ...

Page 1009: ... Example 8 LAN Based Active Standby Failover Routed Mode Figure B 7 shows the network diagram for a failover configuration using an Ethernet failover link The units are configured to detect unit failures and to fail over in under a second see the failover polltime unit command in the primary unit configuration Figure B 7 LAN Based Failover Configuration See the following sections for the configura...

Page 1010: ...ance only failover polltime unit msec 200 holdtime msec 800 failover key key1 failover link state Ethernet3 failover interface ip failover 192 168 254 1 255 255 255 0 standby 192 168 254 2 failover interface ip state 192 168 253 1 255 255 255 0 standby 192 168 253 2 global outside 1 209 165 201 3 netmask 255 255 255 224 nat inside 1 0 0 0 0 0 0 0 0 static inside outside 209 165 201 5 192 168 2 5 n...

Page 1011: ...mary ctx1 Context Configuration page B 25 Example 9 Primary System Configuration You must first enable multiple context mode using the mode multiple command The mode is not stored in the configuration file even though it endures reboots Enter the show mode command to view the current mode hostname ciscopix enable password farscape password crichton asdm image flash asdm bin 126669 Internet Switch ...

Page 1012: ...over link folink Ethernet0 failover interface ip folink 10 0 4 1 255 255 255 0 standby 10 0 4 11 failover group 1 primary preempt failover group 2 secondary preempt admin context admin context admin description admin allocate interface Ethernet1 allocate interface Ethernet2 config url flash admin cfg join failover group 1 context ctx1 description context 1 allocate interface Ethernet3 allocate int...

Page 1013: ... any any access group 201 in interface outside logging enable logging console informational monitor interface inside monitor interface outside route outside 0 0 0 0 0 0 0 0 192 168 10 71 1 Example 9 Secondary Unit Configuration You only need to configure the secondary security appliance to recognize the failover link The secondary security appliance obtains the context configurations from the prim...

Page 1014: ...parent firewall failover configuration enable password myenablepassword passwd mypassword hostname pixfirewall asdm image flash asdm bin boot system flash image bin firewall transparent interface Ethernet0 speed 100 duplex full nameif outside security level 0 no shutdown interface Ethernet1 speed 100 duplex full nameif inside security level 100 no shutdown interface Ethernet3 description STATE Fai...

Page 1015: ...igurations Example 10 Cable Based Active Standby Failover Transparent Mode ip address 209 165 201 1 255 255 255 0 standby 209 165 201 2 failover failover link state Ethernet3 failover interface ip state 192 168 253 1 255 255 255 0 standby 192 168 253 2 route outside 0 0 0 0 0 0 0 0 209 165 201 4 1 ...

Page 1016: ...ode LAN Based Failover Configuration See the following sections for the configurations for this scenario Example 8 Primary Unit Configuration page B 21 Example 8 Secondary Unit Configuration page B 22 Example 11 Primary Unit Configuration firewall transparent hostname pixfirewall enable password myenablepassword password mypassword interface Ethernet0 nameif outside no shutdown interface Ethernet1...

Page 1017: ...ilover lan enable command is required on the PIX security appliance only failover polltime unit msec 200 holdtime msec 800 failover key key1 failover link state Ethernet3 failover interface ip failover 192 168 254 1 255 255 255 0 standby 192 168 254 2 failover interface ip state 192 168 253 1 255 255 255 0 standby 192 168 253 2 access group acl_out in interface outside route outside 0 0 0 0 0 0 0 ...

Page 1018: ...this scenario Example 9 Primary Unit Configuration Example 9 Secondary Unit Configuration Example 12 Primary Unit Configuration See the following sections for the primary unit configuration Example 9 Primary System Configuration page B 23 Example 9 Primary admin Context Configuration page B 24 Example 9 Primary ctx1 Context Configuration page B 25 153890 Internet Switch Switch Outside 192 168 10 1...

Page 1019: ... Ethernet2 no shutdown interface Ethernet3 no shutdown interface Ethernet4 no shutdown interface Ethernet5 no shutdown interface Ethernet6 no shutdown interface Ethernet7 no shutdown interface Ethernet8 no shutdown interface Ethernet9 no shutdown failover failover lan unit primary failover lan interface folink Ethernet0 failover link folink Ethernet0 failover interface ip folink 10 0 4 1 255 255 2...

Page 1020: ...d permit ip any any access group 201 in interface outside logging enable logging console informational ip address 192 168 10 31 255 255 255 0 standby 192 168 10 32 monitor interface inside monitor interface outside route outside 0 0 0 0 0 0 0 0 192 168 10 1 1 Example 12 Secondary Unit Configuration You only need to configure the secondary security appliance to recognize the failover link The secon...

Page 1021: ...asdm image disk0 asdm bin boot system disk0 image bin interface gigabitethernet 0 0 nameif outside security level 0 ip address 10 1 1 2 255 255 255 0 no shutdown interface gigabitethernet 0 1 description backup isp link nameif backupisp security level 100 ip address 172 16 2 2 255 255 255 0 no shutdown sla monitor 123 type echo protocol ipIcmpEcho 10 2 1 2 interface outside num packets 3 timeout 1...

Page 1022: ...ng DHCP the inside and home VLANs use interface PAT when accessing the Internet Figure B 13 Example 13 passwd g00fba11 enable password gen1u hostname Buster asdm image disk0 asdm bin boot system disk0 image bin interface vlan 2 nameif outside security level 0 ip address dhcp setroute no shutdown interface vlan 1 nameif inside security level 100 ip address 192 168 1 1 255 255 255 0 no shutdown inte...

Page 1023: ...ription PoE for IP phone2 switchport access vlan 1 no shutdown nat inside 1 0 0 nat home 1 0 0 global outside 1 interface The previous NAT statements match all addresses on inside and home so you need to also perform NAT when hosts access the inside or home networks as well as the outside Or you can exempt hosts from NAT for inside home traffic as effected by the following access list natexmpt ins...

Page 1024: ...B 14 Example 15 See the following sections for the configurations for this scenario Example 15 Primary Unit Configuration Example 15 Secondary Unit Configuration Example 15 Primary Unit Configuration passwd g00fba11 enable password gen1u ASA 5505 with Security Plus License Failover ASA 5505 VLAN 4 Backup ISP VLAN 2 Primary ISP VLAN 3 DMZ VLAN 5 Failover Link Host Printer Host Web Server 192 168 2 ...

Page 1025: ...hernet 0 1 switchport access vlan 4 no shutdown interface ethernet 0 2 switchport access vlan 1 no shutdown interface ethernet 0 3 switchport access vlan 3 no shutdown interface ethernet 0 4 switchport access vlan 5 no shutdown failover failover lan unit primary failover lan interface faillink vlan5 failover lan faillink vlan5 failover polltime unit 3 holdtime 10 failover key key1 failover interfa...

