
Cisco Systems, Inc.

www.cisco.com

Cisco has more than 200 offices worldwide. 
Addresses, phone numbers, and fax numbers 
are listed on the Cisco website at 
www.cisco.com/go/offices.

Cisco ASA Series CLI Configuration Guide

Software Version 9.0 for the ASA 5505, ASA 5510, ASA 5520, ASA 5540, ASA 5550, ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, ASA 5580, ASA 5585-X, and the ASA Services Module

Released: October 29, 2012
Updated: February 25, 2013

Text Part Number: N/A, Online only 

Summary of Contents for 5505 - ASA Firewall Edition Bundle


Page 3: ...s. You can also configure and monitor the ASA by using ASDM, a web-based GUI application. ASDM includes configuration wizards to guide you through some common configuration scenarios, and online help for less common scenarios. This guide applies to the Cisco ASA series. Throughout this guide, the term "ASA" applies generically to supported models, unless specified otherwise. Audience: This guide is for networ...

Page 4: ... are a free service. Convention / Indication: bold font: Commands and keywords and user-entered text appear in bold font. italic font: Document titles, new or emphasized terms, and arguments for which you supply values are in italic font. [ ]: Elements in square brackets are optional. {x | y | z}: Required alternative keywords are grouped in braces and separated by vertical bars. [x | y | z]: Optional alternative keywords are g...

Page 5: ...echnologies and tools used to create mobile or portable programs. An ActiveX program is roughly equivalent to a Java applet. Address Resolution Protocol: See ARP. address translation: The translation of a network address and/or port to another network address or port. See also IP address, interface PAT, NAT, PAT, Static PAT, xlate. AES: Advanced Encryption Standard. A symmetric block cipher that can encrypt and...

Page 6: ...s and the integrity of data. One of the functions of the IPsec framework. Authentication establishes the integrity of the datastream and ensures that it is not tampered with in transit. It also provides confirmation about the origin of the datastream. See also AAA, encryption, and VPN. Auto Applet Download: Automatically downloads the clientless SSL VPN port-forwarding applet when the user first logs in t...

Page 7: ...des users with network access to files, printers, and other machine resources. Microsoft implemented CIFS for networks of Windows computers; however, open source implementations of CIFS provide file access to servers running other operating systems, such as Linux, UNIX, and Mac OS X. Citrix: An application that virtualizes client-server applications and optimizes web applications. CLI: command-line interface...

Page 8: ... also VPN and IPsec. crypto map: A data structure with a unique name and sequence number that is used for configuring VPNs on the ASA. A crypto map selects data flows that need security processing and defines the policy for these flows and the crypto peer that traffic needs to go to. A crypto map is applied to an interface. Crypto maps contain the ACLs, encryption standards, peers, and other parameters ne...

Page 9: ...ography using asymmetric encryption based on large prime numbers to establish both Phase 1 and Phase 2 SAs. Group 1 provides a smaller prime number than Group 2, but may be the only version supported by some IPsec peers. Diffie-Hellman Group 5 uses a 1536-bit prime number, is the most secure, and is recommended for use with AES. Group 7 has an elliptical curve field size of 163 bits and is for use with t...

Page 10: ...ended SMTP: Extended version of SMTP that includes additional functionality, such as delivery notification and session delivery. ESMTP is described in RFC 1869, SMTP Service Extensions. ESP: Encapsulating Security Payload. An IPsec protocol, ESP provides authentication and encryption services for establishing a secure tunnel over an insecure network. For more information, refer to RFCs 2406 and 1827. F: failo...

Page 11: ...d 1702. GRE is a tunneling protocol that can encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to routers at remote points over an IP network. By connecting multiprotocol subnetworks in a single-protocol backbone environment, IP tunneling using GRE allows network expansion across a single-protocol backbone environment. GSM: Global System for Mo...

Page 12: ...PN. HMAC: A mechanism for message authentication using cryptographic hashes such as SHA-1 and MD5. host: The name for any device on a TCP/IP network that has an IP address. See also network and node. host/network: An IP address and netmask used with other information to identify a single host or network subnet for ASA configuration, such as an address translation (xlate) or ACE. HTTP: Hypertext Transfer Proto...

Page 13: ...lt rules or as a result of user-defined rules. IMSI: International Mobile Subscriber Identity. One of two components of a GTP tunnel ID, the other being the NSAPI. See also NSAPI. inside: The first interface, usually port 1, that connects your internal, trusted network protected by the ASA. See also interface, interface name. inspection engine: The ASA inspects certain application-level protocols to identify th...

Page 14: ...he negotiation of protocols and algorithms based on local policy, and to generate the encryption and authentication keys to be used by IPsec. IPsec can protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host. IPsec Phase 1: The first phase of negotiating IPsec; includes the key exchange and the ISAKMP portions of IPsec. IPsec Ph...

Page 15: ...n Internet address is divided into network, subnet, and host parts. The mask has ones in the bit positions to be used for the network and subnet parts, and zeros for the host part. The mask should contain at least the standard network portion, and the subnet field should be contiguous with the network portion. MCR: See multicast. MC router: Multicast (MC) routers route multicast data transmissions to the host...

Page 16: ...taneously. See also PIM, SMR. N: N2H2: A third-party, policy-oriented filtering application that works with the ASA to control user web access. N2H2 can filter HTTP requests based on the destination hostname, destination IP address, username, and password. The N2H2 corporation was acquired by Secure Computing in October 2003. NAT: Network Address Translation. Mechanism for reducing the need for globally unique...

Page 17: ...object grouping: Simplifies access control by letting you apply access control statements to groups of network objects, such as protocol, services, hosts, and networks. OSPF: Open Shortest Path First. OSPF is a routing protocol for IP networks. OSPF is a routing protocol widely deployed in large networks because of its efficient use of network bandwidth and its rapid convergence after changes in topology. T...

Page 18: ...ernet eXchange. The Cisco PIX 500 series ASAs ranged from compact, plug-and-play desktop models for small/home offices to carrier-class gigabit models for the most demanding enterprise and service-provider environments. Cisco PIX ASAs provided robust, enterprise-class integrated network security services to create a strong multilayered defense for fast-changing network environments. The PIX has been re...

Page 19: ...is method is limited in scalability because the key must be configured for each pair of IPsec peers. When a new IPsec peer is added to the network, the preshared key must be configured for every IPsec peer with which it communicates. Using certificates and CAs provides a more scalable method of IKE authentication. primary, primary unit: The ASA normally operating when two units, a primary and secondary, a...

Page 20: ...n Protocol. Interior Gateway Protocol (IGP) supplied with UNIX BSD systems. The most common IGP in the Internet. RIP uses hop count as a routing metric. RLLA: Reserved Link Local Address. Multicast addresses range from 224.0.0.0 to 239.255.255.255; however, only the range 224.0.1.0 to 239.255.255.255 is available to users. The first part of the multicast address range, 224.0.0.0 to 224.0.0.255, is reserved and...

Page 21: ... S: SA: security association. An instance of security policy and keying material applied to a data flow. SAs are established in pairs by IPsec peers during both phases of IPsec. SAs specify the encryption algorithms and other security parameters used to create a secure tunnel. Phase 1 SAs (IKE SAs) establish a secure tunnel for negotiating Phase 2 SAs. Phase 2 SAs (IPsec SAs) establish the secure tunnel used...

Page 22: ...ling. SDP specifies the ports for the media stream. Using SIP, the ASA can support any SIP VoIP gateways and VoIP proxy servers. site-to-site VPN: A site-to-site VPN is established between two IPsec peers that connect remote networks into a single VPN. In this type of VPN, neither IPsec peer is the destination nor source of user traffic. Instead, each IPsec peer provides encryption and authentication servi...

Page 23: ...otocol, such as guaranteed packet delivery, data sequencing, flow control, and transaction or session IDs. Some of the protocol state information is sent in each packet while each protocol is being used. For example, a browser connected to a web server uses HTTP and supporting TCP/IP protocols. Each protocol layer maintains state information in the packets it sends and receives. The ASA and some other fire...

Page 24: ...CP. The use of TDP does not preclude the use of other mechanisms to distribute tag binding information, such as piggybacking information on other protocols. Telnet: A terminal emulation protocol for TCP/IP networks such as the Internet. Telnet is a common way to control web servers remotely; however, its security vulnerabilities have led to its replacement by SSH. TFTP: Trivial File Transfer Protocol. TFTP...

Page 25: ...that matches the correct source interface according to the routing table. URL: Uniform Resource Locator. A standardized addressing scheme for accessing hypertext documents and other services using a browser. For example, http://www.cisco.com. user EXEC mode: The lowest privilege level at the ASA CLI. The user EXEC mode prompt appears as follows when you first access the ASA: hostname. See also command-specifi...

Page 26: ... WAN: wide-area network. Data communications network that serves users across a broad geographic area and often uses transmission devices provided by common carriers. WCCP: Web Cache Communication Protocol. Transparently redirects selected types of traffic to a group of web cache engines to optimize resource usage and lower response times. Websense: A content filtering solution that manages employee acce...

Page 27: ...eries CLI Configuration Guide. xauth: See IKE Extended Authentication. xlate: An xlate, also referred to as a translation entry, represents the mapping of one IP address to another, or the mapping of one IP address/port pair to another. ...



Page 61: ...PART 1: Getting Started with the ASA ...

Page 63: ...ocumentation might include features that are not supported in your version. Similarly, if a feature was added into a maintenance release for an older major or minor version, then the ASDM documentation includes the new feature, even though that feature might not be available in all later ASA releases. Please refer to the feature history table for each chapter to determine when features were added. For t...

Page 64: ...e the following issues: When using Java 7, when launching ASDM, you must have the strong encryption license (3DES/AES) on the ASA. With only the base encryption license (DES), you cannot launch ASDM. Even if you can connect with a browser to the ASDM splash screen and download the launcher or web start application, you cannot then launch ASDM. You must uninstall Java 7 and install Java 6. When using Java 6 for...

Page 65: ...me using the --disable-ssl-false-start flag according to http://www.chromium.org/developers/how-tos/run-chromium-with-flags. For Internet Explorer 9.0 for servers, the "Do not save encrypted pages to disk" option is enabled by default (see Tools > Internet Options > Advanced). This option causes the initial ASDM download to fail. Be sure to disable this option to allow ASDM to download. On MacOS, you may be prompte...

Page 66: ...4(4.x), 8.4(5), and 8.4(6) are not included in 9.0(3) unless they were listed in the 9.0(1) feature table. New Features in ASA 9.0(2)/ASDM 7.1(2). Released: February 25, 2013. Table 1-2: New Features for ASA Version 9.0(3)/ASDM Version 7.1(3). Feature / Description. Monitoring Features: Smart Call Home. We added a new type of Smart Call Home message to support ASA clustering. A Smart Call Home clustering message is sent...

Page 67: ...op only. Firefox: all supported Windows 8 versions. Chrome: all supported Windows 8 versions. See the following limitations: Internet Explorer 10: The Modern (AKA Metro) browser is not supported. If you enable Enhanced Protected Mode, we recommend that you add the ASA to the trusted zone. If you enable Enhanced Protected Mode, Smart Tunnel and Port Forwarder are not supported. A Java Remote Desktop Protocol (RDP)...

Page 68: ...2 (continued). Feature / Description. Table 1-4: New Features for ASA Version 8.4(5). Feature / Description. Firewall Features: EtherType ACL support for IS-IS traffic (transparent firewall mode). In transparent firewall mode, the ASA can now pass IS-IS traffic using an EtherType ACL. We modified the following command: access-list ethertype {permit | deny} is-is. This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), o...

Page 69: ...berOfEntries and cnatAddrBindSessionCount OIDs to allow polling for Xlate count. Support was added for the NAT-MIB cnatAddrBindNumberOfEntries and cnatAddrBindSessionCount OIDs to support xlate_count and max_xlate_count for SNMP. This data is equivalent to the show xlate count command. This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), or 9.1(1). NSEL: Flow-update events have been introduced to p...

Page 70: ...her types of security group-based policies, such as application inspection; for example, you can configure a class map containing an access policy based on a security group. We introduced or modified the following commands: access-list extended, cts sxp enable, cts server-group, cts sxp default, cts sxp retry period, cts sxp reconcile period, cts sxp connection peer, cts import-pac, cts refresh-environment-dat...

Page 71: ... Configuration > Firewall > Objects > Class Maps > Cloud Web Security > Add/Edit; Configuration > Firewall > Objects > Inspect Maps > Cloud Web Security; Configuration > Firewall > Objects > Inspect Maps > Cloud Web Security > Add/Edit; Configuration > Firewall > Objects > Inspect Maps > Cloud Web Security > Add/Edit > Manage Cloud Web Security Class Maps; Configuration > Firewall > Identity Options; Configuration > Firewall > Service Policy Rules > M...

Page 72: ...ced the following screen: Configuration > Firewall > Advanced > Per-Session NAT Rules. ARP cache additions for non-connected subnets: The ASA ARP cache only contains entries from directly-connected subnets by default. You can now enable the ARP cache to also include non-directly-connected subnets. We do not recommend enabling this feature unless you know the security risks. This feature could facilitate denia...

Page 73: ... is disabled by default. For more information, see the service command in the ASA command reference. This behavior ensures that a reset action will reset the connections on the ASA and on inside servers, therefore countering denial of service attacks. For outside hosts, the ASA does not send a reset by default, and information is not revealed through a TCP reset. Also available in 8.4(4.1). Increased maximu...

Page 74: ...uster, show running-config cluster. We introduced or modified the following screens: Home > Device Dashboard; Home > Cluster Dashboard; Home > Cluster Firewall Dashboard; Configuration > Device Management > Advanced > Address Pools > MAC Address Pools; Configuration > Device Management > High Availability and Scalability > ASA Cluster; Configuration > Device Management > Logging > Syslog Setup > Advanced; Configuration > Device Setup > I...

Page 75: ...cates connections to the standby unit when using Stateful Failover. By default, connections are replicated to the standby unit during a 15-second period. However, when a bulk sync occurs (for example, when you first enable failover), 15 seconds may not be long enough to sync large numbers of connections due to a limit on the maximum connections per second. For example, the maximum connections on the ASA is...

Page 76: ...esses can be reached by VPN clients when they are configured to use the SSL protocol. This feature is not supported for clients configured to use the IKEv2/IPsec protocol. We modified the following command: dns-server value. We modified the following screen: Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Edit group policy > Servers. Remote Access VPN support for IPv6: Split tunneling...

Page 77: ...ly an IPv4 address to an AnyConnect connection and the endpoint is dual-stacked. When the endpoint attempts to reach an IPv6 address, if Client Bypass Protocol is disabled, the IPv6 traffic is dropped; however, if Client Bypass Protocol is enabled, the IPv6 traffic is sent from the client in the clear. This feature can be used by clients configured to use the SSL or IKEv2/IPsec protocol. We introduced the...

Page 78: ... a Cisco AAA attribute; IPv6 TCP and UDP ports as part of a Device endpoint attribute; Network ACL Filters (client). This feature can be used by clients configured to use the SSL or IKEv2/IPsec protocol. We modified the following screens: Configuration > Remote Access VPN > Network (Client) Access > Dynamic Access Policies > Add > Cisco AAA attribute; Configuration > Remote Access VPN > Network (Client) Access > Dynamic Acce...

Page 79: ...ration > Firewall > Objects > Network Objects/Group; Configuration > Firewall > NAT Rules. DHCPv6 relay: DHCP relay is supported for IPv6. We introduced the following commands: ipv6 dhcprelay server, ipv6 dhcprelay enable, ipv6 dhcprelay timeout, clear config ipv6 dhcprelay, ipv6 nd managed-config-flag, ipv6 nd other-config-flag, debug ipv6 dhcp, debug ipv6 dhcprelay, show ipv6 dhcprelay binding, clear ipv6 dhcprelay bin...

Page 80: ...terval ipv6 ospf transmit delay ipv6 router ospf ipv6 router ospf area ipv6 router ospf default ipv6 router ospf default information ipv6 router ospf distance ipv6 router ospf exit ipv6 router ospf ignore ipv6 router ospf log adjacency changes ipv6 router ospf no ipv6 router ospf redistribute ipv6 router ospf router id ipv6 router ospf summary prefix ipv6 router ospf timers area range area virtual...

Page 81: ...ddresses Now network object groups can support a mix of both IPv4 and IPv6 addresses Note You cannot use a mixed object group for NAT We modified the following command object group network We modified the following screen Configuration Firewall Objects Network Objects Groups Range of IPv6 addresses for a Network object You can now configure a range of IPv6 addresses for a network object We modifie...

Page 82: ... Server's address and credentials, users enter the ASA's SSL VPN IP address and credentials. We modified the following command: vdi. We modified the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Group Policy > Edit > More Options > VDI Access > Add VDI Server. Clientless SSL VPN Enhanced Auto sign-on: This feature improves support for web applications that require dynamic parameters...

Page 83: ...es customer-visible performance gains in AnyConnect smart tunnels and port forwarding. We modified the following commands: crypto engine accelerator-bias and show crypto accelerator. We modified the following screen: Configuration > Remote Access VPN > Advanced > Crypto Engine. Custom Attributes: Custom attributes define and configure AnyConnect features that have not yet been added to ASDM. You add custom att...

Page 84: ...ntication (hardware and software; supported only on multi-core platforms). ECDH support (groups 19, 20, and 21): IKEv2 key exchange, IKEv2 PFS (software only; supported on single- or multi-core platforms). ECDSA support (256-, 384-, and 521-bit elliptic curves): IKEv2 user authentication, PKI certificate enrollment, PKI certificate generation and verification (software only; supported on single- or multi-core platforms). New ...

Page 85: ...ew resource type for routing table entries. A new resource class, routes, was created to set the maximum number of routing table entries in each context. We modified the following commands: limit-resource, show resource types, show resource usage, show resource allocation. We modified the following screen: Configuration > Context Management > Resource Class > Add Resource Class. Mixed firewall mode support in mult...

Page 86: ... on Facebook, or permitting finance employees access to a sensitive enterprise database but denying the same to other employees. We introduced or modified the following commands: capture, cxsc, cxsc auth-proxy, debug cxsc, hw-module module password-reset, hw-module module reload, hw-module module reset, hw-module module shutdown, session do setup host ip, session do get-config, session do password-reset, show a...

Page 87: ...hind the firewall in the example shown on the left side of Figure 1-1, because you assigned VLAN 201 to the inside interface of the ASASM. The router is in front of the firewall in the example shown on the right side of Figure 1-1, because you assigned VLAN 200 to the outside interface of the ASASM. In the left-hand example, the MSFC or router routes between VLANs 201, 301, 302, and 303, and no inside traf...

Page 88: ...rces on a separate network behind the firewall, called a demilitarized zone (DMZ). The firewall allows limited access to the DMZ, but because the DMZ only includes the public servers, an attack there only affects the servers and does not affect the other inside networks. You can also control when inside users access outside networks (for example, access to the Internet) by allowing only certain addresses ou...

Page 89: ...P, HTTPS, or FTP Filtering, page 1-28; Applying Application Inspection, page 1-28; Sending Traffic to the IPS Module, page 1-28; Sending Traffic to the Content Security and Control Module, page 1-28; Applying QoS Policies, page 1-28; Applying Connection Limits and TCP Normalization, page 1-29; Enabling Threat Detection, page 1-29; Enabling the Botnet Traffic Filter, page 1-29; Configuring Cisco Unified Communicatio...

Page 90: ...information in the user data packet, or that open secondary channels on dynamically assigned ports. These protocols require the ASA to do a deep packet inspection. Sending Traffic to the IPS Module: If your model supports the IPS module for intrusion prevention, then you can send traffic to the module for inspection. The IPS module monitors and performs real-time analysis of network traffic by looking f...

Page 91: ...ns host statistics that can be analyzed for scanning activity. The host database tracks suspicious activity such as connections with no return activity, access of closed service ports, vulnerable TCP behaviors such as non-random IPID, and many more behaviors. You can configure the ASA to send system log messages about an attacker, or you can automatically shun the host. Enabling the Botnet Traffic Filter...

Page 92: ... A stateful firewall like the ASA, however, takes into consideration the state of a packet. Is this a new connection? If it is a new connection, the ASA has to check the packet against access lists and perform other tasks to determine if the packet is allowed or denied. To perform this check, the first packet of the session goes through the session management path, and depending on the type of traffic, it ...

Page 93: ...parameters, create and manage tunnels, encapsulate packets, transmit or receive them through the tunnel, and unencapsulate them. The ASA functions as a bidirectional tunnel endpoint: it can receive plain packets, encapsulate them, and send them to the other end of the tunnel, where they are unencapsulated and sent to their final destination. It can also receive encapsulated packets, unencapsulate them, and se...

Page 94: ...ings for itself; rather, when the system needs to access network resources (such as downloading the contexts from the server), it uses one of the contexts that is designated as the admin context. The admin context is just like any other context, except that when a user logs into the admin context, then that user has system administrator rights and can access the system and all other contexts. ASA Clusterin...

Page 95: ... as a Directly Connected Router, page 1-5; Configuring the Switch for ASA Failover, page 1-9; Resetting the ASA Services Module, page 1-11; Monitoring the ASA Services Module, page 1-11; Feature History for the Switch for Use with the ASA Services Module, page 1-13. Information About the Switch: You can install the ASASM in the Catalyst 6500 series or Cisco 7600 series switches. The switch includes a switch t...

Page 96: ...al VLANs, so it is possible that VLANs in the 1020-1100 range might already be in use. You cannot use reserved VLANs. You cannot use VLAN 1. If you are using ASASM failover within the same switch chassis, do not assign the VLAN(s) that you are reserving for failover and stateful communications to a switch port. However, if you are using failover between chassis, you must include the VLANs in the trunk port...

Page 97: ... (show module output, continued)
  4  0022.bdd3.f64e to 0022.bdd3.f655  0.109  12.2(2010080)  12.2(2010121)  PwrDown
  5  0019.e8bb.7b0c to 0019.e8bb.7b13  2.0    8.5(2)         12.2(2010121)  Ok
  6  f866.f220.5760 to f866.f220.576f  1.0    12.2(18r)S1    12.2(2010121)  Ok
  Mod  Sub-Module                 Model            Serial        Hw     Status
  2/0  ASA Application Processor  SVC-APP-PROC-1   SAD1436015D   0.202  Other
  4/0  ASA Application Processor  SVC-APP-INT-1    SAD141002AK   0.106  PwrDown
  5    Policy Feature Ca...

Page 98: ...ng them to switch ports. Guidelines: You can assign up to 16 firewall VLAN groups to each ASASM. You can create more than 16 VLAN groups in Cisco IOS software, but only 16 can be assigned per ASASM. For example, you can assign all the VLANs to one group, or you can create an inside group and an outside group, or you can create a group for each customer. There is no limit on the number of VLANs per group, bu...

Page 99: ... section includes the following topics: Information About SVIs, page 1-6; Configuring SVIs, page 1-8. Command / Purpose. Step 1: firewall vlan-group firewall_group vlan_range. Example: Router(config)# firewall vlan-group 50 55-57. Assigns VLANs to a firewall group. The firewall_group argument is an integer. The vlan_range argument can be one or more VLANs (2 to 1000 and from 1025 to 4094) identified in one of the f...

Page 100: ...lt, you can configure one SVI between the MSFC and the ASASM; you can enable multiple SVIs, but be sure you do not misconfigure your network. For example, with multiple SVIs, you could accidentally allow traffic to pass around the ASASM by assigning both the inside and outside VLANs to the MSFC. See Figure 1-1. [Figure 1-1 Multiple SVI Misconfiguration; labels: ASA SM, MSFC, VLAN 200, VLAN 100, VLAN 201, Inside...]
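The bypass described on page 100 is easy to introduce and easy to check for mechanically: the MSFC config tells you which VLANs belong to an ASASM firewall group and which VLANs have a live SVI, and any firewall group with two or more MSFC-routed VLANs means the MSFC can route between them without the ASASM in the path. The following audit script is an added example, not Cisco code; SAMPLE_CONFIG is a constructed IOS snippet, and the VLAN numbers, group ID and addresses in it are assumptions.

```python
"""Audit an MSFC (Catalyst 6500 / 7600) configuration for the multiple-SVI
misconfiguration in Figure 1-1: when more than one VLAN in an ASASM
firewall VLAN group also has an active SVI on the MSFC, the MSFC can route
between those VLANs and traffic bypasses the ASASM.

Added example, not Cisco code. SAMPLE_CONFIG is constructed; the VLAN
numbers, group ID and addresses are assumptions.
"""
import re

# Constructed IOS snippet: group 50 holds VLAN 100 (outside) and VLANs
# 200-201 (inside); VLAN 100 and VLAN 201 both have active SVIs, so the
# MSFC can route inside<->outside around the firewall.
SAMPLE_CONFIG = """\
firewall multiple-vlan-interfaces
firewall module 4 vlan-group 50
firewall vlan-group 50 100,200-201
!
interface Vlan100
 ip address 209.165.201.1 255.255.255.224
 no shutdown
!
interface Vlan201
 ip address 10.1.2.1 255.255.255.0
 no shutdown
!
interface Vlan300
 ip address 10.3.0.1 255.255.255.0
 shutdown
"""


def expand_vlan_range(spec):
    """Expand the vlan_range syntax of 'firewall vlan-group', e.g.
    '100,200-201' -> {100, 200, 201}."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_config(text):
    """Return (groups, active_svis): groups maps firewall group ID to its
    VLAN set; active_svis is the set of VLANs whose 'interface VlanN'
    carries an IP address and is not shut down."""
    groups = {}
    svi_state = {}          # vlan -> [has_ip, is_shutdown]
    current = None          # VLAN of the SVI block being parsed
    for raw in text.splitlines():
        line = raw.rstrip()
        m = re.match(r"^firewall vlan-group (\d+) (\S+)$", line)
        if m:
            groups.setdefault(int(m.group(1)), set()).update(
                expand_vlan_range(m.group(2)))
            continue
        m = re.match(r"^interface [Vv]lan(\d+)$", line)
        if m:
            current = int(m.group(1))
            svi_state[current] = [False, False]
            continue
        if not line.startswith(" "):
            current = None          # '!' or another top-level command
            continue
        if current is not None:
            cmd = line.strip()
            if cmd.startswith("ip address "):
                svi_state[current][0] = True
            elif cmd == "shutdown":
                svi_state[current][1] = True
    active = {v for v, (has_ip, shut) in svi_state.items() if has_ip and not shut}
    return groups, active


def find_bypass(groups, active_svis):
    """Return {group_id: [vlans]} for every firewall group in which two
    or more VLANs are routed by the MSFC: the Figure 1-1 bypass."""
    findings = {}
    for gid, vlans in groups.items():
        routed = sorted(vlans & active_svis)
        if len(routed) > 1:
            findings[gid] = routed
    return findings


def audit(config_text):
    groups, active = parse_config(config_text)
    return find_bypass(groups, active)


if __name__ == "__main__":
    for gid, vlans in audit(SAMPLE_CONFIG).items():
        print(f"firewall vlan-group {gid}: MSFC has active SVIs on VLANs "
              f"{vlans}; traffic between them bypasses the ASASM")
```

A finding is not always a fault: page 101 describes deliberately giving the MSFC SVIs on both sides so that IPX can bypass the ASASM. In that case the script's output is the list of VLAN pairs whose MSFC access lists you must verify permit only the non-IP traffic you intended.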

Page 101: ...et segment as IP hosts. Because the ASASM in routed firewall mode only handles IP traffic and drops other protocol traffic like IPX (transparent firewall mode can optionally allow non-IP traffic), you might want to bypass the ASASM for IPX traffic. Make sure that you configure the MSFC with an access list that allows only IPX traffic to pass on VLAN 201. [Figure 1-2 Multiple SVIs for IPX; labels: ASA SM, MSFC, Insi...]

Page 102: ... outside interface. [Figure 1-3 Multiple SVIs in Multiple Context Mode; labels: Context A, Context B, Context C, Admin Context, VLAN 100, VLAN 150-153, VLAN 201-204, Inside Customer A, Inside Customer B, Inside Customer C, Admin Network, Internet.] Configuring SVIs: To add an SVI to the MSFC, perform the following steps. Detailed Steps. Command / Purpose. Step 1 (Optional): firew...

Page 103: ... Router(config)# interface vlan 56 / Router(config-if)# ip address 10.1.2.1 255.255.255.0 / Router(config-if)# no shutdown / Router(config-if)# end / Router#. Configuring the Switch for ASA Failover: This section includes the following topics: Assigning VLANs to the Secondary ASA Services Module, page 1-10; Adding a Trunk Between a Primary Switch and Secondary Switch, page 1-10; Ensuring Compatibility with Transparent...

Page 104: ...SASM is in transparent mode, LoopGuard is automatically applied to the internal EtherChannel between the switch and the ASASM, so after a failover and a failback, LoopGuard causes the secondary unit to be disconnected because the EtherChannel goes into the err-disable state. Enabling Autostate Messaging for Rapid Link Failure Detection: The supervisor engine can send autostate messages to the ASASM abo...

Page 105: ...wing is sample output from the show firewall module mod_num state command. Command / Purpose: hw-module [switch {1 | 2}] module slot reset. Example: Router# hw-module module 9 reset. Resets the ASASM. For a switch in a VSS, enter the switch argument. The slot argument indicates the slot number in which the module is installed. To view the slots where the ASASM is installed, enter the show module command. Note: To rese...

Page 106: ...nknown, input flow-control is on, output flow-control is on. Members in this channel: Gi11/1 Gi11/2 Gi11/3 Gi11/4 Gi11/5 Gi11/6. Last input never, output never, output hang never. Last clearing of "show interface" counters never. Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0. Queueing strategy: fifo. Output queue: 0/40 (size/max). 5 minute input rate 0 bits/sec, 0 packets/sec. 5 minute output rate...

Page 107: ... output rate 0 bits/sec, 0 packets/sec. L2 Switched: ucast: 196 pkt, 13328 bytes - mcast: 4 pkt, 256 bytes. L3 in Switched: ucast: 0 pkt, 0 bytes - mcast: 0 pkt, 0 bytes. mcast L3 out Switched: ucast: 0 pkt, 0 bytes. 0 packets input, 0 bytes, 0 no buffer. Received 0 broadcasts, 0 runts, 0 giants, 0 throttles. 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored. 4 packets output, 256 bytes, 0 underruns. 0 output errors, 0 interface re...

Page 108: ... Cisco ASA Series ASDM Configuration Guide, Chapter 1, Configuring the Switch for Use with the ASA Services Module: Feature History for the Switch for Use with the ASA Services Module ...

Page 109: ...y from the console port. Later, you can configure remote access using Telnet or SSH according to Chapter 1, Configuring Management Access. If your system is already in multiple context mode, then accessing the console port places you in the system execution space. See Chapter 1, Configuring Multiple Context Mode, for more information about multiple context mode. Detailed Steps: Step 1 Connect a PC to the co...

Page 110: ...ices Module Command-Line Interface. For initial configuration, access the command-line interface by connecting to the switch (either to the console port or remotely using Telnet or SSH) and then connecting to the ASASM. This section describes how to access the ASASM CLI and includes the following sections: Logging Into the ASA Services Module, page 1-2; Logging Out of a Console Session, page 1-5; Logging Ou...

Page 111: ...erminal server prompt. If you reconnect the terminal server to the switch, the ASASM console session is still active; you can never exit to the switch prompt. You must use a direct serial connection to return the console to the switch prompt. In this case, either change the terminal server or switch escape character in Cisco IOS, or use the Telnet session command instead. Note: Because of the persistence o...

Page 112: ...itch CLI, enter this command to Telnet to the ASASM over the backplane. For a switch in a VSS, enter the switch argument. Note: The session slot processor 0 command, which is supported on other services modules, is not supported on the ASASM; the ASASM does not have a processor 0. To view the module slot numbers, enter the show module command at the switch prompt. Enter the login password to the ASASM. Set th...

Page 113: ...r as a standalone character, you can temporarily or permanently change the escape character to a different character. In Cisco IOS, before you session to the ASASM, use the terminal escape-character ascii_number command to change it temporarily, or the default escape-character ascii_number command to change it permanently. For example, to temporarily change the sequence to Ctrl-w x, enter terminal escape-charac...

Page 114: ... sequence lets you resume the Telnet session by pressing the Enter key at the switch prompt. To disconnect your Telnet session from the switch, enter disconnect at the switch CLI. If you do not disconnect the session, it will eventually time out according to the ASASM configuration. Configuring ASDM Access for Appliances: ASDM access requires some minimal configuration so you can communicate over the ne...

Page 115: ...ge 1-14. Note: To change to multiple context mode, see the Enabling or Disabling Multiple Context Mode section on page 1-15. After changing to multiple context mode, you can access ASDM from the admin context using the network settings above. Accessing ASDM Using a Non-Default Configuration (ASA 5505): If you do not have a factory default configuration, want to change the configuration, or want to change to ...

Page 116: ...irtual interface and assigns a management VLAN to the bridge group. The security level is a number between 1 and 100, where 100 is the most secure. Step 3: interface ethernet 0/n; switchport access vlan number; no shutdown. Example: hostname(config)# interface ethernet 0/1; hostname(config-if)# switchport access vlan 1; hostname(config-if)# no shutdown. Enables the management switchport and assigns it to the manag...

Page 117: ...92.168.1.5-192.168.1.254 inside / dhcpd enable inside / http server enable / http 192.168.1.0 255.255.255.0 inside. Accessing ASDM Using a Non-Default Configuration (ASA 5510 and Higher): If you do not have a factory default configuration or want to change the firewall or context mode, perform the following steps. Prerequisites: Access the CLI according to the Accessing the Appliance Command-Line Interface sec...

Page 118: ...en 1 and 100, where 100 is the most secure. Step 3 (for directly connected management hosts): dhcpd address ip_address-ip_address interface_name; dhcpd enable interface_name. Example: hostname(config)# dhcpd address 192.168.1.2-192.168.1.254 management; hostname(config)# dhcpd enable management. Enables DHCP for the management host on the management interface network. Make sure you do not include the Management ...

Page 119: ...for ASDM access, you must configure ASDM access using the CLI on the ASASM. To configure the ASASM for ASDM access, perform the following steps. Prerequisites: Assign a VLAN interface to the ASASM according to the Assigning VLANs to the ASA Services Module section on page 1-4. Connect to the ASASM and access global configuration mode according to the Accessing the ASA Services Module Command-Line Interf...

Page 120: ...100, where 100 is the most secure. Transparent mode: interface bvi number; ip address ip_address [mask]; interface vlan number; bridge-group bvi_number; nameif name; security-level level. Example: hostname(config)# interface bvi 1; hostname(config-if)# ip address 192.168.1.1 255.255.255.0; hostname(config)# interface vlan 1; hostname(config-if)# bridge-group 1; hostname(config-if)# nameif inside; hostname(config-if)# security...

Page 121: ...nside. Step 4 (for remote management hosts): route management_ifc management_host_ip mask gateway_ip 1. Example: hostname(config)# route management 10.1.1.0 255.255.255.0 192.168.1.50. Configures a route to the management hosts. Step 5: http server enable. Example: hostname(config)# http server enable. Enables the HTTP server for ASDM. Step 6: http ip_address mask interface_name. Example: hostname(config)# http 192.168... (This command is the access list for the ASDM/HTTPS listener: only the addresses it names on that interface may connect, so scope it to the management subnet rather than opening it to all addresses.)

Page 122: ...how to connect to ASDM initially, and then launch ASDM using the Launcher or the Java Web Start application. This section includes the following topics: Connecting to ASDM for the First Time, page 1-14; Starting ASDM from the ASDM-IDM Launcher, page 1-15; Starting ASDM from the Java Web Start Application, page 1-16; Using ASDM in Demo Mode, page 1-16. Note: ASDM allows multiple PCs or workstations to each hav...

Page 123: ...e the application to your PC when prompted. You can optionally open it instead of saving it. c. See the Starting ASDM from the Java Web Start Application section on page 1-16 to use the Java Web Start application to connect to ASDM. Starting ASDM from the ASDM-IDM Launcher: To start ASDM from the ASDM-IDM Launcher, perform the following steps. Prerequisites: Download the ASDM-IDM Launcher according to the...

Page 124: ...password. The main ASDM window appears. Using ASDM in Demo Mode: The ASDM Demo Mode, a separately installed application, lets you run ASDM without having a live device available. In this mode, you can do the following: perform configuration and selected monitoring tasks via ASDM as though you were interacting with a real device; demonstrate ASDM or ASA features using the ASDM interface; perform configuratio...

Page 125: ... Local PC; System Reload; Toolbar; Status bar; Save Configuration; Interface > Edit Interface > Renew DHCP Lease; Configuring a standby device after failover. Operations that cause a rereading of the configuration, in which the GUI reverts to the original configuration: Switching contexts; Making changes in the Interface pane; NAT pane changes; Clock pane changes. To run ASDM in Demo Mode, perform the following ste...

Page 126: ...r the ASA 5505, a sample transparent mode configuration is provided in this section. Note: In addition to the image files and the hidden default configuration, the following folders and files are standard in flash memory: log/, crypto_archive/, and coredumpinfo/coredump.cfg. The date on these files may not match the date of the image files in flash memory. These files aid in potential troubleshooting; they do...

Page 127: ...de using interface PAT. Command / Purpose. Step 1: configure factory-default [ip_address [mask]]. Example: hostname(config)# configure factory-default 10.1.1.1 255.255.255.0. Restores the factory default configuration. If you specify the ip_address, then you set the inside or management interface IP address, depending on your model, instead of using the default IP address of 192.168.1.1. The http command uses the su...

Page 128: ...ed. Figure 1-1 ASA 5505 Routed Mode. The configuration consists of the following commands:
  interface Ethernet 0/0
   switchport access vlan 2
   no shutdown
  interface Ethernet 0/1
   switchport access vlan 1
   no shutdown
  interface Ethernet 0/2
   switchport access vlan 1
   no shutdown
  interface Ethernet 0/3
   switchport access vlan 1
   no shutdown
  interface Ethernet 0/4
   switchport access vlan 1
   no shutdown
  interface Et...

Page 129: ...rom inside to outside by enabling ICMP inspection. Add the following commands to the default configuration: policy-map global_policy / class inspection_default / inspect icmp. ASA 5505 Transparent Mode Sample Configuration: When you change the mode to transparent mode, the configuration is erased. You can copy and paste the following sample configuration at the CLI to get started. This configuration uses the...

Page 130: ... (continued)
  interface Ethernet 0/5
   switchport access vlan 1
   no shutdown
  interface Ethernet 0/6
   switchport access vlan 1
   no shutdown
  interface Ethernet 0/7
   switchport access vlan 1
   no shutdown
  interface bvi 1
   ip address 192.168.1.1 255.255.255.0
  interface vlan2
   nameif outside
   security-level 0
   bridge-group 1
   no shutdown
  interface vlan1
   nameif inside
   security-level 100
   bridge-group 1
   no shutdown
  http server ena...

Page 131: ...100 / asdm history enable / http server enable / http 192.168.1.0 255.255.255.0 management / dhcpd address 192.168.1.2-192.168.1.254 management / dhcpd lease 3600 / dhcpd ping_timeout 750 / dhcpd enable management. Working with the Configuration: This section describes how to work with the configuration. The ASA loads the configuration from a text file, called the startup configuration. This file resides by default ...

Page 132: ...ime. This section includes the following topics: Saving Each Context and System Separately, page 1-24; Saving All Context Configurations at the Same Time, page 1-25. Saving Each Context and System Separately: To save the system or context configuration, enter the following command within the system or context. Command / Purpose: write memory. Example: hostname# write memory. Saves the running configuration to the...

Page 133: ... the configuration, or in the process of deleting the context. For contexts that are not saved because the startup configuration is read-only (for example, on an HTTP server), the following message report is printed at the end of all other messages: "Unable to save the configuration for the following contexts as these contexts have read-only config-urls: context a, context b, context c." For contexts that are ...

Page 134: ... reload. Command / Purpose: show running-config: Views the running configuration. show running-config command: Views the running configuration of a specific command. show startup-config: Views the startup configuration. Command / Purpose: clear configure configurationcommand [level2configurationcommand]. Example: hostname(config)# clear configure aaa. Clears all the configuration for a specified command. If you only w...

Page 135: ... you make security policy changes to the configuration, all new connections use the new security policy. Existing connections continue to use the policy that was configured at the time of the connection establishment; tightening an access list therefore does not cut off a flow that is already established until that connection is cleared (see the clear conn command). show command output for old connections reflects the old configuration, and in some cases will not include data about the old connections. For example, if you remove a QoS service policy fr...

Page 136: ...on, use the all keyword. To clear connections to and from a particular IP address, use the ip_address argument. clear conn [all] [protocol {tcp | udp}] [address src_ip[-src_ip] [netmask mask]] [port src_port[-src_port]] [address dest_ip[-dest_ip] [netmask mask]] [port dest_port[-dest_port]]. Example: hostname(config)# clear conn all. This command terminates connections in any state. See the show conn command to view all current connec...
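Pages 92 and 135-136 describe one mechanism from two sides: the first packet of a flow is evaluated on the session management path and creates a connection entry, later packets of that flow take the fast path without another access-list lookup, and so a policy change only reaches flows that did not exist yet until the old connections are cleared. The model below walks through exactly that sequence. It is an added example, not Cisco code: the access-list entries, addresses and flows are constructed, the model covers only the address filter of clear conn, and it ignores NAT, inspection and to-the-box traffic.

```python
"""Model of the ASA packet path on page 92 and the policy-change behaviour
on pages 135-136: the first packet of a flow goes through the session
management path (access-list check, session created), later packets of an
established flow take the fast path without an access-list check, and a
policy change therefore affects only new connections until existing ones
are removed with 'clear conn'.

Added example, not Cisco code. The access-list entries, addresses and
flows are constructed; the model covers only the 'address' filter of
'clear conn' and ignores NAT, inspection and to-the-box traffic.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self):
        """Key of the return direction of the same flow."""
        return Packet(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass(frozen=True)
class Ace:
    """One access-list entry: permit/deny proto src dst [eq dst_port]."""
    action: str
    proto: str                  # 'tcp', 'udp' or 'ip'
    src: str                    # CIDR
    dst: str                    # CIDR
    dst_port: Optional[int] = None

    def matches(self, pkt):
        return (self.proto in ("ip", pkt.proto)
                and ip_address(pkt.src_ip) in ip_network(self.src)
                and ip_address(pkt.dst_ip) in ip_network(self.dst)
                and (self.dst_port is None or self.dst_port == pkt.dst_port))


class StatefulFirewall:
    def __init__(self, acl):
        self.acl = list(acl)
        self.conn = {}          # flow key -> policy version that admitted it
        self.version = 1
        self.log = []

    def replace_acl(self, acl):
        """A security policy change: only new connections see it."""
        self.acl = list(acl)
        self.version += 1

    def clear_conn(self, address=None):
        """'clear conn' (all through-the-box connections) or
        'clear conn address <ip>' (connections to or from that address)."""
        victims = [k for k in self.conn
                   if address is None or address in (k.src_ip, k.dst_ip)]
        for k in victims:
            del self.conn[k]
        return len(victims)

    def process(self, pkt):
        """Return (path, verdict) for one packet."""
        # Fast path: either direction of an established session, no ACL check
        if pkt in self.conn or pkt.reverse() in self.conn:
            return ("fast-path", "allow")
        # Session management path: first packet is checked against the ACL,
        # first matching entry wins, implicit deny at the end
        for ace in self.acl:
            if ace.matches(pkt):
                if ace.action == "permit":
                    self.conn[pkt] = self.version
                    return ("session-mgmt", "allow")
                break
        self.log.append(f"deny {pkt.proto} {pkt.src_ip}:{pkt.src_port} -> "
                        f"{pkt.dst_ip}:{pkt.dst_port} (policy v{self.version})")
        return ("session-mgmt", "deny")


def demo():
    """Permit inside -> web, establish a flow, then tighten the policy."""
    fw = StatefulFirewall([Ace("permit", "tcp", "10.1.2.0/24", "0.0.0.0/0", 80)])
    flow = Packet("tcp", "10.1.2.27", 40000, "209.165.200.225", 80)
    steps = [
        fw.process(flow),                 # first packet: session-mgmt, allowed
        fw.process(flow.reverse()),       # server reply: fast path
    ]
    fw.replace_acl([Ace("deny", "ip", "0.0.0.0/0", "0.0.0.0/0")])
    steps.append(fw.process(flow))        # existing flow still passes (old policy)
    steps.append(fw.process(Packet("tcp", "10.1.2.28", 40001,
                                   "209.165.200.225", 80)))  # new flow: denied
    cleared = fw.clear_conn(address="10.1.2.27")
    steps.append(fw.process(flow))        # after clear conn: re-evaluated, denied
    return steps, cleared


if __name__ == "__main__":
    steps, cleared = demo()
    for path, verdict in steps:
        print(f"{path:13s} {verdict}")
    print(f"clear conn address 10.1.2.27 removed {cleared} connection(s)")
```

The third step is the one to remember during an incident: after you push a deny, a connection that an attacker already holds keeps passing on the fast path, and only clearing it (by address, or with clear conn all) forces the next packet back through the session management path where the new access list applies.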

Page 137: ...omizing the MAC Address Table for the Transparent Firewall, page 1-12; Monitoring the Transparent Firewall, page 1-13; Firewall Mode Examples, page 1-14; Feature History for the Firewall Mode, page 1-25. Information About the Firewall Mode: Information About Routed Firewall Mode, page 1-1; Information About Transparent Firewall Mode, page 1-2. Information About Routed Firewall Mode: In routed mode, the ASA is co...

Page 138: ...and is not seen as a router hop to connected devices. Using the Transparent Firewall in Your Network, page 1-2; Bridge Groups, page 1-3; Management Interface (ASA 5510 and Higher), page 1-4; Allowing Layer 3 Traffic, page 1-4; Allowed MAC Addresses, page 1-5; Passing Traffic Not Allowed in Routed Mode, page 1-5; BPDU Handling, page 1-5; MAC Address vs. Route Lookups, page 1-6; ARP Inspection, page 1-6; MAC Address Tabl...

Page 139: ...ur use of security contexts, you can group interfaces together in a bridge group and then configure multiple bridge groups, one for each network. Bridge group traffic is isolated from other bridge groups; traffic is not routed to another bridge group within the ASA, and traffic must exit the ASA before it is routed by an external router back to another bridge group in the ASA. Although the bridging func...

Page 140: ...orks; only traffic on the same network as the management IP address is supported. Management Interface (ASA 5510 and Higher): In addition to each bridge group management IP address, you can add a separate Management slot/port interface that is not part of any bridge group and that allows only management traffic to the ASA. For more information, see the Management Interface section on page 11-2. Allowing La...

Page 141: ...ist for IP traffic, or an EtherType access list for non-IP traffic. Non-IP traffic (for example, AppleTalk, IPX, BPDUs, and MPLS) can be configured to go through using an EtherType access list. Note: The transparent mode ASA does not pass CDP packets, or any packets that do not have a valid EtherType greater than or equal to 0x600. An exception is made for BPDUs and IS-IS, which are supported. Passing T...

Page 142: ...you enable NAT for the inspected traffic, a static route is required to determine the egress interface for the real host address that is embedded in the packet. Affected applications include CTIQBE, DNS, GTP, H.323, MGCP, RTSP, SIP, and Skinny (SCCP). ARP Inspection: By default, all ARP packets are allowed through the ASA. You can control the flow of ARP packets by enabling ARP inspection. When you enable ARP inspect...

Page 143: ...maintains the MAC address-to-VLAN interface mapping for traffic that passes between VLANs. Because the ASA is a firewall, if the destination MAC address of a packet is not in the table, the ASA does not flood the original packet on all interfaces as a normal bridge does. Instead, it generates the following packets for directly connected devices or for remote devices: Packets for directly connected devic...

Page 144: ...f the ASA as the default gateway. The default route for the transparent firewall, which is required to provide a return path for management traffic, is only applied to management traffic from one bridge group network. This is because the default route specifies an interface in the bridge group as well as the router IP address on the bridge group network, and you can only define one default route. If you...

Page 145: ...ill have to reconnect to the ASA using the console port in any case. Set the mode within the context. Table 1-1 Unsupported Features in Transparent Mode (Feature / Description): Dynamic DNS. DHCP relay: The transparent firewall can act as a DHCP server, but it does not support the DHCP relay commands. DHCP relay is not required because you can allow DHCP traffic to pass through using two extended access list...

Page 146: ...dentify a packet destination by an IP address, the actual delivery of the packet on Ethernet relies on the Ethernet MAC address. When a router or host wants to deliver a packet on a directly connected network, it sends an ARP request asking for the MAC address associated with the IP address, and then delivers the packet to the MAC address according to the ARP response. The host or router keeps an ARP t...

Page 147: ... Detailed Steps. Examples: For example, to enable ARP inspection on the outside interface and to drop all non-matching ARP packets, enter the following command: hostname(config)# arp-inspection outside enable no-flood. Command / Purpose: arp interface_name ip_address mac_address. Example: hostname(config)# arp outside 10.1.1.1 0009.7cbe.2100. Adds a static ARP entry. Command / Purpose: arp-inspection interface_name e...

Page 148: ...ts to send traffic to an interface that does not match the static entry, then the ASA drops the traffic and generates a system message. When you add a static ARP entry (see the Adding a Static ARP Entry section on page 1-10), a static MAC address entry is automatically added to the MAC address table. To add a static MAC address to the MAC address table, enter the following command. Setting the MAC Address...
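Pages 142 and 146-148 spread the ARP inspection rules over several fragments, so it helps to see all of the verdicts side by side: a matching static entry forwards, a conflicting entry drops and logs, no entry floods by default or drops with no-flood, and an uninspected interface passes everything. The model below is an added example, not Cisco code; interface names, addresses and MACs are constructed for illustration, except the 10.1.1.1 / 0009.7cbe.2100 pair, which is the page's own static-ARP example.

```python
"""Model of the ASA transparent-firewall ARP inspection behaviour described
on pages 142 and 146-148: with ARP inspection enabled on an interface, an
ARP packet whose sender IP, MAC and ingress interface all match a static
entry is forwarded; one that conflicts with a static entry is dropped and
logged; one with no static entry is flooded (the default) or, with
no-flood, dropped. Adding a static ARP entry also adds a static MAC-table
entry.

Added example, not Cisco code. Interface names, addresses and MACs are
constructed for illustration; the 10.1.1.1 / 0009.7cbe.2100 entry is the
page's own static-ARP example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ArpPacket:
    interface: str      # interface the ARP frame arrived on
    sender_ip: str
    sender_mac: str


@dataclass
class TransparentAsa:
    static_arp: dict = field(default_factory=dict)  # ip -> (interface, mac)
    mac_table: dict = field(default_factory=dict)   # mac -> (interface, kind)
    inspection: dict = field(default_factory=dict)  # interface -> flood flag
    syslog: list = field(default_factory=list)

    def arp(self, interface, ip, mac):
        """'arp <interface> <ip> <mac>': static ARP entry plus, as page 148
        notes, an automatic static MAC-address-table entry."""
        self.static_arp[ip] = (interface, mac.lower())
        self.mac_table[mac.lower()] = (interface, "static")

    def arp_inspection(self, interface, enable=True, flood=True):
        """'arp-inspection <interface> {enable [flood | no-flood] | disable}'."""
        if enable:
            self.inspection[interface] = flood
        else:
            self.inspection.pop(interface, None)

    def handle_arp(self, pkt):
        """Return 'forward', 'flood' or 'drop' for an inbound ARP packet."""
        if pkt.interface not in self.inspection:
            return "forward"                # inspection off: all ARP passes
        entry = self.static_arp.get(pkt.sender_ip)
        if entry is None:
            # No static entry for this IP: flood by default, drop if no-flood
            return "flood" if self.inspection[pkt.interface] else "drop"
        exp_if, exp_mac = entry
        if exp_if == pkt.interface and exp_mac == pkt.sender_mac.lower():
            return "forward"
        self.syslog.append(
            f"ARP mismatch on {pkt.interface}: {pkt.sender_ip} claimed "
            f"{pkt.sender_mac}; static entry is {exp_mac} on {exp_if}; dropped")
        return "drop"


def demo():
    """Walk the cases a practitioner would test after enabling inspection."""
    asa = TransparentAsa()
    asa.arp("outside", "10.1.1.1", "0009.7cbe.2100")
    asa.arp_inspection("outside", enable=True, flood=False)  # no-flood
    asa.arp_inspection("inside", enable=True, flood=True)    # default flood
    results = {
        "legit": asa.handle_arp(ArpPacket("outside", "10.1.1.1", "0009.7cbe.2100")),
        "spoofed_mac": asa.handle_arp(ArpPacket("outside", "10.1.1.1", "00de.adbe.ef00")),
        "wrong_interface": asa.handle_arp(ArpPacket("inside", "10.1.1.1", "0009.7cbe.2100")),
        "unknown_no_flood": asa.handle_arp(ArpPacket("outside", "10.1.1.77", "0011.2233.4455")),
        "unknown_flood": asa.handle_arp(ArpPacket("inside", "10.1.1.77", "0011.2233.4455")),
        "uninspected": asa.handle_arp(ArpPacket("dmz", "10.1.1.1", "00de.adbe.ef00")),
    }
    return results, asa


if __name__ == "__main__":
    res, asa = demo()
    for case, verdict in res.items():
        print(f"{case:17s} -> {verdict}")
    print("\n".join(asa.syslog))
```

The unknown_no_flood case is the operational caveat: with no-flood, any host that must be resolved across the firewall and has no static entry silently loses connectivity, so the static ARP table has to be complete before you turn flooding off, and the spoof cases show why it is worth doing for the gateway and other fixed hosts.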

Page 149: ...s Table: You can view the entire MAC address table (including static and dynamic entries for both interfaces), or you can view the MAC address table for an interface. To view the MAC address table, enter the following command. Examples: The following is sample output from the show mac-address-table command that shows the entire table: hostname# show mac-address-table / interface  mac address  type  Time Left / out...

Page 150: ...s of how traffic moves through the ASA and includes the following topics: How Data Moves Through the ASA in Routed Firewall Mode, page 1-14; How Data Moves Through the Transparent Firewall, page 1-20. How Data Moves Through the ASA in Routed Firewall Mode: This section describes how data moves through the ASA in routed firewall mode and includes the following topics: An Inside User Visits a Web Server, pa...

Page 151: ... 3. The ASA translates the local source address (10.1.2.27) to the global address 209.165.201.10, which is on the outside interface subnet. The global address could be on any subnet, but routing is simplified when it is on the outside interface subnet. 4. The ASA then records that a session is established and forwards the packet from the outside interface. 5. When www.example.com responds to the request, the...

Page 152: ...the packet and untranslates the destination address to the local address 10.1.1.3. 3. Because it is a new session, the ASA verifies that the packet is allowed according to the terms of the security policy (access lists, filters, AAA). For multiple context mode, the ASA first classifies the packet to a context. 4. The ASA then adds a session entry to the fast path and forwards the packet from the DMZ interfac...

Page 153: ...ASA verifies that the packet is allowed according to the terms of the security policy (access lists, filters, AAA). For multiple context mode, the ASA first classifies the packet to a context. 3. The ASA then records that a session is established and forwards the packet out of the DMZ interface. 4. When the DMZ web server responds to the request, the packet goes through the fast path, which lets the packet by...

Page 154: ... inside network without NAT. The outside user might attempt to reach an inside user by using an existing NAT session. 2. The ASA receives the packet, and because it is a new session, the ASA verifies if the packet is allowed according to the security policy (access lists, filters, AAA). 3. The packet is denied, and the ASA drops the packet and logs the connection attempt. If the outside user is attempting to a...

Page 155: ...see Figure 1-7. 1. A user on the DMZ network attempts to reach an inside host. Because the DMZ does not have to route the traffic on the Internet, the private addressing scheme does not prevent routing. 2. The ASA receives the packet, and because it is a new session, the ASA verifies if the packet is allowed according to the security policy (access lists, filters, AAA). The packet is denied, and the ASA drops t...

Page 156: ... access list lets the outside users access only the web server on the inside network Figure 1 8 Typical Transparent Firewall Data Path This section describes how data moves through the ASA and includes the following topics An Inside User Visits a Web Server page 1 21 An Inside User Visits a Web Server Using NAT page 1 22 An Outside User Visits a Web Server on the Inside Network page 1 23 An Outsid...

Page 157: ...security policy access lists filters AAA For multiple context mode the ASA first classifies the packet to a context 3 The ASA records that a session is established 4 If the destination MAC address is in its table the ASA forwards the packet out of the outside interface The destination MAC address is that of the upstream router 209 165 201 2 If the destination MAC address is not in the ASA table th...

Page 158: ...address is not on the same network as the outside interface, then be sure the upstream router has a static route to the mapped network that points to the ASA. 4. The ASA then records that a session is established and forwards the packet from the outside interface. 5. If the destination MAC address is in its table, the ASA forwards the packet out of the outside interface. The destination MAC address is t...

Page 159: ...security policy (access lists, filters, AAA). For multiple context mode, the ASA first classifies the packet to a context. 3. The ASA records that a session is established. 4. If the destination MAC address is in its table, the ASA forwards the packet out of the inside interface. The destination MAC address is that of the downstream router, 209.165.201.1. If the destination MAC address is not in the ASA table...

Page 160: ...the packet and adds the source MAC address to the MAC address table, if required. Because it is a new session, it verifies if the packet is allowed according to the terms of the security policy (access lists, filters, AAA). For multiple context mode, the ASA first classifies the packet to a context. 3. The packet is denied because there is no access list permitting the outside host, and the ASA drops the pack...

Page 161: ...roduced the following commands: mac-address-table static, mac-address-table aging-time, mac-learn disable, and show mac-address-table. Transparent firewall bridge groups 8.4(1): If you do not want the overhead of security contexts, or want to maximize your use of security contexts, you can group interfaces together in a bridge group, and then configure multiple bridge groups, one for each network. Bridge grou...

Page 162: ...1-26 Cisco ASA Series CLI Configuration Guide, Chapter 1, Configuring the Transparent or Routed Firewall, Feature History for the Firewall Mode...

Page 163: ...ting.html. This chapter includes the following sections: Supported Feature Licenses Per Model, page 1-1; Information About Feature Licenses, page 1-23; Guidelines and Limitations, page 1-33; Configuring Licenses, page 1-35; Monitoring Licenses, page 1-40; Feature History for Licensing, page 1-50. Supported Feature Licenses Per Model: This section describes the licenses available for each model, as well as importa...

Page 164: ...page 1-17. Items that are in italics are separate, optional licenses that can replace the Base or Security Plus license version. You can mix and match licenses, for example, the 24 Unified Communications license plus the Strong Encryption license; or the 500 AnyConnect Premium license plus the GTP/GPRS license; or all four licenses together. If you have a No Payload Encryption model, then some of the featu...

Page 165: ...Premium, then the total is the AnyConnect Premium value plus the Other VPN value, not to exceed 25 sessions (up to 25). VPN Load Balancing: No support / No support. General Licenses. Encryption: Base (DES); Opt. lic.: Strong (3DES/AES) / Base (DES); Opt. lic.: Strong (3DES/AES). Failover: No support / Active/Standby (no stateful failover). Security Contexts: No support / No support. Clustering: No support / No support. Inside Hosts (concurre...

Page 166: ...Optional license: Available (250 sessions). AnyConnect for Mobile: Disabled; Optional license: Available / Disabled; Optional license: Available. AnyConnect Premium sessions: 2; Optional Perm. or Time-based lic.: 10, 25, 50, 100, 250 / 2; Optional Perm. or Time-based lic.: 10, 25, 50, 100, 250. Optional Shared licenses: Participant or Server. For the Server: 500-50,000 ... / Optional Shared licenses: Participant or Server. For the Server: 500-50,000 ...

Page 167: ...ed; Optional license: Available. AnyConnect for Cisco VPN Phone: Disabled; Optional license: Available. AnyConnect Essentials: Disabled; Optional license: Available (750 sessions). AnyConnect for Mobile: Disabled; Optional license: Available. AnyConnect Premium sessions: 2; Optional Permanent or Time-based licenses: 10, 25, 50, 100, 250, 500, 750. Optional Shared licenses: Participant or Server. For the Server: 500-50,000 in i...

Page 168: ...ional license: Available. AnyConnect for Cisco VPN Phone: Disabled; Optional license: Available. AnyConnect Essentials: Disabled; Optional license: Available (2500 sessions). AnyConnect for Mobile: Disabled; Optional license: Available. AnyConnect Premium sessions: 2; Optional Permanent or Time-based licenses: 10, 25, 50, 100, 250, 500, 750, 1000, 2500. Optional Shared licenses: Participant or Server. For the Server: 500-50,000...

Page 169: ...nal license: Available. AnyConnect for Cisco VPN Phone: Disabled; Optional license: Available. AnyConnect Essentials: Disabled; Optional license: Available (5000 sessions). AnyConnect for Mobile: Disabled; Optional license: Available. AnyConnect Premium sessions: 2; Optional Permanent or Time-based licenses: 10, 25, 50, 100, 250, 500, 750, 1000, 2500, 5000. Optional Shared licenses: Participant or Server. For the Server: 500-50...

Page 170: ...ssions is 5000. VPN Licenses. Adv. Endpoint Assessment: Disabled; Optional license: Available. AnyConnect for Cisco VPN Phone: Disabled; Optional license: Available. AnyConnect Essentials: Disabled; Optional license: Available (10000 sessions). AnyConnect for Mobile: Disabled; Optional license: Available. AnyConnect Premium sessions: 2; Optional Permanent or Time-based licenses: 10, 25, 50, 100, 250, 500, 750, 1000, 2500, 5000, 10...

Page 171: ...sabled; Optional license: Available. AnyConnect Essentials: Disabled; Optional license: Available (250 sessions) / Disabled; Optional license: Available (250 sessions). AnyConnect for Mobile: Disabled; Optional license: Available / Disabled; Optional license: Available. AnyConnect Premium sessions: 2; Optional Perm. or Time-based lic.: 10, 25, 50, 100, 250 / 2; Optional Perm. or Time-based lic.: 10, 25, 50, 100, 250. Optional Shared licens...

Page 172: ...Available. AnyConnect for Cisco VPN Phone: Disabled; Optional license: Available. AnyConnect Essentials: Disabled; Optional license: Available (250 sessions). AnyConnect for Mobile: Disabled; Optional license: Available. AnyConnect Premium sessions: 2; Optional Permanent or Time-based licenses: 10, 25, 50, 100, 250. Optional Shared licenses: Participant or Server. For the Server: 500-50,000 in increments of 500; 50,000-545...

Page 173: ...ailable. AnyConnect for Cisco VPN Phone: Disabled; Optional license: Available. AnyConnect Essentials: Disabled; Optional license: Available (750 sessions). AnyConnect for Mobile: Disabled; Optional license: Available. AnyConnect Premium sessions: 2; Optional Permanent or Time-based licenses: 10, 25, 50, 100, 250, 500, 750. Optional Shared licenses: Participant or Server. For the Server: 500-50,000 in increments of 500; 50,00...

Page 174: ...le. AnyConnect for Cisco VPN Phone: Disabled; Optional license: Available. AnyConnect Essentials: Disabled; Optional license: Available (2500 sessions). AnyConnect for Mobile: Disabled; Optional license: Available. AnyConnect Premium sessions: 2; Optional Permanent or Time-based licenses: 10, 25, 50, 100, 250, 500, 750, 1000, 2500. Optional Shared licenses: Participant or Server. For the Server: 500-50,000 in increments of 500...

Page 175: ...e. AnyConnect for Cisco VPN Phone: Disabled; Optional license: Available. AnyConnect Essentials: Disabled; Optional license: Available (5000 sessions). AnyConnect for Mobile: Disabled; Optional license: Available. AnyConnect Premium sessions: 2; Optional Permanent or Time-based licenses: 10, 25, 50, 100, 250, 500, 750, 1000, 2500, 5000. Optional Shared licenses: Participant or Server. For the Server: 500-50,000 in increments of...

Page 176: ...al licenses: 24, 50, 100, 250, 500, 750, 1000, 2000, 3000. VPN Licenses. Adv. Endpoint Assessment: Disabled; Optional license: Available. AnyConnect for Cisco VPN Phone: Disabled; Optional license: Available. AnyConnect Essentials: Disabled; Optional license: Available (5000 sessions). AnyConnect for Mobile: Disabled; Optional license: Available. AnyConnect Premium sessions: 2; Optional Permanent or Time-based licenses: 10, 25, 50...

Page 177: ...ssion UC license, the total combined sessions can be 10,000, but the maximum number of Phone Proxy sessions is 5000. VPN Licenses. Adv. Endpoint Assessment: Disabled; Optional license: Available. AnyConnect for Cisco VPN Phone: Disabled; Optional license: Available. AnyConnect Essentials: Disabled; Optional license: Available (10,000 sessions). AnyConnect for Mobile: Disabled; Optional license: Available. AnyConnect Pre...

Page 178: ...500, 750, 1000, 2000, 3000, 5000, 10,000 (1). 1. With the 10,000 session UC license, the total combined sessions can be 10,000, but the maximum number of Phone Proxy sessions is 5000. VPN Licenses. Adv. Endpoint Assessment: Disabled; Optional license: Available. AnyConnect for Cisco VPN Phone: Disabled; Optional license: Available. AnyConnect Essentials: Disabled; Optional license: Available (10,000 sessions). AnyConnect for M...

Page 179: ...ber of Phone Proxy sessions is 5000. VPN Licenses. Adv. Endpoint Assessment: Disabled; Optional license: Available. AnyConnect for Cisco VPN Phone: Disabled; Optional license: Available. AnyConnect Essentials: Disabled; Optional license: Available (10,000 sessions). AnyConnect for Mobile: Disabled; Optional license: Available. AnyConnect Premium sessions: 2; Optional Permanent or Time-based licenses: 10, 25, 50, 100, 250, 500...

Page 180: ...he AnyConnect client software offers the same set of client features, whether it is enabled by this license or an AnyConnect Premium license. The AnyConnect Essentials license cannot be active at the same time as the following licenses on a given ASA: AnyConnect Premium license (all types) or the Advanced Endpoint Assessment license. You can, however, run AnyConnect Essentials and AnyConnect Premium licen...

Page 181: ...ile device. AnyConnect Essentials License Functionality: Enable or disable mobile device access on a per group basis, and configure that feature using ASDM. Display information about connected mobile devices via CLI or ASDM, without having the ability to enforce DAP policies or deny or allow remote access to those mobile devices. AnyConnect Premium: AnyConnect Premium sessions include the following VP...

Page 182: ...K9 refer to whether the license is restricted for export: K8 is unrestricted, and K9 is restricted. You might also use SRTP encryption sessions for your connections. For a K8 license, SRTP sessions are limited to 250. For a K9 license, there is no limit. Note: Only calls that require encryption/decryption for media are counted toward the SRTP limit; if passthrough is set for the call, even if both legs are S...

Page 183: ...VPN sessions add up to more than the maximum VPN AnyConnect and Other VPN sessions, the combined sessions should not exceed the VPN session limit. If you exceed the maximum VPN sessions, you can overload the ASA, so be sure to size your network appropriately. If you start a clientless SSL VPN session and then start an AnyConnect client session from the portal, 1 session is used in total. However, if you s...

Page 184: ...der 250 users, TLS proxy sessions are limited to 1000. For license part numbers ending in K9 (for example, licenses 250 users or larger), the TLS proxy limit depends on the configuration, up to the model limit. K8 and K9 refer to whether the license is restricted for export: K8 is unrestricted, and K9 is restricted. If you clear the configuration using the clear configure all command, for example, then the TLS...

Page 185: ...s value encodes the serial number (an 11 character string) and the enabled features. This section includes the following topics: Preinstalled License, page 1-24; Permanent License, page 1-24; Time-Based Licenses, page 1-24; Shared AnyConnect Premium Licenses, page 1-27. Table 1-17 VPN License and Feature Compatibility. Supported with: Enable one of the following licenses (1). 1. You can only have one license type a...

Page 186: ...icense that has a time limit. For example, you might buy a time-based AnyConnect Premium license to handle short-term surges in the number of concurrent SSL VPN users, or you might order a Botnet Traffic Filter time-based license that is valid for 1 year. This section includes the following topics: Time-Based License Activation Guidelines, page 1-24; How the Time-Based License Timer Works, page 1-25; How P...

Page 187: ...Note: Even when the permanent license is used, if the time-based license is active, it continues to count down. Table 1-18 Time-Based License Combination Rules. Time-Based Feature / Combined License Rule. AnyConnect Premium Sessions: The higher value is used, either time-based or permanent. For example, if the permanent license is 1000 sessions, and the time-based license is 2500 sessions, then 2500 sessions a...

Page 188: ...al (for example, a 1000 session AnyConnect Premium license vs. a 2500 session license), then the licenses are not combined. Because only one time-based license per feature can be active, only one of the licenses can be active. See the Activating or Deactivating Keys section on page 1-36 for more information about activating licenses. Although non-identical licenses do not combine, when the current license e...

Page 189: ...ver, and obtain a shared licensing participant license for each device, using each device serial number. 3. (Optional) Designate a second ASA as a shared licensing backup server. You can only specify one backup server. Note: The shared licensing backup server only needs a participant license. 4. Configure a shared secret on the shared licensing server; any participants with the shared secret can use the share...

Page 190: ...sessions, the server responds with as many sessions as can be reassigned to that participant. Information About the Shared Licensing Backup Server: The shared licensing backup server must register successfully with the main shared licensing server before it can take on the backup role. When it registers, the main shared licensing server syncs server settings as well as the shared license information wi...

Page 191: ...an have a second pair of units acting as the backup server, if desired. For example, you have a network with 2 failover pairs. Pair 1 includes the main licensing server. Pair 2 includes the backup server. When the primary unit from Pair 1 goes down, the standby unit immediately becomes the new main licensing server. The backup server from Pair 2 never gets used. Only if both units in Pair 1 go down does th...

Page 192: ...n a standby unit that only has the Base license. Encryption license: Both units must have the same encryption license. IPS module license (for the ASA 5512-X through ASA 5555-X): The IPS module license lets you run the IPS software module on the ASA. You must also purchase a separate IPS signature subscription for each unit. To obtain IPS signature support, you must purchase the ASA with IPS pre-installed...

Page 193: ...fault 2 contexts. The combined license allows 152 contexts to be divided up amongst the four cluster members. Therefore, you can configure up to 38 contexts on the master unit; each slave unit will also have 38 contexts through configuration replication. For licenses that have a status of enabled or disabled, the license with the enabled status is used. For time-based licenses that are enabled or di...

Page 194: ...eks on the primary/master and 46 weeks on the secondary/slave. Upgrading Failover Pairs: Because failover pairs do not require the same license on both units, you can apply new licenses to each unit without any downtime. If you apply a permanent license that requires a reload (see Table 1-19 on page 1-36), then you can fail over to the other unit while you reload. If both units require reloading, then you...

Page 195: ...primary license when it becomes active. In the case where you also have a separate license on the secondary unit (for example, if you purchased matching licenses for pre-8.3 software), the licenses are combined into a running failover cluster license, up to the model limits. Q. Can I use a time-based or permanent AnyConnect Premium license in addition to a shared AnyConnect Premium license? A. Yes. The share...

Page 196: ...er. If you have a new system and do not have an earlier activation key, then you need to request a new activation key compatible with the earlier version. Downgrading to Version 8.2 or earlier: Version 8.3 introduced more robust time-based key usage, as well as failover license changes. If you have more than one time-based activation key active when you downgrade, only the most recently activated time-ba...

Page 197: ...ing an Activation Key, page 1-35; Activating or Deactivating Keys, page 1-36; Configuring a Shared License, page 1-37. Obtaining an Activation Key: To obtain an activation key, you need a Product Authorization Key, which you can purchase from your Cisco account representative. You need to purchase a separate Product Activation Key for each feature license. For example, if you have the Base License, you can pur...

Page 198: ...with earlier versions if you downgrade. However, if you activate feature licenses that were introduced in 8.2 or later, then the activation key is not backwards compatible. If you have an incompatible license key, then see the following guidelines: If you previously entered an activation key in an earlier version, then the ASA uses that key (without any of the new licenses you activated in Version 8.2 or...

Page 199: ...space between each element. The leading 0x specifier is optional; all values are assumed to be hexadecimal. You can install one permanent key and multiple time-based keys. If you enter a new permanent key, it overwrites the already installed one. The activate and deactivate keywords are available for time-based keys only. If you do not enter any value, activate is the default. The last time-based key that...

Page 200: ...license-server refresh-interval 100. Sets the refresh interval, between 10 and 300 seconds; this value is provided to participants to set how often they should communicate with the server. The default is 30 seconds. Step 3 (Optional) license-server port port. Example: hostname(config)# license-server port 40000. Sets the port on which the server listens for SSL connections from participants, between 1 and 6553...

Page 201: ...ddress 10.1.1.1 secret farscape; hostname(config)# license-server backup enable inside; hostname(config)# license-server backup enable dmz. What to Do Next: See the Configuring the Shared Licensing Participant section on page 1-39. Configuring the Shared Licensing Participant: This section configures a shared licensing participant to communicate with the shared licensing server. Command / Purpose. Step 1 licens...

Page 202: ...scribes how to view your current license and, for time-based activation keys, how much time the license has left. Guidelines: If you have a No Payload Encryption model, then when you view the license, VPN and Unified Communications licenses will not be listed. See the No Payload Encryption Models section on page 1-32 for more information. Command / Purpose. Step 1 license-server address address secret secret [port...

Page 203: ...rpetual; AnyConnect Essentials: Disabled, perpetual; Other VPN Peers: 750, perpetual; Total VPN Peers: 750, perpetual; Shared License: Enabled, perpetual; Shared AnyConnect Premium Peers: 12000, perpetual; AnyConnect for Mobile: Disabled, perpetual; AnyConnect for Cisco VPN Phone: Disabled, perpetual; Advanced Endpoint Assessment: Disabled, perpetual; UC Phone Proxy Sessions: 12, 62 days; Total UC Proxy Sessions: 12, 62 days; B...

Page 204: ...VPN Peers: 25, perpetual; AnyConnect for Mobile: Disabled, perpetual; AnyConnect for Cisco VPN Phone: Disabled, perpetual; Advanced Endpoint Assessment: Disabled, perpetual; UC Phone Proxy Sessions: 2, perpetual; Total UC Proxy Sessions: 2, perpetual; Botnet Traffic Filter: Enabled, 39 days; Intercompany Media Engine: Disabled, perpetual. This platform has an ASA 5505 Security Plus license. Running Permanent Activation Ke...

Page 205: ...4b8b8 0xc4594f9c. Running Timebased Activation Key: 0xa821d549 0x35725fe4 0xc918b97b 0xce0b987b 0x47c7c285. Licensed features for this platform: Maximum Physical Interfaces: Unlimited, perpetual; Maximum VLANs: 150, perpetual; Inside Hosts: Unlimited, perpetual; Failover: Active/Active, perpetual; VPN-DES: Enabled, perpetual; VPN-3DES-AES: Enabled, perpetual; Security Contexts: 12, perpetual; GTP/GPRS: Enabled, perpetual; An...

Page 206: ...tual; AnyConnect for Mobile: Disabled, perpetual; AnyConnect for Cisco VPN Phone: Disabled, perpetual; Advanced Endpoint Assessment: Disabled, perpetual; UC Phone Proxy Sessions: 2, perpetual; Total UC Proxy Sessions: 2, perpetual; Botnet Traffic Filter: Disabled, perpetual; Intercompany Media Engine: Disabled, perpetual. The flash permanent activation key is the SAME as the running permanent key. Active Timebased Activ...

Page 207: ...xy Sessions: 2, perpetual; Total UC Proxy Sessions: 2, perpetual; Botnet Traffic Filter: Disabled, perpetual; Intercompany Media Engine: Disabled, perpetual. This platform has an ASA 5520 VPN Plus license. Failover cluster licensed features for this platform: Maximum Physical Interfaces: Unlimited, perpetual; Maximum VLANs: 150, perpetual; Inside Hosts: Unlimited, perpetual; Failover: Active/Active, perpetual; VPN-DES: Enab...

Page 208: ...d licenses. The Failover Cluster license, which is the combined licenses from the primary and secondary units. This is the license that is actually running on the ASA. The values in this license that reflect the combination of the primary and secondary licenses are in bold. The primary unit installed time-based licenses (active and inactive). hostname# show activation-key. Serial Number: SAL144705BF. Running P...

Page 209: ...me# show activation-key detail. Serial Number: SAD143502E3. Running Permanent Activation Key: 0xf404c46a 0xb8e5bd84 0x28c1b900 0x92eca09c 0x4e2a0683. Licensed features for this platform: Maximum Interfaces: 1024, perpetual; Inside Hosts: Unlimited, perpetual; Failover: Active/Active, perpetual; DES: Enabled, perpetual; 3DES-AES: Enabled, perpetual; Security Contexts: 25, perpetual; GTP/GPRS: Disabled, perpetual; Botnet Traff...

Page 210: ...d, perpetual. This platform has an ASA 5510 Security Plus license. Failover cluster licensed features for this platform: Maximum Physical Interfaces: Unlimited, perpetual; Maximum VLANs: 100, perpetual; Inside Hosts: Unlimited, perpetual; Failover: Active/Active, perpetual; Encryption-DES: Enabled, perpetual; Encryption-3DES-AES: Enabled, perpetual; Security Contexts: 4, perpetual; GTP/GPRS: Disabled, perpetual; AnyConnect P...

Page 211: ...ail command on the license server: hostname# show shared license detail. Backup License Server Info: Device ID: ABCD; Address: 10.1.1.2; Registered: NO; HA peer ID: EFGH; Registered: NO. Messages (Tx/Rx/Error): Hello 0/0/0; Sync 0/0/0; Update 0/0/0. Shared license utilization: SSLVPN: Total for network: 500. Command / Purpose: show shared license [detail | client [hostname] | backup]. Shows shared license statistics. Optional keyword...

Page 212: ...y for Licensing. Feature Name / Platform Releases / Feature Information. Increased Connections and VLANs 7.0(5): Increased the following limits: ASA5510 Base license connections from 32000 to 5000, VLANs from 0 to 10; ASA5510 Security Plus license connections from 64000 to 130000, VLANs from 10 to 25; ASA5520 connections from 130000 to 280000, VLANs from 25 to 100; ASA5540 connections from 280000 to 400000, VLANs...

Page 213: ...net ports for both licenses. Note: The interface names remain Ethernet 0/0 and Ethernet 0/1. Use the speed command to change the speed on the interface, and use the show interface command to see what speed is currently configured for each interface. Advanced Endpoint Assessment License 8.0(2): The Advanced Endpoint Assessment license was introduced. As a condition for the completion of a Cisco AnyConnect...

Page 214: ...ct Essentials License 8.2(1): The AnyConnect Essentials License was introduced. This license enables AnyConnect VPN client access to the ASA. This license does not support browser-based SSL VPN access or Cisco Secure Desktop. For these features, activate an AnyConnect Premium license instead of the AnyConnect Essentials license. Note: With the AnyConnect Essentials license, VPN users can use a Web browser...

Page 215: ...for both units is the combined license from the primary and secondary units. We modified the following commands: show activation-key and show version. Stackable time-based licenses 8.3(1): Time-based licenses are now stackable. In many cases, you might need to renew your time-based license and have a seamless transition from the old license to the new one. For features that are only available with a time...

Page 216: ...5580-20: 1,000,000 to 2,000,000; ASA 5580-40: 2,000,000 to 4,000,000; ASA 5585-X with SSP-10: 750,000 to 1,000,000; ASA 5585-X with SSP-20: 1,000,000 to 2,000,000; ASA 5585-X with SSP-40: 2,000,000 to 4,000,000; ASA 5585-X with SSP-60: 2,000,000 to 10,000,000. AnyConnect Premium SSL VPN license changed to AnyConnect Premium license 8.4(1): The AnyConnect Premium SSL VPN license name was changed to the AnyConnec...

Page 217: ...software module on the ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X requires the IPS module license. Clustering license for the ASA 5580 and ASA 5585-X 9.0(1): A clustering license was added for the ASA 5580 and ASA 5585-X. Support for VPN on the ASASM 9.0(1): The ASASM now supports all VPN features. Unified communications support on the ASASM 9.0(1): The ASASM now supports all Unified Commu...

Page 218: ...1-56 Cisco ASA Series CLI Configuration Guide, Chapter 1, Managing Feature Licenses, Feature History for Licensing...

Page 219: ...PART 2: Configuring High Availability and Scalability...

Page 221: ...History for Multiple Context Mode, page 1-41. Information About Security Contexts: You can partition a single ASA into multiple virtual devices, known as security contexts. Each context acts as an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone devices. For unsupported features in multiple context mode, see the Gui...

Page 222: ...istrator adds and manages contexts by configuring each context configuration location, allocated interfaces, and other context operating parameters in the system configuration, which, like a single mode configuration, is the startup configuration. The system configuration identifies basic settings for the ASA. The system configuration does not include any network interfaces or network settings for itself...

Page 223: ...is used for classification. The routing table is not used for packet classification. Unique Interfaces: If only one context is associated with the ingress interface, the ASA classifies the packet into that context. In transparent firewall mode, unique interfaces for contexts are required, so this method is used to classify packets at all times. Unique MAC Addresses: If multiple contexts share an interface...

Page 224: ...B includes the MAC address to which the router sends the packet. Figure 1-1 Packet Classification with a Shared Interface Using MAC Addresses [figure: Classifier; Context A, Context B, Admin Context; shared interface GE 0/0.1 with MACs 000C.F142.4CDC, 000C.F142.4CDB, 000C.F142.4CDA; context interfaces GE 0/1.3, GE 0/1.2, GE 0/1.1; hosts 209.165.201.1, 209.165.200.225, 209.165.202.129; packet destination 209.165.201.1 via MAC 00...]

Page 225: ...on the Context B inside network accessing the Internet. The classifier assigns the packet to Context B because the ingress interface is Gigabit Ethernet 0/1.3, which is assigned to Context B. Figure 1-2 Incoming Traffic from Inside Networks [figure: Host 10.1.1.13 on each inside network; Classifier; Context A, Context B, Admin Context; GE 0/1.3, GE 0/1.2, GE 0/0.1, GE 0/1.1; Inside Customer A, Inside Customer B...]

Page 226: ...d cascading contexts, the outside interface of one context is the same interface as the inside interface of another context. You might want to cascade contexts if you want to simplify the configuration of some contexts by configuring shared parameters in the top context. Note: Cascading contexts requires unique MAC addresses for each context interface (the default setting). Because of the limitations of...

Page 227: ...le, you access the system execution space, which means that any commands you enter affect only the system configuration or the running of the system (for run-time commands). Access the admin context using Telnet, SSH, or ASDM. See Chapter 1, Configuring Management Access, to enable Telnet, SSH, and ASDM access. As the system administrator, you can access all contexts. When you change to a context from admin or t...

Page 228: ...ces, which are disabled by default. If you find that one or more contexts use too many resources, and they cause other contexts to be denied connections, for example, then you can configure resource management to limit the use of resources per context. For VPN resources, you must configure resource management to allow any VPN tunnels. This section includes the following topics: Resource Classes, page 1-8; Re...

Page 229: ...class other than the default class, those class settings always override the default class settings. However, if the other class has any settings that are not defined, then the member context uses the default class for those limits. For example, if you create a class with a 2 percent limit for all concurrent connections, but no other limits, then all other limits are inherited from the default class. Conv...

Page 230: ...100 percent of a resource across all contexts, with the exception of non-burst VPN resources. For example, you can set the Bronze class to limit connections to 20 percent per context, and then assign 10 contexts to the class for a total of 200 percent. If contexts concurrently use more than the system limit, then each context gets less than the 20 percent you intended. (See Figure 1-6.) Figure 1-6 Resource...

Page 231: ...rol over how much you oversubscribe the system. Figure 1-7 Unlimited Resources. Information About MAC Addresses: To allow contexts to share interfaces, you should assign unique MAC addresses to each shared context interface. The MAC address is used to classify packets within a context. If you share an interface, but do not have unique MAC addresses for the interface in each context, then other classificat...

Page 232: ...eenable MAC address autogeneration to use a prefix. Interaction with Manual MAC Addresses: If you manually assign a MAC address and also enable auto-generation, then the manually assigned MAC address is used. If you later remove the manual MAC address, the auto-generated address is used. Because auto-generated addresses (when using a prefix) start with A2, you cannot start manual MAC addresses with A2 if y...

Page 233: ...enses: 5, 10, 20, 50, or 100 contexts. ASA 5580: Base License: 2 contexts; Optional licenses: 5, 10, 20, 50, 100, or 250 contexts. ASA 5512-X: Base License: No support; Security Plus License: 2 contexts; Optional license: 5 contexts. ASA 5515-X: Base License: 2 contexts; Optional license: 5 contexts. ASA 5525-X: Base License: 2 contexts; Optional licenses: 5, 10, or 20 contexts. ASA 5545-X: Base License: 2 contexts; Optional licenses...

Page 234: ...ive/Active mode failover is only supported in multiple context mode. IPv6 Guidelines: Supports IPv6. Note: Cross-context IPv6 routing is not supported. Model Guidelines: Does not support the ASA 5505. Unsupported Features: Multiple context mode does not support the following features: RIP; OSPFv3 (OSPFv2 is supported); Multicast routing; Threat Detection; Unified Communications; QoS; Remote access VPN; Site-to-site...

Page 235: ...y Context, page 1-20; Automatically Assigning MAC Addresses to Context Interfaces, page 1-25. Task Flow for Configuring Multiple Context Mode: To configure multiple context mode, perform the following steps. Step 1 Enable multiple context mode. See the Enabling or Disabling Multiple Context Mode section on page 1-16. Step 2 (Optional) Configure classes for resource management. See the Configuring a Class for...

Page 236: ...directory of the internal flash memory. The original running configuration is saved as old_running.cfg in the root directory of the internal flash memory. The original startup configuration is not saved. The ASA automatically adds an entry for the admin context to the system configuration with the name admin. Prerequisites: Back up your startup configuration. When you convert from single mode to multipl...

Page 237: ...with a new value. Prerequisites: Perform this procedure in the system execution space. Guidelines: Table 1-1 lists the resource types and the limits. See also the show resource types command. Command / Purpose. Step 1 copy disk0:old_running.cfg startup-config. Example: hostname(config)# copy disk0:old_running.cfg startup-config. Copies the backup version of your original running configuration to the current st...

Page 238: ...er second mac addresses Concurrent N A 65 535 For transparent firewall mode the number of MAC addresses allowed in the MAC address table routes Concurrent N A N A Dynamic routes vpn burst other Concurrent N A The Other VPN session amount for your model minus the sum of the sessions assigned to all contexts for vpn other The number of site to site VPN sessions allowed beyond the amount assigned to ...

Page 239: ...e if you set the xlates limit to 7 and the conns to 9 then the ASA only generates syslog message 321001 Resource xlates limit of 7 reached for context ctx1 and not 321002 Resource conn rate limit of 5 reached for context ctx1 Command Purpose Step 1 class name Example hostname config class gold Specifies the class name and enters the class configuration mode The name is a string up to 20 characters...

Page 240: ...rity context definition in the system configuration identifies the context name, configuration file URL, interfaces that a context can use, and other settings. Prerequisites: Perform this procedure in the system execution space. For the ASASM, assign VLANs to the ASASM on the switch according to Chapter 1, "Configuring the Switch for Use with the ASA Services Module". For the ASA 5500, configure physical inte...

Page 241: ...he name is a string up to 32 characters long. This name is case sensitive, so you can have two contexts named "customerA" and "CustomerA", for example. You can use letters, digits, or hyphens, but you cannot start or end the name with a hyphen. "System" or "Null" (in upper or lower case letters) are reserved names and cannot be used. Step 2: (Optional) description text. Example: hostname(config-ctx)# description Administra...

Page 242: ...me interfaces to multiple contexts in routed mode, if desired. Transparent mode does not allow shared interfaces. The mapped_name is an alphanumeric alias for the interface that can be used within the context instead of the interface ID. If you do not specify a mapped name, the interface ID is used within the context. For security purposes, you might not want the context administrator to know which inter...

Page 243: ...ating context with default config. For non-HTTP(S) URL locations, after you specify the URL you can then change to the context, configure it at the CLI, and enter the write memory command to write the file to the URL location. HTTP(S) is read-only. Note: The admin context file must be stored on the internal flash memory. Available URL types include disknumber: (for flash memory), ftp, http, https, or tftp. To chang...

Page 244: ... interface gigabitethernet0/1.200 int1
hostname(config-ctx)# allocate-interface gigabitethernet0/1.212 int2
hostname(config-ctx)# allocate-interface gigabitethernet0/1.230-gigabitethernet0/1.235 int3-int8
hostname(config-ctx)# config-url ftp://user1:passw0rd@10.1.1.1/configlets/sample.cfg
hostname(config-ctx)# member silver
Step 7: (Optional) join-failover-group {1 | 2}. Example: hostname(config-ctx)# join-failover-gr...
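The class and context steps on pages 239 through 244 are only shown one command at a time. The following system execution space configuration ties them together as an added example; it is not the guide's own configuration, and the class limits, interface IDs, file names, and the tenant context names customerA and customerB are assumptions:

```text
! System execution space (hostname(config)#). Added example, not the guide's
! own configuration; limits, interface IDs and names are assumed.

! A named class caps what each member context may consume, so one tenant
! cannot exhaust connection slots, xlates, or management sessions that are
! shared by every context on the unit.
class gold
  limit-resource conns 200000
  limit-resource rate conns 4000
  limit-resource xlates 36000
  limit-resource hosts 50000
  limit-resource ssh 5
  limit-resource asdm 5
  limit-resource rate syslogs 5000
  limit-resource vpn other 100
  limit-resource vpn burst other 50

! Contexts without a member command fall into class default; bounding it as
! a percentage keeps an unassigned context from oversubscribing the system.
class default
  limit-resource conns 10%
  limit-resource rate conns 10%
  limit-resource xlates 10%
  limit-resource hosts 10%

! The admin context file must live on internal flash.
admin-context admin
context admin
  description Management context
  allocate-interface management0/0
  config-url disk0:/admin.cfg

! Tenant contexts receive only the VLAN subinterfaces they may use, with
! mapped names (int1, int2, ...) so the context administrator never learns
! the physical interface IDs.
context customerA
  description Tenant A, gold class
  allocate-interface gigabitethernet0/1.200 int1
  allocate-interface gigabitethernet0/1.212 int2
  config-url disk0:/customerA.cfg
  member gold

context customerB
  description Tenant B, falls into class default
  allocate-interface gigabitethernet0/1.230-gigabitethernet0/1.235 int3-int8
  config-url disk0:/customerB.cfg
```

After applying it, check from the system execution space with show resource allocation that the "% of Avail" column stays at or under 100% (otherwise the classes are oversubscribed and the limits only hold while the other classes are idle), and watch show resource usage counter all 0 per context: a rising Denied count for a single context while the others are unaffected is the isolation the classes are meant to provide, not a fault of the whole unit.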

Page 245: ...onfiguring the MAC Address and MTU" section on page 1-10 to manually set the MAC address. Detailed Steps. Changing Between Contexts and the System Execution Space: If you log in to the system execution space (or the admin context), you can change between contexts and perform configuration and monitoring tasks within each context. The running configuration that you edit in a configuration mode, or that is u...

Page 246: ...ctive unit and when the context is removed on the standby unit. You might see an error message indicating that the number of interfaces on the active and standby units are not consistent; this error is temporary and can be ignored. Prerequisites: Perform this procedure in the system execution space. Detailed Steps. Command / Purpose: changeto context name. Changes to a context. The prompt changes to the foll...

Page 247: ...es how to change the context URL. Guidelines: You cannot change the security context URL without reloading the configuration from the new URL. The ASA merges the new configuration with the current running configuration. Reentering the same URL also merges the saved configuration with the running configuration. A merge adds any new commands from the new configuration to the running configuration. If the ...

Page 248: ... be useful for troubleshooting. However, to add the context back to the system requires you to respecify the URL and interfaces. This section includes the following topics: Reloading by Clearing the Configuration, page 1-29. Command / Purpose. Step 1: (Optional, if you do not want to perform a merge) changeto context name, then clear configure all. Example: hostname(config)# changeto context ctx1; hostname/ctx1(config)# cl...

Page 249: ...his section describes how to view and monitor context information and includes the following topics: Viewing Context Information, page 1-30; Viewing Resource Allocation, page 1-31; Viewing Resource Usage, page 1-34; Monitoring SYN Attacks in Contexts, page 1-35; Viewing Assigned MAC Addresses, page 1-37. Command / Purpose. Step 1: changeto context name. Example: hostname(config)# changeto context ctx1; hostname/ctx1...

Page 250: ...sample output from the show context detail command:
hostname# show context detail
Context "admin", has been created, but initial ACL rules not complete
  Config URL: disk0:/admin.cfg
  Real Interfaces: Management0/0
  Mapped Interfaces: Management0/0
  Flags: 0x00000013, ID: 1
Context "ctx", has been created, but initial ACL rules not complete
  Config URL: ctx.cfg
  Real Interfaces: GigabitEthernet0/0.10, GigabitEthernet0/1.20 ...

Page 251: ...he system execution space, you can view the allocation for each resource across all classes and class members. To view the resource allocation, enter the following command. The following sample output shows the total allocation of each resource as an absolute value and as a percentage of the available system resources:
hostname# show resource allocation
Resource        Total      % of Avail
Conns [rate]    35000      N/A
Inspe...

Page 252: (continuation of the show resource allocation detail output; columns are Resource, Class, Mmbrs, Origin, Limit, Total, Total %)
...                   0      CA    1500
  All Contexts:       3                       9000      N/A
Conns      default   all    CA    unlimited
           gold      1      C     200000      200000    20.00%
           silver    1      CA    100000      100000    10.00%
           bronze    0      CA    50000
  All Contexts:       3                       300000    30.00%
Hosts      default   all    CA    unlimited
           gold      1      DA    unlimited
           silver    1      CA    26214       26214     N/A
           bronze    0      CA    13107
  All Contexts:       3                       26214     N/A
SSH        default   all    C     5
           gold      1      D     5           5         5.00%
           silver    1      CA    10          10        10.00%
           bronze    0      CA    5
  All Contexts:       3                       20        20.00%
Telne...

Page 253: ...brs: The number of contexts assigned to each class. Origin: The origin of the resource limit, as follows: A: you set this limit with the all option, instead of as an individual resource. C: this limit is derived from the member class. D: this limit was not defined in the member class, but was derived from the default class. For a context assigned to the default class, the value will be "C" instead of "D". The ASA ca...

Page 254: ...ype, and not resource all, with this option. The summary option shows all context usage combined. The system option shows all context usage combined, but shows the system limits for resources instead of the combined context limits. For the resource resource_name, see Table 1-1 for available resource names. See also the show resource type command. Specify all (the default) for all types. The detail option show...

Page 255: ... contexts, but it shows the system limit instead of the combined context limits. The counter all 0 option is used to show resources that are not currently in use. The Denied statistics indicate how many times the resource was denied due to the system limit, if available.
hostname# show resource usage system counter all 0
Resource   Current   Peak   Limit   Denied   Context
Telnet     0         0      100     0        System
SSH        0         0      100     0        Sy...

Page 256: ...ed   Context
memory            843732    847288    unlimited   0   admin
chunk:channels    14        15        unlimited   0   admin
chunk:fixup       15        15        unlimited   0   admin
chunk:hole        1         1         unlimited   0   admin
chunk:ip-users    10        10        unlimited   0   admin
chunk:list-elem   21        21        unlimited   0   admin
chunk:list-hdr    3         4         unlimited   0   admin
chunk:route       2         2         unlimited   0   admin
chunk:static      1         1         unlimited   0   admin
tcp-intercepts    328787    803610    unlimited   0   admin
np-statics...

Page 257: ... TCP intercept information:
hostname(config)# show resource usage summary detail
Resource          Current      Peak         Limit       Denied   Context
memory            238421312    238434336    unlimited   0        Summary
chunk:channels    46           48           unlimited   0        Summary
chunk:dbgtrace    4            4            unlimited   0        Summary
chunk:fixup       45           45           unlimited   0        Summary
chunk:global      1            1            unlimited   0        Summary
chunk:hole        3            3            unlimited   0        Summary
chunk:ip-users    24           24           unlimited   0        Summary
c...

Page 258: ...aces. Note that because the GigabitEthernet0/0 and GigabitEthernet0/1 main interfaces are not configured with a nameif command inside the contexts, no MAC addresses have been generated for them.
hostname# show running-config all context
admin-context admin
context admin
  allocate-interface Management0/0
  mac-address auto Management0/0 a2d2.0400.125a a2d2.0400.125b
  config-url disk0:/admin.cfg
context CTX1...

Page 259: ...e-interface GigabitEthernet0/1
  allocate-interface GigabitEthernet0/1.1-GigabitEthernet0/1.3
  mac-address auto GigabitEthernet0/1.1 a2d2.0400.120a a2d2.0400.120b
  mac-address auto GigabitEthernet0/1.2 a2d2.0400.120e a2d2.0400.120f
  mac-address auto GigabitEthernet0/1.3 a2d2.0400.1212 a2d2.0400.1213
  config-url disk0:/CTX2.cfg
Viewing MAC Addresses Within a Context: This section describes how to view MAC ...

Page 260: ...(config-class)# limit-resource asdm 5
hostname(config-class)# limit-resource ssh 5
hostname(config-class)# limit-resource rate syslogs 5000
hostname(config-class)# limit-resource telnet 5
hostname(config-class)# limit-resource xlates 36000
hostname(config-class)# limit-resource routes 700
hostname(config-class)# limit-resource vpn other 100
hostname(config-class)# limit-resource vpn burst other 50
hostname(config...

Page 261: ...an configure multiple security policies on the AIP SSM. You can assign each context or single mode ASA to one or more virtual sensors, or you can assign multiple security contexts to the same virtual sensor. We introduced the following command: allocate-ips. Automatic MAC address assignment enhancements, 8.0(5)/8.2(2): The MAC address format was changed to use a prefix, to use a fixed starting value (A2), and ...

Page 262: ...he ASA does not convert the MAC address method in an existing configuration upon a reload if failover is enabled. However, we strongly recommend that you manually change to the prefix method of generation when using failover, especially for the ASASM. Without the prefix method, ASASMs installed in different slot numbers experience a MAC address change upon failover, and can experience traffic interrupti...

Page 263: ...tiple context mode. New resource type for site-to-site VPN tunnels, 9.0(1): New resource types, vpn other and vpn burst other, were created to set the maximum number of site-to-site VPN tunnels in each context. We modified the following commands: limit-resource, show resource types, show resource usage, show resource allocation. Table 1-5 Feature History for Multiple Context Mode (continued): Feature Name, Platfo...

Page 264: ...1-44, Cisco ASA Series CLI Configuration Guide, Chapter 1, Configuring Multiple Context Mode, Feature History for Multiple Context Mode ...

Page 265: ...ents for ASA Clustering, page 1-23; Prerequisites for ASA Clustering, page 1-23; Guidelines and Limitations, page 1-24; Default Settings, page 1-27; Configuring ASA Clustering, page 1-27; Managing ASA Cluster Members, page 1-47; Monitoring the ASA Cluster, page 1-52; Configuration Examples for ASA Clustering, page 1-56; Feature History for ASA Clustering, page 1-71. Information About ASA Clustering: How the ASA Clus...

Page 266: ...a single EtherChannel; the EtherChannel performs load balancing between units. See the "Spanned EtherChannel (Recommended)" section on page 1-12. Policy-Based Routing (routed firewall mode only): The upstream and downstream routers perform load balancing between units using route maps and ACLs. See the "Policy-Based Routing (Routed Firewall Mode Only)" section on page 1-14. Equal-Cost Multi-Path Routing (routed fi...

Page 267: ...and Slave Unit Roles: One member of the cluster is the master unit. The master unit is determined by the priority setting in the bootstrap configuration; the priority is set between 1 and 100, where 1 is the highest priority. All other members are slave units. Typically, when you first create a cluster, the first unit you add becomes the master unit simply because it is the only unit in the cluster so far...

Page 268: ...on page 1-18 for a list of centralized features. ASA Cluster Interfaces: You can configure data interfaces as either Spanned EtherChannels or as Individual interfaces. All data interfaces in the cluster must be one type only. Interface Types, page 1-4; Interface Type Mode, page 1-6. Interface Types: Spanned EtherChannel (Recommended): You can group one or more interfaces per unit into an EtherChannel that spa...

Page 269: ...is always the primary address for routing. The Main cluster IP address provides consistent management access to an address; when a master unit changes, the Main cluster IP address moves to the new master unit, so management of the cluster continues seamlessly. Load balancing, however, must be configured separately on the upstream switch in this case. For information about load balancing, see the "Load Balan...

Page 270: ...rface type for all contexts. For example, if you have a mix of transparent and routed mode contexts, you must use Spanned EtherChannel mode for all contexts, because that is the only interface type allowed for transparent mode. Cluster Control Link: Each unit must dedicate at least one hardware interface as the cluster control link. Cluster Control Link Traffic Overview, page 1-7; Cluster Control Link Netw...

Page 271: ...ink remains up for the healthy unit. Sizing the Cluster Control Link: You should assign an equal amount of bandwidth to the cluster control link as you assign for through traffic. For example, if you have the ASA 5585-X with SSP-60, which can pass 14 Gbps per unit maximum in a cluster, then you should also assign interfaces to the cluster control link that can pass approximately 14 Gbps. In this case, you...

Page 272: ...local, not a Spanned EtherChannel. Cluster Control Link Latency and Reliability: To ensure cluster control link functionality, be sure the round-trip time (RTT) between units is less than 5 ms. To check your latency, perform a ping on the cluster control link between units. The cluster control link must be reliable, with no out-of-order or dropped packets. Cluster Control Link Failure: If the cl...

Page 273: ...er if it fails or if its interfaces fail. If an interface fails on a particular unit but the same interface is active on other units, then the unit is removed from the cluster. When a unit in the cluster fails, the connections hosted by that unit are seamlessly transferred to other units; state information for traffic flows is shared over the cluster control link. If the master unit fails, then another m...

Page 274: ...erface, page 1-10; Master Unit Management vs. Slave Unit Management, page 1-11; RSA Key Replication, page 1-11; ASDM Connection Certificate IP Address Mismatch, page 1-11. Management Network: We recommend connecting all units to a single management network. This network is separate from the cluster control link. Management Interface: For the management interface, we recommend using one of the dedicated manageme...

Page 275: ... only configure one IP address, and that IP address is always attached to the master unit. You cannot connect directly to a slave unit using the EtherChannel interface; we recommend configuring the management interface as an Individual interface so you can connect to each unit. Note that you can use a device-local EtherChannel for management. Master Unit Management vs. Slave Unit Management: Aside from t...

Page 276: ...hannel Benefits, page 1-12; Guidelines for Maximum Throughput, page 1-12; Load Balancing, page 1-13; EtherChannel Redundancy, page 1-13; Connecting to a VSS or vPC, page 1-13. Spanned EtherChannel Benefits: The EtherChannel method of load balancing is recommended over other methods for the following benefits. Faster failure discovery. Faster convergence time: Individual interfaces rely on routing protocols to l...

Page 277: ... will be sent to a different unit based on the hash, and the cluster will have to redirect most returning traffic to the correct unit. See the "NAT" section on page 1-21 for more information. EtherChannel Redundancy: The EtherChannel has built-in redundancy. It monitors the line protocol status of all links. If one link fails, traffic is re-balanced between remaining links. If all links in the EtherChannel ...

Page 278: ...he best performance, we recommend that you configure the PBR policy so that forward and return packets of a connection are directed to the same physical ASA. For example, if you have a Cisco router, redundancy can be achieved by using IOS PBR with Object Tracking. IOS Object Tracking monitors each ASA using ICMP ping. PBR can then enable or disable route maps based on reachability of a particular ASA. Se...

Page 279: ...e Cluster, page 1-17. Connection Roles: There are 3 different ASA roles defined for each connection. Owner: The unit that initially receives the connection. The owner maintains the TCP state and processes packets. A connection has only one owner. Director: The unit that handles owner lookup requests from forwarders, and also maintains the connection state to serve as a backup if the owner fails. When the own...

Page 280: ...des owner information into a SYN cookie and forwards the packet to the server. 2. The SYN-ACK packet originates from the server and is delivered to a different ASA based on the load balancing method. This ASA is the forwarder. 3. Because the forwarder does not own the connection, it decodes owner information from the SYN cookie, creates a forwarding flow to the owner, and forwards the SYN-ACK to the owner...

Page 281: ...pported Features, page 1-17; Centralized Features, page 1-18; Features Applied to Individual Units, page 1-18; Dynamic Routing, page 1-19; NAT, page 1-21; Syslog and NetFlow, page 1-22; SNMP, page 1-22; VPN, page 1-22; FTP, page 1-23; Cisco TrustSec, page 1-23. Unsupported Features: These features cannot be configured with clustering enabled, and the commands will be rejected: Unified Communications; remote access VPN (SS...

Page 282: ...oss the Cluster" section on page 1-17), traffic for centralized features may be rebalanced to non-master units before the traffic is classified as a centralized feature; if this occurs, the traffic is then sent back to the master unit. For centralized features, if the master unit fails, all connections are dropped, and you have to re-establish the connections on the new master unit. Site-to-site VPN: The fol...

Page 283: ...dule. There is no configuration sync or state sharing between IPS modules. Some IPS signatures require IPS to keep the state across multiple connections. For example, the port scanning signature is used when the IPS module detects that someone is opening many connections to one server but with different ports. In clustering, those connections will be balanced between multiple ASA devices, each of which h...

Page 284: ... and routes are learned by each unit independently. Figure 1-2, Dynamic Routing in Individual Interface Mode. In the above diagram, Router A learns that there are 4 equal-cost paths to Router B, each through an ASA. ECMP is used to load balance traffic between the 4 paths. Each ASA picks a different router ID when talking to external routers. You must configure a cluster pool for the router ID so that eac...

Page 285: ...an Individual interface. Interface PAT is not supported for Individual interfaces. NAT pool address distribution: The master unit evenly pre-distributes addresses across the cluster. If a member receives a connection and they have no addresses left, the connection is dropped, even if other members still have addresses available. Make sure to include at least as many NAT addresses as there are units in th...

Page 286: ...me from a single unit. If you configure logging to use the local-unit name that is assigned in the cluster bootstrap configuration as the device ID, syslog messages look as if they come from different units. See the "Including the Device ID in Non-EMBLEM Format Syslog Messages" section on page 1-17. NetFlow: Each unit in the cluster generates its own NetFlow stream. The NetFlow collector can only treat ea...

Page 287: ...tion before you configure clustering on the ASAs. Table 1-2 lists supported external hardware and software to interoperate with ASA clustering. ASA Prerequisites: Provide each unit with a unique IP address before you join them to the management network. See Chapter 1, "Getting Started", for more information about connecting to the ASA and setting the management IP address. Except for the IP address used by...

Page 288: ... routed and transparent firewall modes. For single mode, the firewall mode must match on all units. Failover Guidelines: Failover is not supported with clustering. IPv6 Guidelines: Supports IPv6. However, the cluster control link is only supported using IPv4. Model Guidelines: Supported on the ASA 5585-X. For the ASA 5585-X with SSP-10 and SSP-20, which includes two Ten Gigabit Ethernet interfaces, we recommend us...

Page 289: ...ning Tree Protocol restarts. There will be a delay before traffic starts flowing again. EtherChannel Guidelines: For detailed EtherChannel guidelines, limitations, and prerequisites, see the "Configuring an EtherChannel" section on page 1-28. See also the "EtherChannel Guidelines" section on page 1-11. Spanned vs. Device-Local EtherChannel Configuration: Be sure to configure the switch appropriately for Spanned...

Page 290: ...th check feature. When adding a unit to an existing cluster, or when reloading a unit, there will be a temporary, limited packet/connection drop; this is expected behavior. In some cases, the dropped packets can hang your connection; for example, dropping a FIN/ACK packet for an FTP connection will make the FTP client hang. In this case, you need to reestablish the FTP connection. If you use a Windows 2003 se...

Page 291: ...ding to the "Prerequisites for ASA Clustering" section on page 1-23. Step 2: Cable your equipment. Before configuring clustering, cable the cluster control link network, management network, and data networks. See the "Cabling the Cluster Units and Configuring Upstream and Downstream Equipment" section on page 1-28. Step 3: Configure the interface mode. You can only configure one type of interface for clustering...

Page 292: ...ls, then you should configure the upstream and downstream equipment for the EtherChannels. Examples. Note: This example uses EtherChannels for load balancing. If you are using PBR or ECMP, your switch configuration will differ. For example, on each of 4 ASA 5585-Xs, you want to use 2 Ten Gigabit Ethernet interfaces in a device-local EtherChannel for the cluster control link, 2 Ten Gigabit Ethernet interface...

Page 293: ... 9 (8 ports total). Configure a single EtherChannel across all ASAs. On the switch, configure these VLANs and networks now; for example, a trunk including VLAN 200 for the inside and VLAN 201 for the outside. Management interface: Management 0/0 (4 ports total). Place all interfaces on the same isolated management VLAN, for example VLAN 100. (Cabling figure; only its port labels survive: ASA1 ten0/6, ten0/7, ten0/8, man0/0, ten0/9; ASA2 ten0/6, ten0/7, ten0...)

Page 294: ...tion, so you can force the interface mode and fix your configuration later; the mode is not changed with this command. Step 2: cluster interface-mode {individual | spanned} force. Example: hostname(config)# cluster interface-mode spanned force. Sets the interface mode for clustering. There is no default setting; you must explicitly choose the mode. If you have not set the mode, you cannot enable clustering. The for...

Page 295: ... of IP addresses. The Main cluster IP address is a fixed address for the cluster that always belongs to the current master unit. In Spanned EtherChannel mode, we recommend configuring the management interface as an Individual interface. Individual management interfaces let you connect directly to each unit if necessary, while a Spanned EtherChannel interface only allows connection to the current master...

Page 296: ...pool. Step 2: interface interface_id. Example: hostname(config)# interface tengigabitethernet 0/8. Enters interface configuration mode. Step 3: (Management interface only) management-only. Example: hostname(config-if)# management-only. Sets an interface to management-only mode so that it does not pass through traffic. By default, Management type interfaces are configured as management-only. In transparent mode, this ...

Page 297: ...terfaces. See the "Configuring Spanned EtherChannels" section on page 1-33. For Individual interface mode, join the cluster. See the "Configuring the Cluster Interface Mode on Each Unit" section on page 1-30. Configuring Spanned EtherChannels: A Spanned EtherChannel spans all ASAs in the cluster and provides load balancing as part of the EtherChannel operation. Prerequisites: You must be in Spanned EtherChann...

Page 298: ... the minimum links across the cluster, so this value will not match the ASA value. Do not change the load-balancing algorithm from the default (see the port-channel load-balance command). On the switch, we recommend that you use one of the following algorithms: source-dest-ip or source-dest-ip-port (see the Nexus OS and IOS port-channel load-balance command). Do not use a vlan keyword in the load-balance al...

Page 299: ...tep 3: no shutdown. Example: hostname(config-if)# no shutdown. Enables the interface. Step 4: (Optional) Add additional interfaces to the EtherChannel by repeating Step 1 through Step 3. Example:
hostname(config)# interface gigabitethernet 0/1
hostname(config-if)# channel-group 1 mode active
hostname(config-if)# no shutdown
Multiple interfaces in the EtherChannel per unit are useful for connecting to switches in a ...

Page 300: ... Context Mode) Allocate the interface to a context. See the "Configuring a Security Context" section on page 1-20. Then enter changeto context name and interface port-channel channel_id. Example:
hostname(config)# context admin
hostname(config)# allocate-interface port-channel1
hostname(config)# changeto context admin
hostname(config-if)# interface port-channel 1
For multiple context mode, the rest of the interface c...

Page 301: ... can assign up to four interfaces to a bridge group. You cannot assign the same interface to more than one bridge group. Note that the BVI configuration includes the IP address. Step 12: security-level number. Example: hostname(config-if)# security-level 50. Sets the security level, where number is an integer between 0 (lowest) and 100 (highest). See the "Security Levels" section on page 1-1. Step 13: mac-address ma...
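Pages 294 through 301 spread the interface work over a dozen steps. The following single-context, routed-mode interface configuration for one cluster member is an added example rather than the guide's own, and assumes the cabling from page 293 (ten0/8 and ten0/9 as data ports, man0/0 as management, VLAN 200 inside, VLAN 201 outside); the pool name mgmt_pool, the addresses, and the port-channel MAC address are assumptions:

```text
! One cluster member, routed single context mode. Added example, not the
! guide's own configuration; names, addresses and the MAC are assumed.

! Interface mode must be chosen before any cluster interface exists.
cluster interface-mode spanned force

! Management as an Individual interface: each unit takes its own address
! from the cluster pool, and 10.1.1.1 (the Main cluster IP) follows the
! current master, so every unit stays reachable and the master keeps a
! stable address.
ip local pool mgmt_pool 10.1.1.2-10.1.1.9 mask 255.255.255.0
interface management0/0
  management-only
  nameif management
  security-level 100
  ip address 10.1.1.1 255.255.255.0 cluster-pool mgmt_pool
  no shutdown

! Data interfaces as one Spanned EtherChannel across all units; vss-id
! marks which half of the upstream VSS/vPC pair each member link goes to.
interface tengigabitethernet0/8
  channel-group 2 mode active vss-id 1
  no shutdown
interface tengigabitethernet0/9
  channel-group 2 mode active vss-id 2
  no shutdown
interface port-channel2
  port-channel span-cluster vss-load-balance
  ! Manual MAC (the guide's optional Step 13) so the address seen by the
  ! switches does not change when the master unit changes.
  mac-address 000c.f142.4cde

! Inside and outside ride the spanned channel as VLAN subinterfaces; the
! upstream trunk carries VLANs 200 and 201 (page 293).
interface port-channel2.200
  vlan 200
  nameif inside
  security-level 100
  ip address 10.200.0.1 255.255.255.0
interface port-channel2.201
  vlan 201
  nameif outside
  security-level 0
  ip address 192.0.2.1 255.255.255.0
```

On the switch side, keep the page 298 guidance: the port-channel that faces the cluster must use source-dest-ip or source-dest-ip-port hashing, never a vlan-based algorithm, so both directions of a flow are far more likely to reach the same owner unit and the director/forwarder redirect described on page 280 stays the exception rather than the rule.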

Page 302: ... Unit" section on page 1-31 before you enable clustering. When you add a unit to a running cluster, you may see temporary, limited packet/connection drops; this is expected behavior. Enabling the Cluster Control Link Interface: You need to enable the cluster control link interface before you join the cluster. You will later identify this interface as the cluster control link when you enable clustering. We ...

Page 303: ...-group 1 mode on. Assigns this physical interface to an EtherChannel, with the channel_id between 1 and 48. If the port-channel interface for this channel ID does not yet exist in the configuration, one will be added automatically (interface port-channel channel_id). We recommend using the On mode for cluster control link member interfaces to reduce unnecessary traffic on the cluster control link. The clu...

Page 304: ... Names the cluster and enters cluster configuration mode. The name must be an ASCII string from 1 to 38 characters. You can only configure one cluster group per unit. All members of the cluster must use the same name. Step 3: local-unit unit_name. Example: hostname(cfg-cluster)# local-unit unit1. Names this member of the cluster with a unique ASCII string from 1 to 38 characters. Each unit must have a unique...

Page 305: ...bundling decision. By default, the ASA uses priority 1, which is the highest priority. The priority needs to be higher than the priority on the switch. This command is not part of the bootstrap configuration, and is replicated from the master unit to the slave units. However, you cannot change this value after you enable clustering. Step 8: enable [noconfirm]. Example: hostname(cfg-cluster)# enable / INFO: Clusterin...

Page 306: ...red unresponsive or dead. Interface status messages detect link failure. If an interface fails on a particular unit but the same interface is active on other units, then the unit is removed from the cluster. If a unit does not receive interface status messages within the holdtime, then the amount of time before the ASA removes a member from the cluster depends on the type of interface and whether the u...

Page 307: ... group pod1
  local-unit unit1
  cluster-interface port-channel1 ip 192.168.1.1 255.255.255.0
  priority 1
  key chuntheunavoidable
  enable noconfirm
Configuring Slave Unit Bootstrap Settings: Perform the following procedures to configure the slave units. Step 2: conn-rebalance [frequency seconds]. Example: hostname(cfg-cluster)# conn-rebalance frequency 60. Enables connection rebalancing for TCP traffic. This comman...

Page 308: ...t Supported Models" section on page 1-33. If you have any interfaces in your configuration that have not been configured for clustering (for example, the default configuration Management 0/0 interface), you can join the cluster as a slave unit (with no possibility of becoming the master in a current election). When you add a unit to a running cluster, you may see temporary, limited packet/connection drops; th...

Page 309: ...cal interface to an EtherChannel, with the channel_id between 1 and 48. If the port-channel interface for this channel ID does not yet exist in the configuration, one will be added automatically (interface port-channel channel_id). We recommend using the On mode for cluster control link member interfaces to reduce unnecessary traffic on the cluster control link. The cluster control link does not need the...

Page 310: ...uster)# local-unit unit1. Names this member of the cluster with a unique ASCII string from 1 to 38 characters. Each unit must have a unique name. A unit with a duplicated name will not be allowed in the cluster. Step 4: cluster-interface interface_id ip ip_address mask. Example: hostname(cfg-cluster)# cluster-interface port-channel2 ip 192.168.1.2 255.255.255.0 / INFO: Non-cluster interface config is cleared...

Page 311: ...uster Members: Becoming an Inactive Member, page 1-48; Inactivating a Member, page 1-48. Step 6: (Optional) key shared_secret. Example: hostname(cfg-cluster)# key chuntheunavoidable. Sets the same authentication key that you set for the master unit. Step 7: enable as-slave. Example: hostname(cfg-cluster)# enable as-slave. Enables clustering. You can avoid any configuration incompatibilities (primarily the existence of ...
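The master bootstrap on page 307 and the slave steps on pages 308 through 311 belong together. Here they are as one added example for a two-unit ASA 5585-X cluster; it is not the guide's own configuration, reuses the guide's group name pod1 and key, and assumes ten0/6 and ten0/7 as the cluster control link ports (page 292) and the holdtime and rebalance values shown:

```text
! ---- ASA1: intended master (lowest priority number wins the election) ----
! Entered at the console; clustering cannot be enabled from a remote CLI.
! Added example, not the guide's own configuration; ports and timers assumed.
cluster interface-mode spanned force

! Cluster control link: a device-local EtherChannel, mode on (no LACP),
! no nameif and no ip address here; it is addressed inside cluster group.
interface tengigabitethernet0/6
  channel-group 1 mode on
  no shutdown
interface tengigabitethernet0/7
  channel-group 1 mode on
  no shutdown
interface port-channel1
  description cluster control link

cluster group pod1
  local-unit unit1
  cluster-interface port-channel1 ip 192.168.1.1 255.255.255.0
  priority 1
  key chuntheunavoidable
  health-check holdtime 3
  conn-rebalance frequency 60
  enable noconfirm

! ---- ASA2: slave; only the bootstrap differs, the rest is replicated ----
cluster interface-mode spanned force
interface tengigabitethernet0/6
  channel-group 1 mode on
  no shutdown
interface tengigabitethernet0/7
  channel-group 1 mode on
  no shutdown

cluster group pod1
  local-unit unit2
  cluster-interface port-channel1 ip 192.168.1.2 255.255.255.0
  priority 2
  key chuntheunavoidable
  enable as-slave
```

Two checks after the join: show cluster info should list both units with unit1 as MASTER, and show cluster info health should report every data interface up on both. One caveat a practitioner should weigh: the key only authenticates control messages on the cluster control link; it does not encrypt the connection-state updates and forwarded packets that also cross that link, which is why the guide dedicates physical interfaces to it. Treat the cluster control link as a private, physically isolated segment, never a VLAN shared with user traffic.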

Page 312: ...ch is the same as the master unit You must use the console port for any further configuration Prerequisites You must use the console port you cannot enable or disable clustering from a remote CLI connection For multiple context mode perform this procedure in the system execution space If you are not already in the System configuration mode enter the changeto system command Detailed Steps Inactivat...

Page 313: ...eans either restoring a pre clustering configuration from backup or clearing your configuration and starting over to avoid IP address conflicts Prerequisites You must use the console port when you remove the cluster configuration all interfaces are shut down including the management interface and cluster control link Moreover you cannot enable or disable clustering from a remote CLI connection Com...

Page 314: ...luster no enable Disables clustering You cannot make configuration changes while clustering is enabled on a slave unit Step 2 clear configure cluster Example hostname config clear configure cluster Clears the cluster configuration The ASA shuts down all interfaces including the management interface and cluster control link Step 3 no cluster interface mode Example hostname config no cluster interfa...

Page 315: ...nit are copied to the TFTP server The destination capture file name is automatically attached with the unit name such as capture1_asa1 pcap capture1_asa2 pcap and so on In this example asa1 and asa2 are cluster unit names The following sample output for the cluster exec show port channel summary command shows EtherChannel information for each member in the cluster hostname cluster exec show port c...

Page 316: ...how traffic distribution across all cluster units. These commands can help you to evaluate and adjust the external load balancer. The show cluster info trace command shows the debug information for further troubleshooting. The show cluster info health command shows the current health of interfaces, units, and the cluster overall. The show cluster info loadbalance command shows connection rebalance stati...

Page 317: ...LANCE Feb 02 14:19:47.456 [DBUG] Send CCP message to all: CCP_MSG_KEEPALIVE from 80-1 at MASTER. Example 1-3: show cluster access-list. hostname# show cluster access-list. hitcnt display order: cluster-wide aggregated result, unit-A, unit-B, unit-C, unit-D. access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096), alert-interval 300. access-list 101; 122 elements; name hash: 0xe7d586b5. access-list 101 li...

Page 318: ... 0 0 0x2c7dba0d. To display the aggregated count of in-use connections for all units, enter: hostname# show cluster conn count. Usage Summary In Cluster: 200 in use (cluster-wide aggregated). cl2(LOCAL): 100 in use, 100 most used. cl1: 100 in use, 100 most used. Related Commands (Command / Purpose): show conn detail: The show conn command shows whether a flow is a director, backup, or forwarder flow. For details about the...
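The aggregated conn count above is what you would eyeball to judge whether the external load balancer (or the spanned EtherChannel hash) is spreading connections evenly. The following added example is not Cisco's code and not from the guide; it parses a constructed copy of that output and flags units whose in-use count is far from the mean. The unit names and counts come from the page; the asterisk rules, line breaks and the 25% tolerance are assumptions.

```python
import re

# Constructed sample modelled on the "show cluster conn count" fragment on
# page 318. Unit names and counts are the page's; the exact layout
# (asterisk rules, line breaks) is an assumption, not a verbatim capture.
BALANCED = """\
Usage Summary In Cluster:*********************************************
  200 in use (cluster-wide aggregated)
cl2(LOCAL):***********************************************************
  100 in use, 100 most used
cl1:******************************************************************
  100 in use, 100 most used
"""

# Second constructed sample with skewed counts, to show a finding.
SKEWED = """\
Usage Summary In Cluster:*********************************************
  200 in use (cluster-wide aggregated)
cl2(LOCAL):***********************************************************
  190 in use, 210 most used
cl1:******************************************************************
  10 in use, 100 most used
"""

AGG_RE = re.compile(r"^\s*(\d+) in use \(cluster-wide aggregated\)")
UNIT_RE = re.compile(r"^([\w.-]+)(\(LOCAL\))?:\**\s*$")
COUNT_RE = re.compile(r"^\s*(\d+) in use,\s*(\d+) most used")


def parse_conn_count(text):
    """Return (aggregate_in_use, {unit: {"in_use", "most_used", "local"}})."""
    aggregate, units, current = None, {}, None
    for line in text.splitlines():
        m = AGG_RE.match(line)
        if m:
            aggregate = int(m.group(1))
            continue
        m = UNIT_RE.match(line)
        if m:
            current = (m.group(1), m.group(2) is not None)
            continue
        m = COUNT_RE.match(line)
        if current and m:
            name, is_local = current
            units[name] = {"in_use": int(m.group(1)),
                           "most_used": int(m.group(2)),
                           "local": is_local}
            current = None
    return aggregate, units


def find_imbalance(units, tolerance=0.25):
    """Names of units whose in-use count deviates from the per-unit mean by
    more than `tolerance` (a fraction of the mean). The threshold is an
    assumption for illustration; tune it to the cluster size."""
    if not units:
        return []
    mean = sum(u["in_use"] for u in units.values()) / len(units)
    if mean == 0:
        return []
    return sorted(n for n, u in units.items()
                  if abs(u["in_use"] - mean) > tolerance * mean)


def check_distribution(text, tolerance=0.25):
    """Human-readable findings for one show cluster conn count capture."""
    aggregate, units = parse_conn_count(text)
    findings = []
    total = sum(u["in_use"] for u in units.values())
    if aggregate is not None and total != aggregate:
        findings.append(f"per-unit total {total} != aggregate {aggregate}")
    for name in find_imbalance(units, tolerance):
        findings.append(f"{name}: {units[name]['in_use']} in use, "
                        f"mean is {total / len(units):.0f}")
    return findings


if __name__ == "__main__":
    for label, capture in (("balanced", BALANCED), ("skewed", SKEWED)):
        print(label, check_distribution(capture) or "OK")
```

Run it against captures taken a few minutes apart; a unit that is persistently low is usually the one the switch hash or the external load balancer is not sending to, which is the condition the show cluster info loadbalance output above is meant to help you diagnose.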

Page 319: ...44727, idle 0:00:00, bytes 37240828, flags z. ASA2: 12 in use, 13 most used. Cluster stub connections: 0 in use, 46 most used. TCP outside 172.18.124.187:22 inside 192.168.103.131:44727, idle 0:00:00, bytes 37240828, flags UIO. ASA3: 10 in use, 12 most used. Cluster stub connections: 2 in use, 29 most used. TCP outside 172.18.124.187:22 inside 192.168.103.131:44727, idle 0:00:03, bytes 0, flags Y. The following is sample...

Page 320: ...s. Traffic received at interface NP Identity Ifc: Locally received: 0 (0 byte/s). UDP outside 10.1.227.1:500 NP Identity Ifc 10.1.226.1:500, flags c, idle 1m22s, uptime 1m22s, timeout 2m0s, bytes 1580, cluster sent/rcvd bytes: 0/0, cluster sent/rcvd total bytes: 0/0, owners 0/255. Traffic received at interface outside: Locally received: 864 (10 byte/s). Traffic received at interface NP Identity Ifc: Locally received: 716...

Page 321: ...nel-group 1 mode on; no shutdown. interface GigabitEthernet0/1; channel-group 1 mode on; no shutdown. interface Port-channel1; description Clustering Interface. cluster group Moya; local-unit B; cluster-interface Port-channel1 ip 10.0.0.2 255.255.255.0; priority 11; key emphyri0; enable as-slave. Master Interface Configuration: ip local pool mgmt-pool 10.53.195.231-10.53.195.232. interface GigabitEthernet0/2; cha...

Page 322: ...on. interface GigabitEthernet1/0/15; switchport access vlan 201; switchport mode access; spanning-tree portfast; channel-group 10 mode active. interface GigabitEthernet1/0/16; switchport access vlan 201; switchport mode access; spanning-tree portfast; channel-group 10 mode active. interface GigabitEthernet1/0/17; switchport access vlan 401; switchport mode access; spanning-tree portfast; channel-group 11 mode ac...

Page 323: ...ASA becomes unavailable, the switch will rebalance traffic between the remaining units. Interface Mode on Each Unit: cluster interface-mode spanned force. ASA1 Master Bootstrap Configuration: interface tengigabitethernet 0/8; no shutdown; description CCL. cluster group cluster1; local-unit asa1; cluster-interface tengigabitethernet0/8 ip 192.168.1.1 255.255.255.0; priority 1; key chuntheunavoidable; enable noc...

Page 324: ...55.255.0; priority 3; key chuntheunavoidable; enable as-slave. Master Interface Configuration: ip local pool mgmt 10.1.1.2-10.1.1.9; ipv6 local pool mgmtipv6 2001:DB8::1002/64 8. interface management 0/0; nameif management; ip address 10.1.1.1 255.255.255.0 cluster-pool mgmt; ipv6 address 2001:DB8::1001/32 cluster-pool mgmtipv6; security-level 100; management-only; no shutdown. interface tengigabitethernet 0/9; ch...

Page 325: ... tengigabitethernet 0/6; channel-group 1 mode on; no shutdown. interface tengigabitethernet 0/7; channel-group 1 mode on; no shutdown. interface port-channel 1; description CCL. cluster group cluster1; local-unit asa1; cluster-interface port-channel1 ip 192.168.1.1 255.255.255.0; priority 1; key chuntheunavoidable; enable noconfirm. [Figure 333220 residue: ASA1 ten0/6, ten0/7, ten0/8, man0/0, ten0/9; ASA2 ten0/6, ten0/7, ten0/8, man0/0...]

Page 326: ... mode on; no shutdown. interface port-channel 1; description CCL. cluster group cluster1; local-unit asa3; cluster-interface port-channel1 ip 192.168.1.3 255.255.255.0; priority 3; key chuntheunavoidable; enable as-slave. Master Interface Configuration: ip local pool mgmt 10.1.1.2-10.1.1.9; ipv6 local pool mgmtipv6 2001:DB8::1002/64 8. interface management 0/0; nameif management; ip address 10.1.1.1 255.255.255.0...

Page 327: ...n the switch side. The backup links can be connected to a separate switch to provide inter-switch redundancy. Interface Mode on Each Unit: cluster interface-mode individual force. ASA1 Master Bootstrap Configuration: interface tengigabitethernet 0/6; channel-group 1 mode on. [Figure 333220 residue: ASA1 ten0/6, ten0/7, ten1/6, man0/0, ten1/7, ten0/9, man0/1; ASA2 ten0/6, ten0/7, ten1/6, ten0/9; ASA3 ten0/6, ten0/7, ten1/6, ten0/8, ten0...]

Page 328: ...port-channel 1; description CCL. cluster group cluster1; local-unit asa2; cluster-interface port-channel1 ip 192.168.1.2 255.255.255.0; priority 2; key chuntheunavoidable; enable as-slave. ASA3 Slave Bootstrap Configuration: interface tengigabitethernet 0/6; channel-group 1 mode on; no shutdown. interface tengigabitethernet 0/7; channel-group 1 mode on; no shutdown. interface port-channel 1; description CCL. clust...

Page 329: ...4 cluster-pool outside; ipv6 address 2001:DB8:DD::1/64 cluster-pool outsideipv6; security-level 0. Spanned EtherChannel With Backup Links: The maximum number of active ports in an EtherChannel is limited to 8 from the switch side. If you have an 8-ASA cluster and you allocate 2 ports per unit to the EtherChannel, for a total of 16 ports, then 8 of them have to be in standby mode. The ASA uses LACP to...

Page 330: ...ports and the number of active secondary ports in balance. Note that when a 5th unit joins the cluster, traffic is not balanced evenly between all units. [Figure 333218 residue; panels: (1) Up to 4 units: Router or Access Switch, Virtual Switch Link, ASA1-ASA4; (2) 5th unit joined; (3) Maximum of 8 units: Router or Access Switch, Virtual Switch Link, ASA1-ASA8 ...]

Page 331: ...As, Configuration Examples for ASA Clustering. Link or device failure is handled with the same principle. You may end up with a less-than-perfect load balancing situation. The following figure shows a 4-unit cluster with a single link failure on one of the units. [Figure 333217 residue: ASA1, ASA2, ASA3, ASA4 ...]

Page 332: ...iving traffic from the outside network when it has already lost connectivity to the inside network. Interface Mode on Each Unit: cluster interface-mode spanned force. ASA1 Master Bootstrap Configuration: interface tengigabitethernet 0/6; channel-group 1 mode on; no shutdown. interface tengigabitethernet 0/7; channel-group 1 mode on; no shutdown. interface tengigabitethernet 0/8; channel-group 1 mode on; no sh...

Page 333: ...own. interface port-channel 1; description CCL. cluster group cluster1; local-unit asa2; cluster-interface port-channel1 ip 192.168.1.2 255.255.255.0; priority 2; key chuntheunavoidable; enable as-slave. ASA3 Slave Bootstrap Configuration: interface tengigabitethernet 0/6; channel-group 1 mode on; no shutdown. interface tengigabitethernet 0/7; channel-group 1 mode on; no shutdown. interface tengigabitethernet 0/8...

Page 334: ... 2 mode active; no shutdown. interface management 0/1; channel-group 2 mode active; no shutdown. interface port-channel 2; nameif management; ip address 10.1.1.1 255.255.255.0 cluster-pool mgmt; security-level 100; management-only. interface tengigabitethernet 1/6; channel-group 3 mode active vss-id 1; no shutdown. interface tengigabitethernet 1/7; channel-group 3 mode active vss-id 2; no shutdown. interface port...
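The bootstrap blocks on pages 323 through 334 repeat the same handful of settings on every unit, and the settings that must agree (group name, interface mode, key) are easy to get wrong when the per-unit snippets are pasted by hand; a slave with a different key simply never joins. The following added example, which is not Cisco's code and not from the guide, reads one bootstrap snippet per unit and reports the mismatches before you type enable. Unit names, addresses and the key are taken from the page's spanned EtherChannel example; the snippet layout is an assumption.

```python
import ipaddress
import re

# Constructed per-unit bootstrap snippets modelled on the spanned
# EtherChannel example on pages 323-334. Names, IPs and the key are the
# page's; the line layout is an assumption.
ASA1 = """\
cluster interface-mode spanned force
cluster group cluster1
 local-unit asa1
 cluster-interface port-channel1 ip 192.168.1.1 255.255.255.0
 priority 1
 key chuntheunavoidable
 enable noconfirm
"""
ASA2 = ASA1.replace("asa1", "asa2").replace("192.168.1.1", "192.168.1.2") \
           .replace("priority 1", "priority 2").replace("enable noconfirm", "enable as-slave")
ASA3 = ASA1.replace("asa1", "asa3").replace("192.168.1.1", "192.168.1.3") \
           .replace("priority 1", "priority 3").replace("enable noconfirm", "enable as-slave")

CCL_RE = re.compile(r"cluster-interface (\S+) ip (\S+) (\S+)")


def parse_bootstrap(text):
    """Pull the cluster bootstrap settings out of one unit's config text."""
    cfg = {"mode": None, "group": None, "unit": None, "ccl_if": None,
           "ccl": None, "priority": None, "key": None, "role": None}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("cluster interface-mode "):
            cfg["mode"] = line.split()[2]
        elif line.startswith("cluster group "):
            cfg["group"] = line.split()[2]
        elif line.startswith("local-unit "):
            cfg["unit"] = line.split()[1]
        elif line.startswith("cluster-interface "):
            m = CCL_RE.match(line)
            cfg["ccl_if"] = m.group(1)
            # ipaddress accepts a dotted netmask after the slash
            cfg["ccl"] = ipaddress.ip_interface(f"{m.group(2)}/{m.group(3)}")
        elif line.startswith("priority "):
            cfg["priority"] = int(line.split()[1])
        elif line.startswith("key "):
            cfg["key"] = line.split(None, 1)[1]
        elif line in ("enable", "enable noconfirm"):
            cfg["role"] = "master"
        elif line == "enable as-slave":
            cfg["role"] = "slave"
    return cfg


def check_cluster(configs):
    """Cross-check the bootstrap settings of all units; [] means consistent."""
    units = [parse_bootstrap(c) for c in configs]
    findings = []

    def values(field):
        return {u[field] for u in units}

    if len(values("group")) != 1:
        findings.append("cluster group name differs between units")
    if len(values("mode")) != 1:
        findings.append("cluster interface-mode differs between units")
    keys = values("key")
    if None in keys:
        findings.append("a unit has no key: cluster control link traffic is unauthenticated")
    elif len(keys) != 1:
        findings.append("authentication key differs between units: slaves will not join")
    names = [u["unit"] for u in units]
    if len(set(names)) != len(names):
        findings.append("duplicate local-unit names")
    ccls = [u["ccl"] for u in units if u["ccl"] is not None]
    if len(ccls) != len(units):
        findings.append("a unit has no cluster-interface address")
    if len({c.ip for c in ccls}) != len(ccls):
        findings.append("duplicate cluster-interface IP address")
    if len({c.network for c in ccls}) > 1:
        findings.append("cluster-interface addresses are not in one subnet")
    masters = [u["unit"] for u in units if u["role"] == "master"]
    if len(masters) != 1:
        findings.append(f"expected exactly one 'enable [noconfirm]' bootstrap, found {masters}")
    return findings


if __name__ == "__main__":
    print(check_cluster([ASA1, ASA2, ASA3]) or "consistent")
```

Feed it the output of show running-config cluster from each console session before enabling clustering; remember from page 312 that enabling and disabling must be done from the console, so a mismatch found afterwards costs a site visit.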

Page 335: ...he ASA 5580 and the ASA 5585-X. All units in a cluster must be the same model with the same hardware specifications. See the configuration guide for a list of unsupported features when clustering is enabled. We introduced or modified the following commands: channel-group, clacp system-mac, clear cluster info, clear configure cluster, cluster exec, cluster group, cluster interface-mode, cluster-interface, conn...

Page 336: ...1-72, Cisco ASA Series CLI Configuration Guide, Chapter 1: Configuring a Cluster of ASAs, Feature History for ASA Clustering ...

Page 337: ...1-18; Failover Times, page 1-20; Failover Messages, page 1-20. Introduction to Failover and High Availability: Configuring high availability requires two identical ASAs connected to each other through a dedicated failover link and, optionally, a Stateful Failover link. The health of the active interfaces and units is monitored to determine if specific failover conditions are met. If those conditions are met...

Page 338: ...with the smaller flash memory has enough space to accommodate the software image files and the configuration files. If it does not, configuration synchronization from the unit with the larger flash memory to the unit with the smaller flash memory will fail. Software Requirements: The two units in a failover configuration must be in the same operating modes (routed or transparent, single or multiple cont...

Page 339: ...ld pose a significant security risk. We recommend securing the failover communication with a failover key if you are using the ASA to terminate VPN tunnels, because the Stateful Failover link then carries the ISAKMP and IPsec SA table (see the list of replicated state under Stateful Failover below). You can use any unused interface on the device as the failover link; however, you cannot specify an interface that is currently configured with a name. The failover link interface is not configured as a normal networking interface; it exists for fai...

Page 340: ... MDIX on its copper Ethernet ports, so you can use either a crossover cable or a straight-through cable. If you use a straight-through cable, the interface automatically detects the cable and swaps one of the transmit/receive pairs to MDIX. Enable the PortFast option on Cisco switch ports that connect directly to the ASA. If you use a data interface as the Stateful Failover link, you receive the followi...

Page 341: ...50 milliseconds. If latency is more than 10 milliseconds, some performance degradation occurs due to retransmission of failover messages. The ASA supports sharing of the failover heartbeat and stateful link, but we recommend using a separate heartbeat link on systems with high Stateful Failover traffic. Avoiding Interrupted Failover Links: Because the ASA uses failover interfaces to transport messages between pr...

Page 342: ... with a Double Switch (Not Recommended). Scenario 2 (Recommended): To make the ASA failover pair resistant to failover interface failure, we recommend that failover interfaces NOT use the same switch as the data interfaces, as shown in the preceding connections. Instead, use a different switch or use a direct cable to connect the two ASA failover interfaces, as shown in Figure 1-3 and Figure 1-4. Figure 1-3: Conne...

Page 343: ... Secure Switch. Scenario 4 (Recommended): The most reliable failover configurations use a redundant interface on the failover interface, as shown in Figure 1-6 and Figure 1-7. Figure 1-6: Connecting with Redundant Interfaces. [Figure 236373 residue: Failover link, Primary, Secondary, outside, inside, ISL, Switch 1, Switch 2, Switch 3, Switch 4. Figure 236375 residue: Primary, Active redundant failover link, Active re...]

Page 344: ...over, you divide the security contexts on the ASA into failover groups. A failover group is simply a logical group of one or more security contexts. Each group is assigned to be active on a specific ASA in the failover pair. When a failover occurs, it occurs at the failover group level. For more detailed information about each type of failover, refer to the following information: Chapter 1, Configuring Active...

Page 345: ... Stateful Failover. The ASA supports two types of failover: regular and stateful. This section includes the following topics: Stateless (Regular) Failover, page 1-9; Stateful Failover, page 1-10. Stateless (Regular) Failover: When a failover occurs, all active connections are dropped. Clients need to reestablish connections when the new active unit takes over. Note: Some configuration elements for clientless SSL V...

Page 346: ...ing protocol forwarding information on the newly active unit. The following state information is passed to the standby ASA when Stateful Failover is enabled: the NAT translation table; TCP connection states; UDP connection states; the ARP table; the Layer 2 bridge table (when running in transparent firewall mode); the HTTP connection states (if HTTP replication is enabled); the ISAKMP and IPsec SA table; GTP PDP c...

Page 347: ...achable and unregisters itself. For VPN failover, VPN end users should not have to reauthenticate or reconnect the VPN session in the event of a failover. However, applications operating over the VPN connection could lose packets during the failover process and not recover from the packet loss. Intra- and Inter-Chassis Module Placement for the ASA Services Module: You can place the primary and secondary ...

Page 348: ...ions between ASASMs, we recommend that you configure a trunk port between the two switches that carries the failover and state VLANs. The trunk ensures that failover communication between the two units is subject to minimal failure risk. For other VLANs, you must ensure that both switches have access to all firewall VLANs, and that monitored VLANs can successfully pass hello packets between both switch...

Page 349: ... Failover, Intra- and Inter-Chassis Module Placement for the ASA Services Module. Figure 1-9: Normal Operation. [Figure 255220 residue: Active ASA SM, Standby ASA SM; VLAN 200, VLAN 100, VLAN 201; Mktg, Inside, Eng; Trunk VLANs 10, 11; Internet, VLAN 202; VLAN 11, VLAN 10, Failover Links; VLAN 203; Switch, Switch ...]

Page 350: ...SA Services Module. If the primary ASASM fails, then the secondary ASASM becomes active and successfully passes the firewall VLANs (Figure 1-10). Figure 1-10: ASASM Failure. [Figure 255221 residue: Failed ASA SM, Active ASA SM; VLAN 200, VLAN 100, VLAN 201; Mktg, Inside, Eng; Trunk VLANs 10, 11; Internet, VLAN 202, VLAN 203; VLAN 11, VLAN 10, Failover Links; Switch, Switch ...]

Page 351: ... loss while the port is in a blocking state, you can configure one of the following workarounds, depending on the switch port mode. Access mode: Enable the STP PortFast feature on the switch: interface interface_id; spanning-tree portfast. The PortFast feature immediately transitions the port into STP forwarding mode upon linkup. The port still participates in STP, so if the port is to be a part of the loo...

Page 352: ...munication between the units will fail. Only the primary unit will perform the call home to the Auto Update Server. The primary unit must be in the active state to call home. If it is not, the ASA automatically fails over to the primary unit. Only the primary unit downloads the software image or configuration file. The software image or configuration is then copied to the secondary unit. The interface MA...

Page 353: ... occurs: a. The primary unit retrieves the configuration file from the Auto Update Server using the specified URL. b. The new configuration replaces the old configuration on both units simultaneously. c. The update process begins again at Step 1. 7. If the checksums match for all image and configuration files, no updates are required. The process ends until the next poll time. Monitoring the Auto Update Process: You can use the...

Page 354: ...load. reload active, waiting with mate state 20. auto-update: HA-safe reload: reload active, waiting with mate state 20 (this debug line repeats while the unit waits for its mate). auto-update: HA...

Page 355: ...ello messages on a monitored interface for half of the configured hold time, it runs the following tests: 1. Link Up/Down test: A test of the interface status. If the Link Up/Down test indicates that the interface is operational, then the ASA performs network tests. The purpose of these tests is to generate network traffic to determine which (if either) unit has failed. At the start of each test, each unit c...

Page 356: ...set the state by entering the failover reset command. If the failover condition persists, however, the unit will fail again. Failover Times: Table 1-2 shows the minimum, default, and maximum failover times. Failover Messages: When a failover occurs, both ASAs send out system messages. This section includes the following topics: Failover System Messages, page 1-20; Debug Messages, page 1-21; SNMP, page 1-21. Failove...

Page 357: ...erence for more information. Note: Because debugging output is assigned high priority in the CPU process, it can drastically affect system performance. For this reason, use the debug fover commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco TAC. SNMP: To receive SNMP syslog traps for failover, configure the SNMP agent to send SNMP traps to SNMP management stations...

Page 358: ...1-22, Cisco ASA Series CLI Configuration Guide, Chapter 1: Information About Failover, Failover Messages ...

Page 359: ...cs: Active/Standby Failover Overview, page 1-1; Primary/Secondary Status and Active/Standby Status, page 1-2; Device Initialization and Configuration Synchronization, page 1-2; Command Replication, page 1-3; Failover Triggers, page 1-4; Failover Actions, page 1-5. Active/Standby Failover Overview: Active/Standby failover enables you to use a standby ASA to take over the functionality of a failed unit. When the a...

Page 360: ...nds its entire configuration to the standby unit. The active unit is determined by the following: If a unit boots and detects a peer already running as active, it becomes the standby unit. If a unit boots and does not detect a peer, it becomes the active unit. If both units boot simultaneously, then the primary unit becomes the active unit and the secondary unit becomes the standby unit. Note: If the secon...

Page 361: ...to flash memory. For multiple context mode, enter the write memory all command on the active unit from the system execution space. The command is replicated to the standby unit, which proceeds to write its configuration to flash memory. Using the all keyword with this command causes the system and all context configurations to be saved. Note: Startup configurations saved on external servers are accessibl...

Page 362: ...r does not replicate the following files and configuration components: AnyConnect images; CSD images; ASA images; AnyConnect profiles; Local Certificate Authorities (CAs); ASDM images. To save the replicated commands to the flash memory on the standby unit, do the following: For single context mode, enter the copy running-config startup-config command on the active unit. The command is replicated ...

Page 363: ...unit failed (power or hardware): Policy: No failover; Active action: Mark standby as failed; Standby action: n/a. When the standby unit is marked as failed, the active unit does not attempt to fail over, even if the interface failure threshold is surpassed. Failover link failed during operation: Policy: No failover; Active action: Mark failover interface as failed; Standby action: Mark failover interface as failed. You should restore the failover link as soon as possible because th...

Page 364: ... the secondary unit uses the correct MAC addresses when it is the active unit, even if it comes online before the primary unit. Licensing Requirements for Active/Standby Failover: The following table shows the licensing requirements for this feature. Prerequisites for Active/Standby Failover: Active/Standby failover has the following prerequisites: Both units must be identical ASAs that are connected to...

Page 365: ...active unit in a failover pair, the active console terminal pager settings change, but the standby unit settings do not. A default configuration issued on the active unit does affect behavior on the standby unit. When you enable interface monitoring, you can monitor up to 250 interfaces on a unit. By default, the ASA does not replicate HTTP session information when Stateful Failover is enabled. Because HT...

Page 366: ...teps in this section to configure the primary unit in a LAN-based Active/Standby failover configuration. These steps provide the minimum configuration needed to enable failover on the primary unit. Restrictions: Do not configure an IP address in interface configuration mode for the Stateful Failover link if you are going to use a dedicated Stateful Failover interface. You use the failover interface ip...

Page 367: ...while it is in use as a failover link. To alter the configuration, you need to either shut down the EtherChannel while you make changes, or temporarily disable failover; either action prevents failover from occurring for the duration. Step 3: failover interface ip if_name {ip_address mask standby ip_address | ipv6_address/prefix standby ipv6_address}. Example: hostname(config)# failover interface ip folink 172.2...

Page 368: ...temporarily disable failover; either action prevents failover from occurring for the duration. Step 6: failover interface ip if_name {ip_address mask standby ip_address | ipv6_address/prefix standby ipv6_address}. Example: hostname(config)# failover interface ip folink 172.27.48.1 255.255.255.0 standby 172.27.48.2; hostname(config)# failover interface ip statelink 2001:a1a:b00:a0a::a70/64 standby 2001:a1a:b00:a0a...

Page 369: ...Command / Purpose. Step 1: failover lan interface if_name interface_id. Example: hostname(config)# failover lan interface folink vlan100. Specifies the interface to be used as the failover interface. Use the same settings that you used for the primary unit. The if_name argument assigns a name to the interface specified by the interface_id argument. The interface ID can be a physical interface ...

Page 370: ... interface_id; no shutdown. Example: hostname(config)# interface vlan100; hostname(config-if)# no shutdown. Enables the interface. Step 4: failover lan unit secondary. Example: hostname(config)# failover lan unit secondary. (Optional) Designates this unit as the secondary unit. Note: This step is optional because, by default, units are designated as secondary unless previously configured. Step 5: failover. Example: hostnam...

Page 371: ...faces is enabled and monitoring subinterfaces is disabled. Hello messages are exchanged during every interface poll frequency time period between the ASA failover pair. The failover interface poll time can be set from 1 to 15 seconds (or 500 to 999 milliseconds with the msec keyword; see the valid ranges below). For example, if the poll time is set to 5 seconds, testing begins on an interface if 5 consecutive hellos are not heard on that interface (25 seconds). Monitored failover interfaces can ...

Page 372: ...sting begins. If a hello packet or a successful test result is not received within the specified hold time, the interface is marked as failed. Failover occurs if the number of failed interfaces meets the failover criteria. Decreasing the poll and hold times enables the ASA to detect and respond to interface failures more quickly, but may consume more system resources. Increasing the poll and hold times ...

Page 373: ...times. Valid values for the poll time are from 1 to 15 seconds or, if the optional msec keyword is used, from 500 to 999 milliseconds. The hold time determines how long it takes from the time a hello packet is missed to when the interface is marked as failed. Valid values for the hold time are from 5 to 75 seconds. You cannot enter a hold time that is less than 5 times the poll time. If the interface link is...
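The poll and hold ranges above, the 5x rule, and the half-hold-time point at which interface tests start (page 355) are easy to get wrong when tuning for fast detection. The following added example is not Cisco's code and not from the guide: it validates a proposed failover polltime interface setting against those stated ranges, works out the resulting detection timeline, and renders the command line. The command keyword layout is the one shown in the guide; the timeline fields are my names for the two thresholds the text describes.

```python
def check_interface_polltime(poll, hold, msec=False):
    """Validate a failover polltime interface setting against the ranges on
    page 373. Returns (poll_seconds, hold_seconds, None) when valid, or
    (None, None, reason) when the ASA would reject it."""
    if msec:
        if not 500 <= poll <= 999:
            return None, None, "msec poll time must be 500-999 milliseconds"
        poll_s = poll / 1000.0
    else:
        if not 1 <= poll <= 15:
            return None, None, "poll time must be 1-15 seconds"
        poll_s = float(poll)
    if not 5 <= hold <= 75:
        return None, None, "hold time must be 5-75 seconds"
    if hold < 5 * poll_s:
        return None, None, (f"hold time {hold}s is less than 5 x poll time "
                            f"({5 * poll_s:g}s)")
    return poll_s, float(hold), None


def detection_timeline(poll_s, hold_s):
    """Timeline for a monitored interface that stops receiving hellos:
    page 355 says interface tests start after half the hold time without
    hellos; page 372 says the interface is marked failed when neither a
    hello nor a passing test arrives within the hold time."""
    return {
        "hellos_missed_before_tests": (hold_s / 2) / poll_s,
        "tests_start_s": hold_s / 2,
        "marked_failed_s": hold_s,
    }


def polltime_command(poll, hold, msec=False):
    """Render the CLI line, or raise if the values are out of range."""
    poll_s, hold_s, err = check_interface_polltime(poll, hold, msec)
    if err:
        raise ValueError(err)
    unit = "msec " if msec else ""
    return f"failover polltime interface {unit}{poll} holdtime {hold}"


if __name__ == "__main__":
    # The guide's own example: 5 s poll, 25 s hold (5 consecutive hellos).
    for poll, hold, msec in ((5, 25, False), (500, 5, True), (5, 20, False)):
        p, h, err = check_interface_polltime(poll, hold, msec)
        if err:
            print(f"poll={poll} hold={hold} msec={msec}: rejected: {err}")
        else:
            print(polltime_command(poll, hold, msec), detection_timeline(p, h))
```

The fastest legal setting, msec 500 with holdtime 5, marks an interface failed after 5 seconds and begins the network tests after 2.5 seconds; the page's caveat that lower values consume more resources applies, and on a busy switch the aggressive setting can produce false failovers from ordinary hello loss.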

Page 374: ...nd standby_mac arguments are MAC addresses in H.H.H format, where H is a 16-bit hexadecimal digit. For example, the MAC address 00-0C-F1-42-4C-DE would be entered as 000C.F142.4CDE. The active_mac address is associated with the active IP address for the interface, and the standby_mac is associated with the standby IP address for the interface. You can also set the MAC address using other commands or met...
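Three things the failover pages state as requirements are worth checking mechanically before the pair is put into service: the failover key recommendation on page 339, the rule that the failover link cannot be an interface that already has a nameif, the standby-address-in-same-subnet rule for the failover link (page 386), and the H.H.H MAC format on this page. The following added example, which is not Cisco's code and not from the guide, lints a running-config excerpt for those points and converts colon- or dash-separated MACs into the dotted form. The config excerpt is constructed from the Active/Standby bootstrap steps on pages 366 through 370; the interface names, the crypto map line and the severity labels are assumptions.

```python
import ipaddress
import re

# Constructed running-config excerpt modelled on the Active/Standby bootstrap
# steps on pages 366-370 and the MAC example on page 374. Interface names,
# the key value and the crypto map line are assumptions for illustration.
GOOD = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
interface GigabitEthernet0/3
 description LAN Failover Interface
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover key s3cretFailoverKey
failover interface ip folink 172.27.48.1 255.255.255.0 standby 172.27.48.2
failover mac address GigabitEthernet0/0 000C.F142.4CDE 000C.F142.4CDF
crypto map outside_map interface outside
"""

# Same excerpt with three mistakes: no key, failover link on a named data
# interface, standby address outside the failover subnet.
BAD = (GOOD.replace("failover key s3cretFailoverKey\n", "")
           .replace("failover lan interface folink GigabitEthernet0/3",
                    "failover lan interface folink GigabitEthernet0/0")
           .replace("standby 172.27.48.2", "standby 172.27.49.2"))

MAC_HHH = re.compile(r"^[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}$")
FO_IP = re.compile(r"failover interface ip \S+ (\S+)(?: (\d+\.\d+\.\d+\.\d+))? standby (\S+)")
VPN_PREFIXES = ("crypto map", "webvpn", "tunnel-group")


def to_hhh(mac):
    """Normalize 00-0C-F1-42-4C-DE / 00:0c:f1:42:4c:de / 000C.F142.4CDE
    into the H.H.H form the failover mac address command expects."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac}")
    d = digits.upper()
    return f"{d[0:4]}.{d[4:8]}.{d[8:12]}"


def named_interfaces(cfg):
    """Map interface -> nameif for every interface block carrying a nameif."""
    names, current = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
        elif current and line.strip().startswith("nameif "):
            names[current] = line.split()[1]
    return names


def lint_failover(cfg):
    """Findings for the failover bootstrap; [] means nothing to report."""
    lines = [l.strip() for l in cfg.splitlines()]
    findings = []
    if "failover" not in lines:
        return ["failover is not enabled"]
    if not any(l.startswith("failover key ") for l in lines):
        sev = "HIGH" if any(l.startswith(VPN_PREFIXES) for l in lines) else "MEDIUM"
        findings.append(f"{sev}: no 'failover key': failover and state traffic is unprotected")
    named = named_interfaces(cfg)
    for l in lines:
        if l.startswith("failover lan interface "):
            phys = l.split()[4]
            if phys in named:
                findings.append(f"failover link {phys} is a data interface (nameif {named[phys]})")
        elif l.startswith("failover interface ip "):
            m = FO_IP.match(l)
            if m:
                addr = m.group(1) + (f"/{m.group(2)}" if m.group(2) else "")
                net = ipaddress.ip_interface(addr).network
                if ipaddress.ip_address(m.group(3)) not in net:
                    findings.append(f"standby {m.group(3)} is not in failover subnet {net}")
        elif l.startswith("failover mac address "):
            _, _, _, _, act, stby = l.split()
            for mac in (act, stby):
                if not MAC_HHH.match(mac):
                    findings.append(f"MAC {mac} is not in H.H.H format")
            if act.upper() == stby.upper():
                findings.append("active and standby virtual MACs are identical")
    if not any(l.startswith("failover lan unit ") for l in lines):
        findings.append("no 'failover lan unit': unit defaults to secondary")
    return findings


if __name__ == "__main__":
    print("good:", lint_failover(GOOD) or "clean")
    print("bad: ", lint_failover(BAD))
    print(to_hhh("00-0C-F1-42-4C-DE"))
```

Run it on show running-config from both units; the standby-subnet and MAC checks apply unchanged to the Active/Active failover interface ip and mac address lines on pages 386 and 394.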

Page 375: ...ver, it is still considered to be a unit issue. If the ASA detects that an interface is down, failover occurs immediately without waiting for the interface holdtime. The interface holdtime is only useful when the ASA considers its status to be OK although it is not receiving hello packets from the peer. To simulate interface holdtime, shut down the VLAN on the switch to prevent peers from receiving hell...

Page 376: ...re information about the output of the monitoring commands, refer to the Cisco ASA 5500 Series Command Reference. Feature History for Active/Standby Failover: Table 1-2 lists the release history for this feature. Command / Purpose: show failover: Displays information about the failover state of the unit. show monitor-interface: Displays information about the monitored interfaces. show running-config failover ...

Page 377: ...tive failover. This section includes the following topics: Active/Active Failover Overview, page 1-1; Primary/Secondary Status and Active/Standby Status, page 1-2; Device Initialization and Configuration Synchronization, page 1-3; Command Replication, page 1-3; Failover Triggers, page 1-4; Failover Actions, page 1-5. Active/Active Failover Overview: Active/Active failover is only available to ASAs in multiple co...

Page 378: ...econdary Status and Active/Standby Status: As in Active/Standby failover, one unit in an Active/Active failover pair is designated the primary unit and the other unit the secondary unit. Unlike Active/Standby failover, this designation does not indicate which unit becomes active when both units start simultaneously. Instead, the primary/secondary designation does two things: Determines which unit provide...

Page 379: ...guration being received. Avoid entering commands on either unit in the failover pair during the configuration replication process. Depending upon the size of the configuration, replication can take from a few seconds to several minutes. On the unit receiving the configuration, the configuration exists only in running memory. To save the configuration to flash memory after synchronization, enter the write...

Page 380: ...es active connections through those contexts to be terminated. Use the failover active command on the unit providing the configuration to make sure all contexts are active on that unit before entering the write standby command. If you enter the write standby command in a security context, only the configuration for the security context is written to the peer unit. You must enter the command in the sec...

Page 381: ...group 2 remains active on the primary unit, while failover group 1 becomes active on the secondary unit. Note: When configuring Active/Active failover, make sure that the combined traffic for both units is within the capacity of each unit. Table 1-2 shows the failover action for each failure event. For each failure event, the policy (whether or not failover occurs), actions for the active failover group, and...

Page 382: ...ink failed: Policy: No failover; Active group action: No action; Standby group action: No action. State information becomes out of date, and sessions are terminated if a failover occurs. Failover link failed during operation: Policy: No failover; n/a; n/a. Each unit marks the failover interface as failed. You should restore the failover link as soon as possible because the unit cannot fail over to the standby unit while the failover link is down. Table 1-2: Failover B...

Page 383: ...es or a percentage of monitored interfaces that must fail before failover occurs. Virtual MAC address configuration: Ensures that the secondary unit uses the correct MAC addresses when it is the active unit, even if it comes online before the primary unit. Licensing Requirements for Active/Active Failover: The following table shows the licensing requirements for this feature. Prerequisites for Active/Ac...

Page 384: ...dresses need to be configured on all interfaces. The standby IP address is used on the security appliance that is currently the standby unit, and it must be in the same subnet as the active IP address. You can define a maximum of two failover groups. Failover groups can only be added to the system context of devices that are configured for multiple context mode. You can create and remove failove...

Page 385: ...onfiguring the Primary Failover Unit section on page 1-9. Step 2: Configure the secondary unit as shown in the Configuring the Secondary Failover Unit section on page 1-12. Step 3 (Optional): Configure optional Active/Active failover settings as shown in the Optional Active/Active Failover Settings section on page 1-7. Configuring the Primary Failover Unit: Follow the steps in this section to configure th...

Page 386: ... a0a::b70/64 standby 2001:a0a:b00:a0a::b71. Assigns the active and standby IP addresses to the failover link. You can assign either an IPv4 or an IPv6 address to the interface; you cannot assign both types of addresses to the failover link. The standby IP address must be in the same subnet as the active IP address. You do not need to identify the standby address subnet mask. The failover link IP address a...

Page 387: ...stname(config-if)# no shutdown. Enables the interface. Note: If the Stateful Failover link uses the failover link or a regular data interface, skip this step; you have already enabled the interface. Step 7: failover group {1 | 2}, then {primary | secondary}. Example: hostname(config)# failover group 1; hostname(config-fover-group)# primary; hostname(config-fover-group)# exit; hostname(config)# failover group 2; hostname(config-fover-gr...

Page 388: ...hysical port name, such as Ethernet1, or a previously created subinterface, such as Ethernet0/2.3. On the ASASM, the phy_if specifies a VLAN. This interface should not be used for any other purpose (except, optionally, the Stateful Failover link). Step 2: failover interface ip if_name {ip_address mask standby ip_address | ipv6_address/prefix standby ipv6_address}. Example: hostname(config)# failover interface ip folin...

Page 389: ...ne, any failover groups that have the unit as a priority do not become active on that unit unless manually forced over... unless a... Step 4: failover lan unit secondary. Example: hostname(config)# failover lan unit secondary. (Optional) Designates this unit as the secondary unit. Note: This step is optional because, by default, units are designated as secondary unless previously configured. Step 5: failover. Example: h...

Page 390: ... hostname(config)# failover group 1; hostname(config-fover-group)# primary; hostname(config-fover-group)# preempt 100; hostname(config-fover-group)# exit; hostname(config)# failover group 2; hostname(config-fover-group)# secondary; hostname(config-fover-group)# preempt 100; hostname(config-fover-group)# mac address e1 0000.a000.a011 0000.a000.a012; hostname(config-fover-group)# exit; hostname(config)#. Command / Purpose. Step 1: f...

Page 391: ...works from affecting your failover policy. You can monitor up to 250 interfaces on a unit. By default, monitoring physical interfaces is enabled and monitoring subinterfaces is disabled. Hello messages are exchanged during every interface poll frequency time period between the security appliance failover pair. The failover interface poll time can be set from 1 to 15 seconds (or 500 to 999 milliseconds with the msec keyword). For example, if the poll time is set to 5 ...

Page 392: ... meets the failover criteria. Decreasing the poll and hold times enables the ASA to detect and respond to interface failures more quickly, but may consume more system resources. To change the default interface poll time, perform the following steps. Do one of the following: no monitor-interface if_name. Example: hostname/context(config)# no monitor-interface 1. Disables health monitoring for an interface. mon...

Page 393: ...oup, perform the following steps. The following partial example shows a possible configuration for a failover group: hostname(config)# failover group 1; hostname(config-fover-group)# primary; hostname(config-fover-group)# preempt 100; hostname(config-fover-group)# interface-policy 25; hostname(config-fover-group)# exit; hostname(config)#. Configuring Virtual MAC Addresses: Active/Active failover uses virtual MAC addres...

Page 394: ...le shows a possible configuration for a failover group: hostname(config)# failover group 1; hostname(config-fover-group)# primary; hostname(config-fover-group)# preempt 100; hostname(config-fover-group)# exit; hostname(config)# failover group 2; hostname(config-fover-group)# secondary; hostname(config-fover-group)# preempt 100; hostname(config-fover-group)# mac address gigabitethernet1/0 0000.a000.a011 0000.a000.a012; hos...

Page 395: ...nto the stream. Note: Using the asr-group command to configure asymmetric routing support is more secure than using the static command with the nailed option. The asr-group command does not provide asymmetric routing; it restores asymmetrically routed packets to the correct interface. Prerequisites: You must have the following configured for asymmetric routing support to function properly: Active/Active f...

Page 396: ...xample: Figure 1-1 shows an example of using the asr-group command for asymmetric routing support. Figure 1-1 ASR Example. The two units have the following configuration (configurations show only the relevant commands). The device labeled SecAppA in the diagram is the primary unit in the failover pair. Example 1-1 Primary Unit System Configuration:
hostname primary
interface GigabitEthernet0/1
  description...

Page 397: ...2.168.1.2
  asr-group 1
interface GigabitEthernet0/3
  nameif inside
  security-level 100
  ip address 10.1.0.1 255.255.255.0 standby 10.1.0.11
monitor-interface outside
Example 1-3 ctx1 Context Configuration:
hostname SecAppB
interface GigabitEthernet0/4
  nameif outsideISP-B
  security-level 0
  ip address 192.168.2.2 255.255.255.0 standby 192.168.2.1
  asr-group 1
interface GigabitEthernet0/5
  nameif inside
  secu...
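The page excerpts above are truncated; the following is an added, self-contained version of the same design and is not the guide's own example. Two contexts each own one ISP uplink, one context per failover group, and both outside interfaces carry asr-group 1. With Active/Active and Stateful Failover in place (the prerequisites the text names), a reply that comes back through the other ISP is matched against the replicated session and delivered to the interface that owns it instead of being dropped as a spoofed or out-of-state packet. Hostnames, interface IDs, addresses and the key are constructed.

```cisco
! Added example, not from the guide. All names and addresses are constructed.
! --- system execution space, primary unit ---
hostname asa-a
interface GigabitEthernet0/1
  description LAN/STATE Failover Interface
  no shutdown
interface GigabitEthernet0/2
  no shutdown
interface GigabitEthernet0/3
  no shutdown
interface GigabitEthernet0/4
  no shutdown
interface GigabitEthernet0/5
  no shutdown
failover lan unit primary
failover lan interface folink GigabitEthernet0/1
! Stateful failover on the same link: ASR depends on the session state
! being present on the unit that receives the asymmetric packet.
failover link folink GigabitEthernet0/1
failover interface ip folink 10.0.4.1 255.255.255.0 standby 10.0.4.11
failover key Example-Key-Change-Me
failover group 1
  primary
failover group 2
  secondary
context ctx1
  allocate-interface GigabitEthernet0/2
  allocate-interface GigabitEthernet0/3
  config-url disk0:/ctx1.cfg
  join-failover-group 1
context ctx2
  allocate-interface GigabitEthernet0/4
  allocate-interface GigabitEthernet0/5
  config-url disk0:/ctx2.cfg
  join-failover-group 2
failover
!
! --- ctx1: active on asa-a through failover group 1 ---
interface GigabitEthernet0/2
  nameif outsideISP-A
  security-level 0
  ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
  asr-group 1
interface GigabitEthernet0/3
  nameif inside
  security-level 100
  ip address 10.1.0.1 255.255.255.0 standby 10.1.0.11
monitor-interface outsideISP-A
!
! --- ctx2: active on the peer through failover group 2; on asa-a this
! context holds the standby addresses ---
interface GigabitEthernet0/4
  nameif outsideISP-B
  security-level 0
  ip address 192.168.2.1 255.255.255.0 standby 192.168.2.2
  asr-group 1
interface GigabitEthernet0/5
  nameif inside
  security-level 100
  ip address 10.2.0.1 255.255.255.0 standby 10.2.0.11
monitor-interface outsideISP-B
```

The group number is the only thing the two outside interfaces share; without a common asr-group the return packet on outsideISP-B has no session and is dropped, which is the correct (and safer) default. The static command with the nailed option that the note warns against would instead let such packets through without a session check.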

Page 398: ...lover exec command to send configuration commands to the standby unit or context, those configuration changes are not replicated to the active unit, and the two configurations will no longer be synchronized. Output from configuration, exec, and show commands is displayed in the current terminal session, so you can use the failover exec command to issue show commands on a peer unit and view the results i...

Page 399: ...exec active mode is in interface configuration mode:
hostname(config)# failover exec active interface GigabitEthernet0/1
hostname(config)# failover exec active ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
hostname(config)# router rip
hostname(config-router)#
Changing command modes for your current session to the device does not affect the command mode used by the failover exec command. For exa...

Page 400: ...o debug, undebug. If the standby unit is in the failed state, it can still receive commands from the failover exec command if the failure is due to a service card failure; otherwise, the remote command execution will fail. You cannot use the failover exec command to switch from privileged EXEC mode to global configuration mode on the failover peer. For example, if the current unit is in privileged EXEC mo...

Page 401: ...it active. Restored units or groups remain in the standby state until made active by failover (forced or natural). An exception is a failover group configured with failover preemption: if previously active, a failover group becomes active if it is configured with preemption and if the unit on which it failed is the preferred unit. To restore a failed unit to an unfailed state, enter the following command...
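An added session transcript, constructed for this page rather than taken from it, showing the failover exec usage pattern that the preceding pages describe: read-only show commands against the peer, configuration sent only to the active unit so that it is replicated, and the reset that returns a failed unit or group to standby.

```cisco
! Added example, not from the guide. Hostname, interface and addresses are
! constructed. "mate" means the peer of the unit you are logged in to.
!
! Read-only inspection of the peer; output returns to this terminal.
hostname# failover exec mate show failover | include host
hostname# failover exec mate show monitor-interface
hostname# failover exec mate show interface ip brief
!
! Configuration belongs on the ACTIVE unit so that it is replicated to the
! standby. "failover exec active" does the right thing from either unit.
! The remote command mode is tracked separately from this session's mode:
! the first line enters interface configuration mode on the peer, the second
! runs inside it.
hostname# configure terminal
hostname(config)# failover exec active interface GigabitEthernet0/1
hostname(config)# failover exec active ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
hostname(config)# failover exec active exit
!
! Do NOT push configuration to the standby: it is not replicated back, the
! two configurations silently diverge, and "show failover" will not tell you.
!   hostname(config)# failover exec standby ip address ...   <- avoid
!
! A unit or group that has failed stays "Failed" until you clear it; after
! the reset it is standby, and only returns to active through preemption
! (if configured) or a forced/natural failover.
hostname# failover reset
hostname# failover reset group 1
hostname# show failover | include Failed
```

The failover exec command cannot be used for debug/undebug on the peer, and it cannot move the peer from privileged EXEC into global configuration mode on its own; start from the same mode on both sides as the transcript does.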

Page 402: ...3 lists the release history for this feature. Command / Purpose: show failover: Displays information about the failover state of the unit. show failover group: Displays information about the failover state of the failover group; the information displayed is similar to that of the show failover command but limited to the specified group. show monitor-interface: Displays information about the monitored interf...

Page 403: ...PART 2: Configuring Interfaces...


Page 405: ...nterface Configuration (Transparent Mode). For ASA 5505 configuration, see Chapter 1, Starting Interface Configuration (ASA 5505). For multiple context mode, complete all tasks in this section in the system execution space. To change from the context to the system execution space, enter the changeto system command. For ASA cluster interfaces, which have special requirements, see Chapter 1, Configuring a Cluster...

Page 406: ...fixed value, thus disabling auto-negotiation for both settings, then Auto-MDI/MDIX is also disabled. For Gigabit Ethernet, when the speed and duplex are set to 1000 and full, the interface always auto-negotiates; therefore Auto-MDI/MDIX is always enabled and you cannot disable it. Interfaces in Transparent Mode: Interfaces in transparent mode belong to a bridge group, one bridge group for each networ...

Page 407: ...le for Through Traffic [1]. 1. By default, the Management 0/0 interface is configured for management-only traffic (the management-only command). For supported models in routed mode, you can remove the limitation and pass through traffic. If your model includes additional Management interfaces, you can use them for through traffic as well. The Management interfaces might not be optimized for through traffic, how...

Page 408: ...all mode, the management interface updates the MAC address table in the same manner as a data interface; therefore you should not connect both a management and a data interface to the same switch unless you configure one of the switch ports as a routed port (by default, Cisco Catalyst switches share a MAC address for all VLAN switch ports). Otherwise, if traffic arrives on the management interface from t...

Page 409: ...EtherChannels: An 802.3ad EtherChannel is a logical interface (called a port-channel interface) consisting of a bundle of individual Ethernet links (a channel group), so that you increase the bandwidth for a single network. A port-channel interface is used in the same way as a physical interface when you configure interface-related features. You can configure up to 48 EtherChannels. This section includes...

Page 410: ...see Figure 1-1. On each ASA, a single EtherChannel connects to both switches. Even if you could group all switch interfaces into a single EtherChannel connecting to both ASAs (in this case, the EtherChannel will not be established because of the separate ASA system IDs), a single EtherChannel would not be desirable because you do not want traffic sent to the standby ASA. Figure 1-2 Active/Standby Failover...

Page 411: ...IP address of the packet (this criterion is configurable; see the Customizing the EtherChannel section on page 1-30). The hash result is a 3-bit value (0 to 7). The eight hash result values are distributed in a round-robin fashion between the channel group interfaces, starting with the interface with the lowest ID (slot/port). For example, all packets with a hash result of 0 go to GigabitEthernet 0/0, packets...

Page 412: ...g an EtherChannel port interface. We recommend manually (or, in multiple context mode, automatically) configuring a unique MAC address in case the channel group interface membership changes. If you remove the interface that was providing the port-channel MAC address, then the port-channel MAC address changes to the next lowest numbered interface, thus causing traffic disruption. Licensing Requirements for...

Page 413: ...faces of all types [2]: Base License 1316. ASA 5545-X: VLANs [1]: Base License 300; Interfaces of all types [2]: Base License 1716. ASA 5555-X: VLANs [1]: Base License 500; Interfaces of all types [2]: Base License 2516. ASA 5585-X: VLANs [1]: Base and Security Plus License 1024. Interface Speed for SSP-10 and SSP-20: Base License: 1-Gigabit Ethernet for fiber interfaces; 10 GE I/O License (Security Plus): 10-Gigabit Ethernet for fiber...

Page 414: ...nit as normal. You can monitor redundant or EtherChannel interfaces for failover using the monitor-interface command; be sure to reference the logical redundant interface name. When an active member interface fails over to a standby interface, this activity does not cause the redundant or EtherChannel interface to appear to be failed when being monitored for device-level failover. Only when all physica...

Page 415: ...For clustering guidelines, see the Clustering Guidelines section on page 1-11. EtherChannel Guidelines: You can configure up to 48 EtherChannels. Each channel group can have eight active interfaces. Note that you can assign up to 16 interfaces to a channel group; while only eight interfaces can be active, the remaining interfaces can act as standby links in case of interface failure. All interfaces in th...

Page 416: ...ngle mode or in the system execution space, interfaces have the following default states. Physical interfaces: Disabled. Redundant interfaces: Enabled; however, for traffic to pass through the redundant interface, the member physical interfaces must also be enabled. Subinterfaces: Enabled; however, for traffic to pass through the subinterface, the physical interface must also be enabled. EtherChannel port-chann...

Page 417: ...he changeto system command. Step 2: Enable the physical interface and optionally change Ethernet parameters. See the Enabling the Physical Interface and Configuring Ethernet Parameters section on page 1-23. Physical interfaces are disabled by default. Step 3 (Optional): Configure redundant interface pairs. See the Configuring a Redundant Interface section on page 1-26. A logical redundant interface pairs an...

Page 418: ...formation: Detailed Steps (Single Mode), page 1-14; Detailed Steps (Multiple Mode), page 1-19. Detailed Steps (Single Mode): We recommend that you update your configuration offline as a text file and reimport the whole configuration, for the following reasons: Because you cannot add a named interface as a member of a redundant or EtherChannel interface, you must remove the name from the interface. When you remove...

Page 419: ...all interfaces in a given EtherChannel or redundant interface. Note that the duplex setting for an EtherChannel interface must be Full or Auto. For example, you have the following interface configuration. The bolded commands are the ones we want to use with three new EtherChannel interfaces, and that you should cut and paste to the end of the interface section:
interface GigabitEthernet0/0
  nameif outsi...

Page 420: ...if mgmt
  security-level 100
  ip address 10.1.1.5 255.255.255.0
  no shutdown
Step 6: Assign the physical interfaces to the new logical interfaces. Redundant interface: Enter the following commands under the new interface redundant command: member-interface physical_interface1 / member-interface physical_interface2, where the physical interfaces are any two interfaces of the same type, either formerly in use o...

Page 421: ...GigabitEthernet0/0
  channel-group 1 mode active
  no shutdown
interface GigabitEthernet0/1
  channel-group 2 mode active
  no shutdown
interface GigabitEthernet0/2
  channel-group 1 mode active
  shutdown
  no nameif
  no security-level
  no ip address
interface GigabitEthernet0/3
  channel-group 1 mode active
  shutdown
  no nameif
  no security-level
  no ip address
interface GigabitEthernet0/4
  channel-group 2 mode active...

Page 422: ...urity-level
  no ip address
interface GigabitEthernet0/4
  channel-group 2 mode active
  no shutdown
  no nameif
  no security-level
  no ip address
interface GigabitEthernet0/5
  channel-group 2 mode active
  no shutdown
  no nameif
  no security-level
  no ip address
interface Management0/0
  channel-group 3 mode active
  no shutdown
interface Management0/1
  channel-group 3 mode active
  no shutdown
  no nameif
  no security-le...

Page 423: ...ion on page 1-11. d. Reload the ASA using the reload command. Do not save the running configuration. Step 9: Reenable failover by entering the failover command. Detailed Steps (Multiple Mode): We recommend that you update your system and context configurations offline as text files and reimport them, for the following reasons: Because you cannot add an allocated interface as a member of a redundant or EtherC...

Page 424: ...GigabitEthernet0/2
  shutdown
interface GigabitEthernet0/3
  shutdown
interface GigabitEthernet0/4
  shutdown
interface GigabitEthernet0/5
  shutdown
interface Management0/0
  no shutdown
interface Management1/0
  shutdown
context customerA
  allocate-interface gigabitethernet0/0 int1
  allocate-interface gigabitethernet0/1 int2
  allocate-interface management0/0 mgmt
context customerB
  allocate-interface gigabitet...

Page 425: ...l interfaces you want to use as part of the logical interface. Note: You can only add physical interfaces to an EtherChannel or redundant interface; you cannot have VLANs configured for the physical interfaces. Be sure to match physical interface parameters such as speed and duplex for all interfaces in a given EtherChannel or redundant interface. Note that the duplex setting for an EtherChannel interf...

Page 426: ...channel2
  allocate-interface port-channel3
Note: You might want to take this opportunity to assign mapped names to interfaces if you have not done so already. For example, the configuration for customerA does not need to be altered at all; it just needs to be reapplied on the ASA. The customerB configuration, however, needs to have all of the interface IDs changed if you assign mapped names for customerB...

Page 427: ...Traffic through the ASA stops at this point. c. Paste in the new system configuration at the prompt. All of the new context configurations now reload. When they are finished reloading, traffic through the ASA resumes. Remote connection: a. Save the new system configuration to a TFTP or FTP server so you can copy it to the startup configuration on the ASA. For example, you can run a TFTP or FTP server on you...

Page 428: ...ional: media-type sfp (Example: hostname(config-if)# media-type sfp). Sets the media type to SFP, if available for your model. To restore the default RJ-45, enter the media-type rj45 command. Step 3 (Optional): speed {auto | 10 | 100 | 1000 | nonegotiate} (Example: hostname(config-if)# speed 100). Sets the speed. For copper interfaces, the default setting is auto. For SFP interfaces, the default setting is no speed nonegotiate, whi...

Page 429: ...The default high_water value is 128 KB (10 GigabitEthernet) and 24 KB (1 GigabitEthernet); you can set it between 0 and 511 (10 GigabitEthernet) or 0 and 47 KB (1 GigabitEthernet). After a pause is sent, an XON frame can be sent when the buffer usage is reduced below the low-water mark. By default, the low_water value is 64 KB (10 GigabitEthernet) and 16 KB (1 GigabitEthernet); you can set it between 0 and 511 (10...

Page 430: ...Redundant Interface, page 1-26; Changing the Active Interface, page 1-28. Configuring a Redundant Interface: This section describes how to create a redundant interface. By default, redundant interfaces are enabled. Guidelines and Limitations: You can configure up to 8 redundant interface pairs. Redundant interface delay values are configurable, but by default the ASA inherits the default delay values based...

Page 431: ...Mode. Command / Purpose. Step 1: interface redundant number (Example: hostname(config)# interface redundant 1). Adds the logical redundant interface, where the number argument is an integer between 1 and 8. Note: You need to add at least one member interface to the redundant interface before you can configure logical parameters for it, such as a name. Step 2: member-interface physical_interface (Example: hostname(co...

Page 432: ...n includes the following topics: Adding Interfaces to the EtherChannel, page 1-28; Customizing the EtherChannel, page 1-30. Adding Interfaces to the EtherChannel: This section describes how to create an EtherChannel port-channel interface and assign interfaces to the EtherChannel. By default, port-channel interfaces are enabled. Guidelines and Limitations: You can configure up to 48 EtherChannels. Each chann...

Page 433: ...tive mode. For information about active, passive, and on modes, see the Link Aggregation Control Protocol section on page 1-6. Step 3 (Optional): lacp port-priority number (Example: hostname(config-if)# lacp port-priority 12345). Sets the priority for a physical interface in the channel group, between 1 and 65535. The default is 32768. The higher the number, the lower the priority. The ASA uses this setting to decid...

Page 434: ...r the EtherChannel to be active, the load-balancing algorithm, and other optional parameters. Detailed Steps. Command / Purpose. Step 1: interface port-channel channel_id (Example: hostname(config)# interface port-channel 1). Specifies the port-channel interface. This interface was created automatically when you added an interface to the channel group. If you have not yet added an interface, then this command crea...

Page 435: ...vlan-only | vlan-src-dst-ip | vlan-src-dst-ip-port | vlan-src-ip | vlan-src-ip-port} (Example: hostname(config-if)# port-channel load-balance src-dst-mac). Configures the load-balancing algorithm. By default, the ASA balances the packet load on interfaces according to the source and destination IP address (src-dst-ip) of the packet. If you want to change the properties on which the packet is categorized, use this comm...

Page 436: ...rfaces on the Management 0/0 interface. Prerequisites: For multiple context mode, complete this procedure in the system execution space. To change from the context to the system execution space, enter the changeto system command. Detailed Steps. Command / Purpose. Step 1: interface {physical_interface | redundant number | port-channel number}.subinterface (Example: hostname(config)# interface gigabitethernet 0/1.100). S...

Page 437: ...A 5580, ASA 5585-X. Prerequisites: In multiple context mode, set this option in the system execution space. Changes in this setting require you to reload the ASA. Be sure to set the MTU for each interface that needs to transmit jumbo frames to a higher value than the default 1500; for example, set the value to 9000 using the mtu command. See the Configuring the MAC Address and MTU section on page 1-10. In m...

Page 438: ...meters for the physical interface in single mode:
interface gigabitethernet 0/1
  speed 1000
  duplex full
  no shutdown
Command / Purpose: show interface: Displays interface statistics. show interface ip brief: Displays interface IP addresses and status. show lacp {channel_group_number | counters | internal | neighbor | sys-id}: For EtherChannel, displays LACP information such as traffic statistics, system identifier, and n...

Page 439: ...erfaces as part of an EtherChannel. It also sets the system priority to be a higher priority, and GigabitEthernet 0/2 to be a higher priority than the other interfaces, in case more than eight interfaces are assigned to the EtherChannel:
lacp system-priority 1234
interface GigabitEthernet0/0
  channel-group 1 mode active
interface GigabitEthernet0/1
  channel-group 1 mode active
interface GigabitEthernet0...
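The guide's own example on this page is cut off. The following is an added, complete illustration (not the guide's configuration) that pulls together the redundant-interface and EtherChannel procedures from the preceding pages in single mode: a redundant pair with a pinned MAC so that a member change does not change the logical interface's address, an LACP EtherChannel with a preferred member, max/min bundle sizes and a non-default load-balancing hash, and failover monitoring that references the logical names rather than the members. Interface IDs, addresses and MACs are constructed.

```cisco
! Added example, not from the guide. Single mode; names, addresses and MACs
! are constructed. Members of a redundant or port-channel interface must have
! no nameif/security-level/ip address of their own.
!
! Redundant pair: Gi0/0 active, Gi0/1 standby (same interface type).
interface GigabitEthernet0/0
  no nameif
  no security-level
  no ip address
  no shutdown
interface GigabitEthernet0/1
  no nameif
  no security-level
  no ip address
  no shutdown
interface redundant 1
  member-interface GigabitEthernet0/0
  member-interface GigabitEthernet0/1
  ! Without this the logical interface inherits the first member's MAC and
  ! changes it when that member is removed, which disrupts traffic.
  mac-address 0002.0000.0001 standby 0002.0000.0002
  nameif inside
  security-level 100
  ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
!
! LACP EtherChannel: four members, at most three active, at least two needed
! for the port-channel to be up. Gi0/2 gets the lowest (best) port priority so
! it is one of the active links whenever the switch side agrees.
lacp system-priority 1234
interface GigabitEthernet0/2
  channel-group 1 mode active
  lacp port-priority 1
  no shutdown
interface GigabitEthernet0/3
  channel-group 1 mode active
  no shutdown
interface GigabitEthernet0/4
  channel-group 1 mode active
  no shutdown
interface GigabitEthernet0/5
  channel-group 1 mode active
  no shutdown
interface port-channel 1
  lacp max-bundle 3
  port-channel min-bundle 2
  ! Default hash is src-dst-ip; include L4 ports so many flows between the
  ! same two hosts (for example a NAT'd site) spread across the members.
  port-channel load-balance src-dst-ip-port
  mac-address 0002.0000.0011 standby 0002.0000.0012
  nameif outside
  security-level 0
  ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
!
! Monitor the logical interfaces. A single member failing does not mark the
! logical interface failed; only loss of all members does.
monitor-interface inside
monitor-interface outside
```

Confirm the bundle with show lacp 1 internal and show lacp 1 neighbor (the neighbor output shows the switch's system ID and which ports it agreed to bundle), and with show interface port-channel 1; if fewer than min-bundle members come up, the port-channel stays down and, being a monitored interface, counts toward failover.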

Page 440: ...se the ASA 5520 from 100 to 150, the ASA 5550 from 200 to 250. Gigabit Ethernet Support for the ASA 5510 Security Plus License, 7.2(3): The ASA 5510 now supports GE (Gigabit Ethernet) for ports 0 and 1 with the Security Plus license. If you upgrade the license from Base to Security Plus, the capacity of the external Ethernet0/0 and Ethernet0/1 ports increases from the original FE (Fast Ethernet, 100 Mbps)...

Page 441: ...gabit Ethernet Interfaces, 8.2(5)/8.4(2): You can now enable pause (XOFF) frames for flow control for 1-Gigabit interfaces on all models. We modified the following command: flowcontrol. EtherChannel support, 8.4(1): You can configure up to 48 802.3ad EtherChannels of eight active interfaces each. We introduced the following commands: channel-group, lacp port-priority, interface port-channel, lacp max-bundle, port-c...

Page 442: ...1-38 Cisco ASA Series CLI Configuration Guide, Chapter 1: Starting Interface Configuration (ASA 5510 and Higher), Feature History for ASA 5510 and Higher Interfaces...

Page 443: ...for ASA 5505 Interfaces, page 1-4; Guidelines and Limitations, page 1-5; Default Settings, page 1-5; Starting ASA 5505 Interface Configuration, page 1-6; Monitoring Interfaces, page 1-11; Configuration Examples for ASA 5505 Interfaces, page 1-11; Where to Go Next, page 1-13; Feature History for ASA 5505 Interfaces, page 1-13. Information About ASA 5505 Interfaces: This section describes the ports and interfaces of...

Page 444: ...the Maximum Active VLAN Interfaces for Your License section for more information about the maximum VLAN interfaces. VLAN interfaces let you divide your equipment into separate VLANs, for example home, business, and Internet VLANs. To segregate the switch ports into separate VLANs, you assign each switch port to a VLAN interface. Switch ports on the same VLAN can communicate with each other using hardware...

Page 445: ...can configure 20 VLAN interfaces in routed mode, including a VLAN interface for failover and a VLAN interface as a backup link to your ISP. You can configure the backup interface to not pass through traffic unless the route through the primary interface fails. You can configure trunk ports to accommodate multiple VLANs per port. Note: The ASA 5505 supports Active/Standby failover, but not Stateful Fail...

Page 446: ...ing the no shutdown command. See the Configuring and Enabling Switch Ports as Access Ports section on page 1-7 for more information about shutting down a switch port. To view the status of PoE switch ports, including the type of device connected (Cisco or IEEE 802.3af), use the show power inline command. Monitoring Traffic Using SPAN: If you want to monitor traffic that enters or exits one or more switch...

Page 447: ...ported with the Security Plus license. Active/Active failover is not supported. IPv6 Guidelines: Supports IPv6. Default Settings: This section lists default settings for interfaces if you do not have a factory default configuration. For information about the factory default configurations, see the Factory Default Configurations section on page 1-18. Default State of Interfaces: Interfaces have the followin...

Page 448: ...in single mode, perform the following steps. Step 1: Configure VLAN interfaces. See the Configuring VLAN Interfaces section on page 1-6. Step 2: Configure and enable switch ports as access ports. See the Configuring and Enabling Switch Ports as Access Ports section on page 1-7. Step 3 (Optional, for Security Plus licenses): Configure and enable switch ports as trunk ports. See the Configuring and Enabling Swit...

Page 449: ...ommand. Because this interface also includes the interface name configuration, and the name is used in other commands, those commands are also removed. Step 2 (Optional, for the Base license): no forward interface vlan number (Example: hostname(config-if)# no forward interface vlan 101). Allows this interface to be the third VLAN by limiting it from initiating contact to one other VLAN. The number specifies the...

Page 450: ...prevent switch ports from communicating with each other if the devices on those switch ports are primarily accessed from other VLANs, you do not need to allow intra-VLAN access, and you want to isolate the devices from each other in case of infection or other security breach. For example, if you have a DMZ that hosts three web servers, you can isolate the web servers from each other if you apply the s...

Page 451: ...ccess Ports section on page 1-7. Guidelines: This switch port cannot pass traffic until you assign at least one VLAN to it, native or non-native. Detailed Steps. Command / Purpose. Step 1: interface ethernet0/port (Example: hostname(config)# interface ethernet0/1). Specifies the switch port you want to configure, where port is 0 through 7. Step 2: To assign VLANs to this trunk, do one or more of the following: switch...

Page 452: ...ing with each other if the devices on those switch ports are primarily accessed from other VLANs, you do not need to allow intra-VLAN access, and you want to isolate the devices from each other in case of infection or other security breach. For example, if you have a DMZ that hosts three web servers, you can isolate the web servers from each other if you apply the switchport protected command to each s...
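The three steps above (VLAN interfaces, access ports, trunk ports) and the switchport protected note are combined here in one added ASA 5505 configuration. It is an illustration written for this page, not the guide's own example, and assumes a Security Plus license (the trunk port requires it). VLAN numbers, names and addresses are constructed.

```cisco
! Added example, not from the guide. ASA 5505, Security Plus license.
! VLAN IDs, names and addresses are constructed.
!
! Step 1: VLAN interfaces (the routed interfaces the switch ports map onto).
interface vlan 100
  nameif outside
  security-level 0
  ip address dhcp setroute
  no shutdown
interface vlan 200
  nameif inside
  security-level 100
  ip address 10.2.1.1 255.255.255.0
  no shutdown
interface vlan 201
  nameif dept1
  security-level 90
  ip address 10.2.2.1 255.255.255.0
  no shutdown
interface vlan 300
  nameif dmz
  security-level 50
  ip address 10.3.1.1 255.255.255.0
  no shutdown
!
! Step 2: access ports. Switch ports are shut down by default; only the
! ports you need come up, each pinned to exactly one VLAN.
interface ethernet0/0
  description ISP uplink
  switchport access vlan 100
  no shutdown
!
! Step 3: trunk to the internal switch: inside untagged (native), dept1 tagged.
interface ethernet0/1
  description trunk to access switch
  switchport mode trunk
  switchport trunk native vlan 200
  switchport trunk allowed vlan 201
  no shutdown
!
! DMZ web servers: same VLAN so they share the dmz security policy, but
! "switchport protected" stops them talking to each other at Layer 2. A
! compromised server then cannot pivot laterally to its neighbours; it can
! only reach the ASA's dmz interface and whatever the ACLs allow from there.
interface ethernet0/2
  switchport access vlan 300
  switchport protected
  no shutdown
interface ethernet0/3
  switchport access vlan 300
  switchport protected
  no shutdown
interface ethernet0/4
  switchport access vlan 300
  switchport protected
  no shutdown
!
! Unused ports stay administratively down rather than sitting in a live VLAN.
interface ethernet0/5
  shutdown
interface ethernet0/6
  shutdown
interface ethernet0/7
  shutdown
```

On a Base license, drop the trunk port and, if a third VLAN is needed, mark it with no forward interface vlan as shown on page 449, since the Base license limits the third VLAN to not initiating contact with one of the others. Protected ports isolate devices only within the VLAN on this 5505's switch; traffic that leaves through the dmz interface and comes back is subject to the interface ACLs, not to the port setting.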

Page 453: ...
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.2.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 300
hostname(config-if)# nameif dmz
hostname(config-if)# security-level 50
hostname(config-if)# ip address 10.3.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 400
hostname(config-if)# nameif backup-isp
hostname(config-if)# secur...

Page 454: ...an 200
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.2.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 201
hostname(config-if)# nameif dept1
hostname(config-if)# security-level 90
hostname(config-if)# ip address 10.2.2.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 202
hostname...

Page 455: ...1, Completing Interface Configuration (Routed Mode), or Chapter 1, Completing Interface Configuration (Transparent Mode). Feature History for ASA 5505 Interfaces: Table 1-1 lists the release history for this feature. Table 1-1 Feature History for Interfaces. Feature Name / Releases / Feature Information. Increased VLANs, 7.2(2): The maximum number of VLANs for the Security Plus license on the ASA 5505 was increased...

Page 456: ...1-14 Cisco ASA Series CLI Configuration Guide, Chapter 1: Starting Interface Configuration (ASA 5505), Feature History for ASA 5505 Interfaces...

Page 457: ...Interfaces in Routed Mode, page 1-18; Feature History for Interfaces in Routed Mode, page 1-19. Note: For multiple context mode, complete the tasks in this section in the context execution space. Enter the changeto context name command to change to the context you want to configure. Information About Completing Interface Configuration in Routed Mode: This section includes the following topics: Security Leve...

Page 458: ...pection engine: Applied only for outbound connections. SQL*Net inspection engine: If a control connection for the SQL*Net (formerly OraServ) port exists between a pair of hosts, then only an inbound data connection is permitted through the ASA. Filtering: HTTP(S) and FTP filtering applies only for outbound connections (from a higher level to a lower level). If you enable communication for same-security interf...

Page 459: ...ANs (2 active VLANs in 1 bridge group and 1 active VLAN for the failover link). VLAN Trunks: Base License: None; Security Plus License: 8. Model / License Requirement. ASA 5510: VLANs [1]: Base License 50; Security Plus License 100. Interface Speed: Base License: All interfaces Fast Ethernet; Security Plus License: Ethernet 0/0 and 0/1 Gigabit Ethernet, all others Fast Ethernet. Interfaces of all types [2]: Base License 364...

Page 460: ...Interfaces of all types [2]: Base License 1316. ASA 5545-X: VLANs [1]: Base License 300; Interfaces of all types [2]: Base License 1716. ASA 5555-X: VLANs [1]: Base License 500; Interfaces of all types [2]: Base License 2516. ASA 5585-X: VLANs [1]: Base and Security Plus License 1024. Interface Speed for SSP-10 and SSP-20: Base License: 1-Gigabit Ethernet for fiber interfaces; 10 GE I/O License (Security Plus): 10-Gigabit Ethernet for...

Page 461: ...e system configuration according to the Configuring Multiple Contexts section on page 1-15. PPPoE is not supported in multiple context mode. Firewall Mode Guidelines: Supported in routed firewall mode. For transparent mode, see Chapter 1, Completing Interface Configuration (Transparent Mode). Failover Guidelines: Do not finish configuring failover interfaces with the procedures in this chapter. See the Confi...

Page 462: ...the security level of an interface and you do not want to wait for existing connections to time out before the new security information is used, you can clear the connections using the clear local-host command. Default State of Interfaces for the ASASM: In single mode or in the system execution space, VLAN interfaces are enabled by default. In multiple context mode, all allocated interfaces are enabled...

Page 463: ...g section on page 1-12. Step 6 (Optional): Allow same-security-level communication, either by allowing communication between two interfaces or by allowing traffic to enter and exit the same interface. See the Allowing Same Security Level Communication section on page 1-16. Configuring General Interface Parameters: This procedure describes how to set the name, security level, IPv4 address, and other options. F...

Page 464: ...number | port-channel number | physical_interface}[.subinterface] | mapped_name}. For the ASA 5505 or ASASM: hostname(config)# interface vlan {number | mapped_name}. Example: hostname(config)# interface gigabitethernet 0/0. If you are not already in interface configuration mode, enters interface configuration mode. The redundant number argument is the redundant interface ID, such as redundant 1. The port-channel number ar...

Page 465: ...section on page 1-9 for more information. ip address dhcp [setroute] (Example: hostname(config-if)# ip address dhcp). Obtains an IP address from a DHCP server. The setroute keyword lets the ASA use the default route supplied by the DHCP server. Reenter this command to reset the DHCP lease and request a new lease. If you do not enable the interface using the no shutdown command before you enter the ip address...

Page 466: ...face uses the lowest-numbered channel group interface MAC address as the port-channel MAC address. Alternatively, you can manually configure a MAC address for the port-channel interface. In multiple context mode, you can automatically assign unique MAC addresses to interfaces, including an EtherChannel port interface. We recommend manually (or, in multiple context mode, automatically) configuring a unique M...

Page 467: ...default on the ASASM. To enable jumbo frames, see the Enabling Jumbo Frame Support (Supported Models) section on page 1-33. A jumbo frame is an Ethernet packet larger than the standard maximum of 1518 bytes (including Layer 2 header and FCS), up to 9216 bytes. Jumbo frames require extra memory to process, and assigning more memory for jumbo frames might limit the maximum use of other features, such as acces...

Page 468: ...to the physical or redundant interface ID, separated by a period. In multiple context mode, enter the mapped_name if one was assigned using the allocate-interface command. Step 2: mac-address mac_address [standby mac_address] (Example: hostname(config-if)# mac-address 000C.F142.4CDE). Assigns a private MAC address to this interface. The mac_address is in H.H.H format, where H is a 16-bit hexadecimal digit. For ex...

Page 469: ...nfigure the link-local address, either automatically or manually. Note: If you want to configure only the link-local addresses, see the ipv6 enable (to auto-configure) or ipv6 address link-local (to manually configure) command in the command reference. Modified EUI-64 Interface IDs: RFC 3513, Internet Protocol Version 6 (IPv6) Addressing Architecture, requires that the interface identifier portion of all unicas...

Page 470: ...e, complete this procedure in the context execution space. To change from the system to a context configuration, enter the changeto context name command. Detailed Steps. Command / Purpose. Step 1: For the ASA 5510 and higher: interface {{redundant number | port-channel number | physical_interface}[.subinterface] | mapped_name}. For the ASA 5505 or ASASM: hostname(config)# interface vlan {number | mapped_name}. Example: hostname...

Page 471: ...o the interface. When you assign a global address, the link-local address is automatically created for the interface. standby specifies the interface address used by the secondary unit or failover group in a failover pair. See the IPv6 Addresses section on page 1-5 for more information about IPv6 addressing. ipv6 address ipv6-prefix/prefix-length [eui-64] (Example: hostname(config-if)# ipv6 address 2001:0DB8...
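The general-parameter and IPv6 procedures above are spread over several truncated pages. The following added example (written for this page; not the guide's own) applies them to one routed-mode Active/Standby unit: name and security level, IPv4 with a standby address, a pinned MAC with a standby MAC, a VLAN subinterface, IPv6 with an explicit global address on the outside and an EUI-64-derived one on the inside, and the two-part jumbo frame setup (system-wide reservation plus per-interface MTU). All interface IDs, VLAN numbers and addresses are constructed.

```cisco
! Added example, not from the guide. Routed mode, single context, one unit of
! an Active/Standby pair. Interfaces, VLANs, addresses and MACs are constructed.
!
interface GigabitEthernet0/0
  nameif outside
  security-level 0
  ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
  ! Explicit global address plus standby; the link-local address is created
  ! automatically. Do not advertise ourselves as a router toward the ISP.
  ipv6 address 2001:db8:0:1::2/64 standby 2001:db8:0:1::3
  ipv6 nd suppress-ra
  no shutdown
!
interface GigabitEthernet0/1
  nameif inside
  security-level 100
  ! Pin both MACs so the ARP and ND caches of inside hosts stay valid when
  ! the active unit changes and so the EUI-64 interface ID below is stable.
  mac-address 0002.0000.0101 standby 0002.0000.0102
  ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
  ! Modified EUI-64: the /64 prefix is given, the 64-bit interface ID is
  ! derived from the interface MAC (RFC 3513 modified EUI-64 format).
  ipv6 address 2001:db8:0:2::/64 eui-64
  no shutdown
!
! VLAN subinterface on the inside port; the parent must be enabled for it
! to pass traffic.
interface GigabitEthernet0/1.10
  vlan 10
  nameif servers
  security-level 80
  ip address 10.1.10.1 255.255.255.0 standby 10.1.10.2
  ipv6 address 2001:db8:0:10::1/64 standby 2001:db8:0:10::2
  no shutdown
!
! Jumbo frames (supported models only): reserve the buffers system-wide,
! which takes effect after a reload, then raise the MTU on the interfaces
! that actually need it. Leave the Internet-facing MTU at 1500.
jumbo-frame reservation
mtu servers 9000
```

If the security level of an existing interface is changed, connections already in the table keep the old policy until they time out; clear local-host forces them to be re-evaluated, which is the safer choice when the change tightens policy.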

Page 472: ...ces without access lists. If you enable same-security interface communication, you can still configure interfaces at different security levels as usual. Information About Intra-Interface Communication: Intra-interface communication might be useful for VPN traffic that enters an interface but is then routed out the same interface. The VPN traffic might be unencrypted in this case, or it might be reencryp...

Page 473: ...ip next-hop 10.6.34.7
route-map intra-inter2 permit 20
  match ip address 102
  set interface Vlan20
  set ip next-hop 10.6.34.7
route-map intra-inter1 permit 10
  match ip address 101
  set interface Vlan20
  set ip next-hop 10.6.34.7
Detailed Steps. [Figure: Vlan70 10.6.36.0, Vlan10 10.6.35.0, Vlan60 10.6.37.0, SVI Vlan20 10.6.34.0; hosts, ASA, MSFC, IP cloud 1, IP cloud 2, IP cloud 3.] Command / Purpose: same-security-tr...
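An added example, not taken from the guide, of the two same-security-traffic settings the preceding pages describe: two interfaces at the same security level that need to talk to each other (inter-interface), and the VPN hairpin case where traffic enters and leaves the outside interface (intra-interface). Interface IDs, names and addresses are constructed.

```cisco
! Added example, not from the guide. Interfaces, names and addresses are
! constructed.
!
interface GigabitEthernet0/0
  nameif outside
  security-level 0
  ip address 203.0.113.2 255.255.255.0
  no shutdown
interface GigabitEthernet0/1
  nameif dept-a
  security-level 50
  ip address 10.10.1.1 255.255.255.0
  no shutdown
interface GigabitEthernet0/2
  nameif dept-b
  security-level 50
  ip address 10.10.2.1 255.255.255.0
  no shutdown
!
! Without this line, dept-a <-> dept-b is dropped regardless of access lists,
! because neither interface is "higher" than the other.
same-security-traffic permit inter-interface
!
! Remote-access VPN clients terminate on outside and may need to reach the
! Internet back out through outside (hairpin). Without this line that
! traffic is dropped on the way out; with it, the decrypted packet is routed
! back out the same interface.
same-security-traffic permit intra-interface
!
! Permitting same-security traffic removes the implicit block, not the
! access lists: once an ACL is applied to dept-a, only what it permits
! crosses to dept-b. Scope it, and log the deny for detection.
access-list dept-a-in extended permit tcp 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0 eq 443
access-list dept-a-in extended permit tcp 10.10.1.0 255.255.255.0 any eq 80
access-list dept-a-in extended permit tcp 10.10.1.0 255.255.255.0 any eq 443
access-list dept-a-in extended deny ip any any log
access-group dept-a-in in interface dept-a
```

Enabling intra-interface permit opens the outside interface to any flow that is routed back out of it, not only VPN traffic; pair it with the interface ACL and the VPN filter so that a VPN client can reach only what it should.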

Page 474: ...e This section includes the following topics ASA 5505 Example page 1 18 ASA 5505 Example The following example configures three VLAN interfaces for the Base license The third home interface cannot forward traffic to the business interface hostname config interface vlan 100 Command Purpose Step 1 hostname config interface vlan number mapped_name Example hostname config interface vlan 100 If you are...

Page 475: ...ure. Table 1-1 Feature History for Interfaces. Feature Name / Releases / Feature Information. Increased VLANs, 7.0(5): Increased the following limits: ASA 5510 Base license VLANs from 0 to 10; ASA 5510 Security Plus license VLANs from 10 to 25; ASA 5520 VLANs from 25 to 100; ASA 5540 VLANs from 100 to 200. Increased VLANs, 7.2(2): The maximum number of VLANs for the Security Plus license on the ASA 5505 was increased f...

Page 476: ...lowing command: switchport trunk native vlan. Jumbo packet support for the ASA 5580, 8.1(1): The Cisco ASA 5580 supports jumbo frames. A jumbo frame is an Ethernet packet larger than the standard maximum of 1518 bytes (including the Layer 2 header and FCS), up to 9216 bytes. You can enable support for jumbo frames for all interfaces by increasing the amount of memory to process Ethernet frames. Assigning more me...

Page 477: ...ge 1-5; Default Settings, page 1-7; Completing Interface Configuration in Transparent Mode, page 1-7; Turning Off and Turning On Interfaces, page 1-19; Monitoring Interfaces, page 1-19; Configuration Examples for Interfaces in Transparent Mode, page 1-20; Feature History for Interfaces in Transparent Mode, page 1-21. Note: For multiple context mode, complete the tasks in this section in the context execution spa...

Page 478: ...rnet can be level 0. Other networks, such as DMZs, can be in between. You can assign interfaces to the same security level. See the "Allowing Same Security Level Communication" section on page 1-18 for more information. The level controls the following behavior: Network access: By default, there is an implicit permit from a higher security interface to a lower security interface (outbound). Hosts on the higher ...

Page 479: ...Mode: Base License: 2 active VLANs in 1 bridge group. Security Plus License: 3 active VLANs: 2 active VLANs in 1 bridge group, and 1 active VLAN for the failover link. VLAN Trunks: Base License: None. Security Plus License: 8. Model / License Requirement. ASA 5510: VLANs(1): Base License: 50; Security Plus License: 100. Interface Speed: Base License: All interfaces Fast Ethernet. Security Plus License: Ethernet 0/0 and 0/1 ...

Page 480: ...4. ASA 5580: VLANs(1): Base License: 1024. Interfaces of all types(2): Base License: 4612. ASA 5512-X: VLANs(1): Base License: 50; Security Plus License: 100. Interfaces of all types(2): Base License: 716; Security Plus License: 916. ASA 5515-X: VLANs(1): Base License: 100. Interfaces of all types(2): Base License: 916. ASA 5525-X: VLANs(1): Base License: 200. Interfaces of all types(2): Base License: 1316. ASA 5545-X: VLANs(1): Base License: 300. Int...

Page 481: ...ext in the system configuration using the allocate-interface command. ASA 5555-X: VLANs(1): Base License: 500. Interfaces of all types(2): Base License: 2516. ASA 5585-X: VLANs(1): Base and Security Plus License: 1024. Interface Speed for SSP-10 and SSP-20: Base License: 1-Gigabit Ethernet for fiber interfaces. 10 GE I/O License / Security Plus: 10-Gigabit Ethernet for fiber interfaces. SSP-40 and SSP-60 support 10-Gigabi...

Page 482: ...on. The management IP address must be on the same subnet as the connected network. You cannot set the subnet to a host subnet (255.255.255.255). The ASA does not support traffic on secondary networks; only traffic on the same network as the management IP address is supported. See the "Configuring Bridge Groups" section on page 1-8 for more information about management IP subnets. For IPv6, at a minimum you n...

Page 483: ...want to wait for existing connections to time out before the new security information is used, you can clear the connections using the clear local-host command. Default State of Interfaces for the ASASM: In single mode or in the system execution space, VLAN interfaces are enabled by default. In multiple context mode, all allocated interfaces are enabled by default, no matter what the state of the interfa...

Page 484: ...ure the MAC address and the MTU. See the "Configuring the MAC Address and MTU" section on page 1-13. Step 7 (Optional): Configure IPv6 addressing. See the "Configuring IPv6 Addressing" section on page 1-16. Step 8 (Optional): Allow same security level communication, either by allowing communication between two interfaces or by allowing traffic to enter and exit the same interface. See the "Allowing Same Security L...

Page 485: ...s: Redundant interfaces; EtherChannel interfaces. Command / Purpose. Step 1: interface bvi bridge_group_number. Example: hostname(config)# interface bvi 1. Creates a bridge group, where bridge_group_number is an integer between 1 and 100. Step 2: ip address ip_address [mask] [standby ip_address]. Example: hostname(config-if)# ip address 10.1.3.1 255.255.255.0 standby 10.1.3.2. Specifies the management IP address for the ...

Page 486: ...faces that you are reserving for failover and Stateful Failover communications. See the "Configuring Active/Standby Failover" section on page 1-7 or the "Configuring Active/Active Failover" section on page 1-9 to configure the failover and state links. Prerequisites: Set up your interfaces depending on your model. ASA 5510 and higher: Chapter 1, "Starting Interface Configuration (ASA 5510 and Higher)". ASA 5505: ...

Page 487: ...abling the Physical Interface and Configuring Ethernet Parameters" section for a description of the physical interface ID. Do not use this procedure for Management interfaces; see the "Configuring a Management Interface (ASA 5510 and Higher)" section on page 1-12 to configure the Management interface. Append the subinterface ID to the physical or redundant interface ID, separated by a period. In multiple co...

Page 488: ...r 1, "Starting Interface Configuration (ASA 5510 and Higher)". In multiple context mode, you can only configure context interfaces that you already assigned to the context in the system configuration, according to the "Configuring Multiple Contexts" section on page 1-15. In multiple context mode, complete this procedure in the context execution space. To change from the system to a context configuration, enter ...

Page 489: ...redundant interface using this command, then it is used regardless of the member interface MAC addresses. Step 3: Do one of the following: ip address ip_address [mask] [standby ip_address]. Example: hostname(config-if)# ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2. Sets the IP address manually. Note: For use with failover, you must set the IP address and standby address manually; DHCP is not supported. The ip...

Page 490: ...s, you can use this procedure to override the generated address. For single context mode, or for interfaces that are not shared in multiple context mode, you might want to assign unique MAC addresses to subinterfaces. For example, your service provider might perform access control based on the MAC address. Information About the MTU: The MTU is the maximum datagram size that is sent on a connection. Data th...

Page 491: ...Configuring Ethernet Parameters" section for a description of the physical interface ID. Append the subinterface ID to the physical or redundant interface ID, separated by a period. In multiple context mode, enter the mapped_name if one was assigned using the allocate-interface command. Step 2: mac-address mac_address [standby mac_address]. Example: hostname(config-if)# mac-address 000C.F142.4CDE. Assigns a pri...

Page 492: ...functions such as address resolution and neighbor discovery. Because the link-local address is only available on a segment and is tied to the interface MAC address, you need to configure the link-local address per interface. At a minimum, you need to configure a link-local address for IPv6 to operate. If you configure a global address, a link-local address is automatically configured on each interface...

Page 493: ...a lifetime: ipv6 nd suppress-ra. Configuring a Global IPv6 Address: To configure a global IPv6 address for a bridge group or management interface, perform the following steps. Note: Configuring the global address automatically configures the link-local address, so you do not need to configure it separately. Restrictions: The ASA does not support IPv6 anycast addresses. Prerequisites: Set up your interfaces d...

Page 494: ... management interface: interface management_interface_id. Example: hostname(config)# interface bvi 1. If you are not already in interface configuration mode, enters interface configuration mode. Step 2: ipv6 address ipv6-address/prefix-length [standby ipv6-address]. Example: hostname(config-if)# ipv6 address 2001:0DB8:BA98::3210/48. Assigns a global address to the interface. When you assign a global address, the l...

Page 495: ...e following commands. Command / Purpose: same-security-traffic permit inter-interface: Enables interfaces on the same security level so that they can communicate with each other. Command / Purpose. Step 1: hostname(config)# interface vlan number | mapped_name. Example: hostname(config)# interface vlan 100. If you are not already in interface configuration mode, enters interface configuration mode. In multiple context ...
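The following routed-mode interface configuration is an added example for pages 471, 472 and 495 and is not taken from the guide. It ties together the three things those pages describe: security levels, IPv6 global addresses with failover standby addresses (the link-local address is created automatically), and the same-security-traffic command that lets hairpinned VPN traffic leave through the interface it entered. Interface names, addresses and the standby addresses are assumptions chosen for the example.

```cisco
! Routed mode, ASA 5510 or later. Interface names, addresses and the
! failover standby addresses are assumptions for this example.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 209.165.201.1 255.255.255.224 standby 209.165.201.2
 ipv6 address 2001:db8:1::1/64 standby 2001:db8:1::2
 ipv6 nd suppress-ra
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
 ipv6 address 2001:db8:10::1/64 standby 2001:db8:10::2
 no shutdown
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 10.1.3.1 255.255.255.0 standby 10.1.3.2
 no shutdown
!
! Remote-access VPN clients that must reach each other, or another VPN
! peer, arrive on outside and are routed back out of outside. Without
! this line the ASA drops that hairpinned flow.
same-security-traffic permit intra-interface
!
! Deliberately left off: inter-interface permits traffic between any
! two interfaces at the same security level without an ACL. Check which
! interfaces share a level before enabling it.
! same-security-traffic permit inter-interface
!
! Verification
show interface ip brief
show ipv6 interface
show running-config same-security-traffic
```

The intra-interface permit is scoped to traffic that enters and leaves the same interface; it does not relax the level-based checks between different interfaces, which is why it is safe to combine with distinct security levels on inside and dmz.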

Page 496: ...outside1
 security-level 0
 bridge-group 1
 no shutdown
interface gigabitethernet 0/2
 nameif dmz1
 security-level 50
 bridge-group 1
 no shutdown
interface bvi 1
 ip address 10.1.3.1 255.255.255.0 standby 10.1.3.2
interface gigabitethernet 1/0
 nameif inside2
 security-level 100
 bridge-group 2
 no shutdown
interface gigabitethernet 1/1
 nameif outside2
 security-level 0
 bridge-group 2
 no shutdown
interface gi...

Page 497: ...ou do not need to use the backup interface command to cripple a backup ISP interface; you can use a fully functional interface for it. The backup interface command is still useful for an Easy VPN configuration. VLAN limits were also increased for the ASA 5510 (from 10 to 50 for the Base license, and from 25 to 100 for the Security Plus license), the ASA 5520 (from 100 to 150), and the ASA 5550 (from 200 to 250). G...

Page 498: ... ASA 5580 are increased from 100 to 250. IPv6 support for transparent mode, 8.2(1): IPv6 support was introduced for transparent firewall mode. Support for Pause Frames for Flow Control on the ASA 5580 10-Gigabit Ethernet Interfaces, 8.2(2): You can now enable pause (XOFF) frames for flow control. We introduced the following command: flowcontrol. Bridge groups for transparent mode, 8.4(1): If you do not want the o...

Page 499: PART 2: Configuring Basic Settings


Page 501: ... 4; Configuring the Master Passphrase, page 1-7; Configuring the DNS Server, page 1-12; http://www.cisco.com/en/US/products/ps6121/products_tech_note09186a0080aaeff5.shtml, page 1-13; Performing Password Recovery, page 1-13; Monitoring DNS Cache, page 1-15. Configuring the Hostname, Domain Name, and Passwords: This section includes the following topics: Setting the Login Password, page 1-2; Changing the Enable Passw...

Page 502: ...figuration in encrypted form, so you cannot view the original password after you enter it. If for some reason you need to copy the password to another ASA but do not know the original password, you can enter the passwd command with the encrypted password and the encrypted keyword. Normally, you only see this keyword when you enter the show running-config passwd command. Use the no password command to re...

Page 503: ...elps you keep track of where you enter commands. The default hostname depends on your platform. For multiple context mode, the hostname that you set in the system execution space appears in the command line prompt for all contexts. The hostname that you optionally set within a context does not appear in the command line, but can be used by the banner command $(hostname) token. Command / Purpose: domain-name n...

Page 504: ...the Master Passphrase. Feature Name / Platform Releases / Feature Information. Removal of the default Telnet password, 9.0(2): To improve security for management access to the ASA, the default login password for Telnet was removed; you must manually set the password before you can log in using Telnet. Note: The login password is only used for Telnet if you do not configure Telnet user authentication (the aaa au...

Page 505: ...T for Pacific Daylight Time. The day value sets the day of the month, from 1 to 31. The month value sets the month as a string. You can enter the day and month as April 1 or as 1 April, for example, depending on your standard date format. The year value sets the year using four digits, for example, 2004. The year...

Page 506: ...tp server ip_address [key key_id] [source interface_name] [prefer]. Example: hostname(config)# ntp server 10.1.1.1 key 1 prefer. Identifies an NTP server. The key_id argument is the ID you set in Step 2 using the ntp trusted-key command. The source interface_name keyword-argument pair identifies the outgoing interface for NTP packets if you do not want to use the default interface in the routing table. Because ...

Page 507: ...e include the following: OSPF. Command / Purpose: clock set hh:mm:ss {month day | day month} year. Example: hostname# clock set 20:54:00 april 1 2004. Sets the date and time manually. The hh:mm:ss argument sets the hour, minutes, and seconds in 24-hour time. For example, enter 20:54:00 for 8:54 p.m. The day value sets the day of the month, from 1 to 31. You can enter the day and month as april 1 or as 1 april, for example, d...
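The following time configuration is an added example for pages 505 through 507 and is not from the guide. It shows the complete authenticated-NTP setup those pages describe in separate steps (authentication key, trusted key, server with key and source interface), with the manual clock set as the fallback. Server addresses, the key value and the interface name are assumptions chosen for the example.

```cisco
! Time settings. Server addresses, the key value and the interface name
! are assumptions for this example.
clock timezone PST -8
clock summer-time PDT recurring
!
! Authenticated NTP: replies not signed with a trusted key are ignored,
! so a spoofed NTP response cannot move the clock and with it the
! certificate validity checks and syslog timestamps that depend on it.
ntp authenticate
ntp authentication-key 1 md5 Ntp-k3y-example
ntp trusted-key 1
ntp server 10.1.2.123 key 1 source inside prefer
ntp server 10.1.2.124 key 1 source inside
!
! Manual fallback while no NTP server is reachable (privileged EXEC,
! 24-hour time); NTP overrides it once synchronized.
! hostname# clock set 20:54:00 april 1 2013
!
! Verification: "synchronized" in show ntp status, and a * beside the
! peer in use in show ntp associations.
show ntp status
show ntp associations
show clock
```

Two servers with the same key give the ASA a second source to fall back on when the preferred one is unreachable, without relaxing authentication.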

Page 508: ...Guidelines: Supported in single and multiple context mode. Failover Guidelines: If failover is enabled but no failover shared key is set, an error message appears if you change the master passphrase, informing you that you must enter a failover shared key to protect the master passphrase changes from being sent as plain text. Adding or Changing the Master Passphrase: This procedure will only be accepted ...

Page 509: ...ig)# password encryption aes. Enables password encryption. As soon as password encryption is enabled and the master passphrase is available, all the user passwords will be encrypted. The running configuration will show the passwords in the encrypted format. If the passphrase is not configured at the time that password encryption is enabled, the command will succeed in anticipation that the passphrase will...

Page 510: ...e(config)# key config-key password-encryption
Old key: 12345678
New key: 23456789
Confirm key: 23456789
In the following example, you want to key in interactively, but no key is present. The New key and Confirm key prompts appear on your screen if you are in interactive mode:
hostname(config)# key config-key password-encryption
New key: 12345678
Confirm key: 12345678
Disabling the Master Passphrase: Disabling t...

Page 511: ...not enter the passphrase in the command, you are prompted for it. Step 2: write memory. Example: hostname(config)# write memory. Saves the runtime value of the master passphrase and the resulting configuration. The non-volatile memory containing the passphrase will be erased and overwritten with the 0xFF pattern. In multiple mode, the master passphrase is changed in the system context configuration. As a resu...
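The following master passphrase sequence is an added example for pages 508 through 511 and is not from the guide. It puts the individual steps those pages describe in the order that avoids the two failure modes they mention: the failover shared key is set before the passphrase so the change is not rejected, and write memory follows so both the passphrase and the encrypted configuration survive a reload. The passphrase strings and the failover key are assumptions; pick your own.

```cisco
! Master passphrase. The passphrase strings and the failover key are
! assumptions for this example.
!
! 1. With failover enabled, set the shared key first; without it the
!    passphrase change is refused rather than sent to the peer in clear.
failover key Fail0ver-sharedkey-example
!
! 2. Set the master passphrase (8 to 128 characters). Omitting the
!    argument prompts interactively, which keeps it out of the terminal
!    history and session logs.
key config-key password-encryption M4ster-passphrase-example
!
! 3. Turn on AES encryption of the stored passwords and keys that the
!    passphrase protects (AAA server keys, VPN pre-shared keys, and so on).
password encryption aes
!
! 4. Commit. The passphrase is kept outside the configuration file, so
!    write memory is needed for it as well as for the encrypted config.
write memory
!
! Verification
show password encryption
!
! Rotation: new passphrase first, then the current one.
key config-key password-encryption N3w-passphrase-example M4ster-passphrase-example
write memory
```

A unit that boots without the passphrase in non-volatile memory cannot decrypt the protected keys, so after any rotation confirm on the standby unit as well that show password encryption reports the passphrase as set.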

Page 512: ...you manually configure the name command to associate a name with an IP address and enable use of the names using the names command. For information about dynamic DNS, see the "Configuring DDNS" section on page 1-2. Prerequisites: Make sure that you configure the appropriate routing for any interface on which you enable DNS domain lookup so you can reach the DNS server. See the "Information About Routing" s...

Page 513: ... the ASA to ignore the startup configuration, enter the following command: rommon #1> confreg. The ASA displays the current configuration register value, and asks whether you want to change it:
Current Configuration Register: 0x00000041
Configuration Summary:
  boot default image from Flash
  ignore system configuration
Do you wish to change this configuration? y/n [n]: y
Step 6: Record the current configuration re...

Page 514: ... 14: Access the global configuration mode by entering the following command: hostname# configure terminal. Step 15: Change the passwords, as required, in the default configuration by entering the following commands: hostname(config)# password password; hostname(config)# enable password password; hostname(config)# username name password password. Step 16: Load the default configuration by entering the following comm...

Page 515: ...h a different version of the command does not change the setting. If you disable password recovery when the ASA is configured to ignore the startup configuration at startup (in preparation for password recovery), then the ASA changes the setting to load the startup configuration as usual. If you use failover, and the standby unit is configured to ignore the startup configuration, then the same change is ...
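The following management-access configuration is an added example for pages 502 through 504 and 513 through 515 and is not from the guide. It combines what those pages treat separately: explicit enable and login passwords (there is no default Telnet password since 9.0(2)), per-user authentication so the shared login password is not the control that matters, SSHv2 restricted to a management subnet, and the password-recovery switch whose side effects page 515 describes. The hostname, domain, user names, passwords and subnet are assumptions chosen for the example.

```cisco
! Management access hardening. Hostname, domain, user names, passwords
! and the management subnet are assumptions for this example.
hostname asa-edge
domain-name example.com
!
! Enable and login passwords. Since 9.0(2) there is no default login
! password; 'passwd' and 'password' set the same value.
enable password Enabl3-example
passwd L0gin-example
!
! Named accounts with local authentication. The login password is then
! only consulted for Telnet, and Telnet is not enabled at all below.
username admin password Adm1n-example privilege 15
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
!
! SSHv2 only, from the management subnet on the inside interface only.
ssh 10.1.1.0 255.255.255.0 inside
ssh version 2
ssh timeout 10
!
! Optional, for units an attacker could reach physically: disable the
! ROMMON confreg (ignore startup configuration) recovery path. Once
! disabled, regaining access without the passwords means losing the
! configuration, so keep an out-of-band copy and read page 515's notes
! on the register and on failover before applying it.
no service password-recovery
!
! Verification
show running-config aaa
show running-config ssh
show running-config | include password-recovery
```

The ssh line is the only place a source restriction applies; the aaa lines decide who can log in, not from where, so both are needed.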


Page 517: ... a DHCP server to request the assignment of configuration information using a reserved, link-scoped multicast address, which indicates that the client and server should be attached to the same link. However, in some cases where ease of management, economy, or scalability is the concern, we recommend that you allow a DHCP client to send a message to a server that is not connected to the same link. The DHCP...

Page 518: ... must be directly connected to the interface on which the server is enabled. The ASA does not support QIP DHCP servers for use with the DHCP proxy service. The relay agent cannot be enabled if the DHCP server is also enabled. The ASA DHCP server does not support BOOTP requests. In multiple context mode, you cannot enable the DHCP server or DHCP relay service on an interface that is used by more than on...

Page 519: ...vers are also forwarded to the client until the client DHCP relay binding is removed. The binding is removed when the ASA receives any of the following DHCP messages: ACK, NACK, or decline. You cannot enable DHCP relay service on an interface running as a DHCP proxy service. You must remove the VPN DHCP configuration first, or an error message appears. This error occurs if both DHCP relay and DHCP proxy s...

Page 520: ...00. (Optional) Changes the lease length to be granted to the client. The lease length equals the amount of time in seconds that the client can use its allocated IP address before the lease expires. Enter a value from 0 to 1,048,575. The default value is 3600 seconds. Step 5: dhcpd domain domain_name. Example: hostname(config)# dhcpd domain example.com. (Optional) Configures the domain name. Step 6: dhcpd ping_time...

Page 521: ...s: Options that Return an IP Address; Options that Return a Text String; Options that Return a Hexadecimal Value. Command / Purpose: dhcpd option code ip addr_1 [addr_2]. Example: hostname(config)# dhcpd option 2 ip 10.10.1.1 10.10.1.2. Configures a DHCP option that returns one or two IP addresses. Command / Purpose: dhcpd option code ascii text. Example: hostname(config)# dhcpd option 2 ascii examplestring. Configures ...

Page 522: ...nes download their configuration from a TFTP server. When a Cisco IP phone starts, if it does not have both the IP address and the TFTP server IP address preconfigured, it sends a request with option 150 or 66 to the DHCP server to obtain this information. DHCP option 150 provides the IP addresses of a list of TFTP servers. DHCP option 66 gives the IP address or the hostname of a single TFTP server. Note: Ci...

Page 523: ...tion number, as specified in RFC 2132. Command / Purpose: dhcpd option 66 ascii server_name. Example: hostname(config)# dhcpd option 66 ascii exampleserver. Provides the IP address or name of a TFTP server for option 66. Command / Purpose: dhcpd option 150 ip server_ip1 [server_ip2]. Example: hostname(config)# dhcpd option 150 ip 10.10.1.1. Provides the IP addresses of one or two TFTP servers for option 150. The...

Page 524: ...erface. Example: hostname(config)# dhcprelay enable inside. Enables DHCP relay service on the interface connected to the clients. Step 3: dhcprelay timeout seconds. Example: hostname(config)# dhcprelay timeout 25. (Optional) Sets the number of seconds allowed for relay address handling. Step 4: dhcprelay setroute interface_name. Example: hostname(config)# dhcprelay setroute inside. (Optional) Changes the first default rou...

Page 525: ...nected. If the specified address is a link-scoped address, then you must specify the interface. You can configure up to ten servers per context. Step 2: ipv6 dhcprelay enable interface. Example: hostname(config)# ipv6 dhcprelay enable inside. Enables DHCPv6 relay service on an interface. When the service is enabled, the incoming DHCPv6 message from a client on the interface (that may have been relayed by anoth...
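The following DHCP configuration is an added example for pages 517 through 525 and is not from the guide. It shows the ASA acting as the DHCP server for one segment with the IP-phone options from pages 522 and 523, the relay alternative that page 518 says cannot coexist with the server on the same unit, and the DHCPv6 relay from page 525. Pools, server addresses and interface names are assumptions chosen for the example.

```cisco
! DHCP on the ASA. Pools, server addresses and interface names are
! assumptions for this example.
!
! --- Variant 1: the ASA is the DHCP server for the inside segment ---
dhcpd address 10.1.1.100-10.1.1.200 inside
dhcpd dns 10.1.2.53 10.1.2.54
dhcpd lease 3600
dhcpd domain example.com
dhcpd ping_timeout 750
! Cisco IP phones: option 150 carries up to two TFTP addresses,
! option 66 a single address or name. Phones ask for one or the other,
! so handing out both covers both firmware behaviours.
dhcpd option 150 ip 10.1.2.150 10.1.2.151
dhcpd option 66 ascii tftp.example.com
dhcpd enable inside
!
! --- Variant 2: relay to a central server instead. Mutually exclusive
! with Variant 1 on the same ASA: dhcprelay enable is refused while a
! dhcpd server is enabled. The server sits behind the dmz interface.
! dhcprelay server 10.1.3.10 dmz
! dhcprelay timeout 60
! dhcprelay enable inside
! ! Rewrite the default-router option to the ASA's inside address so
! ! clients do not receive a gateway that is not on their link.
! dhcprelay setroute inside
!
! DHCPv6 relay for the same clients (9.0 and later); a link-local server
! address would also require the interface argument.
ipv6 dhcprelay server 2001:db8:3::10 dmz
ipv6 dhcprelay enable inside
!
! Verification
show dhcpd binding
show dhcpd statistics
show dhcprelay statistics
show ipv6 dhcprelay binding
```

Because the ASA's DHCP server only serves directly connected clients (page 518), a multi-hop campus normally uses Variant 2; the relay binding the ASA keeps until it sees the ACK, NAK or decline (page 519) is what show dhcprelay statistics counts.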

Page 526: ...ure History for DHCP. Feature Name / Releases / Description. DHCP, 7.0(1): The ASA can provide a DHCP server or DHCP relay services to DHCP clients attached to ASA interfaces. We introduced the following commands: dhcp-client update dns, dhcpd address, dhcpd domain, dhcpd enable, dhcpd lease, dhcpd option, dhcpd ping_timeout, dhcpd update dns, dhcpd wins, dhcp-network-scope, dhcprelay enable, dhcprelay server, dhcprelay...

Page 527: ...ronization of the name-to-address mapping and address-to-name mapping on the DNS server. To configure the DNS server for other uses, see the "Configuring the DNS Server" section on page 1-12. To configure DHCP, see the "Configuring a DHCP Server" section on page 1-3. EDNS allows DNS requesters to advertise the size of their UDP packets and facilitates the transfer of packets larger than 512 octets. When a D...

Page 528: ...ses and hostnames. When you use DHCP and dynamic DNS update, this configures a host automatically for network access whenever it attaches to the IP network. You can locate and reach the host using its permanent, unique DNS hostname. Mobile hosts, for example, can move freely without user or administrator intervention. DDNS provides address and domain name mapping so that hosts can find each other, even tho...

Page 529: ... Example 5: Client Updates A RR; Server Updates PTR RR, page 1-5. Example 1: Client Updates Both A and PTR RRs for Static IP Addresses: The following example shows how to configure the client to request that it update both A and PTR resource records for static IP addresses. To configure this scenario, perform the following steps: Step 1: To define a DDNS update method called ddns-2 that requests that the cl...

Page 530: ... RR; Server Overrides Client and Updates Both RRs: The following example shows how to configure the DHCP client to include the FQDN option that instructs the DHCP server not to honor either the A or PTR updates. The example also shows how to configure the server to override the client request. As a result, the client does not perform any updates. To configure this scenario, perform the following steps: Ste...

Page 531: ...HCP server, enter the following commands: hostname(config-if)# dhcpd update dns; hostname(config-if)# dhcpd domain example.com. Example 5: Client Updates A RR; Server Updates PTR RR: The following example shows how to configure the client to update the A resource record and how to configure the server to update the PTR records. Also, the client uses the domain name from the DHCP server to form the FQDN. To conf...
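The following DNS and DDNS configuration is an added example for pages 512 and 527 through 531 and is not from the guide. It supplies the DNS client that the DDNS examples assume (page 512's routing prerequisite still applies), then shows the static-address case of Example 1, where the ASA updates its own A and PTR records, and the server-side form of Example 5, where the ASA as DHCP server updates records on behalf of its clients. Server addresses, interface names and the FQDN are assumptions chosen for the example.

```cisco
! DNS client and DDNS. Server addresses, interface names and the FQDN
! are assumptions for this example.
!
! DNS client: also needed for FQDN network objects. A route to the
! servers through 'inside' must already exist.
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.1.2.53
 name-server 10.1.2.54
 domain-name example.com
!
! Update method: the ASA sends both the A and the PTR update itself.
ddns update method ddns-2
 ddns both
!
! Static interface address (the guide's Example 1). Note that the
! method is attached to the interface before the address is set.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ddns update hostname asa-edge.example.com
 ddns update ddns-2
 ip address 10.1.1.1 255.255.255.0
!
! ASA as DHCP server for its clients (server side of the guide's
! Examples 3 to 5): register both records for each lease, using the
! domain handed to clients to form their FQDNs. Without 'both' the
! server updates only the PTR record.
dhcpd update dns both
dhcpd domain example.com
!
! Verification
show running-config ddns
show running-config dns server-group
show dns-hosts
```

Dynamic updates are unauthenticated by default on both sides, so the DNS server should accept updates only from the ASA's address; otherwise any host on the segment could rewrite the mappings the DDNS feature is meant to keep accurate.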

Page 532: ...ease in which it was implemented. Command / Purpose: show running-config ddns: Shows the current DDNS configuration. show running-config dns server-group: Shows the current DNS server-group status. Table 1-1 Feature History for DDNS. Feature Name / Releases / Feature Information. DDNS, 7.0(1): We introduced this feature. We introduced the following commands: ddns, ddns update, dhcp-client update dns, dhcpd update dns, s...

Page 533: PART 2: Configuring Objects and Access Lists


Page 535: ...tions in the place of inline IP addresses, services, names, and so on. Objects make it easy to maintain your configurations, because you can modify an object in one place and have it be reflected in all other places that are referencing it. Without objects, you would have to modify the parameters for every feature when required, instead of just once. For example, if a network object defines an IP address an...

Page 536: ...osts to make the object group names unique and to aid in identification. Objects and object groups share the same name space. You cannot remove an object or make an object empty if it is used in a command. Configuring Objects: Configuring Network Objects and Groups, page 1-2; Configuring Service Objects and Service Groups, page 1-5; Configuring Local User Groups, page 1-11; Configuring Security Group Object...

Page 537: ...t include FQDN objects. Command / Purpose. Step 1: object network obj_name. Example: hostname(config)# object network OBJECT1. Creates a new network object. The obj_name is a text string up to 64 characters in length and can be any combination of letters, digits, and the following characters: underscore (_), dash (-), period (.). The prompt changes to network object configuration mode. Step 2: {host ip_addr | subnet net_addr net...

Page 538: ...config)# object-group network admins. Adds a network group. The grp_id is a text string up to 64 characters in length and can be any combination of letters, digits, and the following characters: underscore (_), dash (-), period (.). The prompt changes to network object-group configuration mode. Step 2: description text. Example: hostname(config-network)# description Administrator Addresses. (Optional) Adds a description. The description can be up to ...

Page 539: ...ostname(config)# object-group network admin
hostname(config-network)# group-object eng
hostname(config-network)# group-object hr
hostname(config-network)# group-object finance
Configuring Service Objects and Service Groups: Service objects and groups identify protocols and ports. This section describes how to configure service objects, service groups, TCP and UDP port service groups, protocol groups, and ICMP g...

Page 540: ...p_code] | {tcp | udp} [source operator port] [destination operator port]}. Example: hostname(config-service-object)# service tcp source eq www destination eq ssh. Defines the protocol and ports for the service object. The protocol argument specifies an IP protocol name or number. The icmp, tcp, or udp keywords specify that this service object is for either the ICMP, TCP, or UDP protocol. The icmp-type argument names the...

Page 541: ...perator number. Example: hostname(config-service)# port-object eq domain. You can specify the source and/or destination ports between 0 and 65535. For a list of supported names, see the CLI help. Valid operators include: eq: Equals the port number. gt: Greater than the port number. lt: Less than the port number. neq: Not equal to the port number. range: A range of ports. Specify two numbers separated by a space, such...

Page 542: ...vice-object)# service tcp destination eq ssh
hostname(config)# object service EIGRP
hostname(config-service-object)# service eigrp
hostname(config)# object service HTTPS
hostname(config-service-object)# service tcp source range 0 1024 destination eq https
hostname(config)# object-group service Group1
hostname(config-service-object-group)# service-object object SSH
hostname(config-service-object-group)# service-ob...

Page 543: ...up. The grp_id is a text string up to 64 characters in length and can be any combination of letters, digits, and the following characters: underscore (_), dash (-), period (.). Specifies the protocol for the services (ports) you want to add, with either the tcp, udp, or tcp-udp keywords. Enter the tcp-udp keyword if your service uses both TCP and UDP with the same port number, for example, DNS (port 53). The prompt changes to...

Page 544: ...group. The grp_id is a text string up to 64 characters in length and can be any combination of letters, digits, and the following characters: underscore (_), dash (-), period (.). The prompt changes to ICMP type configuration mode. Step 2: Add one or more of the following group members: icmp-object icmp_type. Example: hostname(config-icmp-type)# icmp-object echo-reply. Defines the ICMP types in the group. Enter the command...

Page 545: ...obj_grp_id is a text string up to 64 characters in length and can be any combination of letters, digits, and the following characters: underscore (_), dash (-), period (.). The prompt changes to protocol configuration mode. Step 2: Add one or more of the following group members: protocol-object protocol. Example: hostname(config-protocol)# protocol-object tcp. Defines the protocols in the group. Enter the command for each...

Page 546: ...ep 2: Add one or more of the following group members: user [domain_NetBIOS_name\]user_name. Example: hostname(config-user-object-group)# user SAMPLE\users1. Specifies the user to add to the access rule. The user_name can contain any character, including a-z, A-Z, 0-9, and _. If domain_NetBIOS_name\user_name contains a space, you must enclose the domain name and user name in quotation marks. The user_name can be part o...

Page 547: ...ew Security ID or security group name that does not exist on the ASA. You can use the security object groups you create on the ASA to control access to network resources. You can use the security object group as part of an access group or service policy. Prerequisites: See Chapter 1, "Configuring the ASA to Integrate with Cisco TrustSec," to enable TrustSec. Detailed Steps. Command / Purpose. Step 1: object-gro...

Page 548: ... text string. You can use a regular expression to match the content of certain application traffic; for example, you can match a URL string inside an HTTP packet. Guidelines: Use Ctrl+V to escape all of the special characters in the CLI, such as a question mark (?) or a tab. For example, type d[Ctrl+V]?g to enter d?g in the configuration. See the regex command in the command reference for performance impact infor...

Page 549: ...function is invoked. Asterisk (*): A quantifier that indicates that there are 0, 1, or any number of the previous expression. For example, lo*se matches lse, lose, loose, and so on. Plus (+): A quantifier that indicates that there is at least 1 of the previous expression. For example, lo+se matches lose and loose, but not lse. {x} or {x,}: Minimum repeat quantifier. Repeat at least x times. For example, ab(xy){2,}z matches abxyxyz...

Page 550: ...wing message: INFO: Regular expression match failed. Step 2: To add a regular expression after you tested it, enter the following command: hostname(config)# regex name regular_expression, where the name argument can be up to 40 characters in length. The regular_expression argument can be up to 100 characters in length. Examples: The following example creates two regular expressions for use in an inspection po...

Page 551: ...eserved. All types of class maps use the same name space, so you cannot reuse a name already used by another type of class map. The match-any keyword specifies that the traffic matches the class map if it matches at least one of the regular expressions. The CLI enters class-map configuration mode. Step 2 (Optional): Add a description to the class map by entering the following command: hostname(config-cmap)# ...
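The following regex and class-map configuration is an added example for pages 548 through 551 and is not from the guide. It carries the pages' procedure through to use: the regex is tested with test regex first, the metacharacter is escaped so the pattern means what it appears to mean, the regexes are collected in a match-any regex class map, and that class map is referenced from an HTTP inspection policy attached to the default inspection class. The regex names, host names and policy names are assumptions chosen for the example.

```cisco
! Regular expressions and a regex class map used by HTTP inspection.
! Names, host names and policy names are assumptions for this example.
!
! Test before committing. A non-match prints
! "INFO: Regular expression match failed."
test regex www.example.com/index.html example\.com
!
! The dot is escaped on purpose: an unescaped "." matches any
! character, so example.com would also match examplexcom. A "?" in a
! regex must be preceded by Ctrl+V at the CLI or it is read as help.
regex host_example example\.com
regex host_partner partner\.example\.org
!
! match-any: the class matches when any one of the regexes matches.
class-map type regex match-any ALLOWED_HOSTS
 description Host headers expected on outbound HTTP
 match regex host_example
 match regex host_partner
!
! HTTP inspection class: requests whose Host header is NOT in the
! allowed list. Using "not" here keeps the allow-list logic explicit.
class-map type inspect http match-all HOST_NOT_ALLOWED
 match not request header host regex class ALLOWED_HOSTS
!
policy-map type inspect http HTTP_POLICY
 class HOST_NOT_ALLOWED
  drop-connection log
!
! Attach to the global service policy's default inspection class.
policy-map global_policy
 class inspection_default
  inspect http HTTP_POLICY
!
! Verification
show running-config regex
show running-config class-map
```

Because all class-map types share one name space (page 551), ALLOWED_HOSTS and HOST_NOT_ALLOWED cannot later be reused for, say, a Layer 3/4 class map; choose names that say which kind they are.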

Page 552: ...ating a time range does not restrict access to the device. This procedure defines the time range only. Detailed Steps. Examples: The following is an example of an absolute time range beginning at 8:00 a.m. on January 1, 2006. Because no end time and date are specified, the time range is in effect indefinitely. Command / Purpose. Step 1: time-range name. Example: hostname(config)# time-range Sales. Identifies the ti...

Page 553: ...ect-group: Displays all current object groups. show running-config object-group grp_id: Displays the current object groups by their group ID. show running-config object-group grp_type: Displays the current object groups by their group type. Table 1-2 Feature History for Object Groups. Feature Name / Platform Releases / Feature Information. Object groups, 7.0(1): Object groups simplify access list creation and ma...

Page 554: ...We modified the following commands: object-group network. Security Group Object Groups for Cisco TrustSec, 8.4(2): Security group object groups for TrustSec were introduced. We introduced the following commands: object-group security, security-group. Extended ACL and object enhancement to filter ICMP traffic by ICMP code, 9.0(1): ICMP traffic can now be permitted or denied based on ICMP code. We introduced or modified...

Page 555: ...uring a Service Policy Using the Modular Policy Framework. This chapter includes the following sections: Access List Types, page 1-1; Access Control Entry Order, page 1-2; Access Control Implicit Deny, page 1-3; IP Addresses Used for Access Lists When You Use NAT, page 1-3; Where to Go Next, page 1-3. Access List Types: The ASA uses five types of access control lists. Standard access lists: Identify the destinat...

Page 556: ...re management access according to Chapter 1, Configuring Management Access. Identify traffic for AAA rules: Extended. AAA rules use access lists to identify traffic. Control network access for IP traffic for a given user: Extended, downloaded from a AAA server per user. You can configure the RADIUS server to download a dynamic access list to be applied to the user, or the server can send the name of an acc...

Page 557: ... explicitly deny all traffic with an EtherType ACE, then IP and ARP traffic is denied. IP Addresses Used for Access Lists When You Use NAT: For the following features, you should always use the real IP address in the access list when you use NAT, even if the address as seen on an interface is the mapped address: access-group command; Modular Policy Framework match access-list command; Botnet Traffic Filte...

Page 558: ...1-4 Cisco ASA Series CLI Configuration Guide, Chapter 1: Information About Access Lists, Where to Go Next ...

Page 559: ...extended ACL is made up of one or more access control entries (ACEs). Each ACE specifies a source and destination for matching traffic. You can identify parameters within the access-list command, or you can create objects or object groups for use in the ACL. Access Control Entry Order, page 1-1; NAT and ACLs, page 1-2. Access Control Entry Order: An ACL is made up of one or more ACEs. Each ACE that you enter ...

Page 560: ...access the inside server needs to reference the server's real IP address (10.1.1.5) and not the mapped address (209.165.201.5): hostname(config)# object network server1; hostname(config-network-object)# host 10.1.1.5; hostname(config-network-object)# nat (inside,outside) static 209.165.201.5; hostname(config)# access-list OUTSIDE extended permit tcp any host 10.1.1.5 eq www; hostname(config)# access-group OUTSIDE in i...

Page 561: ...n. You might want to name the ACL for the interface (for example, INSIDE), or you can name it for the purpose for which it is created (for example, NO_NAT or VPN). Typically, you identify the ip keyword for the protocol, but other protocols are accepted. For a list of protocol names, see the Protocols and Applications section on page 1-11. You can specify the source and destination ports only for the TCP or UDP...

Page 562: ...An ACL is made up of one or more access control entries (ACEs) with the same ACL ID. To create an ACL, you start by creating an ACE and applying a list name. An ACL with one entry is still considered a list, although you can add multiple entries to the list. Prerequisites: (Optional) Create network objects or object groups according to the Configuring Network Objects and Groups section on page 1-2. Objects c...

Page 563: ...ated using the object service command. A TCP, UDP, or ICMP service object can include a protocol and a source and/or destination port, or ICMP type and code. object-group service_grp_id: Specifies a service object group created using the object-group service command. Source Address, Destination Address: The source_address_argument specifies the IP address or FQDN from which the packet is being sent, and the...

Page 564: ... the clear configure access-list command. Detailed Steps (Command / Purpose): access-list access_list_name [line line_number] extended {deny | permit} {tcp | udp} source_address_argument [port_argument] dest_address_argument [port_argument] [log [[level] [interval secs] | disable | default]] [inactive | time-range time_range_name]. Example: hostname(config)# access-list ACL_IN extended deny tcp any host 209.165.201.29 eq www. Adds an ACE...

Page 565: ...guration. To remove the entire ACL, use the clear configure access-list command. Detailed Steps. Adding an ACE for User-Based Policy (Identity Firewall): If you configure the identity firewall feature, you can control traffic based on user identity. Prerequisites: See Chapter 1, Configuring the Identity Firewall, to enable IDFW. Command / Purpose: access-list access_list_name [line line_number] extended {deny | permit}...

Page 566: ...olicy, as well as optional usernames and/or groups. For common keywords and arguments, see the Adding an ACE for IP Address or Fully Qualified Domain Name-Based Policy section on page 1-4. Keywords and arguments specific to this type of ACE include the following: user_argument is for use with the identity firewall feature and specifies the user or group for which to match traffic, in addition to the sou...

Page 567: ...AL idfw any 10.0.0.0 255.255.255.0. Adds an ACE for IP address or FQDN policy, as well as optional security groups. For common keywords and arguments, see the Adding an ACE for IP Address or Fully Qualified Domain Name-Based Policy section on page 1-4. Keywords and arguments specific to this type of ACE include the following: security_group_argument is for use with the TrustSec feature and specifies the...

Page 568: ...ault, all other traffic is denied unless explicitly permitted: hostname(config)# access-list ACL_IN extended permit ip 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224. The following ACL restricts all hosts (on the interface to which you apply the ACL) from accessing a website at address 209.165.201.29. All other traffic is allowed: hostname(config)# access-list ACL_IN extended deny tcp any host 209.1...

Page 569: ...1.29 eq www; hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.4 host 209.165.201.16 eq www; hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.78 host 209.165.201.16 eq www; hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.89 host 209.165.201.16 eq www; hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.4 host 209.165.201.78 eq www; hostname(c...

Page 570: ... TCP or UDP, or the ICMP type for ICMP. We introduced the following command: access-list extended. Real IP addresses, 8.3(1): When using NAT or PAT, mapped addresses and ports are no longer required in an ACL for several features. You should now always use the real, untranslated addresses and ports for these features. Using the real address and port means that if the NAT configuration changes, you do not nee...

Page 571: ...ively. The IPv6-specific ACLs are deprecated. Existing IPv6 ACLs are migrated to extended ACLs. See the release notes for more information about migration. We modified the following commands: access-list extended, access-list webtype. We removed the following commands: ipv6 access-list, ipv6 access-list webtype, ipv6-vpn-filter. Extended ACL and object enhancement to filter ICMP traffic by ICMP code, 9.0(1): ICM...

Page 573: ...e Access Lists, page 1-5; Feature History for EtherType Access Lists, page 1-5. Information About EtherType Access Lists: An EtherType access list is made up of one or more Access Control Entries (ACEs) that specify an EtherType. An EtherType rule controls any EtherType identified by a 16-bit hexadecimal number, as well as selected traffic types. See the Supported EtherTypes and Other Traffic section on pag...

Page 574: ...y allowed from a high security interface to a low security interface. However, if you explicitly deny all traffic with an EtherType ACE, then IP and ARP traffic is denied. 802.3-formatted frames are not handled by the access list because they use a length field as opposed to a type field. See the Supported EtherTypes and Other Traffic section on page 1-5 for more information about supported traffic. Def...

Page 575: ...se letters so that the name is easy to see in the configuration. You might want to name the access list for the interface (for example, INSIDE) or for the purpose (for example, MPLS or PIX). The permit keyword permits access if the conditions are matched; deny denies access. The ipx keyword specifies access to IPX. The bpdu keyword specifies access to bridge protocol data units, which are allowed by default. T...

Page 576: ...g)# access-list OUT extended permit ip host 209.168.200.3 any; hostname(config)# access-list OUT remark this is the hr admin address; hostname(config)# access-list OUT extended permit ip host 209.168.200.4 any. What to Do Next: Apply the access list to an interface. See the Configuring Access Rules section on page 1-7 for more information. Monitoring EtherType Access Lists: To monitor EtherType access lists, en...

Page 577: ...terface inside; hostname(config)# access-group ETHER in interface outside. The following access list denies traffic with EtherType 0x1256, but it allows all others on both interfaces: hostname(config)# access-list nonIP ethertype deny 1256; hostname(config)# access-list nonIP ethertype permit any; hostname(config)# access-group ETHER in interface inside; hostname(config)# access-group ETHER in interface outside. Fe...

Page 579: ...ion Examples for Standard Access Lists, page 1-4; Feature History for Standard Access Lists, page 1-5. Information About Standard Access Lists: Standard access lists identify the destination IP addresses of OSPF routes and can be used in a route map for OSPF redistribution. Standard access lists cannot be applied to interfaces to control traffic. Licensing Requirements for Standard Access Lists: The follo...

Page 580: ...ist name. When used with the access-group command, the deny keyword does not allow a packet to traverse the ASA. By default, the ASA denies all packets on the originating interface unless you specifically permit access. When specifying a source, local, or destination address, use the following guidelines: Use a 32-bit quantity in four-part dotted-decimal format. Use the keyword any as an abbreviation for an...

Page 581: ... used in a route map for OSPF redistribution, enter the following command. Command / Purpose: hostname(config)# access-list access_list_name standard {deny | permit} {any | ip_address mask}. Example: hostname(config)# access-list OSPF standard permit 192.168.1.0 255.255.255.0. Adds a standard access list entry. To add another ACE to the end of the access list, enter another access-list command, specifying the same acces...

Page 582: ...t to Do Next: Apply the access list to an interface. See the Configuring Access Rules section on page 1-7 for more information. Monitoring Access Lists: To monitor access lists, perform one of the following tasks. Configuration Examples for Standard Access Lists: The following example shows how to deny IP traffic through the ASA: hostname(config)# access-list 77 standard deny. Command / Purpose: access-list acc...

Page 583: ...specify a destination address: hostname(config)# access-list 77 standard permit host 10.1.10.123. Feature History for Standard Access Lists: Table 1-2 lists the release history for this feature. Table 1-2 Feature History for Standard Access Lists (Feature Name / Releases / Feature Information): Standard access lists, 7.0(1): Standard access lists identify the destination IP addresses of OSPF routes, which can be us...

Page 585: ...1-2; Using Webtype Access Lists, page 1-2; What to Do Next, page 1-5; Monitoring Webtype Access Lists, page 1-5; Configuration Examples for Webtype Access Lists, page 1-5; Feature History for Webtype Access Lists, page 1-7. Licensing Requirements for Webtype Access Lists: The following table shows the licensing requirements for this feature. Guidelines and Limitations: This section includes the guidelines and l...

Page 586: ... ACLs have been extended to support IPv6 ACLs. If you configure both an IPv4 ACL and an IPv6 ACL, they are converted to dynamic ACLs. If you use the Access Control Server (ACS), you must configure IPv6 ACLs using the cisco-av-pair attribute; downloadable ACLs are not supported in the ACS GUI. Default Settings: Table 1-1 lists the default settings for Webtype access lists parameters. Using Webtype Access Lis...

Page 587: ...option specifies the time interval at which to generate system log message 106100; valid values are from 1 to 600 seconds. The log [[disable | default] | level] option specifies that system log message 106100 is generated for the ACE. When the log optional keyword is specified, the default level for system log message 106100 is 6 (informational). See the log command for more information. The permit keyword permit...

Page 588: ...keyword denies access if the conditions are matched. The host ip_address option specifies a host IP address. The interval option specifies the time interval at which to generate system log message 106100; valid values are from 1 to 600 seconds. The ip_address ip_mask option specifies a specific IP address and subnet mask. The log [[disable | default] | level] option specifies that system log message 106100 is ...

Page 589: ...y. What to Do Next: Apply the access list to an interface. See the Configuring Access Rules section on page 1-7 for more information. Monitoring Webtype Access Lists: To monitor webtype access lists, enter the following command. Configuration Examples for Webtype Access Lists: The following example shows how to deny access to a specific company URL: hostname(config)# access-list acl_company webtype deny url ...

Page 590: ...r in the preceding example specifies that either character 0 or 1 can occur. The following example matches URLs such as http://www.example.com and http://www.example.net: access-list test webtype permit url http://www.[a-z]ample. The range operator in the preceding example specifies that any character in the range from a to z can occur. The following example matches URLs such as http://www.cisco.com/anything/c...

Page 591: ...onfiguration that supports filtering for clientless SSL VPN. We introduced the feature and the following command: access-list webtype. Unified ACL for IPv4 and IPv6, 9.0(1): ACLs now support IPv4 and IPv6 addresses. You can even specify a mix of IPv4 and IPv6 addresses for the source and destination. The IPv6-specific ACLs are deprecated. Existing IPv6 ACLs are migrated to extended ACLs. See the release not...

Page 593: ...ccess List Logging, page 1-3; Monitoring Access Lists, page 1-4; Configuration Examples for Access List Logging, page 1-4; Feature History for Access List Logging, page 1-5. Information About Logging Access List Activity: By default, when traffic is denied by an extended ACE or a Webtype ACE, the ASA generates syslog message 106023 for each denied packet in the following form: %ASA|PIX-4-106023: Deny protocol s...

Page 594: ... first hit and at the end of each interval, identifying the total number of hits during the interval and the timestamp for the last hit. At the end of each interval, the ASA resets the hit count to 0. If no packets match the ACE during an interval, the ASA deletes the flow entry. A flow is defined by the source and destination IP addresses, protocols, and ports. Because the source port might differ for a n...

Page 595: ... to log denied packets. Default Settings: Table 1-1 lists the default settings for extended access list parameters. Configuring Access List Logging: This section describes how to configure access list logging. Note: For complete access list command syntax, see the Configuring Extended ACLs section on page 1-4 and the Using Webtype Access Lists section on page 1-2. Table 1-1 Default Extended Access List P...

Page 596: ...ecifies the access list for which you want to configure logging. The extended option adds an ACE. The deny keyword denies a packet if the conditions are matched. Some features do not allow deny ACEs, such as NAT. See the command documentation for each feature that uses an access list for more information. The permit keyword permits a packet if the conditions are matched. If you enter the log option witho...

Page 597: ...log message: %ASA|PIX-2-106100: access-list outside-acl denied ip outside/3.3.3.3(12345) -> inside/192.168.1.1(1357) hit-cnt 1 (first hit). If 20 additional attempts occur within a 5-minute interval (the default), the following syslog message appears at the end of 5 minutes: %ASA|PIX-2-106100: access-list outside-acl denied ip outside/3.3.3.3(12345) -> inside/192.168.1.1(1357) hit-cnt 21 (300-second interval). Feature His...

Page 598: ...prevents unlimited consumption of memory and CPU resources. When you reach the maximum number of deny flows, the ASA issues syslog message 106100: %ASA|PIX-1-106101: The number of ACL log deny-flows has reached limit (number). The access-list alert-interval command sets the time interval for generating syslog message 106001. Syslog message 106001 alerts you that the ASA has reached a deny flow maximum. When...

Page 599: ...ers argument specifies the maximum number of deny flows. The default is 4096. secs: The secs argument specifies the time in seconds between syslog messages. The default is 300. Command / Purpose: access-list deny-flow-max number. Example: hostname(config)# access-list deny-flow-max 3000. Sets the maximum number of deny flows. The numbers argument specifies the maximum number, which can be between 1 and 4096. The ...

Page 600: ...1-2 lists the release history for this feature. Table 1-4 Feature History for Managing Deny Flows (Feature Name / Releases / Feature Information): Managing Deny Flows, 7.0(1): You can configure the maximum number of deny flows and set the interval between deny flow alert messages. We introduced the following commands: access-list deny-flow and access-list alert-interval. ...

Page 601: ...PART 2: Configuring IP Routing ...

Page 603: ... of these is referred to as packet switching. Although packet switching is relatively straightforward, path determination can be very complex. This section includes the following topics: Switching, page 1-1; Path Determination, page 1-2; Supported Route Types, page 1-2. Switching: Switching algorithms are relatively simple; they are the same for most routing protocols. In most cases, a host determines that it must ...

Page 604: ...ation address and attempts to associate this address with a next hop. Routing tables also can include other information, such as data about the desirability of a path. Routers compare metrics to determine optimal routes, and these metrics differ depending on the design of the routing algorithm used. Routers communicate with one another and maintain their routing tables through the transmission of a var...

Page 605: ...sharing. Flat Versus Hierarchical: Some routing algorithms operate in a flat space, while others use routing hierarchies. In a flat routing system, the routers are peers of all others. In a hierarchical routing system, some routers form what amounts to a routing backbone. Packets from nonbackbone routers travel to the backbone routers, where they are sent through the backbone until they reach the general a...

Page 606: ...ess interface, then source IP translation is performed if necessary. For regular dynamic outbound NAT, initial outgoing packets are routed using the route table, and the XLATE is then created. Incoming return packets are forwarded using the existing XLATE only. For static NAT, destination-translated incoming packets are always forwarded using the existing XLATE or static translation rules. Next Hop Selection Proces...

Page 607: ...at provides compatibility and seamless interoperation with IGRP routers. An automatic redistribution mechanism allows IGRP routes to be imported into Enhanced IGRP, and vice versa, so it is possible to add Enhanced IGRP gradually into an existing IGRP network. For more information about configuring EIGRP, see the Configuring EIGRP section on page 1-3. Open Shortest Path First (OSPF): OSPF is a routing prot...

Page 608: ...e ASA routing table can be populated by statically defined routes, directly connected routes, and routes discovered by the RIP, EIGRP, and OSPF routing protocols. Because the ASA can run multiple routing protocols in addition to having static and connected routes in the routing table, it is possible that the same route is discovered or entered in more than one manner. When two routes to the same destinat...

Page 609: ... the routing protocols have metrics based on algorithms that are different from the other protocols, it is not always possible to determine the best path for two routes to the same destination that were generated by different routing protocols. Each routing protocol is prioritized using an administrative distance value. Table 1-1 shows the default administrative distance values for the routing protoc...

Page 610: ... dynamic routing process fails, the static route is installed in the routing table. How Forwarding Decisions Are Made: Forwarding decisions are made as follows: If the destination does not match an entry in the routing table, the packet is forwarded through the interface specified for the default route. If a default route has not been configured, the packet is discarded. If the destination matches a singl...

Page 611: ...ave to the master, the epoch number (32-bit sequence number) for the RIB table is incremented. After the transition, the new master unit initially has RIB table entries that are the mirror image of the previous master unit. In addition, the reconvergence timer starts on the new master unit. When the epoch number for the RIB table is incremented, all existing entries are considered stale. Forwarding of IP pa...

Page 612: ...layer 3 interface, you must also configure the router-id pool setting. For more information about dynamic routing and clustering, see Chapter 1, Configuring a Cluster of ASAs. Dynamic Routing in Multiple Context Mode: In multiple context mode, each context maintains a separate routing table and routing protocol databases. This enables you to configure OSPFv2 and EIGRP independently in each context. You can...

Page 613: ...uest with its own MAC address, even though the device does not own the IP address. The ASA uses proxy ARP when you configure NAT and specify a mapped address that is on the same network as the ASA interface. The only way traffic can reach the hosts is if the ASA uses proxy ARP to claim that the MAC address is assigned to destination mapped addresses. Under rare circumstances, you might want to disable ...

Page 614: ...sco ASA Series CLI Configuration Guide, Chapter 1: Routing Overview, Disabling Proxy ARPs. Command / Purpose: sysopt noproxyarp interface. Example: hostname(config)# sysopt noproxyarp exampleinterface. Disables proxy ARPs. ...

Page 615: ...orks generates the following syslog message: %ASA-6-110001: No route to dest_address from source_address. You might want to use static routes in single context mode in the following cases: Your networks use a different router discovery protocol from EIGRP, RIP, or OSPF. Your network is small and you can easily manage static routes. You do not want the traffic or CPU overhead associated with routing protoco...

Page 616: ...ature. Context Mode Guidelines: Supported in single and multiple context mode. Firewall Mode Guidelines: Supported in routed and transparent firewall mode. IPv6 Guidelines: Supports IPv6. Failover Guidelines: Supports Stateful Failover of dynamic routing protocols. Additional Guidelines: IPv6 static routes are not supported in transparent mode in ASDM. In clustering, static route monitoring is only supported ...

Page 617: ...same destination per interface. Equal cost multi-path (ECMP) is not supported across multiple interfaces. With ECMP, the traffic is not necessarily divided evenly between the routes; traffic is distributed among the specified gateways based on an algorithm that hashes the source and destination IP addresses. To configure a static route, see the following section: Adding or Editing a Static Route, page 1-3. A...

Page 618: ...buted among the specified gateways. When defining more than one default route, you must specify the same interface for each entry. If you attempt to define more than three equal cost default routes, or a default route with a different interface than a previously defined default route, you receive the following message: ERROR: Cannot add route entry, possible conflict with existing routes. You can define a ...

Page 619: ... is the administrative distance for the route. The default is 1 if you do not specify a value. Administrative distance is a parameter used to compare routes among different routing protocols. The default administrative distance for static routes is 1, giving it precedence over routes discovered by dynamic routing protocols but not directly connected routes. The default administrative distance for routes ...

Page 620: ...c route with a monitoring target that you define, and monitors the target using ICMP echo requests. If an echo reply is not received within a specified time period, the object is considered down and the associated route is removed from the routing table. A previously configured backup route is used in place of the removed route. When selecting a monitoring target, you need to make sure that it can respo...

Page 621: ... is used in its place. Step 3 sla monitor schedule sla_id [life {forever | seconds}] [start-time {hh:mm[:ss] [month day | day month] | pending | now | after hh:mm:ss}] [ageout seconds] [recurring]. Example: hostname(config)# sla monitor schedule sla_id [life {forever | seconds}] [start-time {hh:mm[:ss] [month day | day month] | pending | now | after hh:mm:ss}] [ageout seconds] [recurring]. Schedules the monitoring process. Typically, you will use the sla m...

Page 622: ...or which there is no static or learned route is distributed among the gateways with the IP addresses 192.168.2.1, 192.168.2.2, and 192.168.2.3. Encrypted traffic received by the ASA for which there is no static or learned route is passed to the gateway with the IP address 192.168.2.4. The following example creates a static route that sends all traffic destined for 10.1.1.0/24 to the router 10.1.2.45 c...

Page 623: ...efault Routes: Table 1-1 lists each feature change and the platform release in which it was implemented. Table 1-1 Feature History for Static and Default Routes (Feature Name / Platform Releases / Feature Information): Routing, 7.0(1): Static and default routing were introduced. We introduced the route command. Clustering, 9.0(1): Supports static route monitoring on the master unit only. ...

Page 625: ...or route maps consists of a list scan in a predetermined order and an evaluation of the criteria of each statement that matches. A list scan is aborted once the first statement match is found, and an action associated with the statement match is performed. They are generic mechanisms. Criteria matches and match interpretation are dictated by the way that they are applied. The same route map applied to ...

Page 626: ... in case you need to insert clauses in the future. This section includes the following topics: Permit and Deny Clauses, page 1-2; Match and Set Clause Values, page 1-2. Permit and Deny Clauses: Route maps can have permit and deny clauses. In the route-map ospf-to-eigrp command, there is one deny clause (with sequence number 10) and two permit clauses. The deny clause rejects route matches from redistribution ...

Page 627: ...Set Value in ASDM) is not present in a route map permit clause, then the route is redistributed without modification of its current attributes. Note: Do not configure a set command in a route map deny clause, because the deny clause prohibits route redistribution; there is no information to modify. A route map clause without a match or set command (or Match or Set Value as set on the Match or Set Value ta...

Page 628: ...ute to Match a Specific Destination Address: To define a route to match a specified destination address, perform the following steps. Detailed Steps (Command / Purpose): route-map name {permit | deny} [sequence_number]. Example: hostname(config)# route-map name permit 12. Creates the route map entry. Enters route-map configuration mode. Route map entries are read in order. You can identify the order using the sequence_...

Page 629: ...ge from 0 to 4294967295. match ip next-hop acl_id [acl_id]. Example: hostname(config-route-map)# match ip next-hop acl_id [acl_id]. Matches any routes that have a next-hop router address that matches a standard ACL. If you specify more than one ACL, then the route can match any of the ACLs. match interface if_name. Example: hostname(config-route-map)# match interface if_name. Matches any routes with the specified n...

Page 630: ...te-map)# access-list mymap2 line 1 permit 10.1.1.0 255.255.255.0; hostname(config-route-map)# route-map mymap2 permit 10; hostname(config-route-map)# match ip address mymap2; hostname(config-route-map)# router eigrp 1; hostname(config)# redistribute static metric 250 250 1 1 1 route-map mymap2. Command / Purpose: Step 1 route-map name {permit | deny} [sequence_number]. Example: hostname(config)# route-map name permit 12. Crea...

Page 631: ... We introduced this feature. We introduced the following command: route-map. Enhanced support for static and dynamic route maps, 8.0(2): Enhanced support for dynamic and static route maps was added. Support for Stateful Failover of dynamic routing protocols (EIGRP, OSPF, and RIP) and debugging of general routing-related operations, 8.4(1): We introduced the following commands: debug route, show debug route. We mod...

Page 633: ...ces, page 1-47; Feature History for OSPF, page 1-48. Information About OSPF: OSPF is an interior gateway routing protocol that uses link states rather than distance vectors for path selection. OSPF propagates link-state advertisements rather than routing table updates. Because only LSAs are exchanged instead of the entire routing tables, OSPF networks converge more quickly than RIP networks. OSPF uses a li...

Page 634: ... supports MD5 and clear text neighbor authentication. Authentication should be used with all routing protocols when possible, because route redistribution between OSPF and other protocols (such as RIP) can potentially be used by attackers to subvert routing information. If NAT is used, if OSPF is operating on public and private areas, and if address filtering is required, then you need to run two OSPF pro...

Page 635: ...prefix length. Addition of two LSA types. Handling of unknown LSA types. Authentication support using the IPsec ESP standard for OSPFv3 routing protocol traffic, as specified by RFC 4552. Using Clustering: For more information about dynamic routing and clustering, see the Dynamic Routing and Clustering section on page 1-9. For more information about using clustering, see Chapter 1, Configuring a Cluster of ...

Page 636: ...hest IPv4 address on any data interface in each of the cluster units. If the cluster interface mode has not been configured, then only a single dotted-decimal IPv4 address is allowed as the router ID, and the cluster pool option is disabled. If the cluster interface mode is set to a spanned configuration, then only a single dotted-decimal IPv4 address is allowed as the router ID, and the cluster pool op...

Page 637: ...d cluster pool. A mastership role change in the cluster does not change the routing topology in any way. Additional Guidelines: OSPFv2 and OSPFv3 support multiple instances on an interface. OSPFv3 supports encryption through ESP headers in a non-clustered environment. OSPFv3 supports Non-Payload Encryption. Configuring OSPFv2: This section describes how to enable an OSPFv2 process on the ASA. After you en...

Page 638: ...re allowed to be redistributed into the target routing process, you must first generate a default route (see the Configuring Static and Default Routes section on page 1-2) and then define a route map according ... Command / Purpose: Step 1 router ospf process_id. Example: hostname(config)# router ospf 2. Creates an OSPF routing process and enters router configuration mode for this OSPF process. The process_id arg...

Page 639: ...ribute static [metric metric_value] [metric-type {type-1 | type-2}] [tag tag_value] [subnets] [route-map map_name]. Example: hostname(config)# redistribute static 5 type-1 route-map practice. Redistributes static routes into the OSPF routing process. redistribute ospf pid [match {internal | external [1 | 2] | nssa-external [1 | 2]}] [metric metric_value] [metric-type {type-1 | type-2}] [tag tag_value] [subnets] [route-map map_name]. Example: hostna...

Page 640: ...stribute rip metric metric value metric type type 1 type 2 tag tag_value subnets route map map_name Example hostname config redistribute rip 5 hostname config route map match metric 1 hostname config route map set metric 5 hostname config route map set metric type type 1 hostname config rtr redistribute ospf 1 route map 1 to 2 Allows you to redistribute routes from a RIP routing process into the O...

Page 641: ...s OSPF process The process_id argument is an internally used identifier for this routing process and can be any positive integer This ID does not have to match the ID on any other device it is for internal use only You can use a maximum of two processes Step 2 summary address ip_address mask not advertise tag tag Example hostname config router ospf 1 hostname config rtr summary address 10 1 0 0 25...

Page 642: ... two processes. Step 2 network ip_address mask area area_id Example: hostname(config)# router ospf 2 hostname(config-rtr)# network 10.0.0.0 255.0.0.0 area 0 Defines the IP addresses on which OSPF runs and the area ID for that interface. Step 3 interface interface_name Example: hostname(config)# interface my_interface Allows you to enter interface configuration mode. Step 4 Do one of the following to configur...

Page 643: ...d: An identifier in the range from 1 to 255. key: An alphanumeric password of up to 16 bytes. Usually one key per interface is used to generate authentication information when sending packets and to authenticate incoming packets. The same key identifier on the neighbor router must have the same key value. We recommend that you not keep more than one key per interface. Every time you add a new key, you sho...

Page 644: ...ig-interface)# ospf transmit-delay 5 Sets the estimated number of seconds required to send a link-state update packet on an OSPF interface. The seconds value ranges from 1 to 65535 seconds. The default value is 1 second. In this example, the transmit delay is 5 seconds. ospf network point-to-point non-broadcast Example: hostname(config-interface)# ospf network point-to-point non-broadcast Specifies the inte...

Page 645: ... site border router and the remote router could not be run as an OSPFv2 stub area because routes for the remote site could not be redistributed into the stub area and two routing protocols needed to be maintained A simple protocol such as RIP was usually run and handled the redistribution With NSSA you can extend OSPFv2 to cover the remote connection by defining the area between the corporate rout...

Page 646: ...the ID on any other device it is for internal use only You can use a maximum of two processes Step 2 Do one of the following to configure optional OSPF NSSA parameters area area id nssa no redistribution default information originate Example hostname config rtr area 0 nssa Defines an NSSA area summary address ip_address mask not advertise tag tag Example hostname config rtr summary address 10 1 0 ...

Page 647: ...0.0 255.255.0.0 area 1 hostname(config-rtr)# log-adj-changes Specifies the router ID cluster pool for Layer 3 clustering. The cluster-pool keyword enables configuration of an IP address pool when Layer 3 clustering is configured. The hostname A.B.C.D keyword specifies the OSPF router ID for this OSPF process. The ip_pool argument specifies the name of the IP address pool. Note If you are using clusteri...

Page 648: ... adj changes detail command if you want to see messages for each state change Command Purpose Step 1 router ospf process_id Example hostname config router ospf 2 Creates an OSPFv2 routing process and enters router configuration mode for this OSPFv2 process The process_id argument is an internally used identifier for this routing process and can be any positive integer This ID does not have to matc...

Page 649: ...SPFv3 Default Parameters page 1 36 Sending Syslog Messages page 1 37 Suppressing Syslog Messages page 1 37 Calculating Summary Route Costs page 1 38 Generating a Default External Route into an OSPFv3 Routing Domain page 1 38 Configuring an IPv6 Summary Prefix page 1 39 Redistributing IPv6 Routes page 1 40 Command Purpose Step 1 router ospf process_id Example hostname config router ospf 2 Creates a...

Page 650: ...router ospf 10 Creates an OSPFv3 routing process and enters IPv6 router configuration mode The process id argument is an internally used tag for this routing process and can be any positive integer This tag does not have to match the tag on any other device it is for internal use only You can use a maximum of two processes Command Purpose Step 1 interface interface_name Example hostname config int...

Page 651: ...et3/2.200 vlan 200 nameif outside security-level 100 ip address 10.20.200.30 255.255.255.0 standby 10.20.200.31 ipv6 address 3001::1/64 standby 3001::8 ipv6 address 6001::1/64 standby 6001::8 ipv6 enable ospf priority 255 ipv6 ospf cost 100 ipv6 ospf 100 area 10 instance 200 Creates an OSPFv3 area. The area-num argument is the area for which authentication is to be enabled and can be either a decimal v...

Page 652: ...ing LSAs are flooded to the interface by default ipv6 ospf dead interval seconds Example hostname config if interface GigabitEthernet3 2 200 vlan 200 nameif outside security level 100 ip address 10 20 200 30 255 255 255 0 standby 10 20 200 31 ipv6 address 3001 1 64 standby 3001 8 ipv6 address 6001 1 64 standby 6001 8 ipv6 enable ospf priority 255 ipv6 ospf cost 100 ipv6 ospf 100 area 10 instance 2...

Page 653: ... encryption. The key-encryption-type argument can be one of the following two values: 0 (the key is not encrypted) or 7 (the key is encrypted). The key argument specifies the number used in the calculation of the message digest. The number is 32 hexadecimal digits (16 bytes) long. The size of the key depends on the encryption algorithm used. Some algorithms, such as AES CDC, allow you to choose the size of the key...

Page 654: ...ty level 100 ip address 10 20 200 30 255 255 255 0 standby 10 20 200 31 ipv6 address 3001 1 64 standby 3001 8 ipv6 address 6001 1 64 standby 6001 8 ipv6 enable ospf priority 255 ipv6 ospf cost 100 ipv6 ospf 100 area 10 instance 200 ipv6 ospf mtu ignore Disables the OSPF MTU mismatch detection when DBD packets are received OSPF MTU mismatch detection is enabled by default ipv6 ospf network broadcas...

Page 655: ...ets the router priority which helps determine the designated router for a network Valid values range from 0 to 255 ipv6 ospf neighbor ipv6 address priority number poll interval seconds cost number database filter all out Example hostname config if interface GigabitEthernet3 2 200 vlan 200 nameif outside security level 100 ip address 10 20 200 30 255 255 255 0 standby 10 20 200 31 ipv6 address 3001...

Page 656: ...f transmit delay seconds Example hostname config if interface GigabitEthernet3 2 200 vlan 200 nameif outside security level 100 ip address 10 20 200 30 255 255 255 0 standby 10 20 200 31 ipv6 address 3001 1 64 standby 3001 8 ipv6 address 6001 1 64 standby 6001 8 ipv6 enable ospf priority 255 ipv6 ospf cost 100 ipv6 ospf 100 area 10 instance 200 ipv6 ospf retransmit delay 3 Sets the estimated time ...

Page 657: ...rtr)# exit Exits from IPv6 router configuration mode. ignore Example: hostname(config-rtr)# ignore lsa Suppresses the sending of syslog messages with the lsa parameter when the router receives a link-state advertisement (LSA) for Type 6 Multicast OSPF (MOSPF) packets. log-adjacency-changes Example: hostname(config-rtr)# log-adjacency-changes detail Configures the router to send a syslog message when an OSPFv3 n...

Page 658: ...lid values from 0 to 128 The X X X X X parameter specifies the IPv6 prefix timers Example hostname config ipv6 router ospf 10 hostname config rtr timers throttle spf 6000 12000 14000 Adjusts routing timers The routing timer parameters are the following lsa Specifies OSPFv3 LSA timers pacing Specifies OSPFv3 pacing timers throttle Specifies OSPFv3 throttle timers Command Purpose Command Purpose Ste...

Page 659: ...ifies the IPv6 prefix The prefix length argument specifies the prefix length The advertise keyword sets the address range status to advertised and generates a Type 3 summary LSA The not advertise keyword sets the address range status to DoNotAdvertise The Type 3 summary LSA is suppressed and the component networks remain hidden from other networks The cost cost keyword argument pair specifies the ...

Page 660: ...ues range from 1 to 8192 The default is 10 The retransmit interval seconds keyword argument pair specifies the time in seconds between LSA retransmissions for adjacencies that belong to the interface The retransmit interval is the expected round trip delay between any two routers on the attached network The value must be greater than the expected round trip delay and can range from 1 to 8192 The d...

Page 661: ..._name argument specifies the name of the interface on which the OSPFv3 process is running If the no interface_name argument is specified all of the interfaces in the OSPFv3 process process_id are made passive Command Purpose Step 1 ipv6 router ospf process_id Example hostname config if ipv6 router ospf 1 Enables an OSPFv3 routing process and enters IPv6 router configuration mode The process_id arg...

Page 662: ...mers lsa arrival 2000 Sets the minimum interval at which the ASA accepts the same LSA from OSPF neighbors. The milliseconds argument specifies the minimum delay in milliseconds that must pass between acceptance of the same LSA arriving from neighbors. The range is from 0 to 6,000,000 milliseconds. The default is 1000 milliseconds. Command Purpose Step 1 ipv6 router ospf process-id Example: hostname(con...

Page 663: ...terval at which OSPFv3 LSAs are collected into a group and refreshed, checksummed, or aged. The seconds argument specifies the number of seconds in the interval at which LSAs are grouped, refreshed, checksummed, or aged. The range is from 10 to 1800 seconds. The default value is 240 seconds. Command Purpose Step 1 ipv6 router ospf process-id Example: hostname(config-if)# ipv6 router ospf 1 Enables an OSPFv3 ...

Page 664: ...form the following steps Detailed Steps Command Purpose Step 1 ipv6 router ospf process id Example hostname config if ipv6 router ospf 1 Enables an OSPFv3 routing process and enters IPv6 router configuration mode The process id argument is an internally used identifier for this routing process is locally assigned and can be any positive integer from 1 to 65535 This ID does not have to match the ID...

Page 665: ...en OSPFv3 automatically corrects to the first occurrence value Similarly if the maximum delay specified is less than the minimum delay then OSPFv3 automatically corrects to the minimum delay value The default values for LSA throttling are the following For milliseconds1 the default value is 0 milliseconds For milliseconds2 and milliseconds3 the default value is 5000 milliseconds timers throttle sp...

Page 666: ...s id argument is an internally used identifier for this routing process is locally assigned and can be any positive integer from 1 to 65535 This ID does not have to match the ID on any other device it is for internal administrative use only You can use a maximum of two processes Step 2 ipv6 ospf neighbor ipv6 address priority number poll interval seconds cost number database filter all out Example...

Page 667: ...fix timers Example hostname config rtr default metric 5 Returns an optional parameter to its default value The area keyword specifies the OSPFv3 area parameters The auto cost keyword specifies the OSPFv3 interface cost according to bandwidth The default information keyword distributes default information The default metric keyword specifies the metric for a redistributed route The discard route ke...

Page 668: ...ny other device it is for internal administrative use only You can use a maximum of two processes Step 2 log adjacency changes detail Example hostname config rtr log adjacency changes detail Configures the router to send a syslog message when an OSPFv3 neighbor goes up or down The detail keyword sends a syslog message for each state not only when an OSPFv3 neighbor goes up or down Command Purpose ...

Page 669: ...her device it is for internal administrative use only You can use a maximum of two processes Step 2 default information originate always metric metric value metric type type value route map map name Example hostname config rtr default information originate always metric 3 metric type 2 Generates a default external route into an OSPFv3 routing domain The always keyword advertises the default route ...

Page 670: ...o match the ID on any other device; it is for internal administrative use only. You can use a maximum of two processes. Step 2 summary-prefix prefix [not-advertise | tag tag-value] Example: hostname(config-if)# ipv6 router ospf 1 hostname(config-rtr)# router-id 192.168.3.3 hostname(config-rtr)# summary-prefix FECO::/24 hostname(config-rtr)# redistribute static Configures an IPv6 summary prefix. The prefix argument i...

Page 671: ...co ASA Series CLI Configuration Guide Chapter 1 Configuring OSPF Configuring OSPFv3 Redistributing IPv6 Routes To redistribute connected routes into an OSPFv3 process perform the following steps Detailed Steps ...

Page 672: ...rocess on the same router the metric is carried through from one process to the other if no metric value is specified When redistributing other processes into an OSPFv3 process the default metric is 20 when no metric value is specified The metric transparent keyword causes RIP to use the routing table metric for redistributed routes as the RIP metric The metric type type value keyword argument pai...

Page 673: ...type-1 hostname(config-route-map)# router ospf 2 hostname(config-rtr)# redistribute ospf 1 route-map 1-to-2 Step 3 (Optional) To configure OSPFv2 interface parameters, enter the following commands: hostname(config)# router ospf 2 hostname(config-rtr)# network 10.0.0.0 255.0.0.0 area 0 hostname(config-rtr)# interface inside hostname(config-interface)# ospf cost 20 hostname(config-interface)# ospf retransmit-interval...

Page 674: ...e(config)# show ospf Routing Process "ospf 2" with ID 10.1.89.2 and Domain ID 0.0.0.2 Supports only single TOS(TOS0) routes Supports opaque LSA SPF schedule delay 5 secs, Hold time between two SPFs 10 secs Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs Number of external LSA 5. Checksum Sum 0x 26da6 Number of opaque AS LSA 0. Checksum Sum 0x 0 Number of DCbitless external and opaque AS LSA 0 Numbe...

Page 675: ...address 9098::10/64 standby 9098::11 hostname(config-if)# ipv6 enable hostname(config-if)# ipv6 ospf cost 900 hostname(config-if)# ipv6 ospf hello-interval 20 hostname(config-if)# ipv6 ospf network broadcast hostname(config-if)# ipv6 ospf database-filter all out hostname(config-if)# ipv6 ospf flood-reduction hostname(config-if)# ipv6 ospf mtu-ignore hostname(config-if)# ipv6 ospf 1 area 1 instance 100 hostname(conf...

Page 676: ...ds apart Without pacing some update packets could get lost in situations where the link is slow a neighbor could not receive the updates quickly enough or the router could run out of buffer space For example without pacing packets might be dropped if either of the following topologies exist A fast router is connected to a slower router over a point to point link During flooding several neighbors s...

Page 677: ...mmary Displays lists of information related to the OSPFv3 database for a specific router show ipv6 ospf process id area id events Displays OSPFv3 event information show ipv6 ospf process id area id flood list interface type interface number Displays a list of LSAs waiting to be flooded over an interface to observe OSPFv3 packet pacing OSPFv3 update packets are automatically paced so they are not s...

Page 678: ...on list neighbor interface interface neighbor Displays a list of all LSAs waiting to be resent show ipv6 ospf statistic process id detail Displays various OSPFv3 statistics show ipv6 ospf process id summary prefix Displays a list of all summary address redistribution information configured under an OSPFv3 process show ipv6 ospf process id timers lsa group rate limit Displays OSPFv3 timers informat...

Page 679: ...o interval ipv6 ospf mtu ignore ipv6 ospf neighbor ipv6 ospf network ipv6 ospf flood reduction ipv6 ospf priority ipv6 ospf retransmit interval ipv6 ospf transmit delay ipv6 router ospf ipv6 router ospf area ipv6 router ospf default ipv6 router ospf default information ipv6 router ospf distance ipv6 router ospf exit ipv6 router ospf ignore ipv6 router ospf log adjacency changes ipv6 router ospf no...

Page 680: ...Cisco ASA Series CLI Configuration Guide Chapter 1 Configuring OSPF Feature History for OSPF ...

Page 681: ...ll the neighbor routing tables so that it can quickly adapt to alternate routes If no appropriate route exists EIGRP queries its neighbors to discover an alternate route These queries propagate until an alternate route is found Its support for variable length subnet masks permits routes to be automatically summarized on a network number boundary In addition EIGRP can be configured to summarize on ...

Page 682: ...nation in the topology table not just the least cost route The least cost route is inserted into the routing table The other routes remain in the topology table If the main route fails another route is chosen from the feasible successors A successor is a neighboring router used for packet forwarding that has a least cost path to a destination The feasibility calculation guarantees that the path is...

Page 683: ...red to use both EIGRP and OSPFv2 In a Layer 3 cluster setup EIGRP adjacencies can only be established between two contexts on a shared interface on the master unit You can manually configure multiple neighbor statements corresponding to each cluster node separately to work around this issue Additional Guidelines EIGRP instances cannot form adjacencies with each other across shared interfaces becau...

Page 684: ...a stub router Any neighbor that receives a packet informing it of the stub status will not query the stub router for any routes and a router that has a stub peer will not query that peer The stub router depends on the distribution router to send the correct updates to all peers Command Purpose Step 1 router eigrp as num Example hostname config router eigrp 2 Creates an EIGRP routing process and en...

Page 685: ... of the EIGRP routing process. Step 2 network ip-addr mask Example: hostname(config)# router eigrp 2 hostname(config-router)# network 10.0.0.0 255.0.0.0 Configures the interfaces and networks that participate in EIGRP routing. You can configure one or more network statements with this command. Directly connected and static networks that fall within the defined network are advertised by the ASA. Additionall...

Page 686: ...he network address and associated mask configured for the specified EIGRP routing process To add or define a network perform the following steps Detailed Steps Command Purpose Step 1 router eigrp as num Example hostname config router eigrp 2 Creates an EIGRP routing process and enters router configuration mode for this EIGRP process The as num argument is the autonomous system number of the EIGRP ...

Page 687: ...ticipate in the EIGRP routing process If you have an interface that you do not want to have participate in EIGRP routing but that is attached to a network that you want advertised see the Defining a Network for an EIGRP Routing Process section on page 1 6 Step 3 Optional Do one of the following to customize an interface to participate in EIGRP routing no default information in out WORD Example hos...

Page 688: ...ion on page 1 10 for more information on this particular option hello interval eigrp as num seconds Example hostname config hello interval eigrp 2 60 Allows you to change the hello interval See the Customizing the EIGRP Hello Interval and Hold Time section on page 1 15 for more information on this particular option hold time eigrp as num seconds Example hostname config hold time eigrp 2 60 Allows ...

Page 689: ... network participate in the EIGRP routing process If you have an interface that you do not want to have participate in EIGRP routing but that is attached to a network that you want advertised see the Defining a Network for an EIGRP Routing Process section on page 1 6 Step 3 passive interface default if name Example hostname config router eigrp 2 hostname config router network 10 0 0 0 255 0 0 0 ho...

Page 690: ...authentication is configured on a per interface basis All EIGRP neighbors on interfaces configured for EIGRP message authentication must be configured with the same authentication mode and key for adjacencies to be established Note Before you can enable EIGRP route authentication you must enable EIGRP To enable EIGRP authentication on an interface perform the following steps Command Purpose Step 1...

Page 691: ...etwork that you want advertised, see the Configuring EIGRP section on page 1-3. Step 3 interface phy_if Example: hostname(config)# interface inside Enters interface configuration mode for the interface on which you are configuring EIGRP message authentication. Step 4 authentication mode eigrp as-num md5 Example: hostname(config)# authentication mode eigrp 2 md5 Enables MD5 authentication of EIGRP packets. T...

Page 692: ...P only Before you begin this procedure you must create a route map to further define which routes from the specified routing protocol are redistributed in to the RIP routing process See Chapter 1 Defining Route Maps for more information about creating a route map To redistribute routes into the EIGRP routing process perform the following steps Command Purpose Step 1 router eigrp as num Example hos...

Page 693: ...istribute command If you specify the EIGRP metrics in the redistribute command and have the default metric command in the EIGRP router configuration the metrics in the redistribute command are used Step 3 Do one of the following to redistribute the selected route type into the EIGRP routing process redistribute connected metric bandwidth delay reliability loading mtu route map map_name Example hos...

Page 694: ...e rip metric bandwidth delay reliability load mtu route map map_name Redistributes routes from a RIP routing process into the EIGRP routing process Command Purpose Command Purpose Step 1 router eigrp as num Example hostname config router eigrp 2 Creates an EIGRP routing process and enters router configuration mode for this EIGRP process The as num argument is the autonomous system number of the EI...

Page 695: ...tailed Steps Step 3 Do one of the following to filter networks sent or received in EIGRP routing updates distribute list acl out connected ospf rip static interface if_name Example hostname config router eigrp 2 hostname config router network 10 0 0 0 255 0 0 0 hostname config router distribute list acl out connected Filters networks sent in EIGRP routing updates You can specify an interface to ap...

Page 696: ...ed Steps Configuring Default Information in EIGRP You can control the sending and receiving of default route information in EIGRP updates By default default routes are sent and accepted Configuring the ASA to disallow default information to be received causes the candidate default route bit to be blocked on received routes Configuring the ASA to disallow default information to be sent disables the...

Page 697: ...P routing process and enters router configuration mode for this EIGRP process The as num argument is the autonomous system number of the EIGRP routing process Step 2 hostname config router network ip addr mask Example hostname config router eigrp 2 hostname config router network 10 0 0 0 255 0 0 0 Configures the interfaces and networks that participate in EIGRP routing You can configure one or mor...

Page 698: ...mmand Purpose Step 1 interface phy_if Example: hostname(config)# interface phy_if Enters interface configuration mode for the interface on which you are changing the delay value used by EIGRP. Step 2 no split-horizon eigrp as-number Example: hostname(config-if)# no split-horizon eigrp 2 Disables the split horizon. Command Purpose clear eigrp pid 1-65535 {neighbors | topology | events} Example: hostname(config)# cl...

Page 699: ... participate in EIGRP routing, enter the following command: hostname(config-router)# network 10.0.0.0 255.0.0.0 Step 5 To change the interface delay value used in EIGRP distance calculations, enter the following commands: hostname(config-router)# exit hostname(config)# interface phy_if hostname(config-if)# delay 200 show eigrp as-number topology [ip-addr mask | active | all-links | pending | summary | zero-successors] Di...

Page 700: ...ata performing authentication and redistributing and monitoring routing information using the Enhanced Interior Gateway Routing Protocol EIGRP We introduced the following command route eigrp Dynamic Routing in Multiple Context Mode 9 0 1 EIGRP routing is supported in multiple context mode Clustering 9 0 1 For EIGRP bulk synchronization route synchronization and layer 2 load balancing are supported...

Page 701: ...1 2 RIP Timers page 1 2 Using Clustering page 1 3 The Routing Information Protocol or RIP as it is more commonly called is one of the most enduring of all routing protocols RIP has four basic components routing update process RIP routing metrics routing stability and routing timers Devices that support RIP send routing update messages at regular intervals and when the network topology changes Thes...

Page 702: ... to measure the distance between the source and a destination network Each hop in a path from source to destination is assigned a hop count value which is typically 1 When a router receives a routing update that contains a new or changed destination network entry the router adds 1 to the metric value indicated in the update and enters the network in the routing table The IP address of the sender i...

Page 703: ... in single context mode only Firewall Mode Guidelines Supported in routed and transparent firewall mode IPv6 Guidelines Does not support IPv6 Additional Guidelines The following information applies to RIP Version 2 only If using neighbor authentication the authentication key and key ID must be the same on all neighbor devices that provide RIP Version 2 updates to the interface With RIP Version 2 t...

Page 704: ...ning a Route Map section on page 1 4 Enabling RIP You can only enable one RIP routing process on the ASA After you enable the RIP routing process you must define the interfaces that will participate in that routing process using the network command By default the ASA sends RIP Version 1 updates and accepts RIP Version 1 and Version 2 updates To enable the RIP routing process enter the following co...

Page 705: ...r rip hostname(config-router)# network 10.0.0.0 Specifies the interfaces that will participate in the RIP routing process. If an interface belongs to a network defined by this command, the interface will participate in the RIP routing process. If an interface does not belong to a network defined by this command, the interface will not send or receive RIP updates. Step 3 Enter one of the following numbers...

Page 706: ...rip Starts the RIP routing process and places you in router configuration mode Step 2 network network_address Example hostname config router rip hostname config router network 10 0 0 0 Specifies the interfaces that will participate in the RIP routing process If an interface belongs to a network defined by this command the interface will participate in the RIP routing process If an interface does n...

Page 707: ...matic route summarization on the routers that are creating conflicting summary addresses Because RIP Version 1 always uses automatic route summarization and RIP Version 2 always uses automatic route summarization by default when configuring automatic route summarization you only need to disable it To disable automatic route summarization perform the following steps Detailed Steps rip send version ...

Page 708: ...buted in to the RIP routing process See Chapter 1 Defining a Route Map for more information about creating a route map To redistribute a route into the RIP routing process enter one of the following commands Command Purpose Step 1 router rip Example hostname config router rip Enables the RIP routing process and places you in router configuration mode Step 2 distribute list acl in interface if_name...

Page 709: ... map name Redistributes connected routes into the RIP routing process You must specify the RIP metric values in the redistribute command if you do not have a default metric command in the RIP router configuration redistribute static metric metric_value transparent route map map_name Example hostname config router redistribute static metric metric_value transparent route map map_name Redistributes ...

Page 710: ...rface configuration mode for the interface on which you are configuring RIP message authentication. Step 3 rip authentication mode {text | md5} Example: hostname(config-if)# rip authentication mode md5 Sets the authentication mode. By default, text authentication is used. We recommend that you use MD5 authentication. Step 4 rip authentication key key key_id key-id Example: hostname(config-if)# rip authentication...

Page 711: ...Example for RIP The following example shows how to enable and configure RIP with various optional processes: hostname(config)# router rip 2 hostname(config-router)# default-information originate hostname(config-router)# version 1 hostname(config-router)# network 225.25.25.225 hostname(config-router)# passive-interface default hostname(config-router)# redistribute connected metric bandwidth delay reliability lo...

Page 712: ...ation RIP support 7 0 1 Support was added for routing data performing authentication and redistributing and monitoring routing information using the Routing Information Protocol RIP We introduced the route rip command Clustering 9 0 1 For RIP bulk synchronization route synchronization and layer 2 load balancing are supported in the clustering environment We introduced or modified the following com...

Page 713: ...ions that take advantage of multicast routing include videoconferencing corporate communications distance learning and distribution of software stock quotes and news Multicast routing protocols delivers source traffic to multiple receivers without adding any additional burden on the source or the receivers while using the least network bandwidth of any competing technology Multicast packets are re...

Page 714: ...lticast topology With the assistance of the DF multicast data is forwarded from sources to the Rendezvous Point and therefore along the shared tree to receivers without requiring source specific state The DF election takes place during Rendezvous Point discovery and provides a default route to the Rendezvous Point Note If the ASA is the PIM RP use the untranslated outside address of the ASA as the...

Page 715: ...de In multiple context mode unshared interfaces and shared interfaces are not supported Firewall Mode Guidelines Supported only in routed firewall mode Transparent firewall mode is not supported IPv6 Guidelines Does not support IPv6 Additional Guidelines In clustering for IGMP and PIM this feature is only supported on the master unit Enabling Multicast Routing Enabling multicast routing lets you e...

Page 716: ...ding IGMP Messages Note Stub multicast routing and PIM are not supported concurrently An ASA acting as the gateway to the stub area does not need to participate in PIM Instead you can configure it to act as an IGMP proxy agent and forward IGMP messages from hosts connected on one interface to an upstream multicast router on another interface To configure the ASA as an IGMP proxy agent forward the ...

Page 717: ...IGMP Features IP hosts use the Internet Group Management Protocol IGMP to report their group memberships to directly connected multicast routers IGMP is used to dynamically register individual hosts in a multicast group on a particular LAN Hosts identify group memberships by sending IGMP messages to their local multicast router Under IGMP routers listen to IGMP messages and periodically send out q...

Page 718: ...describes how to configure optional IGMP settings on a per-interface basis and includes the following topics: Disabling IGMP on an Interface, page 1-6; Configuring IGMP Group Membership, page 1-7; Configuring a Statically Joined IGMP Group, page 1-7; Controlling Access to Multicast Groups, page 1-8; Limiting the Number of IGMP States on an Interface, page 1-8; Modifying the Query Messages to Multicast Groups ...

Page 719: ...the group because of some configuration or there may be no members of a group on the network segment However you still want multicast traffic for that group to be sent to that network segment You can have multicast traffic for that group sent to the segment by configuring a statically joined IGMP group Enter the igmp static group command The ASA does not accept the multicast packets but instead fo...

Page 720: ... 662 25 Creates a standard access list for the multicast traffic. You can create more than one entry for a single access list. You can use extended or standard access lists. The ip_addr mask argument is the IP address of the multicast group being permitted or denied. access-list name extended {permit | deny} protocol src_ip_addr src_mask dst_ip_addr dst_mask Example: hostname(config)# access-list acl2 extend...

Page 721: ...To change the query interval query response time and query timeout value perform the following steps Detailed Steps Changing the IGMP Version By default the ASA runs IGMP Version 2 which enables several additional features such as the igmp query timeout and igmp query interval commands All multicast routers on a subnet must support the same version of IGMP The ASA does not automatically detect Ver...

Page 722: ...atic Rendezvous Point Address page 1 11 Configuring the Designated Router Priority page 1 11 Configuring and Filtering PIM Register Messages page 1 12 Configuring PIM Message Intervals page 1 12 Filtering PIM Neighbors page 1 12 Enabling and Disabling PIM on an Interface You can enable or disable PIM on specific interfaces To enable or disable PIM on an interface perform the following steps Detail...

Page 723: ...ion Configuring the Designated Router Priority The DR is responsible for sending PIM register join and prune messages to the RP When there is more than one multicast router on a network segment selecting the DR is based on the DR priority If multiple devices have the same DR priority then the device with the highest IP address becomes the DR By default the ASA has a DR priority of 1 To change this...

Page 724: ...ltering PIM Neighbors You can define the routers that can become PIM neighbors By filtering the routers that can become PIM neighbors you can do the following Prevent unauthorized routers from becoming PIM neighbors Prevent attached stub routers from participating in PIM To define neighbors that can become a PIM neighbor perform the following steps Command Purpose pim accept register list acl rout...

Page 725: ...network by letting you specify the routers that should participate in the DF election while still allowing all routers to participate in the sparse mode domain The bidir enabled routers can elect a DF from among themselves even when there are non bidir routers on the segment Multicast boundaries on the non bidir routers prevent PIM messages and data from the bidir groups from leaking in or out of ...

Page 726: ...nistratively scoped boundary by entering the filter autorp keyword Any Auto RP group range announcements from the Auto RP packets that are denied by the boundary ACL are removed An Auto RP group range announcement is permitted and passed by the boundary only if all addresses in the Auto RP group range are permitted by the boundary ACL If any address is not permitted the entire group range is filte...

Page 727: ...s Step 1 Enable multicast routing: hostname(config)# multicast-routing Step 2 Configure a static multicast route: hostname(config)# mroute src_ip src_mask input_if_name [rpf_neighbor] [distance] hostname(config)# exit Step 3 Configure the ASA to be a member of a multicast group: hostname(config)# interface hostname(config-if)# igmp join-group group-address Additional References For additional information related t...

Page 728: ...ETF draft ietf idmr igmp proxy 01 txt RFC Title RFC 2113 IP Router Alert Option RFC 2236 IGMPv2 RFC 2362 PIM SM RFC 2588 IP Multicast and Firewalls Table 1 2 Feature History for Multicast Routing Feature Name Platform Releases Feature Information Multicast routing support 7 0 1 Support was added for multicast routing data authentication and redistribution and monitoring of routing information usin...

Page 729: ...solicited-node multicast addresses to determine the link-layer address of a neighbor on the same network (local link), verify the reachability of a neighbor, and keep track of neighboring routers. Nodes (hosts) use neighbor discovery to determine the link-layer addresses for neighbors known to reside on attached links and to quickly purge cached values that become invalid. Hosts also use neighbor discovery...

Page 730: ... is the unicast address of the neighbor Neighbor advertisement messages are also sent when there is a change in the link layer address of a node on a local link When there is such a change the destination address for the neighbor advertisement is the all nodes multicast address Neighbor Reachable Time The neighbor reachable time enables detecting unavailable neighbors Shorter configured times enab...

Page 731: ... used as a default router and if so the amount of time in seconds the router should be used as a default router Additional information for hosts such as the hop limit and MTU a host should use in packets that it originates The amount of time between neighbor solicitation message retransmissions on a given link The amount of time a node considers a neighbor reachable Router advertisements are also ...

Page 732: ...pported in single and multiple context mode Firewall Mode Guidelines Supported in routed mode only Transparent mode is not supported Additional Guidelines and Limitations The interval value is included in all IPv6 router advertisements that are sent out of this interface The configured time enables detecting unavailable neighbors Shorter configured times enable detecting unavailable neighbors more...

Page 733: ...ry cache learned through the IPv6 neighbor discovery process the entry is automatically converted to a static entry These entries are stored in the configuration when the copy command is used to store the configuration Use the show ipv6 neighbor command to view static entries in the IPv6 neighbor discovery cache The clear ipv6 neighbor command deletes all entries in the IPv6 neighbor discovery cac...

Page 734: ...ration Mode Configure neighbor discovery settings per interface To enter interface configuration mode perform the following steps Table 1 1 Default IPv6 Neighbor Discovery Parameters Parameters Default value for the neighbor solicitation transmission message interval 1000 seconds between neighbor solicitation transmissions value for the neighbor reachable time The default is 0 value for the router...

Page 735: ...smission interval of 9000 milliseconds for GigabitEthernet 0/0: hostname(config)# interface gigabitethernet 0/0 hostname(config-if)# ipv6 nd ns-interval 9000 Command Purpose interface name Example: hostname(config)# interface gigabitethernet 0/0 hostname(config-if)# Enters interface configuration mode. Command Purpose ipv6 nd ns-interval value Example: hostname(config-if)# ipv6 nd ns-interval 9000 Sets the inte...

Page 736: ...00 Sets the amount of time that a remote IPv6 node is reachable. Valid values for the value argument range from 0 to 3600000 milliseconds. When 0 is used for the value, the reachable time is sent as undetermined; it is up to the receiving devices to set and track the reachable time value. Command Purpose ipv6 nd ra-interval [msec] value Example: hostname(config-if)# ipv6 nd ra-interval 201 Sets the interval...

Page 737: ...ings To specify DAD settings on the interface, enter the following command. Detailed Steps Command Purpose ipv6 nd ra-lifetime [msec] value Example: hostname(config-if)# ipv6 nd ra-lifetime 2000 Specifies the length of time that nodes on the local link should consider the ASA as the default router on the link. The optional msec keyword indicates that the value provided is in milliseconds. If this keyword i...

Page 738: ...rface To suppress the router lifetime value in IPv6 router advertisements on an interface, enter the following command. Detailed Steps Examples The following example suppresses an IPv6 router advertisement transmission for the specified interface, which is GigabitEthernet 0/0: hostname(config)# interface gigabitethernet 0/0 hostname(config-if)# ipv6 nd suppress-ra 900 Command Purpose ipv6 nd suppress-ra s...

Page 739: ...ipv6 nd managed-config-flag Example: hostname(config-if)# ipv6 nd managed-config-flag Sets the Managed Address Config flag in the IPv6 router advertisement packet. This flag informs IPv6 autoconfiguration clients that they should use DHCPv6 to obtain addresses, in addition to the derived stateless autoconfiguration address. ipv6 nd other-config-flag Example: hostname(config-if)# ipv6 nd other-config-flag S...

Page 740: ...onal infinite keyword specifies that the valid lifetime does not expire The ipv6 prefix argument specifies the IPv6 network number to include in router advertisements This argument must be in the form documented in RFC 2373 where the address is specified in hexadecimal using 16 bit values between colons The optional no advertise keyword indicates to hosts on the local link that the specified prefi...

Page 741: ...entry in the IPv6 neighbor discovery cache enter the following command Detailed Steps Examples The following example adds a static entry for an inside host with an IPv6 address of 3001 1 45A and a MAC address of 002 7D1a 9472 to the neighbor discovery cache hostname config if ipv6 neighbor 3001 1 45A inside 002 7D1A 9472 Command Purpose ipv6 neighbor ipv6_address if_name mac_address Example hostna...

Page 742: ...nd Purpose show ipv6 interface Displays the usability status of interfaces configured for IPv6 Including the interface name such as outside and displays the settings for the specified interface Excludes the name from the command and displays the settings for all interfaces that have IPv6 enabled on them Output for the command shows the following The name and status of the interface The link local ...

Page 743: ... be specified in hexadecimal format using 16 bit values between colons IP Version 6 Addressing Architecture RFC 3849 specifies the requirements for using IPv6 address prefixes in documentation The IPv6 unicast address prefix that has been reserved for use in documentation is 2001 DB8 32 IPv6 Address Prefix Reserved for Documentation Table 1 2 Feature History for IPv6 Neighbor Discovery Feature Nam...

Page 744: ...1 16 Cisco ASA Series CLI Configuration Guide Chapter 1 Configuring IPv6 Neighbor Discovery Feature History for IPv6 Neighbor Discovery ...

Page 745: ...PART 2 Configuring Network Address Translation ...


Page 747: ...NAT for VPN page 1 22 DNS and NAT page 1 28 Where to Go Next page 1 33 Note To start configuring NAT see Chapter 33 Configuring Network Object NAT or Chapter 34 Configuring Twice NAT Why Use NAT Each computer and device within an IP network is assigned a unique IP address that identifies the host Because of a shortage of public IPv4 addresses most of these IP addresses are private not routable any...

Page 748: ...et of traffic that traffic will not be translated but will have all of the security policies applied as normal NAT Terminology This document uses the following terminology Real address host network interface The real address is the address that is defined on the host before it is translated In a typical NAT scenario where you want to translate the inside network when it accesses the outside the in...

Page 749: ...dentity NAT: A real address is statically translated to itself, essentially bypassing NAT. You might want to configure NAT this way when you want to translate a large group of addresses but then want to exempt a smaller subset of addresses. See the Identity NAT section on page 1-10. Static NAT This section describes static NAT and includes the following topics: Information About Static NAT, page 1-3; Info...

Page 750: ... Non Standard Ports page 1 5 Static Interface NAT with Port Translation page 1 5 Information About Static NAT with Port Address Translation When you specify the port with static NAT you can choose to map the port and or the IP address to the same value or to a different value Figure 1 2 shows a typical static NAT with port translation scenario showing both a port that is mapped to itself and a por...

Page 751: ...can configure static NAT to map a real address to an interface address port combination For example if you want to redirect Telnet access for the ASA outside interface to an inside host then you can map the inside host IP address port 23 to the ASA interface address port 23 Note that although Telnet to the ASA is not allowed to the lowest security interface static NAT with interface port translati...

Page 752: ...ust like a one to many configuration only the first mappings are bidirectional subsequent mappings allow traffic to be initiated to the real host but all traffic from the real host uses only the first mapped address for the source Figure 1 4 shows a typical few to many static NAT scenario Figure 1 4 Few to Many Static NAT For a many to few or many to one configuration where you have more real addr...

Page 753: ...ddresses than the real group When a host you want to translate accesses the destination network the ASA assigns the host an IP address from the mapped pool The translation is created only when the real host initiates the connection The translation is in place only for the duration of the connection and a given user does not keep the same IP address after the translation times out Users on the dest...

Page 754: ...ations that have a data stream on one port the control path on another port and are not open standard See the Default Settings section on page 1 4 for more information about NAT and PAT support Dynamic PAT This section describes dynamic PAT and includes the following topics Information About Dynamic PAT page 1 8 Per Session PAT vs Multi Session PAT page 1 9 Dynamic PAT Disadvantages and Advantages...

Page 755: ...the TIME_WAIT state Multi session PAT on the other hand uses the PAT timeout by default 30 seconds For hit and run traffic such as HTTP or HTTPS the per session feature can dramatically increase the connection rate supported by one address Without the per session feature the maximum connection rate for one address for an IP protocol is approximately 2000 per second With the per session feature the...

Page 756: ... to translate an address to itself Identity NAT is necessary for remote access VPN where you need to exempt the client traffic from NAT Figure 1 8 shows a typical identity NAT scenario Figure 1 8 Identity NAT NAT in Routed and Transparent Mode You can configure NAT in both routed and transparent firewall mode This section describes typical usage for each firewall mode and includes the following to...

Page 757: ...rks NAT in transparent mode has the following requirements and limitations Because the transparent firewall does not have any interface IP addresses you cannot use interface PAT ARP inspection is not supported Moreover if for some reason a host on one side of the ASA sends an ARP request to a host on the other side of the ASA and the initiating host real address is mapped to a different address on...

Page 758: ...es the translation of the mapped address 209 165 201 15 back to the real address 10 1 1 1 75 Because the real address is directly connected the ASA sends it directly to the host 4 For host 192 168 1 2 the same process occurs except for returning traffic the ASA looks up the route in its routing table and sends the packet to the downstream router at 10 1 1 3 based on the ASA static route for 192 16...

Page 759: ...optionally translate the addresses net tonet where the first IPv4 address maps to the first IPv6 address the second to the second and so on NAT64 IPv6 to IPv4 You may not have enough IPv4 addresses to accommodate the number of IPv6 addresses We recommend using a dynamic PAT pool to provide a large number of IPv4 translations For specific implementation guidelines and limitations see the configurat...

Page 760: ... All NAT rules that are configured as a parameter of a network object are considered to be network object NAT rules Network object NAT is a quick and easy way to configure NAT for a network object which can be a single IP address a range of addresses or a subnet After you configure the network object you can then identify the mapped address for that object either as an inline address or as another...

Page 761: ... 165.201.11, the real address is translated to 209.165.202.129. When the host accesses the server at 209.165.200.225, the real address is translated to 209.165.202.130. Figure 1-11 Twice NAT with Different Destination Addresses (figure labels omitted) ...

Page 762: ...server for web services, the real address is translated to 209.165.202.129. When the host accesses the same server for Telnet services, the real address is translated to 209.165.202.130. Figure 1-12 Twice NAT with Different Destination Ports (figure labels omitted) ...

Page 763: ...affic to and from the 209.165.201.0/27 network. A translation does not exist for the 209.165.200.224/27 network, so the translated host cannot connect to that network, nor can a host on that network connect to the translated host. Figure 1-13 Twice Static NAT with Destination Address Translation (figure labels omitted) ...

Page 764: ...the end of this section Be sure that you do not configure a twice NAT rule in this section that might match your VPN traffic instead of matching the invisible rule If VPN does not work due to NAT failure consider adding twice NAT rules to section 3 instead Section 2 Network object NAT Section 2 rules are applied in the following order as automatically determined by the ASA 1 Static rules 2 Dynamic...

Page 765: ... the mapped address The ASA also needs to determine the egress interface for any packets it receives destined for mapped addresses This section describes how the ASA handles accepting and delivering packets with NAT and includes the following topics Mapped Addresses and Routing page 1 19 Transparent Mode Routing Requirements for Remote Networks page 1 21 Determining the Egress Interface page 1 22 ...

Page 766: ...g protocol For transparent mode if the real host is directly connected configure the static route on the upstream router to point to the ASA specify the bridge group IP address For remote hosts in transparent mode in the static route on the upstream router you can alternatively specify the downstream router IP address The same address as the real address identity NAT The default behavior for ident...

Page 767: ...proxy ARP lets the ASA keep traffic destined for the virtual Telnet address rather than send the traffic out the source interface according to the NAT rule See Figure 1 15 Figure 1 15 Proxy ARP and Virtual Telnet Transparent Mode Routing Requirements for Remote Networks When you use NAT in transparent mode some types of traffic require static routes See the MAC Address vs Route Lookups section on ...

Page 768: ...se a route lookup instead In certain scenarios a route lookup override is required for example see the NAT and VPN Management Access section on page 1 26 You do not configure the interface in the NAT rule The ASA uses a route lookup to determine the egress interface Figure 1 16 shows the egress interface selection method in routed mode In almost all cases a route lookup is equivalent to the NAT ru...

Page 769: ...ork and any outside network to match the interface PAT rule you set up for Internet access traffic from the VPN client 10 3 3 10 to the SMTP server 10 1 1 6 will be dropped due to a reverse path failure traffic from 10 3 3 10 to 10 1 1 6 does not match a NAT rule but returning traffic from 10 1 1 6 to 10 3 3 10 should match the interface PAT rule for outgoing traffic Because forward and reverse fl...

Page 770: ...ite tunnel connecting the Boulder and San Jose offices For traffic that you want to go to the Internet for example from 10 1 1 6 in Boulder to www example com you need a public IP address provided by NAT to access the Internet The below example uses interface PAT rules However for traffic that you want to go over the VPN tunnel for example from 10 1 1 6 in Boulder to 10 2 2 78 in San Jose you do n...

Page 771: ... traffic same-security-traffic permit intra-interface ! Identify local VPN network, perform object interface PAT when going to Internet (figure labels omitted) ...

Page 772: ...se_inside sanjose_inside See the following sample NAT configuration for ASA2 (San Jose): ! Identify inside San Jose network, perform object interface PAT when going to Internet object network sanjose_inside subnet 10.2.2.0 255.255.255.0 nat (inside,outside) dynamic interface ! Identify inside Boulder network for use in twice NAT rule object network boulder_inside subnet 10.1.1.0 255.255.255.0 ! Identify local...

Page 773: ...more information about the route lookup option. Figure 1-21 VPN Management Access See the following sample NAT configuration for the above network: ! Enable hairpin for non-split-tunneled VPN client traffic same-security-traffic permit intra-interface ! Enable management access on inside ifc management-access inside ! Identify local VPN network, perform object interface PAT when going to Internet object ne...

Page 774: ... IPv6 or the PTR record for reverse DNS queries For DNS replies traversing from a mapped interface to any other interface the record is rewritten from the mapped value to the real value Inversely for DNS replies traversing from any interface to a mapped interface the record is rewritten from the real value to the mapped value Note If you configure a twice NAT rule you cannot configure DNS modifica...

Page 775: ... DMZ network from an outside DNS server The DNS server replies with the mapped address 209 165 201 10 according to the static rule between outside and DMZ even though the user is not on the DMZ network The ASA translates the address inside the DNS reply to 10 1 3 14 If the user needs to access ftp cisco com using the real address then no further configuration is required If there is also DNS Serve...

Page 776: ...to the static rule between inside and DMZ. Figure 1-23 DNS Reply Modification, DNS Server, Host, and Server on Separate Networks (figure labels omitted) ...

Page 777: ... Figure 1-24 DNS Reply Modification, DNS Server on Host Network Figure 1-24 shows an FTP server and DNS server on the outside IPv4 network. The ASA has a static translation for the outside server. In this case, when an inside IPv6 user requests the address for ftp.cisco.com from the DNS server, the DNS server responds with the real address, 209.165.200.225. (figure labels omitted) ...

Page 778: ...25 DNS64 Reply Modification Using Outside NAT (figure labels omitted) ...

Page 779: ... the DNS server responds with the server name, ftp.cisco.com. Figure 1-26 PTR Modification, DNS Server on Host Network Where to Go Next To configure network object NAT, see Chapter 33, Configuring Network Object NAT. To configure twice NAT, see Chapter 34, Configuring Twice NAT. (figure labels omitted) ...

Page 780: ...1 34 Cisco ASA Series CLI Configuration Guide Chapter 1 Information About NAT Where to Go Next ...

Page 781: ...k Object NAT page 1 28 Note For detailed information about how NAT works see Chapter 1 Information About NAT Information About Network Object NAT When a packet enters the ASA both the source and destination IP addresses are checked against the network object NAT rules The source and destination address in the packet can be translated by separate rules if separate matches are made These rules are n...

Page 782: ...de Firewall Mode Guidelines Supported in routed and transparent firewall mode In transparent mode you must specify the real and mapped interfaces you cannot use any In transparent mode you cannot configure interface PAT because the transparent mode interfaces do not have IP addresses You also cannot use the management IP address as a mapped address In transparent mode translating between IPv4 and ...

Page 783: ...IPv6 addresses the object group must include only one type of address You can use the same mapped object or group in multiple NAT rules The mapped IP address pool cannot include The mapped interface IP address If you specify any interface for the rule then all interface IP addresses are disallowed For interface PAT routed mode only use the interface keyword instead of the IP address Transparent mo...

Page 784: ...e 1 2 for information about disallowed mapped IP addresses Dynamic NAT You cannot use an inline address you must configure a network object or group The object or group cannot contain a subnet the object must define a range the group can include hosts and ranges If a mapped network object contains both ranges and host IP addresses then the ranges are used for dynamic NAT and then the host IP addre...

Page 785: ...dress group: object-group network grp_obj_name Example: hostname(config)# object network TEST hostname(config-network-object)# range 10.1.1.1 10.1.1.70 hostname(config-network-object)# object network TEST2 hostname(config-network-object)# range 10.1.2.1 10.1.2.70 hostname(config-network-object)# object-group network MAPPED_IPS hostname(config-network)# network-object object TEST hostname(config-network)# network-object object TEST2 hostname ...

Page 786: ...255.255.0 If you are creating a new network object, defines the real IP address(es), either IPv4 or IPv6, that you want to translate. Step 4 nat [(real_ifc,mapped_ifc)] dynamic mapped_obj [interface [ipv6]] [dns] Example: hostname(config-network-object)# nat (inside,outside) dynamic MAPPED_IPS interface Configures dynamic NAT for the object IP addresses. Note You can only define a single NAT rule for a given object. Se...

Page 787: ...network-object object IPv4_NAT_RANGE hostname(config-network-object)# network-object object IPv4_PAT hostname(config-network-object)# object network my_net_obj5 hostname(config-network-object)# subnet 2001:DB8::/96 hostname(config-network-object)# nat (inside,outside) dynamic IPv4_GROUP interface Configuring Dynamic PAT (Hide) This section describes how to configure network object NAT for dynamic PAT (hide). For m...

Page 788: ...If the ASA fails over then subsequent connections from a host may not use the initial IP address Round robin especially when combined with extended PAT can consume a large amount of memory Because NAT pools are created for every mapped protocol IP address port range round robin results in a large number of concurrent NAT pools which use memory Extended PAT results in an even larger number of concu...

Page 789: ...ed IP address You can specify the mapped IP address as An inline host address An existing network object that is defined as a host address see Step 1 pat pool An existing network object or group that contains multiple addresses interface Routed mode only The IP address of the mapped interface is used as the mapped address If you specify ipv6 then the IPv6 address of the interface is used For this ...

Page 790: ...eate a translation of 10 1 1 1 1027 when going to 192 168 1 7 23 as well as a translation of 10 1 1 1 1027 when going to 192 168 1 7 80 Flat range The flat keyword enables use of the entire 1024 to 65535 port range when allocating ports When choosing the mapped port number for a translation the ASA uses the real source port number if it is available However without this option if the real port is ...

Page 791: ...twork object nat inside outside dynamic pat pool IPv4_POOL Configuring Static NAT or Static NAT with Port Translation This section describes how to configure a static NAT rule using network object NAT For more information see the Static NAT section on page 1 3 Detailed Steps Command Purpose Step 1 Optional Create a network object or group for the mapped addresses See the Adding Network Objects for...

Page 792: ...Network Object NAT Step 3 host ip_address subnet subnet_address netmask range ip_address_1 ip_address_2 Example hostname config network object subnet 10 2 1 0 255 255 255 0 If you are creating a new network object defines the real IP address es IPv4 or IPv6 that you want to translate Command Purpose ...

Page 793: ... the mapped address then the mapped range will include 172 20 1 1 through 172 20 1 6 An existing network object or group see Step 1 interface Static NAT with port translation only routed mode For this option you must configure a specific interface for the mapped_ifc If you specify ipv6 then the IPv6 address of the interface is used Be sure to also configure the service keyword Typically you config...

Page 794: ...nterface service tcp 21 2121 The following example maps an inside IPv4 network to an outside IPv6 network: hostname(config)# object network inside_v4_v6 hostname(config-network-object)# subnet 10.1.1.0 255.255.255.0 hostname(config-network-object)# nat (inside,outside) static 2001:DB8::/96 The following example maps an inside IPv6 network to an outside IPv6 network: hostname(config)# object network inside_v6 ho...

Page 795: ...ed interfaces Be sure to include the parentheses in your command In routed mode if you do not specify the real and mapped interfaces all interfaces are used you can also specify the keyword any for one or both of the interfaces Mapped IP addresses Be sure to configure the same IP address for both the mapped and real address Use one of the following Network object Including the same IP address as t...

Page 796: ...T vs. Multi-Session PAT section on page 1-9. Defaults By default, the following rules are installed: xlate per-session permit tcp any4 any4 xlate per-session permit tcp any4 any6 xlate per-session permit tcp any6 any4 xlate per-session permit tcp any6 any6 xlate per-session permit udp any4 any4 eq domain xlate per-session permit udp any4 any6 eq domain xlate per-session permit udp any6 any4 eq domain ...

Page 797: ... but below any other manually created rules Be sure to create your rules in the order you want them applied For the source and destination IP addresses you can configure the following host ip_address Specifies an IPv4 host address ip_address mask Specifies an IPv4 network address and subnet mask ipv6 address prefix length Specifies an IPv6 host or network address and prefix any4 and any6 any4 spec...

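The per-session rule table above is easiest to reason about as a first-match list in which the manually created rules sit above the defaults. The following Python model is an added example, not Cisco code: it parses the default rules exactly as printed, lets you prepend your own `xlate per-session` rules, classifies a flow as per-session or multi-session PAT, and derives the connection-rate ceiling the text quotes for multi-session PAT (one address's 65535 ports recycling every 30-second PAT timeout). The 30-second timeout and the "no match means multi-session" fallthrough are taken from the page; the `max_rate_per_pat_address` figure is this model's arithmetic, not an ASA guarantee.

```python
"""Model of the ASA "xlate per-session" rule table.

Added example, not Cisco code: it reproduces the default rule set, places
manually created rules above the defaults, and classifies a connection as
per-session or multi-session PAT by first match.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PAT_TIMEOUT_S = 30            # multi-session PAT xlate timeout quoted on the page
PORTS_PER_PAT_ADDRESS = 65535
PORT_NAMES = {"domain": 53}   # the only service name the default rules use


@dataclass(frozen=True)
class PerSessionRule:
    action: str                      # "permit" = per-session PAT, "deny" = multi-session PAT
    proto: str                       # "tcp" or "udp"
    src: str                         # address spec, see match_addr()
    dst: str
    dst_port: Optional[int] = None   # "eq <port>" on the destination; None = any port


def match_addr(spec: str, addr: str) -> bool:
    """Match an address against an ASA-style spec: any, any4, any6,
    'host A', 'A MASK' (IPv4 network) or 'PREFIX/LEN' (IPv6 network)."""
    ip = ipaddress.ip_address(addr)
    if spec == "any":
        return True
    if spec in ("any4", "any6"):
        return ip.version == (4 if spec == "any4" else 6)
    parts = spec.split()
    if parts[0] == "host":
        return ip == ipaddress.ip_address(parts[1])
    if len(parts) == 2:                     # "address netmask"
        net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
    else:
        net = ipaddress.ip_network(parts[0], strict=False)
    return ip.version == net.version and ip in net


def parse_rule(line: str) -> PerSessionRule:
    """Parse 'xlate per-session {permit|deny} {tcp|udp} SRC DST [eq PORT]'."""
    toks = line.split()
    if toks[:2] != ["xlate", "per-session"]:
        raise ValueError(f"not an xlate per-session rule: {line}")
    action, proto, rest = toks[2], toks[3], toks[4:]
    port = None
    if len(rest) >= 2 and rest[-2] == "eq":
        port = PORT_NAMES.get(rest[-1]) or int(rest[-1])
        rest = rest[:-2]

    def take(tokens):
        # 'host X' and IPv4 'A MASK' specs are two tokens; everything else is one
        is_v4_net = tokens[0][0].isdigit() and "." in tokens[0]
        n = 2 if tokens[0] == "host" or is_v4_net else 1
        return " ".join(tokens[:n]), tokens[n:]

    src, rest = take(rest)
    dst, rest = take(rest)
    if rest:
        raise ValueError(f"unparsed tokens {rest} in: {line}")
    return PerSessionRule(action, proto, src, dst, port)


DEFAULT_RULES = [parse_rule(l) for l in """
xlate per-session permit tcp any4 any4
xlate per-session permit tcp any4 any6
xlate per-session permit tcp any6 any4
xlate per-session permit tcp any6 any6
xlate per-session permit udp any4 any4 eq domain
xlate per-session permit udp any4 any6 eq domain
xlate per-session permit udp any6 any4 eq domain
xlate per-session permit udp any6 any6 eq domain
""".strip().splitlines()]


class PerSessionTable:
    def __init__(self, user_rules=()):
        # Manually created rules sit above the defaults and are checked first,
        # in the order they were created.
        self.rules = [parse_rule(l) for l in user_rules] + DEFAULT_RULES

    def is_per_session(self, proto, src, dst, dst_port) -> bool:
        for r in self.rules:
            if (r.proto == proto and match_addr(r.src, src) and match_addr(r.dst, dst)
                    and (r.dst_port is None or r.dst_port == dst_port)):
                return r.action == "permit"
        return False   # no rule matched (e.g. UDP other than DNS): multi-session PAT


def max_rate_per_pat_address(per_session: bool) -> Optional[int]:
    """Rough ceiling on new connections per second for one PAT address.
    Multi-session xlates linger for PAT_TIMEOUT_S after the connection ends,
    so the port space turns over at about PORTS / timeout (the page rounds
    this to roughly 2000/s). Per-session xlates are freed on the closing RST,
    so this model returns None: the limit is platform capacity, not ports."""
    return None if per_session else PORTS_PER_PAT_ADDRESS // PAT_TIMEOUT_S


if __name__ == "__main__":
    table = PerSessionTable(["xlate per-session deny tcp 10.1.1.0 255.255.255.0 any4 eq 443"])
    print(table.is_per_session("tcp", "10.1.1.5", "203.0.113.9", 443))   # False: manual deny
    print(table.is_per_session("tcp", "10.1.1.5", "203.0.113.9", 80))    # True: default permit
    print(max_rate_per_pat_address(False))                              # 2184
```

The `deny` rule in the usage shows the ordering rule from the text: because it is evaluated before the default `permit tcp any4 any4`, HTTPS from that subnet is pinned to multi-session PAT while the rest of the subnet's TCP stays per-session.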
Page 798: ...64 with DNS64 Modification, page 1-26.
show running-config nat: Shows the NAT configuration.
Note: You cannot view the NAT configuration using the show running-config object command. You cannot reference objects or object groups that have not yet been created in nat commands. To avoid forward or circular references in show command output, the show running-config command shows the object command two times...

Page 799: ...er:
    hostname(config)# object network myWebServ
Step 2: Define the web server address:
    hostname(config-network-object)# host 10.1.2.27
Step 3: Configure static NAT for the object:
    hostname(config-network-object)# nat (inside,outside) static 209.165.201.10
NAT for Inside Hosts (Dynamic NAT) and NAT for an Outside Web Server (Static NAT)
The following example configures dynamic NAT for inside users on a private netwo...

Page 800: ...ject network myInsNet
    hostname(config-network-object)# subnet 10.1.2.0 255.255.255.0
Step 3: Enable dynamic NAT for the inside network:
    hostname(config-network-object)# nat (inside,outside) dynamic myNatPool
Step 4: Create a network object for the outside web server:
    hostname(config)# object network myWebServ
Step 5: Define the web server address:
    hostname(config-network-object)# host 209.165.201.12
Step 6: Config...

Page 801: ...NAT with One-to-Many for an Inside Load Balancer
Step 1: Create a network object for the addresses to which you want to map the load balancer:
    hostname(config)# object network myPublicIPs
    hostname(config-network-object)# range 209.165.201.3 209.165.201.8
Step 2: Create a network object for the load balancer:
    hostname(config)# object network myLBHost
Step 3: Define the load balancer address:
    hostname(config-ne...

Page 802: ...ig)# object network FTP_SERVER
Step 2: Define the FTP server address and configure static NAT with identity port translation for the FTP server:
    hostname(config-network-object)# host 10.1.2.27
    hostname(config-network-object)# nat (inside,outside) static 209.165.201.3 service tcp ftp ftp
Step 3: Create a network object for the HTTP server address:
    hostname(config)# object network HTTP_SERVER
Step 4: Define the HT...

Page 803: ...atic 209.165.201.3 service tcp smtp smtp
DNS Server on Mapped Interface, Web Server on Real Interface (Static NAT with DNS Modification)
For example, a DNS server is accessible from the outside interface. A server, ftp.cisco.com, is on the inside interface. You configure the ASA to statically translate the ftp.cisco.com real address (10.1.3.14) to a mapped address (209.165.201.10) that is visible on the outsi...

Page 804: ...o 209.165.201.10 instead of accessing ftp.cisco.com directly.
Figure 1-5: DNS Reply Modification
Step 1: Create a network object for the FTP server address:
    hostname(config)# object network FTP_SERVER
Step 2: Define the FTP server address and configure static NAT with DNS modification:
    hostname(config-network-object)# host 10.1.3.14
    hostname(config-network-object)# nat (inside,outside) static 209.165.201.10 dns...

Page 805: ...ou need to configure DNS reply modification for the static translation.
Figure 1-6: DNS Reply Modification Using Outside NAT
Step 1: Create a network object for the FTP server address:
    hostname(config)# object network FTP_SERVER
Step 2: Define the FTP server address and configure static NAT with DNS modification:
    hostname(config-network-object)# host 209.165.201.10
    hostname(config-network-object)# nat (outside...

Page 806: ...odification Using Outside NAT
Step 1: Configure static NAT with DNS modification for the FTP server.
a. Create a network object for the FTP server address:
    hostname(config)# object network FTP_SERVER
b. Define the FTP server address and configure static NAT with DNS modification; because this is a one-to-one translation, configure the net-to-net method for NAT46:
    hostname(config-network-object)# host 209...

Page 807: ...me(config-network-object)# nat (outside,inside) static 2001:DB8::D1A5:C90F/128 net-to-net
Step 3: Configure an IPv4 PAT pool for translating the inside IPv6 network:
    hostname(config)# object network IPv4_POOL
    hostname(config-network-object)# range 203.0.113.1 203.0.113.254
Step 4: Configure PAT for the inside IPv6 network.
a. Create a network object for the inside IPv6 network:
    hostname(config)# object network IPv...

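The two DNS modification scenarios above differ only in which side of the static rule the DNS reply comes from: a reply from a server on the mapped interface gets the mapped address replaced with the real one, and a reply from a server on the real interface gets the real address replaced with the mapped one. The Python below is an added example, not ASA code: it builds a constructed DNS response, walks the answer section (handling name compression), and rewrites A records according to `StaticDnsRule` objects that stand in for `nat (real_ifc,mapped_ifc) static <mapped> dns`. It simplifies the real behaviour to the reply's ingress interface; on an ASA the rewrite also depends on DNS inspection being enabled and on the interfaces the reply actually crosses.

```python
"""DNS reply modification for static NAT, modelled in Python.

Added example, not ASA code. The rewrite direction is chosen from the
interface on which the DNS reply arrives; AAAA records are left alone.
"""
import ipaddress
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticDnsRule:
    """Stands in for: nat (real_ifc,mapped_ifc) static <mapped> dns"""
    real_ifc: str
    mapped_ifc: str
    real: str
    mapped: str


def build_dns_reply(name: str, addresses, txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS response: one A question, one A answer per address."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    question = labels + struct.pack("!HH", 1, 1)            # QTYPE A, QCLASS IN
    answers = b"".join(
        struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + ipaddress.IPv4Address(a).packed
        for a in addresses)                                  # name = pointer to offset 12
    return header + question + answers


def _skip_name(buf, off: int) -> int:
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def _a_record_offsets(buf):
    """Yield the rdata offset of every A record in the answer section."""
    qdcount, ancount = struct.unpack_from("!HH", buf, 4)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(buf, off) + 4                       # QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            yield off
        off += rdlen


def a_records(packet: bytes):
    """Addresses in the answer section, in order."""
    return [str(ipaddress.IPv4Address(bytes(packet[o:o + 4]))) for o in _a_record_offsets(packet)]


def rewrite_a_records(packet: bytes, mapping: dict):
    """Rewrite every A record whose address is a key of mapping.
    Returns (new_packet, [(old, new), ...]); packet length never changes."""
    buf = bytearray(packet)
    changed = []
    for off in _a_record_offsets(buf):
        old = str(ipaddress.IPv4Address(bytes(buf[off:off + 4])))
        if old in mapping:
            buf[off:off + 4] = ipaddress.IPv4Address(mapping[old]).packed
            changed.append((old, mapping[old]))
    return bytes(buf), changed


def apply_dns_modification(packet: bytes, rules, reply_ingress_ifc: str):
    """Pick the rewrite direction per rule from where the DNS reply enters."""
    mapping = {}
    for r in rules:
        if reply_ingress_ifc == r.mapped_ifc:     # client on the real side: mapped -> real
            mapping[r.mapped] = r.real
        elif reply_ingress_ifc == r.real_ifc:     # client on the mapped side: real -> mapped
            mapping[r.real] = r.mapped
    return rewrite_a_records(packet, mapping)


if __name__ == "__main__":
    # Figure 1-5 scenario: ftp.cisco.com is 10.1.3.14 inside, 209.165.201.10 outside.
    rule = StaticDnsRule("inside", "outside", "10.1.3.14", "209.165.201.10")
    reply = build_dns_reply("ftp.cisco.com", ["209.165.201.10"])   # from the outside DNS server
    fixed, changed = apply_dns_modification(reply, [rule], "outside")
    print(a_records(fixed), changed)   # ['10.1.3.14'] [('209.165.201.10', '10.1.3.14')]
```

The outside-NAT case from Figure 1-6 is the same function with the rule's interfaces swapped: `StaticDnsRule("outside", "inside", "209.165.201.10", "10.1.2.56")` and a reply entering on `outside` yields `10.1.2.56` for the inside client.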
Page 808: ...enable or disable them discretely. Note that you can now also disable proxy ARP for regular static NAT. When upgrading to 8.4(2) from 8.3(1), 8.3(2), and 8.4(1), all identity NAT configurations will now include the no-proxy-arp and route-lookup keywords to maintain existing functionality. We modified the following command: nat static [no-proxy-arp] [route-lookup].
PAT pool and round robin address assignment (8.4...

Page 809: ...ports to be used instead of the three unequal-sized tiers: either 1024 to 65535, or 1 to 65535. We modified the following command: nat dynamic [pat-pool mapped_object [flat [include-reserve]]]. This feature is not available in 8.5(1) or 8.6(1).
Extended PAT for a PAT pool (8.4(3)): Each PAT IP address allows up to 65535 ports. If 65535 ports do not provide enough translations, you can now enable extended PAT for a PAT...

Page 810: ...the rules using the show nat command.
Note: Because of routing issues, we do not recommend using this feature unless you know you need this feature; contact Cisco TAC to confirm feature compatibility with your network. See the following limitations:
Only supports Cisco IPsec and AnyConnect Client.
Return traffic to the public IP addresses must be routed back to the ASA so the NAT policy and VPN policy c...

Page 811: ...elease the connection, avoiding the TIME_WAIT state. Multi-session PAT, on the other hand, uses the PAT timeout, by default 30 seconds. For "hit-and-run" traffic, such as HTTP or HTTPS, the per-session feature can dramatically increase the connection rate supported by one address. Without the per-session feature, the maximum connection rate for one address for an IP protocol is approximately 2000 per second. W...


Page 813: ...destination addresses lets you specify that a source address should be translated to A when going to destination X, but be translated to B when going to destination Y, for example.
Note: For static NAT, the rule is bidirectional, so be aware that "source" and "destination" are used in commands and descriptions throughout this guide even though a given connection might originate at the "destination" address. Fo...

Page 814: ...he Configuring Network Objects and Groups section on page 1-2. For static NAT with port translation, configure TCP or UDP service objects (the object service command). To create a service object, see the Configuring Service Objects and Service Groups section on page 1-5. For specific guidelines for objects and groups, see the configuration section for the NAT type you want to configure. See also the Guidel...

Page 815: ...ftp
    service tcp destination eq ftp
    object service MAPPED_ftp
    service tcp destination eq 2021
    object network MyOutNet
    subnet 209.165.201.0 255.255.255.224
    nat (inside,outside) source static MyInsNet MapInsNet destination static Server1_mapped Server1 service MAPPED_ftp REAL_ftp
If you change the NAT configuration, and you do not want to wait for existing translations to time out before the new NAT inf...

Page 816: ...pool addresses.
Default Settings: By default, the rule is added to the end of section 1 of the NAT table. (Routed mode) The default real and mapped interface is Any, which applies the rule to all interfaces. If you specify an optional interface, then the ASA uses the NAT configuration to determine the egress interface, but you have the option to always use a route lookup instead.
Configuring Twice NAT: This s...

Page 817: ...he real addresses have the same quantity as the mapped addresses. You can, however, have different quantities if desired. For more information, see the Static NAT section on page 1-3.
Source (Identity NAT): The real and mapped objects must match; you can use the same object for both, or you can create separate objects that contain the same IP addresses.
Destination (Static NAT or Static NAT with port translati...

Page 818: ...Source (Dynamic NAT): Source dynamic NAT does not support port translation.
Command / Purpose:
    object network obj_name
    {host ip_address | subnet subnet_address netmask | range ip_address_1 ip_address_2}
Example:
    hostname(config)# object network MyInsNet
    hostname(config-network-object)# subnet 10.1.1.0 255.255.255.0
Adds a network object, either IPv4 or IPv6.
    object-group network grp_name
    network-object object net_ob...

Page 819: ...tination ports if your application uses a fixed source port (such as some DNS servers), but fixed source ports are rare. For example, if you want to translate the port for the source host, then configure the source service.
Destination (Static NAT or Static NAT with port translation): The destination translation is always static. For non-static source NAT, you can only perform port translation on the destinat...

Page 820: ...1-4. If you want to translate all source traffic, you can skip adding an object for the source real addresses, and instead specify the any keyword in the nat command. If you want to configure destination static interface NAT with port translation only, you can skip adding an object for the destination mapped addresses, and instead specify the interface keyword in the nat command.
Step 2 (Optional): Create...

Page 821: ...rfaces are used; you can also specify the keyword any for one or both of the interfaces.
Section and Line (Optional): By default, the NAT rule is added to the end of section 1 of the NAT table; see the NAT Rule Order section on page 1-18. If you want to add the rule into section 3 instead (after the network object NAT rules), then use the after-auto keyword. You can insert a rule anywhere in the applicable se...

Page 822: ...ddresses.
Destination port (Optional): Specify the service keyword along with the mapped and real service objects. For identity port translation, simply use the same service object for both the real and mapped ports.
DNS (Optional, for a source-only rule): The dns keyword translates DNS replies. Be sure DNS inspection is enabled (it is enabled by default). You cannot configure the dns keyword if you configure a...

Page 823: ...SIDE_NW MAPPED_2 destination static SERVERS_2 SERVERS_2
The following example configures dynamic NAT for an IPv6 inside network 2001:DB8:AAAA::/96 when accessing servers on the IPv4 209.165.201.1/27 network, as well as servers on the 203.0.113.0/24 network:
    hostname(config)# object network INSIDE_NW
    hostname(config-network-object)# subnet 2001:DB8:AAAA::/96
    hostname(config)# object network MAPPED_1
    hostname(c...

Page 824: ...Application Layer Protocol Inspection for a complete list of unsupported inspections. If you enable extended PAT for a dynamic PAT rule, then you cannot also use an address in the PAT pool as the PAT address in a separate static NAT with port translation rule. For example, if the PAT pool includes 10.1.1.1, then you cannot create a static NAT with port translation rule using 10.1.1.1 as the PAT address...

Page 825: ...e real addresses, and instead specify the any keyword in the nat command. If you want to use the interface address as the mapped address, you can skip adding an object for the source mapped addresses, and instead specify the interface keyword in the nat command. If you want to configure destination static interface NAT with port translation only, you can skip adding an object for the destination mapped...

Page 826: ...Section and Line (Optional): By default, the NAT rule is added to the end of section 1 of the NAT table; see the NAT Rule Order section on page 1-18. If you want to add the rule into section 3 instead (after the network object NAT rules), then use the after-auto keyword. You can insert a rule anywhere in the applicable section using the line argument.
Source addresses: Real: Specify a network object, group, or t...

Page 827: ...translation information. Normally, the destination port and address are not considered when creating PAT translations, so you are limited to 65535 ports per PAT address. For example, with extended PAT you can create a translation of 10.1.1.1:1027 when going to 192.168.1.7:23, as well as a translation of 10.1.1.1:1027 when going to 192.168.1.7:80.
Flat range: The flat keyword enables use of the entire 102...

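The PAT pool options described above (the default three port tiers, `flat` with or without `include-reserve`, round-robin address use, and `extended` PAT keyed on the destination) are easiest to compare by counting how many translations each yields. The Python below is an added example, not ASA code; it models only the mapped-port choice. Stated assumptions: ports are handed out lowest-free-first within the chosen range, translations are never released, the real source port is not preserved, and without `round-robin` one address is exhausted before the next is used. The `conflicts_with_static_pat` check encodes the extended-PAT guideline quoted on page 824.

```python
"""Mapped-port selection of an ASA dynamic PAT pool, modelled in Python.

Added example, not ASA code. Shows the default port tiers, the flat range,
round-robin versus fill-first address use, and extended PAT's per-destination
keying (why 10.1.1.1:1027 can serve two different destinations).
"""
from itertools import cycle

# Default tiers: a real source port is mapped to a port in its own tier.
TIERS = ((1, 511), (512, 1023), (1024, 65535))


class PatPool:
    def __init__(self, addresses, round_robin=False, flat=False,
                 include_reserve=False, extended=False):
        self.addresses = list(addresses)
        self.round_robin, self.flat = round_robin, flat
        self.include_reserve, self.extended = include_reserve, extended
        self.in_use = set()       # translation keys currently allocated
        self._cursor = {}         # (address, range_low, dst-or-None) -> next candidate port
        self._rr = cycle(self.addresses)

    def port_range(self, real_port):
        if self.flat:                      # one flat range instead of three tiers
            return (1 if self.include_reserve else 1024), 65535
        for lo, hi in TIERS:
            if lo <= real_port <= hi:
                return lo, hi
        raise ValueError(f"invalid port {real_port}")

    def _key(self, address, port, dst):
        # Extended PAT adds the destination to the key, so the same mapped
        # address:port can be reused towards a different destination.
        return (address, port, dst) if self.extended else (address, port)

    def _address_order(self):
        if not self.round_robin:           # default: use up one address before the next
            return self.addresses
        first = next(self._rr)             # round-robin: start from the next address each time
        i = self.addresses.index(first)
        return self.addresses[i:] + self.addresses[:i]

    def allocate(self, real_port, dst=None):
        """Return (mapped_address, mapped_port), or None when the range is exhausted."""
        lo, hi = self.port_range(real_port)
        for address in self._address_order():
            ck = (address, lo, dst if self.extended else None)
            port = self._cursor.get(ck, lo)
            while port <= hi and self._key(address, port, dst) in self.in_use:
                port += 1
            self._cursor[ck] = port + 1
            if port <= hi:
                self.in_use.add(self._key(address, port, dst))
                return address, port
        return None


def capacity(pool, real_port, dst=None):
    """Count the translations one real-port tier yields before exhaustion."""
    n = 0
    while pool.allocate(real_port, dst) is not None:
        n += 1
    return n


def conflicts_with_static_pat(pool, static_pat_address):
    """An extended-PAT pool address may not also be the PAT address of a
    separate static NAT with port translation rule."""
    return pool.extended and static_pat_address in pool.addresses


if __name__ == "__main__":
    plain = PatPool(["10.1.1.1"])
    ext = PatPool(["10.1.1.1"], extended=True)
    for pool in (plain, ext):
        a = pool.allocate(40000, ("192.168.1.7", 23))
        b = pool.allocate(40001, ("192.168.1.7", 80))
        print("extended" if pool.extended else "plain", a, b)
    print("ports below 512 with default tiers:", capacity(PatPool(["10.1.1.1"]), 80))     # 511
    print("ports below 512 with flat include-reserve:",
          capacity(PatPool(["10.1.1.1"], flat=True, include_reserve=True), 80))          # 65535
```

Running it shows the point the text makes about low source ports: with the default tiers a source port of 80 can only be mapped into 1 to 511, so that tier exhausts after 511 translations per address, whereas `flat include-reserve` opens the whole 1 to 65535 range to it.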
Page 828: ...pped addresses.
Destination port (Optional): Specify the service keyword along with the real and mapped service objects. For identity port translation, simply use the same service object for both the real and mapped ports.
DNS (Optional, for a source-only rule): The dns keyword translates DNS replies. Be sure DNS inspection is enabled (it is enabled by default). You cannot configure the dns keyword if you config...

Page 829: ...ELNET_SVR TELNET_SVR service TELNET TELNET
    hostname(config)# nat (inside,outside) source dynamic INSIDE_NW pat-pool PAT_POOL destination static SERVERS SERVERS
The following example configures interface PAT for inside network 192.168.1.0/24 when accessing outside IPv6 Telnet server 2001:DB8::23, and dynamic PAT using a PAT pool when accessing any server on the 2001:DB8:AAAA::/96 network:
    hostname(config)# ob...

Page 830: ...e the Adding Network Objects for Real and Mapped Addresses section on page 1-4. If you want to configure source static interface NAT with port translation only, you can skip adding an object for the source mapped addresses, and instead specify the interface keyword in the nat command. If you want to configure destination static interface NAT with port translation only, you can skip adding an object for...

Page 831: ...er the network object NAT rules), then use the after-auto keyword. You can insert a rule anywhere in the applicable section using the line argument.
Source addresses: Real: Specify a network object or group. Mapped: Specify a different network object or group. For static interface NAT with port translation only, you can specify the interface keyword (routed mode only). If you specify ipv6, then the IPv6 address...

Page 832: ...ject: the first service object contains the real source port and mapped destination port; the second service object contains the mapped source port and real destination port. For identity port translation, simply use the same service object for both the real and mapped ports (source and/or destination ports, depending on your configuration).
Net-to-net (Optional): For NAT46, specify net-to-net to translate the first...

Page 833: ...IPv6 network, and the dynamic PAT translation to an IPv4 PAT pool when accessing the IPv4 network:
    hostname(config)# object network INSIDE_NW
    hostname(config-network-object)# subnet 2001:DB8:AAAA::/96
    hostname(config)# object network MAPPED_IPv6_NW
    hostname(config-network-object)# subnet 2001:DB8:BBBB::/96
    hostname(config)# object network OUTSIDE_IPv6_NW
    hostname(config-network-object)# subnet 2001:DB8:CCCC::/96
    hos...

Page 834: ...n page 1-4. If you want to perform identity NAT for all addresses, you can skip creating an object for the source real addresses, and instead use the keywords any any in the nat command. If you want to configure destination static interface NAT with port translation only, you can skip adding an object for the destination mapped addresses, and instead specify the interface keyword in the nat command...

Page 835: ...tional): Mapped: Specify a network object or group, or, for static interface NAT with port translation only, specify the interface keyword (routed mode only). If you specify ipv6, then the IPv6 address of the interface is used. If you specify interface, be sure to also configure the service keyword; in this case, the service objects should include only the destination port. For this option, you must configure a s...

Page 836: ...PAT, page 1-25. (Continued)
No Proxy ARP (Optional): Specify no-proxy-arp to disable proxy ARP for incoming packets to the mapped IP addresses. See the Mapped Addresses and Routing section on page 1-19 for more information.
Route lookup (Optional; routed mode only; interface(s) specified): Specify route-lookup to determine the egress interface using a route lookup instead of using the interface specified in the...

Page 837: ...ject)# subnet 10.1.2.0 255.255.255.0
Step 2: Add a network object for DMZ network 1:
    hostname(config)# object network DMZnetwork1
    hostname(config-network-object)# subnet 209.165.201.0 255.255.255.224
Step 3: Add a network object for the PAT address:
    hostname(config)# object network PATaddress1
    hostname(config-network-object)# host 209.165.202.129
Step 4: Configure the first twice NAT rule:
    hostname(config)# nat...

Page 838: ...e,dmz) source dynamic myInsideNetwork PATaddress2 destination static DMZnetwork2 DMZnetwork2
Different Translation Depending on the Destination Address and Port (Dynamic PAT)
Figure 1-2 shows the use of source and destination ports. The host on the 10.1.2.0/24 network accesses a single host for both web services and Telnet services. When the host accesses the server for Telnet services, the real address...

Page 839: ...static TelnetWebServer TelnetWebServer service TelnetObj TelnetObj
Because you do not want to translate the destination address or port, you need to configure identity NAT for them by specifying the same address for the real and mapped destination addresses, and the same port for the real and mapped service. By default, the NAT rule is added to the end of section 1 of the NAT table. See the Configuring...

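The twice NAT examples above all land in section 1 of the NAT table, ahead of the network object NAT rules in section 2, unless `after-auto` pushes them to section 3; within section 2 the ASA orders rules itself. The Python below is an added example, not ASA code: it parses the `object network` and `nat` forms used in this chapter's examples (host/subnet/range objects; object NAT `nat (in,out) static|dynamic X`; twice NAT `nat (in,out) source static|dynamic A B [destination static M R] [after-auto]`), assigns each rule to a section, orders section 2 the way the text describes (static before dynamic, fewer real addresses first, then lower address, then object name), and returns the rule a given real source and destination would hit. The sample configuration is constructed from the page's own examples plus one catch-all `after-auto` rule; interfaces, ports and the mapped side are recorded but not evaluated.

```python
"""NAT table order and first-match lookup for object NAT and twice NAT.

Added example, not ASA code. Sections: 1 = twice NAT, 2 = network object
NAT (auto-ordered), 3 = twice NAT with after-auto. Lookup is first match.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class NatRule:
    name: str
    kind: str                            # "static" or "dynamic"
    real: str                            # CIDR or "first-last" range of real addresses
    mapped: str                          # literal or object name, as written
    twice: bool = False                  # manual (twice) NAT vs network object NAT
    after_auto: bool = False             # twice NAT placed in section 3
    destination: Optional[str] = None    # twice NAT destination real addresses; None = any


def contains(spec: str, addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(s) for s in spec.split("-"))
        return lo.version == ip.version and lo <= ip <= hi
    net = ipaddress.ip_network(spec, strict=False)
    return net.version == ip.version and ip in net


def size_and_lowest(spec: str):
    """(number of real addresses, lowest address as int): the section 2 sort keys."""
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(s) for s in spec.split("-"))
        return int(hi) - int(lo) + 1, int(lo)
    net = ipaddress.ip_network(spec, strict=False)
    return net.num_addresses, int(net.network_address)


def parse_config(text: str):
    """Build NatRule objects from ASA-style object and nat lines."""
    objects, rules, current = {}, [], None

    def obj(name):
        return "0.0.0.0/0" if name == "any" else objects[name]

    for line in text.strip().splitlines():
        t = line.split()
        if t[:2] == ["object", "network"]:
            current = t[2]
        elif t[0] == "host":
            objects[current] = f"{t[1]}/{'128' if ':' in t[1] else '32'}"
        elif t[0] == "subnet":                                  # "A MASK" or "PREFIX/LEN"
            spec = t[1] if len(t) == 2 else f"{t[1]}/{t[2]}"
            objects[current] = str(ipaddress.ip_network(spec, strict=False))
        elif t[0] == "range":
            objects[current] = f"{t[1]}-{t[2]}"
        elif t[0] == "nat" and t[2] == "source":               # twice NAT
            dest = obj(t[t.index("destination") + 3]) if "destination" in t else None
            rules.append(NatRule(f"{t[4]}->{t[5]}", t[3], obj(t[4]), t[5],
                                 twice=True, after_auto="after-auto" in t, destination=dest))
        elif t[0] == "nat":                                     # network object NAT
            rules.append(NatRule(current, t[2], objects[current], t[3]))
    return rules


def nat_table(rules):
    """Return the rules in the order the ASA evaluates them."""
    section1 = [r for r in rules if r.twice and not r.after_auto]
    section2 = sorted((r for r in rules if not r.twice),
                      key=lambda r: (r.kind != "static", *size_and_lowest(r.real), r.name))
    section3 = [r for r in rules if r.twice and r.after_auto]
    return section1 + section2 + section3


def lookup(rules, src: str, dst: str) -> Optional[NatRule]:
    """First rule whose real source (and, for twice NAT, destination) matches."""
    for r in nat_table(rules):
        if contains(r.real, src) and (r.destination is None or contains(r.destination, dst)):
            return r
    return None


# Constructed from the examples in this chapter, plus a catch-all after-auto rule.
SAMPLE_CONFIG = """
object network myInsideNetwork
 subnet 10.1.2.0 255.255.255.0
object network DMZnetwork1
 subnet 209.165.201.0 255.255.255.224
object network PATaddress1
 host 209.165.202.129
nat (inside,dmz) source dynamic myInsideNetwork PATaddress1 destination static DMZnetwork1 DMZnetwork1
object network myInsNet
 subnet 10.1.2.0 255.255.255.0
 nat (inside,outside) dynamic myNatPool
object network myWebServ
 host 10.1.2.27
 nat (inside,outside) static 209.165.201.10
nat (inside,outside) source dynamic any interface after-auto
"""

if __name__ == "__main__":
    rules = parse_config(SAMPLE_CONFIG)
    for r in nat_table(rules):
        print(r.name, r.kind, r.real, "->", r.mapped)
    print(lookup(rules, "10.1.2.27", "198.51.100.1").name)   # myWebServ (static host wins in section 2)
```

Note how `myWebServ` (a single static host) is ordered ahead of `myInsNet` (a dynamic /24 covering the same host) in section 2 without any help from the administrator, while the twice NAT rule for the DMZ still wins for DMZ-bound traffic because section 1 is checked first.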
Page 840: ...that you can now also disable proxy ARP for regular static NAT. For pre-8.3 configurations, the migration of NAT exempt rules (the nat 0 access-list command) to 8.4(2) and later now includes the following keywords to disable proxy ARP and to use a route lookup: no-proxy-arp and route-lookup. The unidirectional keyword that was used for migrating to 8.3(2) and 8.4(1) is no longer used for migration. When up...

Page 841: ...rts below 1024 have only a small PAT pool. If you have a lot of traffic that uses the lower port ranges, when using a PAT pool you can now specify a flat range of ports to be used instead of the three unequal-sized tiers: either 1024 to 65535, or 1 to 65535. We modified the following command: nat source dynamic [pat-pool mapped_object [flat [include-reserve]]]. This feature is not available in 8.5(1) or 8.6(1).
E...

Page 842: ...the rules using the show nat command.
Note: Because of routing issues, we do not recommend using this feature unless you know you need this feature; contact Cisco TAC to confirm feature compatibility with your network. See the following limitations:
Only supports Cisco IPsec and AnyConnect Client.
Return traffic to the public IP addresses must be routed back to the ASA so the NAT policy and VPN policy c...

Page 843: ...se the connection, avoiding the TIME_WAIT state. Multi-session PAT, on the other hand, uses the PAT timeout, by default 30 seconds. For "hit-and-run" traffic, such as HTTP or HTTPS, the per-session feature can dramatically increase the connection rate supported by one address. Without the per-session feature, the maximum connection rate for one address for an IP protocol is approximately 2000 per second. With...


Page 845: Part 2: Configuring AAA Servers and the Local Database


Page 847: ...of protection and control for user access than using access lists alone. For example, you can create an access list allowing all outside users to access Telnet on a server on the DMZ network. If you want only some users to access the server, and you might not always know the IP addresses of these users, you can enable AAA to allow only authenticated and/or authorized users to connect through the ASA. (The Te...

Page 848: ...ent access; the enable command; network access; VPN access.
Information About Authorization: Authorization controls access per user after users are authenticated. You can configure the ASA to authorize the following items: management commands; network access; VPN access. Authorization controls the services and commands that are available to each authenticated user. If you did not enable authorization, authent...

Page 849: ...tication via digital certificates, and/or digital certificates with the AAA combinations listed in the table, are also supported.
Table 1-1: Summary of AAA Support
AAA Service | Local | RADIUS | TACACS+ | SDI (RSA) | NT | Kerberos | LDAP | HTTP Form
Authentication of VPN users (1) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes (2)
(1) For SSL VPN connections, either PAP or MS-CHAPv2 can be used.
(2) HTTP Form protocol supports bot...

Page 850: ...assword management generates an MS-CHAPv2 authentication request from the ASA to the RADIUS server. See the description of the password-management command for details. If you use double authentication and enable password management in the tunnel group, then the primary and secondary authentication requests include MS-CHAPv2 request attributes. If a RADIUS server does not support MS-CHAPv2, then you can...

Page 851: ...asa/asa84/configuration/guide/ref_extserver.html#wp16055 08
TACACS+ Server Support: The ASA supports TACACS+ authentication with ASCII, PAP, CHAP, and MS-CHAPv1.
RSA/SDI Server Support: The RSA SecurID servers are also known as SDI servers. This section includes the following topics: RSA/SDI Version Support, page 1-5; Two-step Authentication Process, page 1-5; RSA/SDI Primary and Replica Servers, page 1-6; RSA...

Page 852: ...length of 14 characters for user passwords. Longer passwords are truncated, which is a limitation of NTLM Version 1.
Kerberos Server Support: The ASA supports 3DES, DES, and RC4 encryption types.
Note: The ASA does not support changing user passwords during tunnel negotiation. To avoid this situation happening inadvertently, disable password expiration on the Kerberos/Active Directory server for users conne...

Page 853: ...ystems JAVA System Directory Server (formerly named the Sun ONE Directory Server), the Microsoft Active Directory, Novell, OpenLDAP, and other LDAPv3 directory servers. By default, the ASA auto-detects whether it is connected to Microsoft Active Directory, Sun LDAP, Novell, OpenLDAP, or a generic LDAPv3 directory server. However, if auto-detection fails to determine the LDAP server type and you know the server...

Page 854: ...nistrative access, which can also include enable password authentication.
Command authorization: If the TACACS+ servers in the group are all unavailable, the local database is used to authorize commands based on privilege levels.
VPN authentication and authorization: VPN authentication and authorization are supported to enable remote access to the ASA if AAA servers that normally support these VPN servic...

Page 855: ...nnel group (also called ASDM Connection Profile). Uses the username and password as credentials.
Authorization: Enabled by the authorization-server-group setting in the tunnel group (also called ASDM Connection Profile). Uses the username as a credential.
Using Certificates: If user digital certificates are configured, the ASA first validates the certificate. It does not, however, use any of the DNs from certif...

Page 856: ...Common Name, then the username used in the authorization request would be anyuser@example.com.
Licensing Requirements for AAA Servers
Guidelines and Limitations: This section includes the guidelines and limitations for this feature.
Context Mode Guidelines: Supported in single and multiple context mode.
Firewall Mode Guidelines: Supported in routed and transparent firewall mode.
IPv6 Guidelines: Supports...

Page 857: ...fferentiating User Roles Using AAA section on page 1-29.
Configuring AAA Server Groups: If you want to use an external AAA server for authentication, authorization, or accounting, you must first create at least one AAA server group per AAA protocol and add one or more servers to each group. You identify AAA server groups by name. Each server group is specific to one type of server: Kerberos, LDAP, NT, RADIUS...


Page 860: ...e up to 15 servers in single mode or 4 servers in multiple mode. When you enter the aaa-server protocol command, you enter aaa-server group configuration mode. The interim-accounting-update option enables multi-session accounting for clientless SSL and AnyConnect sessions. If you choose this option, interim accounting records are sent to the RADIUS server in addition to the start and stop records.
Tip: C...

Page 861: ...es whether or not the downloadable ACL and the AV pair ACL are merged, and does not apply to any ACLs configured on the ASA.
Step 3: max-failed-attempts number
Example:
    hostname(config-aaa-server-group)# max-failed-attempts 2
Specifies the maximum number of requests sent to a AAA server in the group before trying the next server. The number argument can range from 1 to 5. The default is 3. If you configur...

Page 862: ...of sending messages only to the active server, enter the accounting-mode single command.
Step 6: aaa-server server_group [interface_name] host server_ip
Example:
    hostname(config)# aaa-server servergroup1 outside host 10.10.1.1
Identifies the server and the AAA server group to which it belongs. When you enter the aaa-server host command, you enter aaa-server host configuration mode. As needed, use host configu...

Page 863: ...10.1.1.2
Command | Protocol | Default / Notes
ldap-login-password | LDAP |
ldap-naming-attribute | LDAP | If not set, the ASA uses sAMAccountName for LDAP requests.
ldap-over-ssl | LDAP | 636. Whether using SASL or plain text, you can secure communications between the ASA and the LDAP server with SSL. If you do not configure SASL, we strongly recommend that you secure LDAP communications with SSL.
ldap-scope | LDAP |
mschapv2-capable | RADIUS | enabled
nt-auth...

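The server-group settings above (up to 15 servers in single mode or 4 in multiple mode, `max-failed-attempts` between 1 and 5 with a default of 3 before the next server is tried, and the fallback to the local database when every server in the group is unavailable) determine how an authentication request moves through a group. The Python below is an added example, not ASA code, that models that walk with a caller-supplied transport so timeouts can be exercised offline. Stated assumptions: a server that exhausts its attempts is marked failed and skipped until every server in the group has failed, at which point all are tried again (the ASA's depletion reactivation default); the local database is consulted only when the group is unavailable, never when a server rejects the credentials; `FakeTransport`, `local_db` and all hosts and credentials are constructed for the example.

```python
"""AAA server group failover, modelled in Python.

Added example, not ASA code. The transport is a callable so the behaviour
on timeouts, rejections and an unavailable group can be checked offline.
"""
import hmac
from dataclasses import dataclass, field

MAX_SERVERS = {"single": 15, "multiple": 4}   # per-group limits quoted on the page


class ServerTimeout(Exception):
    """Raised by the transport when a server does not answer in time."""


@dataclass
class AaaServer:
    host: str
    failed: bool = False


@dataclass
class AaaServerGroup:
    name: str
    protocol: str                      # radius, tacacs+, ldap, kerberos, nt, sdi
    servers: list = field(default_factory=list)
    max_failed_attempts: int = 3       # requests to one server before trying the next (1..5)
    context_mode: str = "single"

    def __post_init__(self):
        if not 1 <= self.max_failed_attempts <= 5:
            raise ValueError("max-failed-attempts must be between 1 and 5")

    def add_server(self, host: str):
        limit = MAX_SERVERS[self.context_mode]
        if len(self.servers) >= limit:
            raise ValueError(f"{self.context_mode} mode allows at most {limit} servers per group")
        self.servers.append(AaaServer(host))

    def _active(self):
        active = [s for s in self.servers if not s.failed]
        if not active:                 # depletion (assumed default): all failed, reactivate all
            for s in self.servers:
                s.failed = False
            active = list(self.servers)
        return active

    def authenticate(self, user: str, password: str, transport):
        """transport(host, user, password) -> bool, or raises ServerTimeout.
        Returns (accepted, host) from the first server that answers, or
        (None, None) when the whole group is unavailable."""
        for server in self._active():
            for _ in range(self.max_failed_attempts):
                try:
                    return transport(server.host, user, password), server.host
                except ServerTimeout:
                    continue
            server.failed = True       # retries exhausted: move on to the next server
        return None, None


def authenticate_with_fallback(group, user, password, transport, local_db, fallback_local=True):
    """Mirror 'aaa authentication ... GROUP LOCAL': the group is tried first and the
    local database only when the group is unavailable (a rejection is final)."""
    accepted, host = group.authenticate(user, password, transport)
    if accepted is not None:
        return accepted, host
    if fallback_local:
        return hmac.compare_digest(local_db.get(user, ""), password), "LOCAL"
    return False, None


class FakeTransport:
    """Constructed stand-in for the network: a set of dead hosts and a per-user
    credential table shared by the live ones; records every request sent."""
    def __init__(self, dead, creds):
        self.dead, self.creds, self.sent = set(dead), creds, []

    def __call__(self, host, user, password):
        self.sent.append(host)
        if host in self.dead:
            raise ServerTimeout(host)
        return self.creds.get(user) == password


if __name__ == "__main__":
    group = AaaServerGroup("servergroup1", "radius", max_failed_attempts=2)
    group.add_server("10.10.1.1")
    group.add_server("10.10.1.2")
    net = FakeTransport(dead={"10.10.1.1"}, creds={"alice": "s3cret"})
    print(group.authenticate("alice", "s3cret", net), net.sent)   # (True, '10.10.1.2') after 2 timeouts
    dead_net = FakeTransport(dead={"10.10.1.1", "10.10.1.2"}, creds={})
    print(authenticate_with_fallback(group, "admin", "pw", dead_net, {"admin": "pw"}))   # (True, 'LOCAL')
```

The `sent` list in the usage shows the effect of `max-failed-attempts 2`: exactly two requests go to the dead server before the group moves on, and a later request skips it entirely until the group is depleted.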
Page 864: ...de commands.
Note: Kerberos realm names use numbers and upper-case letters only. Although the ASA accepts lower-case letters for a realm name, it does not translate lower-case letters to upper-case letters. Be sure to use upper-case letters only.
Example 1-2: Kerberos Server Group and Server
    hostname(config)# aaa-server watchdogs protocol kerberos
    hostname(config-aaa-server-group)# aaa-server watchdogs host...

Page 865: ...r searching a directory, and the scope of a directory search, by entering the following commands:
    hostname(config)# aaa-server ldap_dir_1 protocol ldap
    hostname(config-aaa-server-group)# aaa-server ldap_dir_1 host 10.1.1.4
    hostname(config-aaa-server-host)# ldap-login-dn obscurepassword
    hostname(config-aaa-server-host)# ldap-base-dn starthere
    hostname(config-aaa-server-host)# ldap-scope subtree
    hostname(config...

Page 866: ...the matched entries. To use the attribute mapping features correctly, you need to understand Cisco LDAP attribute names and values, as well as the user-defined attribute names and values. For more information about LDAP attribute maps, see the Active Directory/LDAP VPN Remote Access Authorization Examples section on page 1-15. The names of frequently mapped Cisco LDAP attributes and the type of user-def...

Page 867: ...ute-map)# map-value accessType helpdesk 7
    hostname(config-ldap-attribute-map)# aaa-server LDAP protocol ldap
Command / Purpose:
Step 1: ldap attribute-map map-name
Example:
    hostname(config)# ldap attribute-map att_map_1
Creates an unpopulated LDAP attribute map table.
Step 2: map-name user-attribute-name Cisco-attribute-name
Example:
    hostname(config-ldap-attribute-map)# map-name department IETF-Radius-Class
Maps...

Page 868: ...ut Authorization Required | Authorization Type | X509 Cert Data
    hostname(config-ldap-attribute-map)#
Adding a User Account to the Local Database: This section describes how to manage users in the local database. To add a user to the local database, perform the following steps.
Guidelines: The local database is used for the following features: ASDM per-user access; console authentication; Telnet and SSH authenti...

Page 869: ...Limitations: You cannot use the local database for network access authorization.


Page 872: ...d, then the default level 2 allows management access to privileged EXEC mode. If you want to limit access to privileged EXEC mode, either set the privilege level to 0 or 1, or use the service-type command (see Step 5). The nopassword keyword creates a user account with no password. The encrypted and nt-encrypted keywords are typically for display only. When you define a password in the username command, the...

Page 873: ...ocal database. See the Limiting User CLI and ASDM Access with Management Authorization section on page 1-22 for information about configuring a user on a AAA server to accommodate management authorization. See the following prerequisites for each user type: Configure local database users at a privilege level from 0 to 15 using the username command. Configure the level of access using the service-type...

Page 874: ...min | nas-prompt | remote-access}
Example:
    hostname(config-username)# service-type admin
(Optional) Configures the user level if you configured management authorization in Step 2. The admin keyword allows full access to any services specified by the aaa authentication console LOCAL commands. The admin keyword is the default. The nas-prompt keyword allows access to the CLI when you configure the aaa authenticat...

Page 875: ...can use a Cisco Vendor-Specific Attribute (VSA), Cisco-Priv-Level, to assign a privilege level to an authenticated user. This section includes the following topics: Using Local Authentication, page 1-30; Using RADIUS Authentication, page 1-30.
Command / Purpose:
    username user attributes
    ssh authentication publickey key [hashed]
Example (for user anyuser):
    hostname(config-username)# ssh authentication publickey key hashed
Enab...

Page 876: ...me)# service-type remote-access
Using RADIUS Authentication: The RADIUS IETF service-type attribute, when sent in an access-accept message as the result of a RADIUS authentication and authorization request, is used to designate which type of service is granted to the authenticated user. The supported attribute values are the following: administrative (6), nas-prompt (7), Framed (2), and Login (1). For a list of supp...

Page 877: ...1 host 10.20.30.1
    hostname(config-aaa-server-host)# ldap-attribute-map admin-control
Note: When an authenticated user tries administrative access to the ASA through ASDM, SSH, or Telnet, but does not have the appropriate privilege level to do so, the ASA generates syslog message 113021. This message informs the user that the attempted login failed because of inappropriate administrative privileges.
Using T...

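The pieces above fit together as follows: an `ldap attribute-map` turns directory attributes into Cisco attributes (`map-name` renames an attribute, `map-value` rewrites individual values, as in `map-name department IETF-Radius-Class` and `map-value accessType helpdesk 7`), the resulting service type (or the RADIUS `Service-Type` values administrative 6, nas-prompt 7, Framed 2 and Login 1) selects the management role, and a login over a channel the role does not allow is refused with syslog 113021. The Python below is an added example, not ASA code, that implements that pipeline over a constructed directory entry. Stated assumptions: values with no `map-value` entry pass through unchanged; `IETF-Radius-Service-Type` and `Privilege-Level` are the Cisco attribute names used to carry the role and level from LDAP; nas-prompt users get SSH/Telnet but not ASDM or enable; remote-access users get no management channel; and, per the username discussion on page 872, privilege levels 0 and 1 are kept out of privileged EXEC. The `memberOf` group DN is invented for the example.

```python
"""LDAP attribute maps and management authorization, modelled in Python.

Added example, not ASA code: apply an attribute map to a directory entry,
derive the management role from LDAP or RADIUS attributes, and decide
whether a management channel is permitted.
"""
from dataclasses import dataclass, field

# RADIUS IETF Service-Type values named on the page and the role each grants.
RADIUS_SERVICE_TYPE = {6: "admin", 7: "nas-prompt", 2: "remote-access", 1: "remote-access"}
MANAGEMENT_CHANNELS = {"ssh", "telnet", "asdm", "enable"}
SYSLOG_INSUFFICIENT_PRIVILEGE = 113021


@dataclass
class LdapAttributeMap:
    name: str
    names: dict = field(default_factory=dict)    # ldap attribute -> Cisco attribute
    values: dict = field(default_factory=dict)   # ldap attribute -> {ldap value: Cisco value}

    def map_name(self, ldap_attr, cisco_attr):
        self.names[ldap_attr] = cisco_attr

    def map_value(self, ldap_attr, ldap_value, cisco_value):
        self.values.setdefault(ldap_attr, {})[ldap_value] = cisco_value

    def apply(self, entry):
        """entry: {ldap attr: [values]} -> {Cisco attr: [values]}.
        Attributes without a map-name are dropped; values without a
        map-value entry pass through unchanged (assumption)."""
        out = {}
        for attr, vals in entry.items():
            if attr in self.names:
                table = self.values.get(attr, {})
                out[self.names[attr]] = [table.get(v, v) for v in vals]
        return out


def service_type_from_radius(attrs):
    """Role from an Access-Accept's Service-Type; absent or unknown -> None."""
    return RADIUS_SERVICE_TYPE.get(attrs.get("Service-Type"))


def service_type_from_ldap(cisco_attrs):
    """Role from a mapped IETF-Radius-Service-Type value; ignores values that
    are not one of the known numbers (e.g. unmapped group DNs)."""
    for v in cisco_attrs.get("IETF-Radius-Service-Type", []):
        if str(v).isdigit() and int(v) in RADIUS_SERVICE_TYPE:
            return RADIUS_SERVICE_TYPE[int(v)]
    return None


def privilege_level_from(cisco_attrs, default=2):
    """Mapped Privilege-Level, or the Cisco-Priv-Level VSA for RADIUS; default 2."""
    vals = cisco_attrs.get("Privilege-Level") or cisco_attrs.get("Cisco-Priv-Level") or []
    return int(vals[0]) if vals and str(vals[0]).isdigit() else default


def management_access(service_type, channel, privilege_level=2):
    """Return (allowed, syslog id or None) for one management channel."""
    if channel not in MANAGEMENT_CHANNELS:
        raise ValueError(f"unknown channel {channel}")
    if service_type == "admin":
        allowed = True
    elif service_type == "nas-prompt":
        allowed = channel in ("ssh", "telnet")
    else:                                   # remote-access or unknown: no management access
        allowed = False
    if allowed and channel == "enable":
        allowed = privilege_level >= 2      # levels 0 and 1 stay out of privileged EXEC
    return (True, None) if allowed else (False, SYSLOG_INSUFFICIENT_PRIVILEGE)


def authorize_ldap_login(attr_map, entry, channel):
    """Whole pipeline for an LDAP-authenticated user on one channel."""
    cisco = attr_map.apply(entry)
    return management_access(service_type_from_ldap(cisco), channel, privilege_level_from(cisco))


if __name__ == "__main__":
    m = LdapAttributeMap("admin-control")
    m.map_name("department", "IETF-Radius-Class")
    m.map_name("accessType", "Privilege-Level")
    m.map_value("accessType", "helpdesk", "7")
    m.map_name("memberOf", "IETF-Radius-Service-Type")
    m.map_value("memberOf", "CN=ASA-Admins,OU=Groups,DC=example,DC=com", "6")   # invented group
    # Constructed directory entry for the example.
    entry = {"department": ["eng"], "accessType": ["helpdesk"], "mail": ["u@example.com"],
             "memberOf": ["CN=ASA-Admins,OU=Groups,DC=example,DC=com",
                          "CN=Staff,OU=Groups,DC=example,DC=com"]}
    print(m.apply(entry))
    print(authorize_ldap_login(m, entry, "asdm"))                         # (True, None)
    print(management_access(service_type_from_radius({"Service-Type": 7}), "asdm"))   # (False, 113021)
```

The second print is the case the note above describes: a user whose RADIUS `Service-Type` is nas-prompt (7) reaches the CLI but is turned away from ASDM with message 113021.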
Page 878: ...rvers.
show running-config zonelabs-integrity: Shows the Zone Labs Integrity server configuration. To clear the Zone Labs Integrity server configuration, use the clear configure zonelabs-integrity command.
show ad-groups name [filter string]: Applies only to AD servers using LDAP, and shows groups that are listed on an AD server.

Page 879: ...ted to implementing LDAP mapping, see the RFCs section on page 1-33.
RFCs:
RFC 2138: Remote Authentication Dial In User Service (RADIUS)
RFC 2139: RADIUS Accounting
RFC 2548: Microsoft Vendor-specific RADIUS Attributes
RFC 2868: RADIUS Attributes for Tunnel Protocol Support
Feature History for AAA Servers: Table 1-3 lists each feature change and the platform release in which it was implemented.

Page 880: ...group; tunnel-group; tunnel-group general-attributes; map-name; map-value; ldap attribute-map; zonelabs-integrity server-address; zonelabs-integrity port; zonelabs-integrity interface; zonelabs-integrity fail-timeout; zonelabs-integrity fail-close; zonelabs-integrity fail-open; zonelabs-integrity ssl-certificate-port; zonelabs-integrity ssl-client-authentication {enable | disable}; client-firewall {opt | req} zonelabs...

Page 881: ... 2 Features of the Identity Firewall page 1 3 Deployment Scenarios page 1 4 Overview of the Identity Firewall In an enterprise users often need access to one or more server resources Typically a firewall is not aware of the users identities and therefore cannot apply security policies based on identity To configure per user access policies you must configure a user authentication proxy which requi...

Page 882: ...wall include Decoupling network topology from security policies Simplifying the creation of security policies Providing the ability to easily identify user activities on network resources Simplifying user activity monitoring Architecture for Identity Firewall Deployments The Identity Firewall integrates with Windows Active Directory in conjunction with an external Active Directory AD Agent that provid...

Page 883: ... logs Alternatively the client can log onto the network through a cut through proxy or by using VPN 2 ASA AD Server The ASA sends an LDAP query for the Active Directory groups configured on the AD Server The ASA consolidates local and Active Directory groups and applies access rules and MPF security policies based on user identity 5 ASA Client Based on the policies configured on the ASA it grants ...

Page 884: ...ppings in active ASA policies for the ASA 5505 Supports up to 256 user groups in active ASA policies A single rule can contain one or more user groups or users Supports multiple domains Availability The ASA retrieves group information from Active Directory and falls back to web authentication for IP addresses that the AD Agent cannot map a source IP address to a user identity The AD Agent continue...

Page 885: ...eployment with multiple Active Directory servers and multiple AD Agents installed on separate Windows servers Figure 1 3 Deployment Scenario with Redundant Components As shown in Figure 1 4 all Identity Firewall components Active Directory server the AD Agent and the clients are installed and communicate on the LAN Figure 1 4 LAN based Deployment ASA AD Server AD Agent 304005 Scenario 1 Scenario 2...

Page 886: ...mote site The remote clients connect to the Active Directory servers at the main site over a WAN Figure 1 6 WAN based Deployment with Remote AD Agent Figure 1 7 shows an expanded remote site installation An AD Agent and Active Directory servers are installed at the remote site The clients access these components locally when logging into network resources located at the main site The remote Active...

Page 887: ... status and domain status are replicated User and user group records are not replicated to the standby ASA When failover is configured the standby ASA must also be configured to connect to the AD Agent directly to retrieve user groups The standby ASA does not send NetBIOS packets to clients even when the NetBIOS probing options are configured for the Identity Firewall When a client is determined a...

Page 888: ...tures do not support using the identity based object and FQDN in an extended ACL route map Crypto map WCCP NAT group policy except VPN filter DAP When you use the Cisco Context Directory Agent CDA in conjunction with the ASA or Cisco Ironport Web Security Appliance WSA make sure that you open the following ports Authentication port for UDP 1645 Accounting port for UDP 1646 Listening port for UDP 3...

Page 889: ...e Active Directory server See the documentation for Microsoft Active Directory for the steps to enable SSL for Active Directory Note Before running the AD Agent Installer you must install the following patches on every Microsoft Active Directory server that the AD Agent monitors These patches are required even when the AD Agent is installed directly on the domain controller server See the README Fir...

Page 890: ...ry domain controller To configure the Active Directory domain perform the following steps Command Purpose Step 1 hostname config aaa server server tag protocol ldap Example hostname config aaa server adserver protocol ldap Creates the AAA server group and configures AAA server parameters for the Active Directory server Step 2 hostname config aaa server group aaa server server tag interface name ho...

Page 891: ... type microsoft Configures the LDAP server model for the Microsoft Active Directory server Step 8 hostname config aaa server host ldap group base dn string Example hostname config aaa server host ldap group base dn OU Sample Groups DC SAMPLE DC com Specifies location of the Active Directory groups configuration in the Active Directory domain controller If not specified the value in ldap base dn is...

Page 892: ...roup aaa server server tag interface name host server ip name key timeout seconds Example hostname config aaa server group aaa server adagent inside host 192 168 1 101 For the AD Agent configures the AAA server as part of a AAA server group and the AAA server parameters that are host specific Step 3 hostname config aaa server host key key Example hostname config aaa server host key mysecret Specif...

Page 893: ...e to add or edit the Identity Firewall feature select the Enable check box to enable the feature By default the Identity Firewall feature is disabled Prerequisites Before configuring the identity options for the Identity Firewall you must meet the prerequisites for the AD Agent and Microsoft Active Directory See Prerequisites page 1 8 the requirements for the AD Agent and Microsoft Active...

Page 894: ... Active Directory domain controller If the domain name does not match the AD Agent will incorrectly associate the user identity IP address mappings with the domain name you enter when configuring the ASA To view the NetBIOS domain name open the Active Directory user event security log in any text editor The Identity Firewall uses the LOCAL domain for all locally defined user groups or locally defi...

Page 895: ... only one in the NetBIOS response Otherwise the user identity of that IP address is considered invalid user not needed As long as the ASA received a NetBIOS response from the client the user identity is considered valid The Identity Firewall only performs NetBIOS probing for those users identities that are in the active state and exist in at least one security policy The ASA does not perform NetBI...

Page 896: ...led Step 8 hostname config user identity action domain controller down domain_nickname disable user identity rule Example hostname config user identity action domain controller down SAMPLE disable user identity rule Specifies the action when the domain is down because Active Directory domain controller is not responding When the domain is down and the disable user identity rule keyword is configur...

Page 897: ...e full download Defines how the ASA retrieves the user identity IP address mapping information from the AD Agent full download Specifies that the ASA send a request to the AD Agent to download the entire IP user mapping table when the ASA starts and then to receive incremental IP user mapping when users log in and log out on demand Specifies that the ASA retrieve the user mapping information of an...

Page 898: ... For example for any user without a valid login you can trigger a AAA rule To ensure that the AAA rule is only triggered for users that do not have valid logins you can specify special usernames in the extended ACL used for the access rule and for the AAA rule None users without a valid login and Any users with a valid login In the access rule configure your policy as usual for users and groups bu...

Page 899: ...Example 1 This example shows a typical cut through proxy configuration to allow a user to log in through the ASA In this example the following conditions apply The ASA IP address is 172 1 1 118 The Active Directory domain controller has the IP address 71 1 2 93 The end user client has the IP address 172 1 1 118 and uses HTTPS to log in through a web portal The user is authenticated by the Active D...

Page 900: ... There are two different ways to apply IDFW rules on VPN users Apply VPN Filter with bypassing access list check disabled Apply VPN Filter with bypassing access list check enabled Configuration Example VPN with IDFW Rule 1 By default sysopt connection permit vpn is enabled and VPN traffic is exempted from access list check In order to apply regular interface based ACL rules for VPN traffic VPN tra...

Page 901: ...ctions for the Identity Firewall enter the following command Monitoring the Identity Firewall This section contains the following topics Monitoring AD Agents page 1 22 Monitoring Groups page 1 22 Monitoring Memory Usage for the Identity Firewall page 1 22 Monitoring Users for the Identity Firewall page 1 23 Command Purpose user statistics accounting scanning Example hostname config class map c ide...

Page 902: ...ty Firewall displays the list of user groups in the following format domain group_name Monitoring Memory Usage for the Identity Firewall You can monitor the memory usage that the Identity Firewall consumes on the ASA Use the show user identity memory command to obtain troubleshooting information for the Identity Firewall The command displays the memory usage in bytes of various modules in the Iden...

Page 903: ...for users The default domain name can be the real domain name a special reserved word or LOCAL The Identity Firewall uses the LOCAL domain name for all locally defined user groups or locally defined users users who log in and authenticate by using a VPN or web portal When default domain is not specified the default domain is LOCAL The idle time is stored on a per user basis instead of per the IP a...

Page 904: ...tity default domain user identity domain user identity logout probe user identity inactive user timer user identity poll import user group timer user identity action netbios response fail user identity user not found user identity action ad agent down user identity action mac address mismatch user identity action domain controller down user identity ad agent active user database user identity ad a...

Page 905: ...the following topics Information about Cisco TrustSec page 1 1 About SGT and SXP Support in Cisco TrustSec page 1 2 Roles in the Cisco TrustSec Solution page 1 3 Security Group Policy Enforcement page 1 3 How the ASA Enforces Security Group Based Policies page 1 4 About Speaker and Listener Roles on the ASA page 1 5 Features of the ASA Cisco TrustSec Integration page 1 6 Information about Cisco Tr...

Page 906: ... IT resources Reduces total cost of ownership through centralized highly secure access policy management and scalable enforcement mechanisms For information about Cisco TrustSec see http www cisco com go trustsec About SGT and SXP Support in Cisco TrustSec In the Cisco TrustSec solution security group access transforms a topology aware network into a role based network thus enabling end to end pol...

Page 907: ...ntity repository by providing Cisco TrustSec tag to user identity mapping and Cisco TrustSec tag to server resource mapping In the Cisco TrustSec solution the Cisco Secure Access Control System a policy server with integrated 802 1x and SGT support acts as the PAP Policy Enforcement Point PEP A policy enforcement point is the entity that carries out the decisions policy rules and actions made by t...

Page 908: ...uring the Identity Firewall for information about configuring user based security policies As part of configuring the ASA to function with Cisco TrustSec you must import a Protected Access Credential PAC file from the ISE Importing a Protected Access Credential PAC File page 1 13 Importing the PAC file to the ASA establishes a secure communication channel with the ISE After the channel is establis...

Page 909: ...e ASA transmits all IP SGT mappings to its SXP peers See About Speaker and Listener Roles on the ASA page 1 5 5 If a security policy is configured on the ASA with that SGT or security group name the ASA enforces the policy You can create security policies on the ASA that contain SGTs or security group names To enforce policies based on security group names the ASA needs the security group table to ...

Page 910: ...timer then the ASA updates the IP SGT mapping database to learn the latest mappings Features of the ASA Cisco TrustSec Integration The ASA leverages Cisco TrustSec as part of its identity based firewall feature Integrating the ASA with Cisco TrustSec provides the following key features Flexibility The ASA can be configured as an SXP Speaker or Listener or both See About Speaker and Listener Ro...

Page 911: ...s for IP-SGT Mappings

ASA Platform              Number of IP-SGT Mapped Entries
5505                      250
5510                      1,000
5520                      2,500
5540                      5,000
5550                      7,500
5580-20                   10,000
5580-40                   20,000
5585-X with SSP-10        18,750
5585-X with SSP-20        25,000
5585-X with SSP-40        50,000
5585-X with SSP-60        100,000

Table 1-2 SXP Connections

ASA Platform              Number of SXP TCP Connections
5505                      10
5510                      25
5520                      50
5540                      100
5550                      150
5580-20                   250
5580-40                   500
5585-X with SS...

Page 912: ...A uses this shared secret to communicate with the ISE 6 Specify a device name device ID password and a download interval for the ASA See the ISE documentation for the details to perform these tasks Creating a Security Group on the ISE When configuring the ASA to communicate with the ISE you specify a AAA server When configuring the AAA server on the ASA you must specify a server group The security...

Page 913: ...ported in SXP messages SXP conveys IP SGT mappings to enforcement points in the network If an access layer switch belongs to a different NAT domain than the enforcing point the IP SGT map it uploads is invalid and an IP SGT mappings database lookup on the enforcement device will not yield valid results therefore the ASA cannot apply security group aware security policy on the enforcement device Yo...

Page 914: ... the security group table on the ASA to pick up changes from the ISE The multicast types are not supported in ISE 1 0 An SXP connection stays in the initializing state among two SXP peers interconnected by the ASA as shown in the following example SXP peer A ASA SXP peer B Therefore when configuring the ASA to integrate with Cisco TrustSec you must enable the no NAT no SEQ RAND and MD5 AUTHENTICAT...

Page 915: ...n page 1 8 for information Task Flow in the ASA To configure the ASA to integrate with Cisco TrustSec perform the following tasks Step 1 Configure the AAA server See Configuring the AAA Server for Cisco TrustSec Integration page 1 11 Step 2 Import the PAC file from the ISE See Importing a Protected Access Credential PAC File page 1 13 Step 3 Enable and set the default values for SXP See Configurin...

Page 916: ...server ISEserver inside host 192 0 2 1 Configures a AAA server as part of a AAA server group and sets host specific connection data Where interface name specifies the network interface where the ISE server resides The parentheses are required in this parameter Where server tag is the name of the AAA server group that you specified in step 1 in the server tag argument Where server ip specifies the ...

Page 917: ...s a radius transaction with the ISE using the PAC for authentication Tip The PAC file contains a shared key that allows the ASA and ISE to secure the RADIUS transactions that occur between them Given the sensitive nature of this key it must be stored securely on the ASA After successfully importing the file the ASA downloads Cisco TrustSec environment data from the ISE without requiring the device ...

Page 918: ...ctions The Cisco TrustSec SXP reconcile period Command Purpose Step 1 hostname config cts import pac filepath password value Example hostname config cts import pac disk0 xyz pac password IDFW pac99 Imports a Cisco TrustSec PAC file Where filepath is entered as one of the following exec mode commands and options Single Mode disk0 Path and filename on disk0 disk1 Path and filename on disk1 flash Pat...

Page 919: ...ace If the source IP address does not match the address of the outbound interface SXP connections will fail When a source IP address for an SXP connection is not configured the ASA performs a route ARP lookup to determine the outbound interface for the SXP connection See Adding an SXP Connection Peer page 1 17 for information about configuring a default source IP address for all SXP connections St...

Page 920: ...ctions that are off or in a pending on state the ASA restarts the retry timer We recommend you configure the retry timer to a different value from its SXP peer devices Step 5 hostname config cts sxp reconciliation period timervalue Example hostname config cts sxp reconciliation period 60 Specifies the value of the default reconcile timer After an SXP peer terminates its SXP connection the ASA start...

Page 921: ...ate with Cisco TrustSec Configuring the ASA for Cisco TrustSec Integration hostname config cts sxp retry period 60 hostname config cts sxp reconcile period 60 Adding an SXP Connection Peer SXP connections between peers are point to point and use TCP as the underlying transport protocol ...

Page 922: ...ng interface Source IP Address Optional Where source_ip_address is the local IPv4 or IPv6 address of the SXP connection The source IP address must be the same as the ASA outbound interface or the connection will fail We recommend that you do not configure a source IP address for an SXP connection and allow the ASA to perform a route ARP lookup to determine the source IP address for the SXP connect...

Page 923: ... data Normally you will not need to manually refresh the environment data from the ISE however security groups can change on the ISE These changes are not reflected on the ASA until you refresh the data in the ASA security group table Refresh the data on the ASA to make sure that any security group changes made on the ISE are reflected on the ASA Tip We recommend that you schedule policy configuration changes ...

Page 924: ...rity group tag 1 object group security objgrp hr admin security group name hr admin sg name single sg_name group object it admin locally defined object group as nested object object group security objgrp hr servers security group name hr servers sg name object group security objgrp hr network security group tag 2 access list hr acl permit ip object group security objgrp hr admin any object group s...

Page 925: ...policies object group security objgrp it admin security group name it admin sg name security group tag 1 object group security objgrp hr admin security group name hr admin sg name group object it admin object group security objgrp hr servers security group name hr servers sg name access list hr acl permit ip object group security objgrp hr admin any object group security objgrp hr servers Command ...

Page 926: ...rustSec infrastructure and the SXP commands Output This example displays the basic Cisco TrustSec configuration settings hostname show running config cts cts server group ctsgroup cts sxp enable cts sxp connection peer 192 16 1 1 password none mode speaker This example displays the Cisco TrustSec configuration settings including the default settings hostname show running config all cts cts server ...

Page 927: ...value when the security group name is unknown Note Security group data is not available for stub connections because stub connections do not go through the slow path Stub connections maintain only the information necessary to forward packets to the owner of the connection You can specify a single security group name to display all connections in a cluster for example the following example displays ...

Page 928: ...assword Set Delete hold down timer Running Reconciliation timer Not Running Duration since last state change 0 00 00 16 dd hr mm sec Peer IP 3 3 3 1 Local IP 3 3 3 2 Conn status On Local mode Listener Ins number 2 TCP conn password Default Delete hold down timer Not Running Reconciliation timer Not Running Duration since last state change 0 00 05 49 dd hr mm sec This example displays data for all ...

Page 929: ...d range Output This example displays the environment data that appears when the ASA is unable to import the PAC file hostname show cts environment data CTS Environment Data Status Expired Last download attempt Failed Retry_timer 60 secs is running This example displays the environment data that appears when the ASA has successfully imported the PAC file hostname show cts environment data CTS Envir...

Page 930: ...iption This command displays the active IP SGT mappings consolidated from SXP Include the detail keyword to display more information such as the security group names with the SGT values included in brackets If a security group name is not available only the SGT value is displayed without the brackets Output This example shows IP SGT mappings that have IPv6 addresses hostname show cts sgt map ipv6 Acti...

Page 931: ... Bindings Information IP SGT Active Bindings Summary Total number of SXP bindings 2 Total number of active bindings 2 This example shows how to display IP SGT mappings that fall within a specific subnet hostname show cts sgt map address 10 10 10 5 mask 255 255 255 255 Active IP SGT Bindings Information IP Address SGT Source 10 10 10 5 1234 SXP IP SGT Active Bindings Summary Total number of SXP bin...

Page 932: ...ppings 3 SGT STBU 7 IPv4 2 2 2 1 Peer IP 2 2 2 1 Ins Num 1 Status Active SGT STBU 7 IPv4 2 2 2 0 Peer IP 3 3 3 1 Ins Num 1 Status Inactive SGT 6 IPv6 1234 A8BB CCFF FE00 110 Peer IP 2 2 2 1 Ins Num 1 Status Active This example summarizes the mapping information from the IP SGT mapping database hostname show cts sxp sgt map brief Total number of IP SGT mappings 3 SGT IPv4 7 2 2 2 1 SGT IPv4 7 3 3 3 ...

Page 933: ...89 12 05 56 34 0 0 338 192 4 4 4 345 This example shows the IP SGT map information in the ASP table for a specific IP address hostname show asp table cts sgt map address 10 10 10 5 IP Address SGT 10 10 10 5 1234 This example shows the IP SGT map information in the ASP table for all IPv6 addresses hostname show asp table cts sgt map ipv6 IP Address SGT FE80 A8BB CCFF FE00 110 17 FE80 A8BB CCFF FE00 1...

Page 934: ...ring WARNING The pac will expire in less than 10 days WARNING The pac expired at Apr 30 2011 21 03 49 and needs to be refreshed Output hostname show cts pacs AID CAFECAFECAFECAFECAFECAFECAFECAFE PAC Info Valid until Apr 06 2002 01 00 31 UTC AID CAFECAFECAFECAFECAFECAFECAFECAFE I ID someASA A ID Info Cisco Policy Manager PAC type Cisco trustsec PAC Opaque 00020082000100040010DEADBEEFDEADBEEF1111111...

Page 935: ...e role based and identity based access control decisions In this release the ASA integrates with Cisco TrustSec to provide security group based policy enforcement Access policies within the Cisco TrustSec domain are topology independent based on the roles of source and destination devices rather than on network IP addresses The ASA can utilize the Cisco TrustSec solution for other types of securit...

Page 936: ...1 32 Cisco ASA Series CLI Configuration Guide Chapter 1 Configuring the ASA to Integrate with Cisco TrustSec Feature History for the ASA Cisco TrustSec Integration ...

Page 937: ...ible for managing certificate requests and issuing digital certificates A digital certificate includes information that identifies a user or device such as a name serial number company department or IP address A digital certificate also includes a copy of the public key for the user or device A CA can be a trusted third party such as VeriSign or a private in house CA that you establish within your...

Page 938: ...ire a configuration change on each peer with which it needs to communicate securely When you use digital certificates each peer is enrolled with a CA When two peers try to communicate they exchange certificates and digitally sign data to authenticate each other When a new peer is added to the network you enroll that peer with a CA and none of the other peers need modification When the new peer att...

Page 939: ...dation command For automatic enrollment a trustpoint must be configured with an enrollment URL and the CA that the trustpoint represents must be available on the network and must support SCEP You can export and import the keypair and issued certificates associated with a trustpoint in PKCS12 format This format is useful to manually duplicate a trustpoint configuration on a different ASA Certificat...

Page 940: ...oked and unrevoked certificates with their certificate serial numbers The ASA evaluates certificates according to CRLs also called authority revocation lists from the identity certificate up the chain of subordinate certificate authorities OCSP offers a more scalable method of checking revocation status in that it localizes certificate status through a validation authority which it queries for sta...

Page 941: ...tly used CRL to make room for a newly retrieved CRL OCSP OCSP provides the ASA with a way of determining whether a certificate that is within its valid time range has been revoked by the issuing CA OCSP configuration is part of trustpoint configuration OCSP localizes certificate status on a validation authority an OCSP server also called the responder which the ASA queries for the status of a spec...

Page 942: ...t based SSL VPN connections Provides trusted digital certificates to users without the need to rely on external certificate authorization Provides a secure in house authority for certificate authentication and offers straightforward user enrollment by means of a website login Storage for Local CA Files The ASA accesses and implements user information issued certificates and revocation lists using ...

Page 943: ...g the Hostname Domain Name and Passwords section on page 1 1 Make sure that the ASA clock is set accurately before configuring the CA Certificates have a date and time that they become valid and expire When the ASA enrolls with a CA and obtains a certificate the ASA checks that the current time is within the valid range for the certificate If it is outside that range enrollment fails For informati...

Page 944: ...r more information see CSCty43366 When a certificate enrollment is completed the ASA stores a PKCS12 file containing the user s keypair and certificate chain which requires about 2 KB of flash memory or disk space per enrollment The actual amount of disk space depends on the configured RSA key size and certificate fields Keep this guideline in mind when adding a large number of pending certificate...

Page 945: ...11h CRYPTO_PKI Failed to verify the ID certificate using the CA certificate in trustpoint mm CERT C E cert c source p7contnt c 169 Error 703h crypto_certc_pkcs7_extract_certs_and_crls failed 1795 crypto_certc_pkcs7_extract_certs_and_crls failed CRYPTO_PKI status 1795 failed to verify or insert the cert into storage Configuring Digital Certificates This section describes how to configure local CA c...

Page 946: ...ulus is 1024 To specify other modulus sizes use the modulus keyword Note Many SSL connections using identity certificates with RSA key pairs that exceed 1024 bits can cause high CPU usage on the ASA and rejected clientless logins Step 2 crypto key generate rsa label key pair label Example hostname contexta config crypto key generate rsa label exchange Optional Assigns a label to each key pair The ...

Page 947: ...ll Requests automatic enrollment using SCEP with the specified trustpoint and configures the enrollment URL enrollment terminal Example hostname contexta config ca trustpoint enrollment terminal Requests manual enrollment with the specified trustpoint by pasting the certificate received from the CA into the terminal Step 3 revocation check crl none revocation check crl revocation check none Exampl...

Page 948: ... keypair name Example hostname contexta config ca trustpoint keypair exchange Specifies the key pair whose public key is to be certified Step 11 match certificate map name override ocsp Example hostname contexta config ca trustpoint match certificate examplemap override ocsp Configures OCSP URL overrides and trustpoints to use for validating OCSP responder certificates Step 12 ocsp disable nonce E...

Page 949: ... Inc Step 17 serial number Example hostname contexta config ca trustpoint serial number JMX1213L2A7 During enrollment asks the CA to include the ASA serial number in the certificate Step 18 write memory Example hostname contexta config write memory Saves the running configuration Command Purpose Command Purpose Step 1 crypto ca trustpoint trustpoint name Example hostname config crypto ca trustpoin...

Page 950: ...4 url n url Example hostname config ca crl url 2 http www example com If you used the keywords static or both when you configured the CRL policy you must configure URLs for CRL retrieval You can enter up to five URLs ranked 1 through 5 The n is the rank assigned to the URL To remove a URL use the no url n command Step 5 protocol http ldap scep Example hostname config ca crl protocol http Configure...

Page 951: ...name instead of an IP address to specify the LDAP server make sure that you have configured the ASA to use DNS Step 9 ldap dn admin DN password Example hostname config ca crl ldap dn cn admin ou devtest o engineering c00lRunZ Allows CRL retrieval if the LDAP server requires credentials Step 10 crypto ca crl request trustpoint Example hostname config ca crl crypto ca crl request Main Retrieves the ...

Page 952: ... name in the certificate will be securityappliance example com Enter the base 64 encoded certificate End with a blank line or the word quit on a line by itself certificate data omitted quit INFO Certificate successfully imported Command Purpose crypto ca import trustpoint pkcs12 Example hostname config crypto ca import Main pkcs12 Imports keypairs and issued certificates that are associated with a...

Page 953: ...s which is also the subject name DN of the self signed CA certificate Use commas to separate attribute value pairs Insert quotation marks around any value that includes a comma An issuer name must be less than 500 alphanumeric characters The default issuer name is cn hostname domain name Step 3 subject name attr tag eq co ne nc string Example hostname config ca cert map subject name attr cn eq myce...

Page 954: ...stpoint For more information see the Configuring Trustpoints section on page 1 11 Step 2 crypto ca enroll trustpoint Example hostname config crypto ca enroll Main Start certificate enrollment The fully qualified domain name in the certificate will be securityappliance example com Include the device serial number in the subject name yes no n Display Certificate Request to terminal yes no y Certific...

Page 955: ...icate data omitted quit INFO Certificate successfully imported Imports each certificate you receive from the CA Requests that you paste the certificate to the terminal in base 64 format Step 4 show crypto ca server certificate Example hostname config show crypto ca server certificate Main Verifies that the enrollment process was successful by displaying certificate details issued for the ASA and t...

Page 956: ...l Main Enrolls the ASA with the trustpoint Retrieves a certificate for signing data and depending on the type of keys that you have configured for encrypting data Before entering this command contact the CA administrator who may need to authenticate the enrollment request manually before the CA grants certificates If the ASA does not receive a certificate from the CA within one minute the default ...

Page 957: ...general scep enrollment enable INFO authentication aaa certificate must be configured to complete setup of this option Enables SCEP enrollment for the tunnel group Enter this command in tunnel group general attributes configuration mode Step 3 scep forwarding url value URL Example hostname config group policy scep forwarding url value http ca example com 80 Enrolls the SCEP CA for the group policy...

Page 958: ...her IKEv2 or SSL You must use the hide keyword to support the SCEP proxy Step 6 secondary username from certificate use entire name use script primary_attr secondary attr no certificate fallback cisco secure desktop machine unique id Example hostname config tunnel webvpn secondary username from certificate CN no certificate fallback cisco secure desktop machine unique id Supplies the username when...

Page 959: ... thumbprint MD5 76dd1439 ac94fdbc 74a0a89f cb815acc CA certificate fingerprint thumbprint SHA1 58754ffd 9f19f9fd b13b4b02 15b3e4be b70b5a83 Last certificate issued serial number 0x6 CA certificate expiration timer 14 25 11 UTC Jan 16 2008 CRL NextUpdate timer 16 09 55 UTC Jan 24 2007 Current primary storage dir flash Configuring the Local CA Server To configure the local CA server perform the foll...

Page 960: ...ssued by the local CA server If you do not specify a subject name DN you must specify the exact subject name DN to be included in a user certificate each time that you add a user to the user database Note Make sure that you review all optional parameters carefully before you enable the configured local CA because you cannot change issuer name and keysize server values after you enable the local CA...

Page 961: ...the subject field of all e-mail messages sent from the local CA server. Step 4 smtp from-address e-mail_address Example: hostname(config-ca-server)# smtp from-address SecurityAdmin@example.com Specifies the e-mail address that is to be used as the From field of all e-mail messages that are generated by the local CA server. Step 5 subject-name-default dn Example: hostname(config-ca-server)# subject-name-de...

Page 962: ...er Displays debugging messages when you configure and enable the local CA server. Performs level 1 debugging functions (levels 1-255 are available). Note: Debugging commands might slow down traffic on busy networks. Levels 5 and higher are reserved for raw data dumps and should be avoided during normal debugging because of excessive output. Command Purpose Step 1 crypto ca server Example: hostname(config)# ...

Page 963: ...xternal Local CA File Storage, page 1-31; Downloading CRLs, page 1-33; Storing CRLs, page 1-34; Setting Up Enrollment Parameters, page 1-35; Adding and Enrolling Users, page 1-36; Renewing Users, page 1-38; Restoring Users, page 1-39; Removing Users, page 1-39; Revoking Certificates, page 1-40; Maintaining the Local CA Certificate Database, page 1-40; Rolling Over Local CA Certificates, page 1-40; Archiving the Local C...

Page 964: ...l CA Step 2 issuer-name DN-string Example: hostname(config-ca-server)# issuer-name CN=xx5520,CN=30.132.0.25,ou=DevTest,ou=QA,O=ABC Systems Specifies the local CA certificate subject name. The configured certificate issuer name is both the subject name and issuer name of the self-signed local CA certificate, as well as the issuer name in all issued client certificates and in the issued CRL. The default i...

Page 965: ...cal CA certificate after the current local CA certificate has expired. The following preexpiration syslog message is generated: %ASA-1-717049: Local CA Server certificate is due to expire in days days and a replacement certificate is available for export. Note: When notified of this automatic rollover, the administrator must make sure that the new local CA certificate is imported onto all required device...

Page 966: ...he default time period is six hours. Step 3 crypto ca server crl issue Example: hostname(config)# crypto ca server crl issue A new CRL has been issued. Forces the issuance of a CRL at any time, which immediately updates and regenerates a current CRL to overwrite the existing CRL. Note: Do not use this command unless the CRL file has been removed in error or has been corrupted and must be regenerated. Comma...

Page 967: ...ial: 0x2, issued: 12:27:59 UTC Thu Jan 3 2008, expired: 12:17:37 UTC Sun Dec 31 2017, status: Not Revoked <--- More ---> Setting Up External Local CA File Storage You can store the local CA server configuration, users, issued certificates, and CRLs in the local CA server database either in flash memory or in an external local CA file system. To configure external local CA file storage, perform the following steps Comma...

Page 968: ...nt-name:directory-path Example: hostname(config-ca-server)# database path mydata:newuser Specifies the location of mydata, the premounted CIFS file system to be used for the local CA server database. Establishes a path to the server and then specifies the local CA file or folder name to use for storage and retrieval. To return local CA file storage to the ASA flash memory, use the no database path comman...

Page 969: ...tional port selections are as follows: inside (name of interface GigabitEthernet0/1), management (name of interface Management0/0), outside (name of interface GigabitEthernet0/0). Port numbers can range from 1-65535; TCP port 80 is the HTTP default port number. Note: If you do not specify this command, the CRL is not accessible from the CDP location, because this command is required to open an interface to downl...

Page 970: ...default URL location is http://hostname.domain/+CSCOCA+/asa_ca.crl. The local CA updates and reissues the CRL each time a user certificate is revoked or unrevoked. If no revocation changes occur, the CRL is reissued once each CRL lifetime. If this command is set to serve the CRL directly from the local CA ASA, see the Downloading CRLs section on page 1-33 for instructions about opening a port on an interfa...

Page 971: ...rtificate on the enrollment website is also used as the password to unlock the PKCS12 file that includes the issued certificate and keypair for the specified user. Step 3 enrollment-retrieval timeout Example: hostname(config-ca-server)# enrollment-retrieval 120 Specifies the number of hours an already enrolled user can retrieve a PKCS12 enrollment file. This time period begins when the user is successf...

Page 972: ... user as necessary for enrollment invitations. dn: The distinguished name, a global, authoritative name of an entry in the OSI Directory (X.500), for example cn=user1@example.com,cn=Engineer,o=Example Company,c=US. e-mail-address: The e-mail address of the new user to which OTPs and notices are to be sent. Step 2 crypto ca server user-db allow user Example: hostname(config-ca-server)# crypto ca server user-db ...

Page 973: ...S12 file which includes a keypair for the user and a user certificate that is based on the public key from the keypair generated and the subject name DN specified when the user is added The PKCS12 file contents are protected by a passphrase the OTP The OTP can be handled manually or the local CA can e mail this file to the user to download after the administrator allows enrollment The PKCS12 file ...

Page 974: ...tificate expires it becomes invalid Renewal notices and the times they are e mailed to users are variable and can be configured by the administrator during local CA server configuration Three reminders are sent An e mail is automatically sent to the certificate owner for each of the three reminders provided an e mail address is specified in the user database If no e mail address exists for the use...

Page 975: ...kes a previously revoked certificate that was issued by the local CA server. The local CA maintains a current CRL with serial numbers of all revoked user certificates. This list is available to external devices and can be retrieved directly from the local CA if it is configured to do so with the cdp-url command and the publish-crl command. When you revoke or unrevoke any current certificate by certif...

Page 976: ...y fail The local CA certificate rolls over automatically after expiration using the same keypair The rollover certificate is available for export in base 64 format Examples The following example shows a base 64 encoded local CA certificate MIIXlwIBAzCCF1EGCSqGSIb3DQEHAaCCF0IEghc MIIXOjCCFzYGCSqGSIb3DQEHBqCCFycwghcjAgEAMIIXHAYJKo ZIhvcNAQcBMBsGCiqGSIb3DQEMAQMwDQQIjph4SxJoyTgCAQGAghbw3v4bFy GGG2dJnB...

Page 977: ...the console in base 64 format, and the rollover certificate when available, including the rollover certificate thumbprint for verification of the new certificate during import onto other devices. show crypto ca server crl Shows CRLs. show crypto ca server user-db Shows users and their status, which can be used with the following qualifiers to reduce the number of displayed records: allowed Shows only u...
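The thumbprints that show crypto ca server prints (page 959) and the rollover-certificate thumbprint mentioned above exist for one reason: before another device trusts a CA certificate pasted in as base 64, an administrator can confirm that the blob hashes to the value displayed on the issuing ASA. The following Python helper is an added example and not part of the guide or of Cisco's software; it recomputes the thumbprint of a pasted dump in the ASA's grouped-hex display form and compares it with the expected value. SAMPLE_CERT_B64 is a constructed stand-in, not a real certificate; an X.509 thumbprint is just the hash of the DER bytes, so any blob exercises the same path.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for the base-64 body that "show crypto ca server certificate"
# prints. These are not real certificate bytes; the thumbprint is the hash of the
# DER bytes, so any blob exercises the same code path.
SAMPLE_CERT_B64 = base64.b64encode(
    b"\x30\x82\x01\x00constructed-der-bytes-for-the-thumbprint-demo").decode()
# The same blob as the ASA would wrap it across terminal lines.
WRAPPED_DUMP = "\n".join(SAMPLE_CERT_B64[i:i + 16] for i in range(0, len(SAMPLE_CERT_B64), 16))


def der_from_base64_dump(text: str) -> bytes:
    """Decode a pasted base-64 dump to DER. Line wrapping, prompts and stray
    whitespace are dropped by keeping only the base-64 alphabet."""
    return base64.b64decode(re.sub(r"[^A-Za-z0-9+/=]", "", text))


def asa_thumbprint(der: bytes, algo: str = "sha1") -> str:
    """Thumbprint in the display form the ASA uses: lowercase hex in groups of
    eight, e.g. '58754ffd 9f19f9fd b13b4b02 15b3e4be b70b5a83' for SHA1."""
    digest = hashlib.new(algo, der).hexdigest()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


def normalize(thumbprint: str) -> str:
    """Strip grouping spaces, colons and case so display variants compare equal."""
    return re.sub(r"[^0-9a-f]", "", thumbprint.lower())


def verify_thumbprint(dump_text: str, expected: str, algo: str = "sha1") -> bool:
    """True when the certificate in dump_text hashes to the expected thumbprint.
    Run this against the value read from the issuing ASA before the certificate
    is accepted as a trustpoint on another device."""
    actual = normalize(asa_thumbprint(der_from_base64_dump(dump_text), algo))
    return hmac.compare_digest(actual, normalize(expected))


if __name__ == "__main__":
    expected = asa_thumbprint(der_from_base64_dump(SAMPLE_CERT_B64))
    print("expected  :", expected)
    print("wrapped ok:", verify_thumbprint(WRAPPED_DUMP, expected))
    print("wrong     :", verify_thumbprint(WRAPPED_DUMP, "00000000 " * 5))
```

Paste the base-64 body from the issuing ASA into dump_text and the thumbprint line from its show crypto ca server output into expected; a False result means the blob in hand is not the certificate the CA printed and must not be imported.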

Page 978: ...ef 14f9e6ac eca141e4 276d7358 f7f50d13 79020301 0001 Key pair was generated at: 16:34:54 central Feb 10 2010 The following example shows the local CA CRL: hostname(config)# show crypto ca server crl Certificate Revocation List: Issuer: cn=xx5520-1-3-2007-1 This Update: 13:32:53 UTC Jan 4 2010 Next Update: 13:32:53 UTC Feb 3 2010 Number of CRL entries: 2 CRL size: 270 bytes Revoked Certificates: Serial Number...

Page 979: ...certificates provide digital identification for authentication A digital certificate includes information that identifies a device or user such as the name serial number company department or IP address CAs are trusted authorities that sign certificates to verify their authenticity thereby guaranteeing the identity of the device or user CAs issue digital certificates in the context of a PKI which ...

Page 980: ...wn otp expiration timeout renewal-reminder time show crypto ca server show crypto ca server cert-db [user username | allowed | enrolled | expired | on-hold] [serial certificate-serial-number] show crypto ca server certificate show crypto ca server crl show crypto ca server user-db [expired | allowed | on-hold | enrolled] show crypto key name-of-key show running-config shutdown SCEP proxy 8.4(1) We introduced this feat...

Page 981: PART 2: Configuring Access Control

Page 983: ...and EtherType rules for Layer 2 traffic To access the ASA interface for management access you do not also need an access rule allowing the host IP address You only need to configure management access according to Chapter 1 Configuring Management Access Information About Access Rules You create an access rule by applying an extended or EtherType access list to an interface or globally for all inter...

Page 984: ...affic are allowed through by default Unicast IPv4 traffic from a higher security interface to a lower security interface Unicast IPv6 traffic from a higher security interface to a lower security interface ARPs in both directions Note ARP traffic can be controlled by ARP inspection but cannot be controlled by an access rule BPDUs in both directions For other traffic you need to use either an extend...

Page 985: ...e global rule is processed. See the following order of operations: 1. Interface access rule; 2. Global access rule; 3. Implicit deny. Inbound and Outbound Rules: The ASA supports two types of access lists. Inbound: Inbound access rules apply to traffic as it enters an interface. Global access rules are always inbound. Outbound: Outbound access lists apply to traffic as it exits an interface. Note: Inbound and out...

Page 986: ...cess rules and includes the following topics: Access Rules for Returning Traffic, page 1-4; Allowing Broadcast and Multicast Traffic through the Transparent Firewall Using Access Rules, page 1-5; Management Access Rules, page 1-5. Access Rules for Returning Traffic: For TCP and UDP connections, for both routed and transparent mode, you do not need an access rule to allow returning traffic because the ASA al...

Page 987: ...both interfaces so returning traffic is allowed through. Table 1-1 lists common traffic types that you can allow through the transparent firewall. Management Access Rules: You can configure access rules that control management traffic destined to the ASA. Access control rules for to-the-box management traffic (defined by such commands as http, ssh, or telnet) have higher precedence than a management acce...

Page 988: ...herTypes are connectionless you need to apply the rule to both interfaces if you want traffic to pass in both directions Allowing MPLS If you allow MPLS ensure that Label Distribution Protocol and Tag Distribution Protocol TCP connections are established through the ASA by configuring both MPLS routers connected to the ASA to use the IP address on the ASA interface as the router id for LDP or TDP ...

Page 989: ...mix of IPv4 and IPv6 addresses Per User Access List Guidelines If there is no per user access list associated with a packet the interface access rule is applied The per user access list uses the value in the timeout uauth command but it can be overridden by the AAA per user session timeout value If traffic is denied because of a per user access list syslog message 109025 is logged If traffic is pe...

Page 990: ...o the outbound traffic. Specify the interface name. The per-user-override keyword (for inbound access lists only) allows dynamic user access lists that are downloaded for user authorization to override the access list assigned to the interface. For example, if the interface access list denies all traffic from 10.0.0.0 but the dynamic access list permits all traffic from 10.0.0.0, then the dynamic access ...

Page 991: ...d permit ip host 209.168.200.4 any
hostname(config)# access-group ANY in interface inside
hostname(config)# access-group ANY in interface hr
hostname(config)# access-group OUT out interface outside
For example, the following sample access list allows common EtherTypes originating on the inside interface:
hostname(config)# access-list ETHER ethertype permit ipx
hostname(config)# access-list ETHER ethertype per...
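The three-stage order of operations on page 985 (interface rule, then global rule, then implicit deny) and the per-user-override behaviour on page 990 are easy to state and easy to get wrong when reading a real policy: a deny matched by the interface ACL is final even if a global ACL would have permitted the flow, and the global ACL is consulted only when the interface ACL has no matching entry at all. The following Python model is an added example, not code from the guide or from Cisco. The ACE and Packet types, the sample ACLs and every address in them are constructed. The guide describes only the override case; the non-override handling used here (the interface ACL still applies and a downloaded per-user ACL must also permit) is an assumption of the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ACE:
    """One access control entry in the shape of an ASA extended ACE."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every IP protocol; otherwise "tcp", "udp", "icmp"
    src: str                     # CIDR network; "0.0.0.0/0" stands for "any"
    dst: str
    dport: Optional[int] = None  # destination port ("eq"); None means any port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def ace_matches(ace: ACE, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(ace.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(ace.dst):
        return False
    return ace.dport is None or ace.dport == pkt.dport


def first_match(acl: List[ACE], pkt: Packet) -> Optional[str]:
    """ACLs are first-match: the first ACE that matches decides; later ACEs never run."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return None


def evaluate(pkt: Packet, interface_acl: List[ACE], global_acl: List[ACE],
             per_user_acl: Optional[List[ACE]] = None,
             per_user_override: bool = False) -> Tuple[str, str]:
    """Decide a packet entering an interface in the guide's order:
    1. interface access rule, 2. global access rule, 3. implicit deny.
    Assumption for per-user (downloaded) ACLs: with per-user-override the
    downloaded ACL takes the place of the interface ACL for that user's traffic;
    without it the interface ACL applies and the per-user ACL must also permit."""
    if per_user_acl is not None and per_user_override:
        decision = first_match(per_user_acl, pkt)
        if decision is not None:
            return decision, "per-user ACL (override)"
    else:
        decision = first_match(interface_acl, pkt)
        if decision is not None:
            if decision == "permit" and per_user_acl is not None \
                    and first_match(per_user_acl, pkt) != "permit":
                return "deny", "per-user ACL"
            return decision, "interface ACL"
    # Reached only when the interface (or overriding per-user) ACL had no matching entry.
    decision = first_match(global_acl, pkt)
    if decision is not None:
        return decision, "global ACL"
    return "deny", "implicit deny"


ANY = "0.0.0.0/0"
# Constructed sample policy: the interface ACL has no catch-all entry, so unmatched
# traffic falls through to the global ACL and then to the implicit deny.
INSIDE_ACL = [ACE("deny", "ip", "10.0.0.0/8", ANY), ACE("permit", "tcp", ANY, ANY, 22)]
GLOBAL_ACL = [ACE("permit", "tcp", ANY, ANY, 443)]
USER_ACL = [ACE("permit", "ip", "10.0.0.0/8", ANY)]   # downloaded for an authorized user


def run_scenarios() -> Dict[str, Tuple[str, str]]:
    https_from_10 = Packet("tcp", "10.1.1.1", "203.0.113.5", 443)
    https_from_192 = Packet("tcp", "192.0.2.10", "203.0.113.5", 443)
    dns_from_192 = Packet("udp", "192.0.2.10", "203.0.113.5", 53)
    return {
        # the interface deny wins even though the global ACL would permit port 443
        "interface deny is final": evaluate(https_from_10, INSIDE_ACL, GLOBAL_ACL),
        "per-user-override": evaluate(https_from_10, INSIDE_ACL, GLOBAL_ACL, USER_ACL, True),
        "per-user without override": evaluate(https_from_10, INSIDE_ACL, GLOBAL_ACL, USER_ACL, False),
        "falls to global": evaluate(https_from_192, INSIDE_ACL, GLOBAL_ACL),
        "implicit deny": evaluate(dns_from_192, INSIDE_ACL, GLOBAL_ACL),
    }


if __name__ == "__main__":
    for name, (decision, stage) in run_scenarios().items():
        print(f"{name:28s} -> {decision:6s} ({stage})")
```

The second stage tag returned by evaluate is the useful part when auditing a policy: it tells you which ACL actually decided, so a permit that should come from a tight interface ACL but is in fact coming from a broad global ACL stands out.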

Page 992: ...elease in which it was implemented. Table 1-2 Feature History for Access Rules: Feature Name / Platform Releases / Feature Information. Interface access rules, 7.0(1): Controlling network access through the ASA using access lists. We introduced the following command: access-group. Global access rules, 8.3(1): Global access rules were introduced. We modified the following command: access-group. Support for Identity F...

Page 993: ...Pv6-specific ACLs are deprecated. Existing IPv6 ACLs are migrated to extended ACLs. See the release notes for more information about migration. We modified the following commands: access-list extended, access-list webtype. We removed the following commands: ipv6 access-list, ipv6 access-list webtype, ipv6-vpn-filter. Extended ACL and object enhancement to filter ICMP traffic by ICMP code, 9.0(1): ICMP traffic c...

Page 994: (blank page; running header only: 1-12, Cisco ASA Series CLI Configuration Guide, Chapter 1 Configuring Access Rules, Feature History for Access Rules)

Page 995: ...page 1-33 Note: To access the ASA interface for management access, you do not also need an access list allowing the host IP address. You only need to configure management access according to the sections in this chapter. Configuring ASA Access for ASDM, Telnet, or SSH This section describes how to allow clients to access the ASA using ASDM, Telnet, or SSH and includes the following topics: Licensing Requir...

Page 996: ...h a VPN connection. See the Configuring Management Access Over a VPN Tunnel section on page 1-13. The ASA allows: A maximum of 5 concurrent Telnet connections per context, if available, with a maximum of 100 connections divided among all contexts. A maximum of 5 concurrent SSH connections per context, if available, with a maximum of 100 connections divided among all contexts. A maximum of 5 concurrent ASDM...

Page 997: ...work to access the ASA on the inside interface: hostname(config)# telnet 192.168.3.0 255.255.255.0 inside Using a Telnet Client: To gain access to the ASA CLI using Telnet, enter the login password set by the password command. (9.0(2) and later) The default Telnet login password was removed; you must manually set the password before using Telnet. See the Setting the Login Password section on page 16-2. Comman...

Page 998: ...ole LOCAL Enables local authentication for SSH access. You can alternatively configure authentication using a AAA server; see the Configuring Authentication for CLI and ASDM Access section on page 1-20 for more information. Step 4 username username password password Creates a user in the local database that can be used for SSH access. Step 5 ssh source_IP_address mask source_interface Example: hostname...

Page 999: ...30 The following example shows how to allow all users on the 192.168.3.0 network to access the ASA on the inside interface: hostname(config)# ssh 192.168.3.0 255.255.255.0 inside Using an SSH Client: In the SSH client on your management host, enter the username and password that you configured in the Configuring SSH Access section on page 1-4. When starting an SSH session, a dot displays on the ASA conso...

Page 1000: ... shows how to allow all users on the 192.168.3.0 network to access ASDM on the inside interface: hostname(config)# http 192.168.3.0 255.255.255.0 inside Configuring CLI Parameters This section includes the following topics: Licensing Requirements for CLI Parameters, page 1-7; Guidelines and Limitations, page 1-7; Configuring a Login Banner, page 1-7; Customizing a CLI Prompt, page 1-8; Changing the Console Ti...

Page 1001: ...ser enters privileged EXEC mode Restrictions After a banner is added Telnet or SSH sessions to ASA may close if There is not enough system memory available to process the banner message s A TCP write error occurs when trying to display banner message s Guidelines From a security perspective it is important that your banner discourage unauthorized access Do not use the words welcome or please as th...

Page 1002: ...the day motd when a user logs in login and when a user accesses privileged EXEC mode exec When a user connects to the ASA the message of the day banner appears first followed by the login banner and prompts After the user successfully logs in to the ASA the exec banner appears To add more than one line precede each line by the banner command For the banner text Spaces are allowed but tabs cannot b...

Page 1003: ... is enabled and the unit is actively passing traffic stby Failover is enabled and the unit is not passing traffic and is in a standby failed or another inactive state actNoFailover Failover is not enabled and the unit is actively passing traffic stbyNoFailover Failover is not enabled and the unit is not passing traffic This condition might occur when there is an interface failure above the thresho...

Page 1004: ...es and informational messages like ICMP echo request and reply messages. Additionally, ICMP packets in IPv6 are used in the IPv6 neighbor discovery process and path MTU discovery. We recommend that you always grant permission for the ICMP unreachable message type (type 3). Denying ICMP unreachable messages disables ICMP path MTU discovery, which can halt IPsec and PPTP traffic. See RFC 1195 and RFC 1435 f...

Page 1005: ...nsparent firewall mode IPv6 Guidelines Supports IPv6 Additional Guidelines The ASA does not respond to ICMP echo requests directed to a broadcast address The ASA only responds to ICMP traffic sent to the interface that traffic comes in on you cannot send ICMP traffic through an interface to a far interface If you cannot ping the ASA interface make sure that you enable ICMP to the ASA for your IP a...

Page 1006: ...00:0:0:4::2 or hosts on prefix 2001::/64 to ping the outside interface:
hostname(config)# ipv6 icmp permit host 2000:0:0:4::2 echo-reply outside
hostname(config)# ipv6 icmp permit 2001::/64 echo-reply outside
hostname(config)# ipv6 icmp permit any packet-too-big outside
Command Purpose: For IPv4: icmp {permit | deny} {host ip_address | ip_address mask | any} [icmp_type] interface_name Example: hostname(config)# icmp deny host ...
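Pages 996 through 1006 spread the to-the-box management rules over several commands (telnet, ssh, http, banner, icmp), and page 1027 adds that from 8.4(2) SSH only works once aaa authentication ssh console is configured. A practitioner reviewing a running-config wants those checks in one place. The following Python audit is an added example and not a Cisco tool or code from the guide; it walks a configuration text and flags Telnet (a cleartext protocol), management access open to any source (0.0.0.0 0.0.0.0, the pattern the page 1037 example uses), management access bound to the outside interface, ssh without the AAA line, a banner that uses the words the page 1001 guidelines warn against, and an interface whose icmp rules leave ICMP unreachable (type 3) denied, which page 1004 says breaks path MTU discovery. Both configuration fragments are constructed for the demo. The audit treats an interface with no icmp rules as unrestricted, which is the ASA default, and only checks the IPv4 forms of the access commands.

```python
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (code, message)

# Constructed running-config fragments for the demo (not taken from the guide).
WEAK_CONFIG = """
hostname asa-lab
banner login Welcome to asa-lab, please log in
telnet 192.168.3.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.3.0 255.255.255.0 inside
http server enable
http 0.0.0.0 0.0.0.0 inside
icmp permit any echo inside
icmp deny any inside
"""

HARDENED_CONFIG = """
hostname asa-lab
banner login Unauthorized access is prohibited and monitored
aaa authentication ssh console LOCAL
ssh 192.168.3.0 255.255.255.0 inside
http server enable
http 192.168.3.0 255.255.255.0 inside
icmp permit 192.168.3.0 255.255.255.0 echo inside
icmp permit any unreachable inside
"""


def parse_icmp(tok: List[str]) -> Tuple[str, str, str, str]:
    """icmp {permit | deny} {host ip | ip mask | any} [icmp_type] interface_name
    -> (action, source, icmp_type or "", interface)."""
    action, rest = tok[1], tok[2:]
    if rest[0] == "host":
        src, rest = rest[1], rest[2:]
    elif rest[0] == "any":
        src, rest = "any", rest[1:]
    else:
        src, rest = rest[0] + " " + rest[1], rest[2:]
    icmp_type = rest[0] if len(rest) == 2 else ""
    return action, src, icmp_type, rest[-1]


def unreachable_allowed_from_any(rules) -> bool:
    """First match for an ICMP unreachable (type 3) from an arbitrary source.
    Rules scoped to a host or subnet cannot decide for every router on the path,
    so they are skipped; once an interface has any icmp rule, no match is an implicit deny."""
    for action, src, icmp_type, _ in rules:
        if src == "any" and icmp_type in ("", "unreachable"):
            return action == "permit"
    return False


def audit(config: str) -> List[Finding]:
    findings: List[Finding] = []
    icmp_rules: Dict[str, list] = {}
    ssh_seen = ssh_aaa = False
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        # IPv4 forms only: "telnet|ssh|http <net> <mask> <interface>"
        if tok[0] in ("telnet", "ssh", "http") and len(tok) == 4:
            proto, net, mask, iface = tok
            if proto == "telnet":
                findings.append(("TELNET", f"telnet from {net} {mask} on {iface}: cleartext protocol, use SSH"))
            if proto == "ssh":
                ssh_seen = True
            if (net, mask) == ("0.0.0.0", "0.0.0.0"):
                findings.append(("ANY_SOURCE", f"{proto} on {iface} accepts any source address"))
            if iface == "outside":
                findings.append(("OUTSIDE", f"{proto} management access exposed on the outside interface"))
        elif tok[:4] == ["aaa", "authentication", "ssh", "console"]:
            ssh_aaa = True
        elif tok[0] == "banner" and len(tok) > 2:
            text = " ".join(tok[2:]).lower()
            if "welcome" in text or "please" in text:
                findings.append(("BANNER", f"{tok[1]} banner uses 'welcome' or 'please'"))
        elif tok[0] == "icmp" and len(tok) >= 4:
            rule = parse_icmp(tok)
            icmp_rules.setdefault(rule[3], []).append(rule)
    if ssh_seen and not ssh_aaa:
        findings.append(("SSH_NO_AAA", "ssh configured without 'aaa authentication ssh console'"))
    # Interfaces with no icmp rules stay unrestricted (ASA default); only interfaces
    # carrying icmp rules are checked against the type 3 recommendation.
    for iface, rules in icmp_rules.items():
        if not unreachable_allowed_from_any(rules):
            findings.append(("ICMP_UNREACH", f"{iface}: ICMP unreachable (type 3) not permitted, path MTU discovery breaks"))
    return findings


def finding_codes(config: str) -> List[str]:
    return sorted({code for code, _ in audit(config)})


if __name__ == "__main__":
    for code, msg in audit(WEAK_CONFIG):
        print(f"[{code}] {msg}")
    print("hardened:", audit(HARDENED_CONFIG) or "no findings")
```

Feed it the output of show running-config; the hardened fragment shows the shape the checks are looking for: no telnet line, a specific source network on ssh and http, the AAA line for SSH, a banner that does not invite the reader in, and an explicit icmp permit any unreachable ahead of the interface's implicit deny.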

Page 1007: ...age 1-13; Guidelines and Limitations, page 1-2; Configuring a Management Interface, page 1-14. Licensing Requirements for a Management Interface: The following table shows the licensing requirements for this feature. Guidelines and Limitations: This section includes the guidelines and limitations for this feature. Context Mode Guidelines: Supported in single mode. Firewall Mode Guidelines: Supported in routed...

Page 1008: ...ut AAA for System Administrators, page 1-14; Licensing Requirements for AAA for System Administrators, page 1-18; Prerequisites, page 1-18; Guidelines and Limitations, page 1-19; Default Settings, page 1-19; Configuring Authentication for CLI and ASDM Access, page 1-20; Configuring Authentication to Access Privileged EXEC Mode (the enable Command), page 1-20; Limiting User CLI and ASDM Access with Management Auth...

Page 1009: ...ation If you configure enable authentication see the Configuring Authentication to Access Privileged EXEC Mode the enable Command page 1 20 the ASA prompts you for your username and password again This feature is particularly useful when you perform command authorization in which usernames are important in determining the commands that a user can enter For enable authentication using the local dat...

Page 1010: ... ASA places you in level 15. You can then create enable passwords for every level so that when you enter enable n (2 to 15), the ASA places you in level n. These levels are not used unless you enable local command authorization (see the Configuring Local Command Authorization section on page 1-24). See the command reference for more information about the enable command. TACACS+ server privilege levels: On th...

Page 1011: ... than for the user in the previous context session This behavior also affects command accounting which is useful only if you can accurately associate each command that is issued with a particular administrator Because all administrators with permission to use the changeto command can use the enable_15 username in other contexts command accounting records may not readily identify who was logged in ...

Page 1012: ... CLI and ASDM Access section on page 1 20 enable authentication is essential for maintaining the username after the user accesses the enable command Alternatively you can use the login command which is the same as the enable command with authentication for the local database only which requires no configuration We do not recommend this option because it is not as secure as enable authentication Yo...

Page 1013: ...idelines Supported in single and multiple context mode. Firewall Mode Guidelines: Supported in routed and transparent firewall mode. IPv6 Guidelines: Supports IPv6. Default Settings: Default Command Privilege Levels: By default, the following commands are assigned to privilege level 0; all other commands are assigned to privilege level 15: show checksum, show curpriv, enable, help, show history, login, logout, pag...

Page 1014: ... For the ASASM this keyword also affects the session from the switch using the session command For multiple mode access see the Authenticating Sessions from the Switch to the ASA Services Module section on page 1 15 The ssh keyword controls SSH access The SSH default usernames asa and pix are no longer supported The http keyword controls ASDM access The serial keyword controls console port access ...

Page 1015: ...and authorization. Without command authorization, users can access privileged EXEC mode and all commands at the CLI using their own password if their privilege level is 2 or greater (2 is the default). Alternatively, you can use a AAA server for authentication, or you can set all local users to level 1 so you can control who can use the system enable password to access privileged EXEC mode. To log in as a...

Page 1016: ...ion. If you configure CLI or enable authentication, you can limit a local user, RADIUS, TACACS+, or LDAP user (if you map LDAP attributes to RADIUS attributes) from accessing the CLI, ASDM, or the enable command. Note: Serial access is not included in management authorization, so if you configure the aaa authentication serial console command, then any user who authenticates can access the console port ...

Page 1017: ...thentication console commands (excluding the serial keyword; serial access is allowed). Remote access IPsec and SSL users can still authenticate and terminate their remote access sessions. Configure Cisco VSA CVPN3000-Privilege-Level with a value between 0 and 15, and then map the LDAP attributes to Cisco VSA CVPN3000-Privilege-Level using the ldap map-attributes command. For more information, see the Con...

Page 1018: ...use one of two command authorization methods: Local privilege levels; TACACS+ server privilege levels. For more information about command authorization, see the Information About Command Authorization section on page 1-16. This section includes the following topics: Configuring Local Command Authorization, page 1-24; Viewing Local Command Privilege Levels, page 1-28; Configuring Commands on the TACACS+ Server...

Page 1019: ...m Administrators The ASA supports user privilege levels defined in the local database, a RADIUS server, or an LDAP server (if you map LDAP attributes to RADIUS attributes). See the Configuring LDAP Attribute Maps section on page 1-20. To configure local command authorization, perform the following steps: Detailed Steps ...

Page 1020: ...either as the unmodified command (without the show or clear prefix) or as the no form. If you do not use one of these keywords, all forms of the command are affected. level level: A level between 0 and 15. mode {enable | configure}: If a command can be entered in user EXEC or privileged EXEC mode as well as configuration mode, and the command performs different actions in each mode, you can set the privilege le...

Page 1021: ...enable The following example shows an additional command, the configure command, which uses the mode keyword: hostname(config)# privilege show level 5 mode cmd command configure Step 2 aaa authorization exec authentication-server Example: hostname(config)# aaa authorization exec authentication-server Supports administrative user privilege levels from RADIUS. Enforces user-specific access levels for users w...

Page 1022: ...ge configure level 15 command aaa server privilege show level 15 command access group privilege clear level 15 command access group privilege configure level 15 command access group privilege show level 15 command access list privilege clear level 15 command access list privilege configure level 15 command access list privilege show level 15 command activation key privilege configure level 15 comm...
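Local command authorization, as pages 1013 through 1022 describe it, is a table: each command has a show form, a clear form and a cmd form (the unmodified command and its no form), each form has a level, the page 1013 list sits at level 0 and everything else defaults to 15, and a mode keyword lets one form carry different levels in different modes. The following Python class is an added example and not Cisco code or code from the guide; it builds that table from privilege lines in the format show running-config privilege all prints above and answers whether a user at a given level may enter a given command line. The privilege lines in demo(), apart from the guide's own mode example, are constructed; mode values are treated as opaque labels, and matching a typed line to a table entry by the longest prefix of command words is an assumption of the model.

```python
from typing import Dict, Optional, Tuple

FORMS = ("show", "clear", "cmd")
DEFAULT_LEVEL = 15
# Commands the guide lists at privilege level 0 by default; everything else is 15.
LEVEL0 = {
    ("show", "checksum"), ("show", "curpriv"), ("cmd", "enable"), ("cmd", "help"),
    ("show", "history"), ("cmd", "login"), ("cmd", "logout"), ("cmd", "pager"),
    ("show", "pager"), ("clear", "pager"), ("cmd", "quit"), ("show", "version"),
}


class PrivilegeTable:
    """Local command authorization table built from 'privilege' lines."""

    def __init__(self) -> None:
        # key: (form, command, mode) -> level; mode None applies in every mode
        self.levels: Dict[Tuple[str, str, Optional[str]], int] = {}

    def add(self, line: str) -> None:
        """Parse: privilege [show|clear|cmd|configure] level N [mode M] command CMD.
        'configure' is the name the running-config listing prints for the cmd form.
        Omitting the form sets all three forms at once."""
        tok = line.split()
        if tok[0] != "privilege":
            raise ValueError(line)
        i, form, mode = 1, None, None
        if tok[i] in FORMS + ("configure",):
            form = "cmd" if tok[i] == "configure" else tok[i]
            i += 1
        if tok[i] != "level":
            raise ValueError(line)
        level, i = int(tok[i + 1]), i + 2
        if tok[i] == "mode":
            mode, i = tok[i + 1], i + 2
        if tok[i] != "command":
            raise ValueError(line)
        cmd = " ".join(tok[i + 1:])
        for f in ([form] if form else FORMS):
            self.levels[(f, cmd, mode)] = level

    @staticmethod
    def classify(command_line: str) -> Tuple[str, str]:
        """Map a typed line to (form, command words): 'show X' -> show, 'clear X' -> clear,
        'no X' and the bare command -> cmd (the no form follows the cmd entry)."""
        tok = command_line.split()
        if tok[0] in ("show", "clear"):
            return tok[0], " ".join(tok[1:])
        if tok[0] == "no":
            return "cmd", " ".join(tok[1:])
        return "cmd", " ".join(tok)

    def required_level(self, form: str, cmd: str, mode: str) -> int:
        """Longest-prefix match on the command words; a mode-specific entry beats a generic one."""
        best_rank, best_level = None, None
        for (f, key, m), level in self.levels.items():
            if f != form or m not in (None, mode):
                continue
            if cmd == key or cmd.startswith(key + " "):
                rank = (len(key), 1 if m == mode else 0)
                if best_rank is None or rank > best_rank:
                    best_rank, best_level = rank, level
        if best_level is not None:
            return best_level
        first = cmd.split()[0] if cmd else ""
        return 0 if (form, first) in LEVEL0 else DEFAULT_LEVEL

    def authorized(self, user_level: int, command_line: str, mode: str = "enable") -> bool:
        form, cmd = self.classify(command_line)
        return user_level >= self.required_level(form, cmd, mode)


def demo() -> Dict[str, bool]:
    table = PrivilegeTable()
    for line in (
        "privilege show level 5 command access-list",        # constructed
        "privilege clear level 10 command access-list",      # constructed
        "privilege configure level 15 command access-list",  # listing format from the guide
        "privilege show level 5 mode cmd command configure",  # the guide's mode example
    ):
        table.add(line)
    return {
        "level 5 show access-list": table.authorized(5, "show access-list OUT"),
        "level 5 clear access-list": table.authorized(5, "clear access-list OUT counters"),
        "level 10 no access-list": table.authorized(10, "no access-list OUT extended permit ip any any"),
        "level 0 show version": table.authorized(0, "show version"),
        "level 0 show running-config": table.authorized(0, "show running-config"),
        "level 5 show configure in cmd mode": table.authorized(5, "show configure", mode="cmd"),
        "level 5 show configure in configure mode": table.authorized(5, "show configure", mode="configure"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:42s} {'allowed' if ok else 'denied'}")
```

The asymmetry in the demo is the point of the three forms: a level-5 operator can read the access lists but cannot clear their counters, and even a level-10 user cannot remove an entry, because the no form is governed by the cmd (configure) entry and that stays at 15.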

Page 1023: ...ou do not explicitly deny by checking the Permit Unmatched Args check box For example you can configure just the show command and then all the show commands are allowed We recommend using this method so that you do not have to anticipate every variant of a command including abbreviations and a question mark which shows CLI usage For commands that are a single word you must permit unmatched argumen...

Page 1024: ...and another to interface 2 You can also configure local command authorization as a fallback method if the TACACS server is unavailable In this case you need to configure local users and command privilege levels according to procedures listed in the Configuring Command Authorization section on page 1 24 To configure TACACS command authorization enter the following command Detailed Steps Configuring...

Page 1025: ...d server group protocols are RADIUS and TACACS+. Step 2 aaa accounting command [privilege level] server-tag Example: hostname(config)# aaa accounting command privilege 15 group_1 Enables command accounting. Only TACACS+ servers support command accounting. Where privilege level is the minimum privilege level and server-tag is the name of the TACACS+ server group to which the ASA should send command accounting...

Page 1026: ...mmands 2 Configure the local database as a fallback method so you do not get locked out when the server is down 1 If the server is unreachable because the network configuration is incorrect on the ASA session into the ASA from the switch From the system execution space you can change to the context and reconfigure your network settings 2 Configure the local database as a fallback method so you do ...

Page 1027: ...ommand LOCAL aaa accounting serial telnet ssh enable console show curpriv aaa accounting command privilege Increased SSH security; the SSH default username is no longer supported, 8.4(2): Starting in 8.4(2), you can no longer connect to the ASA using SSH with the pix or asa username and the login password. To use SSH, you must configure AAA authentication using the aaa authentication ssh console LOCAL com...

Page 1028: (blank page; running header only: 1-34, Cisco ASA Series CLI Configuration Guide, Chapter 1 Configuring Management Access, Feature History for Management Access)

Page 1029: ...pt Traffic from Authentication and Authorization, page 1-23; Feature History for AAA Rules, page 1-25. AAA Performance: The ASA uses cut-through proxy to significantly improve performance compared to a traditional proxy server. The performance of a traditional proxy server suffers because it analyzes every packet at the application layer of the OSI model. The ASA cut-through proxy challenges a user initi...

Page 1030: ...ing Authentication for Network Access This section includes the following topics: Information About Authentication, page 1-2; Configuring Network Access Authentication, page 1-7; Enabling Secure Authentication of Web Clients, page 1-10; Authenticating Directly with the ASA, page 1-11. Information About Authentication: The ASA lets you configure network access authentication using AAA servers. This section in...

Page 1031: ...tion prompt You can optionally configure the ASA to redirect users to an internal web page where they can enter their username and password configured with the aaa authentication listener command For HTTPS the ASA generates a custom login screen You can optionally configure the ASA to redirect users to an internal web page where they can enter their username and password configured with the aaa au...

Page 1032: ...ntity firewall to allow these types of authentication in connection with identity-based access policies. Figure 1-1 shows a deployment to support a cut-through proxy authentication captive portal. Active Directory servers and the AD Agent are installed on the main site LAN. However, the identity firewall is configured to support authentication of clients that are not part of the Active Directory domai...

Page 1033: ...res or a valid user has not yet logged into AD For example for any user without a valid login you can trigger a AAA rule To ensure that the AAA rule is only triggered for users that do not have valid logins you can specify special usernames in the extended ACL that are used for the access rule and for the AAA rule None users without a valid login and Any users with a valid login In the access rule...

Page 1034: ...apped-server ftp ftp object network internal nat (inside,outside) dynamic mapped-server The second line ensures that all PAT bindings are accounted for. This accounting is necessary to avoid connection failure from port collision. As the mapped address is placed under dynamic PAT, any additional service that is to be accessed through the mapped address must also be explicitly configured. For example...

Page 1035: ...s see Chapter 1 Adding an Extended Access Control List If you specify identity firewall arguments in the ACL then the following keywords in the ACL are specifically relevant to AAA rules The keywords user group any and user group none can be specified to support cut through proxy authentication any The access list matches any IP addresses that has already been associated with any users none The ac...

Page 1036: ...lnet hostname(config)# aaa authentication match TELNET_AUTH outside AuthInbound Step 4 aaa authentication listener http[s] interface_name [port portnum] [redirect] Example: hostname(config)# aaa authentication listener http inside redirect (Optional) Enables the redirection method of authentication for HTTP or HTTPS connections. The interface_name argument is the interface on which you want to enable listening...

Page 1037: ...name(config)# http server enable
hostname(config)# http 0.0.0.0 0.0.0.0 inside
hostname(config)#
hostname(config)# auth-prompt prompt Enter Your Authentication
hostname(config)# auth-prompt accept You are Good
hostname(config)# auth-prompt reject Goodbye
In this example, the following guidelines apply: In access-list commands, you should configure permit user NONE rules before entering the access-list 100 ex den...

Page 1038: ...se this method alone or in conjunction with either of the other methods so you can maximize your security After enabling this feature when a user requires authentication when using HTTP the ASA redirects the HTTP user to an HTTPS prompt After you authenticate correctly the ASA redirects you to the original HTTP URL Secured web client authentication has the following limitations A maximum of 64 con...

Page 1039: ...section on page 1 7 the ASA uses basic HTTP authentication by default To continue to use basic HTTP authentication and to enable direct authentication for HTTP and HTTPS enter the following command If the destination HTTP server requires authentication in addition to the ASA then to authenticate separately with the ASA via a AAA server and with the HTTP server enter the following command Command P...

Page 1040: ...name and password. Because the username and password are not included in the HTTP packet, the HTTP server prompts the user separately for the HTTP server username and password. For inbound users (from lower security to higher security), you must also include the virtual HTTP address as a destination interface in the access list applied to the source interface. In addition, you must add a static NAT comman...

Page 1041: ...d | Purpose
virtual telnet ip_address
Example: hostname(config)# virtual telnet 209.165.202.129
Configures a virtual Telnet server. The ip_address argument sets the IP address for the virtual Telnet server. Make sure this address is an unused address that is routed to the ASA. You must configure authentication for Telnet access to the virtual Telnet address as well as the other services that you want to a...

Page 1042: ...is is because each authorization rule that you enter can specify only one source and destination subnet and service, whereas an access list can include many entries. Authentication and authorization statements are independent; however, any unauthenticated traffic matched by an authorization rule will be denied. For authorization to succeed: 1. A user must first authenticate with the ASA. Because a user at...

Page 1043: ...terface_name server_group
Example: hostname(config)# aaa authentication match MAIL_AUTH inside AuthOutbound
Configures authentication. The acl_name argument is the name of the access list that you created in Step 2. The interface_name argument is the name of the interface specified with the nameif command, and the server_group argument is the AAA server group that you created in Step 1. Note: You can alte...

Page 1044: ... TELNET_AUTH extended permit tcp any any eq telnet
Create an access list that identifies the source addresses and destination addresses of traffic that you want to authorize. For instructions, see Chapter 1, Adding an Extended Access Control List. The permit ACEs mark matching traffic for authorization, while deny entries exclude matching traffic from authorization. The access list that you use for auth...

Page 1045: ...ces, be aware of the following effects of the per-user-override keyword on authorization by user-specific access lists: Without the per-user-override keyword, traffic for a user session must be permitted by both the interface access list and the user-specific access list. With the per-user-override keyword, the user-specific access list determines what is permitted. For more information, see the access-g...

Page 1046: ...ncludes the date and time that it was last modified. Matching the name sent by Cisco Secure ACS to the name of an access list previously downloaded means that the ASA has the most recent version of the downloadable access list. If the ASA has not previously received the named downloadable access list, it may have an out-of-date version of the access list, or it may not have downloaded any version of t...

Page 1047: ...ntil Cisco Secure ACS sends the last of the access list in an access-accept message. Configuring Cisco Secure ACS for Downloadable Access Lists: You can configure downloadable access lists on Cisco Secure ACS as a shared profile component and then assign the access list to a group or to an individual user. The access list definition consists of one or more ASA commands that are similar to the extende...

Page 1048: ... that are similar to the access-list extended command (see command reference), except that you replace the following command prefix: access-list acl_name extended with the following text: ip:inacl#nnn=. The nnn argument is a number in the range from 0 to 999999999 that identifies the order of the command statement to be configured on the ASA. If this parameter is omitted, the sequence value is 0, and the or...

Page 1049: ...g the configuration of the downloadable access lists on the RADIUS server. You configure access list netmask conversion on a per-server basis using the acl-netmask-convert command, available in the aaa-server configuration mode. For more information about configuring a RADIUS server, see the Configuring AAA Server Groups section on page 1-11. For more information about the acl-netmask-convert command, s...
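As an added example (not from the guide), the following Python script shows the two transformations described above: rewriting extended ACEs into the ip:inacl#nnn= form that Cisco Secure ACS sends, and the three acl-netmask-convert interpretations (standard, wildcard, auto-detect) applied to the masks in a downloaded entry. The ACL lines, the sequence numbering, and the treatment of masks valid in both notations as standard are assumptions.

```python
import ipaddress
import re

# Constructed sample: three ACEs of an ASA extended access list as they appear
# in the running configuration (not taken from the guide).
SAMPLE_ASA_ACL = [
    "access-list ACL_WEB extended permit tcp any host 209.165.201.1 eq 80",
    "access-list ACL_WEB extended permit udp 192.168.1.0 255.255.255.0 any eq 53",
    "access-list ACL_WEB extended deny ip any any",
]

ACE_PREFIX = re.compile(r"^access-list\s+(\S+)\s+extended\s+(.+)$")
DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def to_downloadable_acl(acl_lines, start=10, step=10):
    """Rewrite each 'access-list NAME extended <ace>' line into the
    'ip:inacl#nnn=<ace>' form that Cisco Secure ACS sends in a RADIUS
    Access-Accept. nnn fixes the order in which the ASA installs the entries;
    a gap of 10 (an assumption) leaves room to insert entries later."""
    entries = []
    seq = start
    for line in acl_lines:
        match = ACE_PREFIX.match(line.strip())
        if not match:
            raise ValueError(f"not an extended ACE: {line!r}")
        entries.append(f"ip:inacl#{seq}={match.group(2)}")
        seq += step
    return entries


def _is_contiguous(bits):
    """True if the 32-bit value is a run of 1s followed by a run of 0s."""
    return re.fullmatch(r"1*0*", format(bits, "032b")) is not None


def mask_kind(mask):
    """Classify a dotted mask as 'standard' (255.255.255.0 style),
    'wildcard' (0.0.0.255 style), 'both' (0.0.0.0 or 255.255.255.255,
    which are valid in either notation) or 'invalid' (non-contiguous)."""
    bits = int(ipaddress.IPv4Address(mask))
    standard = _is_contiguous(bits)
    wildcard = _is_contiguous(bits ^ 0xFFFFFFFF)
    if standard and wildcard:
        return "both"
    if standard:
        return "standard"
    if wildcard:
        return "wildcard"
    return "invalid"


def invert_mask(mask):
    """Convert between wildcard and standard notation (bitwise complement)."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))


def normalize_ace(ace, mode="auto-detect"):
    """Apply one acl-netmask-convert mode to the masks in an ACE body.
    'standard': masks are taken as netmasks and left alone.
    'wildcard': every mask is a wildcard and is converted to a netmask.
    'auto-detect': a mask that is only valid as a wildcard is converted; a
    mask valid in both notations is assumed here to be standard.
    Non-contiguous masks are rejected in every mode."""
    tokens = ace.split()
    i = 0
    while i < len(tokens) - 1:
        if tokens[i] == "host":            # 'host A.B.C.D' carries no mask
            i += 2
            continue
        if DOTTED_QUAD.match(tokens[i]) and DOTTED_QUAD.match(tokens[i + 1]):
            kind = mask_kind(tokens[i + 1])
            if kind == "invalid":
                raise ValueError(f"non-contiguous mask {tokens[i + 1]} in {ace!r}")
            if mode == "wildcard" or (mode == "auto-detect" and kind == "wildcard"):
                tokens[i + 1] = invert_mask(tokens[i + 1])
            i += 2
            continue
        i += 1
    return " ".join(tokens)
```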

Page 1050: ...onfiguring Network Access Authentication section on page 1-7. If you want the ASA to provide accounting data per IP address, enabling authentication is not necessary. Creates an access list that identifies the source addresses and destination addresses of traffic for which you want accounting data. For instructions, see Chapter 1, Adding an Extended Access Control List. The permit ACEs mark matching traf...

Page 1051: ...match SERVER_AUTH inside AuthOutbound
hostname(config)# aaa accounting match SERVER_AUTH inside AuthOutbound
Using MAC Addresses to Exempt Traffic from Authentication and Authorization: The ASA can exempt from authentication and authorization any traffic from specific MAC addresses. For example, if the ASA authenticates TCP traffic originating on a particular network but you want to allow unauthenticat...

Page 1052: ...as needed with the same ID value. Because you can only use one MAC list for AAA exemption, be sure that your MAC list includes all the MAC addresses that you want to exempt. You can create multiple MAC lists, but you can only use one at a time. The order of entries matters, because the packet uses the first entry it matches, instead of a best-match scenario. If you have a permit entry and you want to deny...

Page 1053: ...re History for AAA Rules: Table 1-1 lists each feature change and the platform release in which it was implemented.
Table 1-1 Feature History for AAA Rules
Feature Name | Platform Releases | Feature Information
AAA Rules | 7.0(1) | AAA Rules describe how to enable AAA for network access. We introduced the following commands: aaa authentication match, aaa authentication include/exclude, aaa authentication listene...

Page 1054: ...1-26 Cisco ASA Series CLI Configuration Guide, Chapter 1 Configuring AAA Rules for Network Access, Feature History for AAA Rules...

Page 1055: ...cache instead of the web server. WCCP specifies interactions between the ASA and external web caches. The feature transparently redirects selected types of traffic to a group of web cache engines to optimize resource usage and lower response times. The ASA only supports WCCP Version 2. Using an ASA as an intermediary eliminates the need for a separate router to do the WCCP redirection, because the ASA...

Page 1056: ...en a cache miss happens on a cache engine and it requests data from a web server, then the contents of the traffic flow are subject to all the other configured features of the ASA. If you have two WCCP services and they use two different redirection ACLs that overlap and match the same packets, with a deny or a permit action, the packets behave according to the first service group found and installed, r...

Page 1057: ...he WCCP router ID. This address is used to establish a GRE tunnel with the cache engine. WCCP redirection is supported only on the ingress of an interface. The only topology that the ASA supports is when client and cache engine are behind the same interface of the ASA and the cache engine can directly communicate with the client without going through the ASA. The following configuration tasks assume y...

Page 1058: ...en 0 and 254. For example, to transparently redirect native FTP traffic to a cache engine, use WCCP service 60. You can enter this command multiple times for each service group that you want to enable. The redirect-list access_list argument controls traffic that is redirected to this service group. The group-list access_list argument determines which web cache IP addresses are allowed to participate in...

Page 1059: ... Table 1-2 lists the release history for this feature.
Command | Purpose
show running-config wccp | Shows the current WCCP configuration.
show running-config wccp interface | Shows the current WCCP interfaces status.
Table 1-2 Feature History for WCCP
Feature Name | Releases | Feature Information
WCCP | 7.2(1) | WCCP specifies interactions between the ASA and external web caches. We introduced the following commands...

Page 1060: ...1-6 Cisco ASA Series CLI Configuration Guide, Chapter 1 Configuring Web Cache Services Using WCCP, Feature History for WCCP...

Page 1061: ...PART 2: Configuring Service Policies Using the Modular Policy Framework...

Page 1063: ...ies, page 1-6; Guidelines and Limitations, page 1-6; Default Settings, page 1-8; Task Flows for Configuring Service Policies, page 1-9; Identifying Traffic (Layer 3/4 Class Maps), page 1-12; Defining Actions (Layer 3/4 Policy Map), page 1-15; Applying Actions to an Interface (Service Policy), page 1-17; Monitoring Modular Policy Framework, page 1-18; Configuration Examples for Modular Policy Framework, page 1-18; Feature...

Page 1064: ...g Inspection for Voice and Video Protocols; Chapter 1, Configuring Inspection of Database and Directory Protocols; Chapter 1, Configuring Inspection for Management Application Protocols; Chapter 1, Configuring the ASA for Cisco Cloud Web Security.
ASA CSC | Yes | No | Chapter 1, Configuring the ASA CSC Module
ASA IPS | Yes | No | Chapter 1, Configuring the ASA IPS Module
ASA CX | Yes | No | Chapter 1, Configuring the ASA CX...

Page 1065: ...e. 2. When the packet matches a class map for a feature type, the ASA does not attempt to match it to any subsequent class maps for that feature type. 3. If the packet matches a subsequent class map for a different feature type, however, then the ASA also applies the actions for the subsequent class map, if supported. See the Incompatibility of Certain Feature Actions section on page 1-5 for more informati...

Page 1066: ...ions are applied, because the IPv6 inspection can be combined with any other type of inspection. Order in Which Multiple Feature Actions are Applied: The order in which different types of actions in a policy map are performed is independent of the order in which the actions appear in the policy map. Note: NetFlow Secure Event Logging filtering and User statistics for Identity Firewall are order-indepen...

Page 1067: ...acket based on the destination port of the traffic. For example, when UDP traffic for port 69 reaches the ASA, then the ASA applies the TFTP inspection; when TCP traffic for port 21 arrives, then the ASA applies the FTP inspection. So in this case only, you can configure multiple inspections for the same class map. Normally, the ASA does not use the port number to determine which inspection to apply, thus g...

Page 1068: ... of the outside interface, nor by the egress policy of the inside interface. For traffic that is not treated as a flow (for example, ICMP when you do not enable stateful ICMP inspection), returning traffic can match a different policy map on the returning interface. For example, if you configure IPS on the inside and outside interfaces, but the inside policy uses virtual sensor 1 while the outside policy u...

Page 1069: ...ce service policies take precedence over the global service policy for a given feature. For example, if you have a global policy with FTP inspection and an interface policy with TCP normalization, then both FTP inspection and TCP normalization are applied to the interface. However, if you have a global policy with FTP inspection and an interface policy with FTP inspection, then only the interface policy...

Page 1070: ...y, you need to either edit the default policy or disable it and apply a new one. An interface policy overrides the global policy for a particular feature. The default policy includes the following application inspections: DNS inspection for the maximum message length of 512 bytes, FTP, H323 (H225), H323 (RAS), RSH, RTSP, ESMTP, SQLnet, Skinny (SCCP), SunRPC, XDMCP, SIP, NetBios, TFTP, IP Options. The default policy config...

Page 1071: ...c for port 69 reaches the ASA, then the ASA applies the TFTP inspection; when TCP traffic for port 21 arrives, then the ASA applies the FTP inspection. So in this case only, you can configure multiple inspections for the same class map. Normally, the ASA does not use the port number to determine which inspection to apply, thus giving you the flexibility to apply inspections to non-standard ports, for examp...

Page 1072: ...er than 1000 bytes. You can create a self-contained inspection policy map that identifies the traffic directly with match commands, or you can create an inspection class map for reuse or for more complicated matching. See the Defining Actions in an Inspection Policy Map section on page 1-4 and the Identifying Traffic in an Inspection Class Map section on page 1-5. Step 3: Create a regular expression. If...

Page 1073: ...c Shaping: If you enable QoS traffic shaping for a class map, then you can optionally enable priority queueing for a subset of shaped traffic. To do so, you need to create a policy map for the priority queueing, and then within the traffic shaping policy map, you can call the priority class map. Only the traffic shaping class map is applied to an interface. See Chapter 1, Information About QoS, for more inf...

Page 1074: ...s Layer 3 and 4 traffic to which you want to apply actions. You can create multiple Layer 3/4 class maps for each Layer 3/4 policy map. This section includes the following topics: Creating a Layer 3/4 Class Map for Through Traffic, page 1-12; Creating a Layer 3/4 Class Map for Management Traffic, page 1-15. Creating a Layer 3/4 Class Map for Through Traffic: A Layer 3/4 class map matches traffic based on...

Page 1075: ...ket based on the destination port of the traffic. For example, when UDP traffic for port 69 reaches the ASA, then the ASA applies the TFTP inspection; when TCP traffic for port 21 arrives, then the ASA applies the FTP inspection. So in this case only, you can configure multiple inspections for the same class map (with the exception of WAAS inspection, which can be configured with other inspections). See the...

Page 1076: ...ue8
Example: hostname(config-cmap)# match dscp af43 cs1 ef
Matches DSCP value in an IP header (up to eight DSCP values).
match precedence value1 [value2] [value3] [value4]
Example: hostname(config-cmap)# match precedence 1 4
Matches up to four precedence values represented by the TOS byte in the IP header, where value1 through value4 can be 0 to 7, corresponding to the possible precedences.
match rtp starting_port...

Page 1077: ... type management all_mgmt
Creates a management class map, where class_map_name is a string up to 40 characters in length. The name class-default is reserved. All types of class maps use the same name space, so you cannot reuse a name already used by another type of class map. The CLI enters class-map configuration mode.
Step 2: (Optional) description string
Example: hostname(config-cmap)# description All mana...

Page 1078: ...hostname(config-pmap)# class http_traffic
hostname(config-pmap-c)# set connection timeout idle 0:10:0
Command | Purpose
Step 1: policy-map policy_map_name
Example: hostname(config)# policy-map global_policy
Adds the policy map. The policy_map_name argument is the name of the policy map, up to 40 characters in length. All types of policy maps use the same name space, so you cannot reuse a name already used by an...

Page 1079: ...config-pmap-c)# set connection conn-max 50
hostname(config-pmap)# class tcp_traffic
hostname(config-pmap-c)# set connection timeout idle 2:0:0
hostname(config-pmap-c)# set connection conn-max 2000
When a Telnet connection is initiated, it matches class telnet_traffic. Similarly, if an FTP connection is initiated, it matches class ftp_traffic. For any TCP connection other than Telnet and FTP, it will match class...

Page 1080: ...nd Connection Limits to HTTP Traffic to Specific Servers, page 1-20; Applying Inspection to HTTP Traffic with NAT, page 1-21.
Command | Purpose
service-policy policy_map_name interface interface_name [fail-close]
Example: hostname(config)# service-policy inbound_policy interface outside
Creates a service policy by associating a policy map with an interface. Specify the fail-close option to generate a syslog (7...

Page 1081: ...onfig)# policy-map http_traffic_policy
hostname(config-pmap)# class http_traffic
hostname(config-pmap-c)# inspect http
hostname(config-pmap-c)# police output 250000
hostname(config)# service-policy http_traffic_policy interface outside
Applying Inspection to HTTP Traffic Globally: In this example (see Figure 1-2), any HTTP connection (TCP traffic on port 80) that enters the ASA through any interface is classified...

Page 1082: ...cific Servers. See the following commands for this example:
hostname(config)# object network obj-192.168.1.2
hostname(config-network-object)# host 192.168.1.2
hostname(config-network-object)# nat (inside,outside) static 209.165.201.1
hostname(config)# object network obj-192.168.1.0
hostname(config-network-object)# subnet 192.168.1.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic 209.165...

Page 1083: ... in the class map. If you applied it to the outside interface, you would also use the real address. Figure 1-4 HTTP Inspection with NAT. See the following commands for this example:
hostname(config)# object network obj-192.168.1.1
hostname(config-network-object)# host 192.168.1.1
hostname(config-network-object)# nat (VM1,outside) static 209.165.200.225
hostname(config)# access-list http_client extended permit tc...

Page 1084: ... introduced for use with RADIUS accounting traffic. The following commands were introduced: class-map type management and inspect radius-accounting.
Inspection policy maps | 7.2(1) | The inspection policy map was introduced. The following command was introduced: class-map type inspect.
Regular expressions and policy maps | 7.2(1) | Regular expressions and policy maps were introduced to be used under inspection po...

Page 1085: ...tion Policy Maps, page 1-7. Information About Inspection Policy Maps: See the Configuring Application Layer Protocol Inspection section on page 1-7 for a list of applications that support inspection policy maps. An inspection policy map consists of one or more of the following elements. The exact options available for an inspection policy map depend on the application. Traffic matching command: You can...

Page 1086: ...s multiple different match or class commands, then the order in which the ASA applies the actions is determined by internal ASA rules and not by the order they are added to the inspection policy map. The internal rules are determined by the application type and the logical progression of parsing a packet, and are not user configurable. For example, for HTTP traffic, parsing a Request Method field preced...

Page 1087: ...atch filename command. They are matched according to the order in the policy map: ftp3 and then ftp2.
class-map type inspect ftp match-all ftp1
match request-cmd get
class-map type inspect ftp match-all ftp2
match filename regex abc
class-map type inspect ftp match-all ftp3
match request-cmd get
match filename regex abc
policy-map type inspect ftp ftp
class ftp3
log
class ftp2
log
class ftp1
log
Defa...

Page 1088: ...ap type inspect http http_policy
Creates the inspection policy map. See the Configuring Application Layer Protocol Inspection section on page 1-7 for a list of applications that support inspection policy maps. The policy_map_name argument is the name of the policy map, up to 40 characters in length. All types of policy maps use the same name space, so you cannot reuse a name already used by another typ...

Page 1089: ...config-pmap-c)# inspect http http-map1
hostname(config-pmap-c)# service-policy test interface outside
Identifying Traffic in an Inspection Class Map: This type of class map allows you to match criteria that is specific to an application. For example, for DNS traffic, you can match the domain name in a DNS query. A class map groups multiple traffic matches (in a match-all class map), or lets you match any of a...

Page 1090: ... [match-all | match-any] class_map_name
Example: hostname(config)# class-map type inspect http http_traffic
hostname(config-cmap)#
Creates an inspection class map, where the application is the application you want to inspect. For supported applications, see the CLI help for a list of supported applications, or see Chapter 1, Getting Started with Application Layer Protocol Inspection. The class_map_name argument...

Page 1091: ...Policies
Feature Name | Releases | Feature Information
Inspection policy maps | 7.2(1) | The inspection policy map was introduced. The following command was introduced: class-map type inspect.
Regular expressions and policy maps | 7.2(1) | Regular expressions and policy maps were introduced to be used under inspection policy maps. The following commands were introduced: class-map type regex, regex, match regex. Match a...

Page 1092: ...1-8 Cisco ASA Series CLI Configuration Guide, Chapter 1 Configuring Special Actions for Application Inspections (Inspection Policy Map), Feature History for Inspection Policy Maps...

Page 1093: ...PART 2: Configuring Application Inspection...

Page 1095: ...ncludes the following sections: Information about Application Layer Protocol Inspection, page 1-1; Guidelines and Limitations, page 1-3; Default Settings, page 1-4; Configuring Application Layer Protocol Inspection, page 1-7. Information about Application Layer Protocol Inspection: This section includes the following topics: How Inspection Engines Work, page 1-1; When to Use Application Protocol Inspection, pag...

Page 1096: ...nnection database and forwards the packet because it belongs to an established session. The default configuration of the ASA includes a set of application inspection entries that associate supported protocols with specific TCP or UDP port numbers and that identify any special handling required. When to Use Application Protocol Inspection: When a user establishes a connection, the ASA checks the packet...

Page 1097: ...ted and transparent firewall mode. Failover Guidelines: State information for multimedia sessions that require inspection is not passed over the state link for stateful failover. The exception is GTP, which is replicated over the state link. IPv6 Guidelines: Supports IPv6 for the following inspections: DNS, FTP, HTTP, ICMP, SIP, SMTP, IPsec pass-through, IPv6. Supports NAT64 for the following inspections: DNS, FT...

Page 1098: ...her edit the default policy or disable it and apply a new one. Table 1-1 lists all inspections supported, the default ports used in the default class map, and the inspection engines that are on by default (shown in bold). This table also notes any NAT limitations.
Table 1-1 Supported Application Inspection Engines
Application | Default Port | NAT Limitations | Standards | Comments
CTIQBE | TCP 2748 | No extended P...

Page 1099: ... NAT64 | RFC 2637 |
RADIUS Accounting | 1646 | No NAT64 | RFC 2865 |
RSH | TCP 514 | No PAT, No NAT64 | Berkeley UNIX |
RTSP | TCP 554 | No extended PAT, No outside NAT, No NAT64 | RFC 2326, 2327, 1889 | No handling for HTTP cloaking.
ScanSafe (Cloud Web Security) | TCP 80, TCP 413 | | | These ports are not included in the default inspection traffic class for the ScanSafe inspection.
SIP | TCP 5060, UDP 5060 | No outside NAT, No NAT on same securit...

Page 1100: ...inspect xdmcp.
SNMP | UDP 161, 162 | No NAT or PAT | RFC 1155, 1157, 1212, 1213, 1215; v.2 RFC 1902-1908; v.3 RFC 2570-2580 |
SQL*Net | TCP 1521 | No extended PAT, No NAT64 | | v.1 and v.2
Sun RPC over UDP and TCP | UDP 111 | No extended PAT, No NAT64 | | The default rule includes UDP port 111; if you want to enable Sun RPC inspection for TCP port 111, you need to create a new rule that matches TCP port 111 and performs Sun RPC insp...

Page 1101: ... traffic class, along with match any (which is not typically used for inspection), matches both IPv4 and IPv6 traffic for inspections that support IPv6. See the Guidelines and Limitations section on page 1-3 for a list of IPv6-enabled inspections. You can specify a match access-list command along with the match default-inspection-traffic command to narrow the matched traffic to specific IP addresses. Bec...

Page 1102: ... section on page 1-12. GTP: See the Configuring a GTP Inspection Policy Map for Additional Inspection Control section on page 1-4. H323: See the Configuring an H.323 Inspection Policy Map for Additional Inspection Control section on page 1-6. HTTP: See the Configuring an HTTP Inspection Policy Map for Additional Inspection Control section on page 1-16. Instant Messaging: See the Configuring an Instant Mes...

Page 1103: ...cy map identify a different name. You can combine multiple class maps in the same policy if desired, so you can create one class map to match certain traffic and another to match different traffic. However, if traffic matches a class map that contains an inspection command, and then matches another class map that also has an inspection command, only the first matching class is used. For example, SNMP matc...

Page 1104: ... according to Configuring an H.323 Inspection Policy Map for Additional Inspection Control section on page 1-6, identify the map name in this command. h323 ras [map_name]: If you added an H323 inspection policy map according to Configuring an H.323 Inspection Policy Map for Additional Inspection Control section on page 1-6, identify the map name in this command. http [map_name]: If you added an HTTP inspect...

Page 1105: ...on policy map according to Configuring a RADIUS Inspection Policy Map for Additional Inspection Control section on page 1-9, identify the map name in this command. rsh. rtsp [map_name]: If you added a RTSP inspection policy map according to Configuring an RTSP Inspection Policy Map for Additional Inspection Control section on page 1-16, identify the map name in this command. scansafe [map_name]: If you added...

Page 1106: ...applies the policy to one interface. By default, the default policy map global_policy is applied globally. Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface. sunrpc: The default class map includes UDP port 111; if you want to enable Sun RPC inspection for TCP port 111, you...

Page 1107: ...he ASA by default, but you might need to enable others depending on your network. This chapter includes the following sections: DNS Inspection, page 1-1