Page 1026: ... http 192 168 1 0 255 255 255 0 inside dhcpd address 192 168 1 2 192 168 1 254 inside dhcpd auto_config outside dhcpd enable inside logging asdm informational ssh 192 168 1 0 255 255 255 0 inside Example 15 Secondary Unit Configuration You only need to configure the secondary security appliance to recognize the failover link The secondary security appliance obtains the context configurations from ...

Page 1027: ... Files page C 6 Note The CLI uses similar syntax and other conventions to the Cisco IOS CLI but the security appliance operating system is not a version of Cisco IOS software Do not assume that a Cisco IOS CLI command works with or has the same function on the security appliance Firewall Mode and Security Context Mode The security appliance runs in a combination of the following modes Transparent ...

Page 1028: ...arguments can be any of the following and in any order hostname domain context priority state asa config prompt hostname context priority state When you are within a context the prompt begins with the hostname followed by the context name hostname context The prompt changes depending on the access mode User EXEC mode User EXEC mode lets you see minimum security appliance settings The user EXEC mod...

Page 1029: ...ommands with the show history command or individually with the up arrow or p command Once you have examined a previously entered command you can move forward in the list with the down arrow or n command When you reach a command you wish to reuse you can edit it or press the Enter key to start it You can also delete the word to the left of the cursor with w or erase the line with u The security app...

Page 1030: ...ring you must press Ctrl V before typing the question mark so you do not inadvertently invoke CLI help Filtering show Command Output You can use the vertical bar with any show command and include a filter option and filtering expression The filtering is performed by matching each output line with a regular expression similar to Cisco IOS software By selecting different filter options you can inclu...

Page 1031: ...to completion The pager command lets you choose the number of lines to display before the More prompt appears When paging is enabled the following prompt appears More The More prompt uses syntax similar to the UNIX more command To view another screen press the Space bar To view the next line press the Enter key To return to the command line press the q key Table C 2 Using Special Characters in Reg...

Page 1032: ... C 6 Automatic Text Entries page C 7 Line Order page C 7 Commands Not Included in the Text Configuration page C 7 Passwords page C 7 Multiple Security Context Files page C 7 How Commands Correspond with Lines in the Text File The text configuration file includes lines that correspond with the commands described in this guide In examples commands are preceded by a CLI prompt The prompt in the follo...

Page 1033: ...iguration For example the encrypted form of the password cisco might look like jMorNbK0514fadBh You can copy the configuration passwords to another security appliance in their encrypted form but you cannot unencrypt the passwords yourself If you enter an unencrypted password in a text file the security appliance does not automatically encrypt them when you copy the configuration to the security ap...

Page 1034: ...C 8 Cisco Security Appliance Command Line Configuration Guide OL 12172 03 Appendix C Using the Command Line Interface Text Configuration Files ...

Page 1035: ...s The first part of an IP address identifies the network on which the host resides while the second part identifies the particular host on the given network The network number field is called the network prefix All hosts on a given network share the same network prefix but must have a unique host number In classful IP the class of the address determines the boundary between the network prefix and ...

Page 1036: ...asking is easy to understand if you use binary notation instead of dotted decimal The bits in the subnet mask have a one to one correspondence with the Internet address The bits are set to 1 if the corresponding bit in the IP address is part of the extended network prefix The bits are set to 0 if the bit is part of the host number Example 1 If you have the Class B address 129 10 0 0 and you want t...

Page 1037: ... of host addresses starting with 0 For example the 8 host subnets 29 of 192 168 0 x are as follows Table D 1 Hosts Bits and Dotted Decimal Masks Hosts1 1 The first and last number of a subnet are reserved except for 32 which identifies a single host Bits Mask Dotted Decimal Mask 16 777 216 8 255 0 0 0 Class A Network 65 536 16 255 255 0 0 Class B Network 32 768 17 255 255 128 0 16 384 18 255 255 1...

Page 1038: ...number of host addresses you want For example 65 536 divided by 4096 hosts equals 16 Therefore there are 16 subnets of 4096 addresses each in a Class B size network Step 2 Determine the multiple of the third octet value by dividing 256 the number of values for the third octet by the number of subnets In this example 256 16 16 The third octet falls on a multiple of 16 starting with 0 Therefore the ...

Page 1039: ...8 0800 200C 417A Note The hexadecimal letters in IPv6 addresses are not case sensitive It is not necessary to include the leading zeros in an individual field of the address But each field must contain at least one digit So the example address 2001 0DB8 0000 0000 0008 0800 200C 417A can be shortened to 2001 0DB8 0 0 8 800 200C 417A by removing the leading zeros from the third through sixth fields ...

Page 1040: ... is delivered to the interface identified by that address An interface may have more than one unicast address assigned to it Multicast A multicast address is an identifier for a set of interfaces A packet sent to a multicast address is delivered to all addresses identified by that address Anycast An anycast address is an identifier for a set of interfaces Unlike a multicast address a packet sent t...

Page 1041: ...l interfaces are required to have at least one link local address You can configure multiple IPv6 addresses per interfaces but only one link local address A link local address is an IPv6 unicast address that can be automatically configured on any interface using the link local prefix FE80 10 and the interface identifier in modified EUI 64 format Link local addresses are used in the neighbor discov...

Page 1042: ...erface identifier may be used on multiple interfaces of a single node as long as those interfaces are attached to different subnets For all unicast addresses except those that start with the binary 000 the interface identifier is required to be 64 bits long and to be constructed in the Modified EUI 64 format The Modified EUI 64 format is created from the 48 bit MAC address by inverting the univers...

Page 1043: ...ts Note There are no broadcast addresses in IPv6 IPv6 multicast addresses are used instead of broadcast addresses Anycast Address The IPv6 anycast address is a unicast address that is assigned to more than one interface typically belonging to different nodes A packet that is routed to an anycast address is routed to the nearest interface having that address the nearness being determined by the rou...

Page 1044: ...ct as a router The All Routers multicast addresses IPv6 Address Prefixes An IPv6 address prefix in the format ipv6 prefix prefix length can be used to represent bit wise contiguous blocks of the entire address space The IPv6 prefix must be in the form documented in RFC 2373 where the address is specified in hexadecimal using 16 bit values between colons The prefix length is a decimal value that in...

Page 1045: ...hentication Header for IPv6 RFC 1826 eigrp 88 Enhanced Interior Gateway Routing Protocol esp 50 Encapsulated Security Payload for IPv6 RFC 1827 gre 47 Generic Routing Encapsulation icmp 1 Internet Control Message Protocol RFC 792 icmp6 58 Internet Control Message Protocol for IPv6 RFC 2463 igmp 2 Internet Group Management Protocol RFC 1112 igrp 9 Interior Gateway Routing Protocol ip 0 Internet Pro...

Page 1046: ... UDP 512 Used by mail system to notify users that new mail is received bootpc UDP 68 Bootstrap Protocol Client bootps UDP 67 Bootstrap Protocol Server chargen TCP 19 Character Generator citrix ica TCP 1494 Citrix Independent Computing Architecture ICA protocol cmd TCP 514 Similar to exec except that cmd has automatic authentication ctiqbe TCP 2748 Computer Telephony Interface Quick Buffer Encoding...

Page 1047: ...otocol ntp UDP 123 Network Time Protocol pcanywhere status UDP 5632 pcAnywhere status pcanywhere data TCP 5631 pcAnywhere data pim auto rp TCP UDP 496 Protocol Independent Multicast reverse path flooding dense mode pop2 TCP 109 Post Office Protocol Version 2 pop3 TCP 110 Post Office Protocol Version 3 pptp TCP 1723 Point to Point Tunneling Protocol radius UDP 1645 Remote Authentication Dial In Use...

Page 1048: ...l Access Controller Access Control System Plus talk TCP UDP 517 Talk telnet TCP 23 RFC 854 Telnet tftp UDP 69 Trivial File Transfer Protocol time UDP 37 Time uucp TCP 540 UNIX to UNIX Copy Program who UDP 513 Who whois TCP 43 Who Is www TCP 80 World Wide Web xdmcp UDP 177 X Display Manager Control Protocol Table D 5 Port Literal Values continued Literal TCP or UDP Value Description Table D 6 Proto...

Page 1049: ...P address 224 0 0 9 SNMP UDP 161 Configurable SSH TCP 22 Stateful Update 105 N A Telnet TCP 23 VPN Load Balancing UDP 9023 Configurable VPN Individual User Authentication Proxy UDP 1645 1646 Port accessible only over VPN tunnel Table D 6 Protocols and Ports Opened by Features and Services continued Feature or Service Protocol Port Number Comments Table D 7 ICMP Types ICMP Number ICMP Name 0 echo r...

Page 1050: ...rity Appliance Command Line Configuration Guide OL 12172 03 Appendix D Addresses Protocols and Ports ICMP Types 18 mask reply 31 conversion error 32 mobile redirect Table D 7 ICMP Types continued ICMP Number ICMP Name ...

Page 1051: ...ns and Attributes Configuring an External LDAP Server Configuring an External RADIUS Server Selecting LDAP RADIUS or Local Authentication and Authorization To help you decide which authentication or authorization method is right for your platform this section describes the LDAP and RADIUS support provided with the security appliance ASA PIX and the VPN 3000 platforms LDAP Authentication Supported ...

Page 1052: ...zation is the aggregate of the DAP access attributes and the group policy inheritance hierarchy The security appliance applies attributes in the following order 1 Dynamic Access Policy attributes Take precedence over all others 2 User attributes The AAA server returns these after successful user authentication or authorization 3 Group policy attributes These attributes come from the group policy a...

Page 1053: ...missions and their respective values for each user who will be authorize use of the server In summary to set up your LDAP server Design your security appliance LDAP authorization schema based on the hierarchical set up of your organization Define the security appliance authorization schema Load the schema on the LDAP server Define permissions for each user on the LDAP server The specific steps of ...

Page 1054: ...search is quicker but a subtree search is more extensive Naming Attribute s defines the RDN that uniquely identifies an entry in the LDAP server Common naming attributes are cn Common Name and ui user identification Figure E 1 shows a possible LDAP hierarchy for Example Corporation Given this hierarchy you could define your search in different ways Table E 1 shows two possible search configuration...

Page 1055: ...User Authorization The class has the object identifier OID 1 2 840 113556 1 8000 795 1 1 Every entry or user in the directory is an object of this class Some LDAP servers for example the Microsoft Active Directory LDAP server do not allow you to reuse the class OID once you have defined it Use the next incremental OID For example if you incorrectly defined the class name as Usr Authorization with ...

Page 1056: ... Integer Single 0 None 1 RADIUS 2 LDAP Auth Service Type Cisco AV Pair Y Y Y 48 String Multi An octet string in the following format Prefix Action Protocol Source Source Wildcard Mask Destination Destination Wildcard Mask Established Log Operator Port For more information see Cisco AV Pair Attribute Syntax Cisco IP Phone Bypass Y Y Y 37 Integer Single 0 Disabled 1 Enabled Cisco LEAP Bypass Y Y Y 5...

Page 1057: ...p Server List Y Y Y 43 String Single Server Addresses space delimited IPSec Backup Servers Y Y Y 42 String Single 1 Use Client Configured list 2 Disabled and clear client list 3 Use Backup Server list IPSec Banner1 Y Y Y 11 String Single Banner string IPSec Banner2 Y Y Y 24 String Single Banner string IPSec Client Firewall Filter Name Y 40 String Single Specifies the name of the filter to be pushe...

Page 1058: ...emote FW Are You There AYT 2 Policy pushed CPP 4 Policy from server IPSec Sec Association Y 9 String Single Name of the security association IPSec Split DNS Names Y Y Y 18 String Single Specifies the list of secondary domain names to send to the client 1 255 characters IPSec Split Tunneling Policy Y Y Y 38 Integer Single 0 Tunnel everything 1 Split tunneling 2 Local LAN permitted IPSec Split Tunne...

Page 1059: ...DAP Login LDAP Password LDAP Request Type LDAP Scope LDAP Version MS Client Subnet Mask Y Y Y 45 String Single An IP address PFS Required Y Y Y 95 Boolean Single 0 No 1 Yes Port Forwarding Name Y Y 60 String Single Name string for example Corporate Apps PPTP Encryption Y 14 Integer Single Bitmap 1 Encryption required 2 40 bits 4 128 bits 8 Stateless Required Example 15 40 128 Encr Stateless Req PP...

Page 1060: ...uct Code Y Y Y 32 Integer Single Cisco Systems Products 1 Cisco Intrusion Prevention Security Agent or Cisco Integrated Client CIC Zone Labs Products 1 Zone Alarm 2 Zone AlarmPro 3 Zone Labs Integrity NetworkICE Product 1 BlackIce Defender Agent Sygate Products 1 Personal Firewall 2 Personal Firewall Pro 3 Security Agent Require HW Client Auth Y Y Y 35 Boolean Single 0 Disabled 1 Enabled Require I...

Page 1061: ...name User Auth Server Port Y 50 Integer Single Port number for server protocol User Auth Server Secret Y 51 String Single Server password WebVPN ACL Filters Y 72 String Single Access List name WebVPN Apply ACL Enable Y Y 84 Integer Single 0 Disabled 1 Enabled WebVPN Citrix Support Enable Y Y 83 Integer Single 0 Disabled 1 Enabled WebVPN Content Filter Parameters Y Y 56 Integer Single 1 Java Active...

Page 1062: ...Auto Download Enable Y Y 82 Integer Single 0 Disabled 1 Enabled WebVPN Port Forwarding Enable Y Y 79 Integer Single 0 Disabled 1 Enabled WebVPN Port Forwarding Exchange Proxy Enable Y Y 80 Integer Single 0 Disabled 1 Enabled WebVPN Port Forwarding HTTP Proxy Enable Y Y 81 Integer Single 0 Disabled 1 Enabled WebVPN Port Forwarding Enable WebVPN Port Forwarding Exchange Proxy Enable WebVPN Port Forw...

Page 1063: ...abled WebVPN SVC Rekey Method Y Y 100 Integer Single 0 None 1 SSL 2 New tunnel 3 Any sets to SSL WebVPN SVC Rekey Period Y Y 99 Integer Single 0 Disabled n Retry period in minutes 4 10080 WebVPN SVC Required Enable Y Y 86 Integer Single 0 Disabled 1 Enabled WebVPN Unix GID WebVPN Unix UID WebVPN URL Entry Enable Y Y 75 Integer Single 0 Disabled 1 Enabled WebVPN URL List Y 70 String Single URL list...

Page 1064: ...t Protocol Number or name of an IP protocol Either an integer in the range 0 255 or one of the following keywords icmp igmp ip tcp udp Source Network or host that sends the packet It is specified as an IP address a hostname or the keyword any If specified as an IP address the source wildcard mask must follow Source Wildcard Mask The wildcard mask applied to the source address Destination Network o...

Page 1065: ...ExampleCorporation DC com objectCategory CN Attribute Schema CN Schema CN Configuration OU People DC ExampleCorporation DC com objectClass attributeSchema oMSyntax 27 name Access Hours showInAdvancedViewOnly TRUE deny Action Denies action Default permit Action Allows action icmp Protocol Internet Control Message Protocol ICMP 1 Protocol Internet Control Message Protocol ICMP IP Protocol Internet P...

Page 1066: ...ization attributes here dn CN Confidence Interval CN Schema CN Configuration OU People DC ExampleCorporation DC com changetype add adminDisplayName Confidence Interval attributeID 1 2 840 113556 1 8000 795 2 52 attributeSyntax 2 5 5 9 cn Confidence Interval instanceType 4 isSingleValued TRUE lDAPDisplayName Confidence Interval distinguishedName CN Confidence Interval CN Schema CN Configuration OU ...

Page 1067: ...nAdvancedViewOnly TRUE subClassOf top systemOnly FALSE DN changetype modify add schemaUpdateNow schemaUpdateNow 1 systemOnly FALSE DN changetype modify add schemaUpdateNow schemaUpdateNow 1 Loading the Schema in the LDAP Server Note The directions in this section are specific to the Microsoft Active Directory LDAP server If you have a different type of server see your server documentation for info...

Page 1068: ...2 IPSec Over UDP TRUE IPSec Over UDP Port 12125 IPSec Banner1 Welcome to the Example Corporation IPSec Banner2 Unauthorized access is prohibited Primary DNS 10 10 4 5 Secondary DNS 10 11 12 7 Primary WINS 10 20 1 44 SEP Card Assignment 1 IPSec Tunnel Type 2 Tunneling Protocols 7 Confidence Interval 300 IPSec Allow Passwd Store TRUE objectClass User Authorization Reviewing Examples of Active Direct...

Page 1069: ...e grp protocol ldap hostname config aaa server group aaa server ldap authorize grp host 10 1 1 4 hostname config aaa server host ldap base dn ou Franklin Altiga dc frdevtestad dc local hostname config aaa server host ldap scope subtree hostname config aaa server host ldap naming attribute cn hostname config aaa server host ldap login password anypassword hostname config aaa server host ldap login ...

Page 1070: ...to exchange messages with the LDAP directory over a SSL connection It also configures the security appliance to interpret the department attribute in the Microsoft AD user record as the group policy to which the user is assigned The authorization attributes for this group are retrieved from a RADIUS server View the user records by clicking the User folder in the Active Directory Users and Computer...

Page 1071: ...ostname config aaa server ldap authenticate grp protocol ldap hostname config aaa server group aaa server ldap authenticate grp host 10 1 1 4 hostname config aaa server host ldap base dn cn Users dc frdevtestad dc local hostname config aaa server host ldap scope subtree hostname config aaa server host ldap naming attribute cn hostname config aaa server host ldap login password anypassword hostname...

Page 1072: ...sword anypassword hostname config aaa server host Step 6 Create a tunnel group that specifies LDAP authentication as shown in the following example commands hostname config tunnel group ipsec tunnelgroup type ipsec ra hostname config tunnel group ipsec tunnelgroup general attributes hostname config tunnel general authentication server group ldap authenticate grp hostname config tunnel general Note...

Page 1073: ...cord for the LDAP authentication server and use the ldap base dn to specify the search location for the Active Directory user records as shown in the following example commands hostname config aaa server ldap authenticate protocol ldap hostname config aaa server group aaa server ldap authenticate host 10 1 1 4 hostname config aaa server host ldap base dn cn Users dc frdevtestad dc local hostname c...

Page 1074: ... In this example the user is assigned to the group Engineering as shown in the following command hostname config aaa server host group policy engineering external server group ldap authorize hostname config aaa server host Step 7 Create a tunnel group that specifies LDAP authentication as shown in the following example commands hostname config tunnel group ipsec tunnelgroup type ipsec ra hostname ...

Page 1075: ...ary DNS banner and so forth Security Appliance RADIUS Authorization Attributes Note Authorization refers to the process of enforcing permissions or attributes A RADIUS server defined as an authentication server enforces permissions or attributes if they are configured Table E 5 lists all the possible security appliance supported attributes that can be used for user authorization Table E 5 Security...

Page 1076: ...bled 1 Enabled PPTP Encryption Y 20 Integer Single Bitmap 1 Encryption required 2 40 bits 4 128 bits 8 Stateless Required 15 40 128 Encr Stateless Req L2TP Encryption Y 21 Integer Single Bitmap 1 Encryption required 2 40 bit 4 128 bits 8 Stateless Req 15 40 128 Encr Stateless Req IPSec Split Tunnel List Y Y Y 27 String Single Specifies the name of the network access list that describes the split t...

Page 1077: ...d IPSec Over UDP Port Y Y Y 35 Integer Single 4001 49151 default 10000 Banner2 Y Y Y 36 String Single A banner string Banner2 string is concatenated to Banner1 string if configured PPTP MPPC Compression Y 37 Integer Single 0 Disabled 1 Enabled L2TP MPPC Compression Y 38 Integer Single 0 Disabled 1 Enabled IPSec IP Compression Y Y Y 39 Integer Single 0 Disabled 1 Enabled IPSec IKE Peer ID Check Y Y...

Page 1078: ...ne AlarmPro 3 Zone Labs Integrity NetworkICE Product 1 BlackIce Defender Agent Sygate Products 1 Personal Firewall 2 Personal Firewall Pro 3 Security Agent Required Client Firewall Description Y Y Y 47 String Single String Require HW Client Auth Y Y Y 48 Boolean Single 0 Disabled 1 Enabled Required Individual User Auth Y Y Y 49 Integer Single 0 Disabled 1 Enabled Authenticated User Idle Timeout Y ...

Page 1079: ...List Y Y Y 60 String Single Server Addresses space delimited DHCP Network Scope Y Y Y 61 String Single IP Address Intercept DHCP Configure Msg Y Y Y 62 Boolean Single 0 Disabled 1 Enabled MS Client Subnet Mask Y Y Y 63 Boolean Single An IP address Allow Network Extension Mode Y Y Y 64 Boolean Single 0 Disabled 1 Enabled Authorization Type Y Y Y 65 Integer Single 0 None 1 RADIUS 2 LDAP Authorizatio...

Page 1080: ... Y 80 String Single IP address IE Proxy Server Policy Y 81 Integer Single 1 No Modify 2 No Proxy 3 Auto detect 4 Use Concentrator Setting IE Proxy Exception List Y 82 String Single newline n separated list of DNS domains IE Proxy Bypass Local Y 83 Integer Single 0 None 1 Local IKE Keepalive Retry Interval Y Y Y 84 Integer Single 2 10 seconds Tunnel Group Lock Y Y 85 String Single Name of the tunne...

Page 1081: ... Proxy Y Y 99 Integer Single 0 Disabled 1 Enabled WebVPN Auto Applet Download Enable Y Y 100 Integer Single 0 Disabled 1 Enabled WebVPN Citrix Metaframe Enable Y Y 101 Integer Single 0 Disabled 1 Enabled WebVPN Apply ACL Y Y 102 Integer Single 0 Disabled 1 Enabled WebVPN SSL VPN Client Enable Y Y 103 Integer Single 0 Disabled 1 Enabled WebVPN SSL VPN Client Required Y Y 104 Integer Single 0 Disabl...

Page 1082: ...Ask Timeout Y 132 Integer Single 5 120 seconds IE Proxy PAC URL Y 133 String Single PAC Address String Strip Realm Y Y Y 135 Boolean Single 0 Disabled 1 Enabled Smart Tunnel Y 136 String Single Name of a Smart Tunnel WebVPN ActiveX Relay Y 137 Integer Single 0 Disabled Otherwise Enabled Smart Tunnel Auto Y 138 Integer Single 0 Disabled 1 Enabled 2 AutoStart VLAN Y 140 Integer Single 0 4094 NAC Set...

Page 1083: ...low these steps to set up the RADIUS server to inter operate with the security appliance Step 1 Load the security appliance attributes into the RADIUS server The method you use to load the attributes depends on which type of RADIUS server you are using If you are using Cisco ACS the server already has these attributes integrated You can skip this step If you are using a FUNK RADIUS server Cisco su...

Page 1084: ...le or Multi Valued Description or Value Access Hours Y Y Y 1 String Single Name of the time range for example Business hours Simultaneous Logins Y Y Y 2 Integer Single An integer from 0 to 2147483647 Primary DNS Y Y Y 5 String Single An IP address Secondary DNS Y Y Y 6 String Single An IP address Primary WINS Y Y Y 7 String Single An IP address Secondary WINS Y Y Y 8 String Single An IP address SE...

Page 1085: ...l List Y Y Y 27 String Single Specifies the name of the network or access list that describes the split tunnel inclusion list IPSec Default Domain Y Y Y 28 String Single Specifies the single default domain name to send to the client 1 255 characters IPSec Split DNS Names Y Y Y 29 String Single Specifies the list of secondary domain names to send to the client 1 255 characters IPSec Tunnel Type Y Y...

Page 1086: ...d 1 Enabled IPSec IP Compression Y Y Y 39 Integer Single 0 Disabled 1 Enabled IPSec IKE Peer ID Check Y Y Y 40 Integer Single 1 Required 2 If supported by peer certificate 3 Do not check IKE Keep Alives Y Y Y 41 Boolean Single 0 Disabled 1 Enabled IPSec Auth On Rekey Y Y Y 42 Boolean Single 0 Disabled 1 Enabled Required Client Firewall Vendor Code Y Y Y 45 Integer Single 1 Cisco Systems with Cisco...

Page 1087: ...Y Y 48 Boolean Single 0 Disabled 1 Enabled Required Individual User Auth Y Y Y 49 Integer Single 0 Disabled 1 Enabled Authenticated User Idle Timeout Y Y Y 50 Integer Single 1 35791394 minutes Cisco IP Phone Bypass Y Y Y 51 Integer Single 0 Disabled 1 Enabled IPSec Split Tunneling Policy Y Y Y 55 Integer Single 0 No split tunneling 1 Split tunneling 2 Local LAN permitted IPSec Required Client Fire...

Page 1088: ... Disabled 1 Enabled Authorization Type Y Y Y 65 Integer Single 0 None 1 RADIUS 2 LDAP Authorization Required Y 66 Integer Single 0 No 1 Yes Authorization DN Field Y Y Y 67 String Single Possible values UID OU O CN L SP C EA T N GN SN I GENQ DNQ SER use entire name IKE KeepAlive Confidence Interval Y Y Y 68 Integer Single 10 300 seconds WebVPN Content Filter Parameters Y Y 69 Integer Single 1 Java ...

Page 1089: ...teger Single 0 None 1 Local IKE Keepalive Retry Interval Y Y Y 84 Integer Single 2 10 seconds Tunnel Group Lock Y Y 85 String Single Name of the tunnel group or none Access List Inbound Y Y 86 String Single Access list ID Access List Outbound Y Y 87 String Single Access list ID Perfect Forward Secrecy Enable Y Y Y 88 Boolean Single 0 No 1 Yes NAC Enable Y 89 Integer 0 No 1 Yes NAC Status Query Tim...

Page 1090: ...ndatory attribute and the mandatory attribute must be applied to the user An optional attribute may or may not be understood or used WebVPN File Server Browsing Enable Y Y 96 Integer Single 0 Disabled 1 Enabled WebVPN Port Forwarding Enable Y Y 97 Integer Single 0 Disabled 1 Enabled WebVPN Outlook Exchange Proxy Enable Y Y 98 Integer Single 0 Disabled 1 Enabled WebVPN Port Forwarding HTTP Proxy Y ...

Page 1091: ...ds only bytes_out Specifies the number of output bytes transferred during this connection stop records only cmd Defines the command executed command accounting only disc cause Indicates the numeric code that identifies the reason for disconnecting stop records only elapsed_time Defines the elapsed time in seconds for the connection stop records only foreign_ip Specifies the IP address of the clien...

Page 1092: ...E 42 Cisco Security Appliance Command Line Configuration Guide OL 12172 03 Appendix E Configuring an External Server for Authorization and Authentication Configuring an External RADIUS Server ...

Page 1093: ...ct oriented programming technologies and tools used to create mobile or portable programs An ActiveX program is roughly equivalent to a Java applet Address Resolution Protocol See ARP address translation The translation of a network address and or port to another network address or port See also IP address interface PAT NAT PAT Static PAT xlate AES Advanced Encryption Standard A symmetric block ci...

Page 1094: ... users and the integrity of data One of the functions of the IPSec framework Authentication establishes the integrity of datastream and ensures that it is not tampered with in transit It also provides confirmation about the origin of the datastream See also AAA encryption and VPN Auto Applet Download Automatically downloads the WebVPN port forwarding applet when the user first logs in to WebVPN au...

Page 1095: ...es users with network access to files printers and other machine resources Microsoft implemented CIFS for networks of Windows computers however open source implementations of CIFS provide file access to servers running other operating systems such as Linux UNIX and Mac OS X Citrix An application that virtualizes client server applications and optimizes web applications CLI command line interface T...

Page 1096: ...and IPSec crypto map A data structure with a unique name and sequence number that is used for configuring VPNs on the security appliance A crypto map selects data flows that need security processing and defines the policy for these flows and the crypto peer that traffic needs to go to A crypto map is applied to an interface Crypto maps contain the ACLs encryption standards peers and other paramete...

Page 1097: ...Hellman Group 1 Group 2 Group 5 Group 7 Diffie Hellman refers to a type of public key cryptography using asymmetric encryption based on large prime numbers to establish both Phase 1 and Phase 2 SAs Group 1 provides a smaller prime number than Group 2 but may be the only version supported by some IPSec peers Diffe Hellman Group 5 uses a 1536 bit prime number is the most secure and is recommended fo...

Page 1098: ...so decryption ESMTP Extended SMTP Extended version of SMTP that includes additional functionality such as delivery notification and session delivery ESMTP is described in RFC 1869 SMTP Service Extensions ESP Encapsulating Security Payload An IPSec protocol ESP provides authentication and encryption services for establishing a secure tunnel over an insecure network For more information refer to RFC...

Page 1099: ...ation described in RFCs 1701 and 1702 GRE is a tunneling protocol that can encapsulate a wide variety of protocol packet types inside IP tunnels creating a virtual point to point link to routers at remote points over an IP network By connecting multiprotocol subnetworks in a single protocol backbone environment IP tunneling using GRE allows network expansion across a single protocol backbone envir...

Page 1100: ...P and VPN HMAC A mechanism for message authentication using cryptographic hashes such as SHA 1 and MD5 host The name for any device on a TCP IP network that has an IP address See also network and node host network An IP address and netmask used with other information to identify a single host or network subnet for security appliance configuration such as an address translation xlate or ACE HTTP Hy...

Page 1101: ...two components of a GTP tunnel ID the other being the NSAPI See also NSAPI inside The first interface usually port 1 that connects your internal trusted network protected by the security appliance See also interface interface names inspection engine The security appliance inspects certain application level protocols to identify the location of embedded addressing information in traffic This allows...

Page 1102: ...inside interface IPSec IP Security A framework of open standards that provides data confidentiality data integrity and data authentication between participating peers IPSec provides these security services at the IP layer IPSec uses IKE to handle the negotiation of protocols and algorithms based on local policy and to generate the encryption and authentication keys to be used by IPSec IPSec can pr...

Page 1103: ...divided into network subnet and host parts The mask has ones in the bit positions to be used for the network and subnet parts and zeros for the host part The mask should contain at least the standard network portion and the subnet field should be contiguous with the network portion MCR See multicast MC router Multicast MC routers route multicast data transmissions to the hosts on each LAN in an in...

Page 1104: ...al connections having the smallest values The MTU is described in RFC 1191 multicast Multicast refers to a network addressing method in which the source transmits a packet to multiple destinations a multicast group simultaneously See also PIM SMR N N2H2 A third party policy oriented filtering application that works with the security appliance to control user web access N2H2 can filter HTTP request...

Page 1105: ...time protocol O Oakley A key exchange protocol that defines how to acquire authenticated keying material The basic mechanism for Oakley is the Diffie Hellman key exchange algorithm Oakley is defined in RFC 2412 object grouping Simplifies access control by letting you apply access control statements to groups of network objects such as protocol services hosts and networks OSPF Open Shortest Path Fi...

Page 1106: ... traffic is forwarded from one MC router to the next until the packets reach every registered host See also PIM Ping An ICMP request sent by a host to determine if a second host is accessible PIX Private Internet eXchange The Cisco PIX 500 series security appliances range from compact plug and play desktop models for small home offices to carrier class gigabit models for the most demanding enterpr...

Page 1107: ...atic number of IPSec peers This method is limited in scalability because the key must be configured for each pair of IPSec peers When a new IPSec peer is added to the network the preshared key must be configured for every IPSec peer with which it communicates Using certificates and CAs provides a more scalable method of IKE authentication primary primary unit The security appliance normally operat...

Page 1108: ...d with authentication and is a standard feature of IPSec RFC Request for Comments RFC documents define protocols and standards for communications over the Internet RFCs are developed and published by IETF RIP Routing Information Protocol Interior gateway protocol IGP supplied with UNIX BSD systems The most common IGP in the Internet RIP uses hop count as a routing metric RLLA Reserved Link Local A...

Page 1109: ...Time Streaming Protocol Enables the controlled delivery of real time data such as audio and video RTSP is designed to work with established protocols such as RTP and HTTP rule Conditional statements added to the security appliance configuration to define security policy for a particular situation See also ACE ACL NAT running configuration The configuration currently running in RAM on the security ...

Page 1110: ...sed to generate a hash value also known as a message digest that acts like a CRC used in lower layer protocols to ensure that message contents are not changed during transmission SHA 1 is generally considered more secure than MD5 SIP Session Initiation Protocol Enables call handling sessions particularly two party audio conferences or calls SIP works with SDP for call signaling SDP specifies the p...

Page 1111: ...ain certain data called state information at each end of a network connection between two hosts State information is necessary to implement the features of a protocol such as guaranteed packet delivery data sequencing flow control and transaction or session IDs Some of the protocol state information is sent in each packet while each protocol is being used For example a browser connected to a web s...

Page 1112: ...ed sequential delivery such as TCP The use of TDP does not preclude the use of other mechanisms to distribute tag binding information such as piggybacking information on other protocols Telnet A terminal emulation protocol for TCP IP networks such as the Internet Telnet is a common way to control web servers remotely however its security vulnerabilities have led to its replacement by SSH TFTP Triv...

Page 1113: ...documents and other services using a browser For example http www cisco com user EXEC mode User EXEC mode lets you to see the security appliance settings The user EXEC mode prompt appears as follows when you first access the security appliance See also command specific configuration mode global configuration mode and privileged EXEC mode UTC Coordinated Universal Time The time zone at zero degrees...

Page 1114: ...ted types of traffic to a group of web cache engines to optimize resource usage and lower response times Websense A content filtering solution that manages employee access to the Internet Websense uses a policy engine and a URL database to control user access to websites WEP Wired Equivalent Privacy A security protocol for wireless LANs defined in the IEEE 802 11b standard WINS Windows Internet Na...

Page 1115: ...ypes 13 3 support summary 13 3 web clients 19 5 abbreviating commands C 3 Access Control Server 33 2 33 5 33 8 access hours username attribute 30 75 accessing the security appliance using SSL 37 3 accessing the security appliance using TKS1 37 3 access list filter username attribute 30 76 access lists about 16 1 ACE logging configuring 16 19 comments 16 17 deny flows managing 16 21 downloadable 19...

Page 1116: ...le based 14 20 failover criteria 14 26 HTTP replication 14 25 interface monitoring 14 25 interface poll times 14 39 LAN based 14 21 prerequisites 14 20 unit poll times 14 39 virtual MAC addresses 14 26 device initialization 14 7 primary unit 14 7 secondary unit 14 7 triggers 14 9 Active Directory settings for password management 30 27 Active Directory procedures E 18 to E 22 Adaptive Security Algo...

Page 1117: ...group 34 6 tunneling 34 5 Xauth 34 4 interfaces about 4 1 MAC addresses 4 4 maximum VLANs 4 2 native VLAN support 4 11 non forwarding interface 4 6 power over Ethernet 4 4 protected switch ports 4 9 Security Plus license 4 2 server headend 34 1 34 2 SPAN 4 4 Spanning Tree Protocol unsupported 4 9 VLAN interface configuration 4 5 ASDM software allowing access 40 3 installing 41 3 ASR 14 35 asymmetr...

Page 1118: ...ts 43 12 cascading access lists 27 15 certificate authentication e mail proxy 37 46 enrollment protocol 39 7 group matching configuring 27 9 rule and policy creating 27 10 Certificate Revocation Lists See CRLs certification authority See CA changing between contexts 6 12 Cisco AV Pair LDAP attributes E 13 Cisco Integrated Firewall 30 59 Cisco IP Phones DHCP 10 4 Cisco IP Phones application inspect...

Page 1119: ... a context 6 9 viewing 2 8 configuration mode accessing 2 5 prompt C 2 connection blocking 23 17 connection limits configuring 23 14 per context 6 6 connect time maximum username attribute 30 76 console port logging 42 8 content transformation WebVPN 37 48 contexts See security contexts conversion error ICMP message D 16 cookies enabling for WebVPN 37 6 CRACK protocol 27 28 crash dump 43 13 crypto...

Page 1120: ...policy keywords table 27 3 device ID including in messages 42 20 device pass through ASA 5505 as Easy VPN client 34 8 DfltGrpPolicy 30 34 DHCP addressing configuring 31 3 Cisco IP Phones 10 4 options 10 3 relay 10 5 server 10 1 10 2 transparent firewall 16 6 DHCP Intercept configuring 30 47 Diffie Hellman Group 5 27 4 groups supported 27 4 digital certificates authenticating WebVPN users 37 20 SSL...

Page 1121: ... 9 23 Overview 9 23 stub routing 9 25 stuck in active 9 24 e mail configuring for WebVPN 37 45 proxies WebVPN 37 46 proxy certificate authentication 37 46 WebVPN configuring 37 45 EMBLEM format using in logs 42 21 enable command 2 5 end user interface WebVPN defining 37 53 Enterprises 10 4 Entrust CA server support 39 5 ESP security protocol 27 2 established command security level requirements 7 2...

Page 1122: ... serial cable 14 4 SNMP syslog traps 14 51 software versions 14 2 Stateful Failover See Stateful Failover state link 14 5 subsecond 14 39 system log messages 14 51 system requirements 14 2 testing 14 49 type selection 14 15 understanding 14 1 unit health 14 17 verifying the configuration 14 40 fast path 1 5 fiber interfaces 5 3 filter access list group policy attribute for Clientless SSL VPN 30 66...

Page 1123: ...ension mode 30 50 security attributes 30 41 split tunneling attributes 30 44 split tunneling domains 30 46 user authentication 30 48 VPN attributes 30 38 VPN hardware client attributes 30 47 webvpn attributes 30 62 WINS and DNS servers 30 37 group policy default 30 33 group policy secure unit authentication 30 48 group policy attributes for Clientless SSL VPN application access 30 68 auto signon 3...

Page 1124: ... 30 49 username attribute 30 76 ID method for ISAKMP peers determining 27 6 IKE benefits 27 2 creating policies 27 4 keepalive setting tunnel group 30 4 pre shared key Easy VPN client on the ASA 5505 34 6 See also ISAKMP ILS inspection 25 52 IM 25 66 inbound access lists 18 1 Individual user authentication 34 12 information reply ICMP message D 15 information request ICMP message D 15 inheritance ...

Page 1125: ... basic configuration with static crypto maps 27 22 Cisco VPN Client 27 2 configuring 27 1 27 11 crypto map entries 27 12 enabling debug 28 8 fragmentation policy 27 8 LAN to LAN configurations 27 2 modes 28 2 over NAT T enabling 27 7 over TCP enabling 27 8 over UDP group policy configuring attributes 30 44 remote access configurations 27 2 remote access tunnel group 30 7 SA lifetimes changing 27 2...

Page 1126: ...transparent firewall Layer 2 forwarding table See MAC address table Layer 2 Tunneling Protocol 28 1 Layer 3 4 matching multiple policy maps 21 15 LDAP AAA support 13 12 application inspection 25 52 attribute mapping 13 14 Cisco attributes E 5 Cisco AV pair E 13 configuring 13 9 configuring a AAA server E 2 to E 18 directory about E 3 directory search E 4 example configuration procedures E 18 to E ...

Page 1127: ...SDM 42 10 console port 42 9 email address 42 9 internal buffer 42 5 SNMP 42 4 syslog serversyslog server configuring as output destination 42 7 Telnet or SSH session 42 5 queue changing the size of 42 19 configuring 42 19 viewing queue statistics 42 19 severity level changing 42 22 severity level changing 42 22 timestamp including 42 20 login banner configuring 40 19 console 2 5 enable 2 5 FTP 19 ...

Page 1128: ...2 24 filtering by message list 42 18 format of 42 24 message list creating 42 18 severity levels 42 24 metacharacters regular expression 21 7 MGCP inspection about 25 54 configuring 25 53 MIBs 42 1 Microsoft Active Directory settings for password management 30 27 Microsoft Internet Explorer client parameters configuring 30 52 Microsoft Windows 2000 CA supported 39 5 mixed cluster scenarios load ba...

Page 1129: ... 13 security level requirements 7 2 static identify configuring 17 31 static NAT about 17 8 configuring 17 26 static PAT about 17 9 configuring 17 27 transparent mode 17 3 types 17 6 native VLAN support 4 11 NAT T enabling IPSec over NAT T 27 7 using 27 7 Netscape CMS CA server support 39 5 Network Activity test 14 17 Network Admission Control Access Control Server 33 5 ACL default 33 6 clientless...

Page 1130: ...ss lists 18 1 Outlook Web Access OWA and WebVPN 37 73 output destinations 42 5 e mail address 42 5 42 9 SNMP management station 42 5 specifying 42 9 syslog server 42 5 42 7 Telnet or SSH session 42 5 viewing logs 42 7 outside definition 1 1 oversubscribing resources 6 2 P packet capture 43 12 classifier 3 3 packet flow routed firewall 15 1 transparent firewall 15 11 paging screen displays C 5 para...

Page 1131: ...tribute for Clientless SSL VPN 30 68 username attribute for Clientless SSL VPN 30 84 ports open on device D 14 redirection NAT 17 36 TCP and UDP D 11 posture validation exemptions 33 7 port 33 10 revalidation timer 33 6 uses requirements and limitations 33 1 power over Ethernet 4 4 PPPoE configuring 35 1 to 35 5 pre shared key Easy VPN client on the ASA 5505 34 6 primary unit failover 14 7 printer...

Page 1132: ...ndancy in site to site VPNs using crypto maps 27 26 redundant interfaces configuring 5 6 failover 5 5 MAC address 5 5 setting the active interface 5 7 Registration Authority description 39 2 regular expression 21 6 reloading context 6 14 security appliance 43 6 remarks 16 17 remote access configuration summary 32 1 IPSec tunnel group configuring 30 7 restricting 30 78 tunnel group configuring defa...

Page 1133: ...bling 7 7 NAT 17 13 SAs lifetimes 27 22 SCCP Skinny inspection about 25 72 configuration 25 72 configuring 25 71 SDI configuring 13 9 support 13 5 secondary device virtual cluster 29 5 secondary unit failover 14 7 secure unit authentication 34 12 secure unit authentication group policy 30 48 security WebVPN 37 2 37 8 Security Agent Cisco 30 59 security appliance CLI C 1 connecting to 2 4 managing ...

Page 1134: ... 24 severity levels of system messages definition 42 24 SHA IKE policy keywords table 27 3 show command filtering output C 4 simultaneous logins username attribute 30 75 single mode backing up configuration 3 10 configuration 3 10 enabling 3 10 restoring 3 11 single sign on See SSO single signon group policy attribute for Clientless SSL VPN 30 70 username attribute for Clientless SSL VPN 30 86 SIP...

Page 1135: ...30 70 username attribute for Clientless SSL VPN 30 86 SSO with WebVPN 37 8 to 37 20 configuring HTTP Basic and NTLM authentication 37 8 configuring HTTP form protocol 37 14 configuring SiteMinder 37 9 37 12 startup configuration copying 41 8 saving 2 6 Stateful Failover about 14 15 state information 14 15 state link 14 5 statistics 14 43 14 47 stateful inspection 1 4 state information 14 15 state ...

Page 1136: ...disabling logging of 42 5 filtering by message class 42 16 managing in groups by message class 42 16 creating a message list 42 16 output destinations 42 5 email address 42 9 SNMP 42 4 syslog message server 42 5 Telnet or SSH session 42 5 severity levels about 42 24 changing the severity level of a message 42 5 timestamp including 42 20 T TACACS command authorization configuring 40 13 configuring ...

Page 1137: ...bVPN 37 56 traffic class QoS 24 3 traffic flow routed firewall 15 1 transparent firewall 15 11 traffic policing verifying the configuration 24 13 Transform 27 12 transform set creating 32 4 definition 27 12 transmit queue ring limit 24 8 transparent firewall about 15 6 ARP inspection about 26 1 enabling 26 2 static entry 26 2 data flow 15 11 DHCP packets allowing 16 6 guidelines 15 9 H 323 guideli...

Page 1138: ...context configuration setting 6 9 filtering about 20 4 filtering configuration 20 6 user VPN definition 30 1 remote access adding 32 4 user access restricting remote 30 78 user authentication group policy 30 48 user EXEC mode accessing 2 5 prompt C 2 username adding 13 7 clientless authentication 33 9 encrypted 13 8 management tunnels 34 9 password 13 8 WebVPN 37 67 Xauth for Easy VPN client 34 4 ...

Page 1139: ...username attribute 30 76 vpn framed ip address username attribute 30 77 VPN hardware client group policy attributes 30 47 vpn idle timeout username attribute 30 76 vpn load balancing See load balancing 29 5 vpn session timeout username attribute 30 76 vpn tunnel protocol username attribute 30 77 VRRP 15 8 W WCCP 10 9 web browsing with WebVPN 37 70 web caching 10 9 web clients secure authentication...

Page 1140: ...y preautions 37 2 37 8 security tips 37 68 setting HTTP HTTPS proxy 37 4 SSL TLS encryption protocols 37 5 supported applications 37 68 supported browsers 37 69 supported types of Internet connections 37 69 troubleshooting 37 40 unsupported features 37 3 URL 37 69 use of HTTPS 37 3 username and password required 37 69 usernames and passwords 37 67 use suggestions 37 52 37 68 WebVPN Application Acc...

Reviews:

No comments

Related manuals for 500 Series

Audio System COFIT EVO Manual preview
COFIT EVO
Brand: Audio System Pages: 2
Clatronic AR 829 DVD Instruction Manual preview
AR 829 DVD
Brand: Clatronic Pages: 38
Audiovox Prestige P-15 Owner'S Manual preview
Prestige P-15
Brand: Audiovox Pages: 8
Grandstream Networks GAC2570 User Manual preview
GAC2570
Brand: Grandstream Networks Pages: 177
Lincoln Electric TOWN CAR Quick Reference Manual preview
TOWN CAR
Brand: Lincoln Electric Pages: 2
Caliber RMD 052DAB-BT Manual preview
RMD 052DAB-BT
Brand: Caliber Pages: 20
ITC TS-0690 User Manual preview
TS-0690
Brand: ITC Pages: 15
Wyrestorm Enado Mini ENA-MINI-010 Quick Start Manual preview
Enado Mini ENA-MINI-010
Brand: Wyrestorm Pages: 2
Technics st-ch510 Service Manual preview
st-ch510
Brand: Technics Pages: 14
Nibe MODBUS 40 Installer Manual preview
MODBUS 40
Brand: Nibe Pages: 32
JVC CA-UXF3B Instructions preview
CA-UXF3B
Brand: JVC Pages: 2
Cisco GW 3340 Specifications preview
GW 3340
Brand: Cisco Pages: 4
BENZER DV-9812 Installation & Owner'S Manual preview
DV-9812
Brand: BENZER Pages: 16
Sony HCD-461 Operating Instructions Manual preview
HCD-461
Brand: Sony Pages: 28
Philips OccuSwitch Wireless Installation Manual preview
OccuSwitch Wireless
Brand: Philips Pages: 2
Philips LDTS07 User Manual preview
LDTS07
Brand: Philips Pages: 10
Philips ILS-CL-6RES User Manual preview
ILS-CL-6RES
Brand: Philips Pages: 22
Philips SBC SK 310 Instructions For Use Manual preview
SBC SK 310
Brand: Philips Pages: 26

Brands by name

Popular brands

Load more brands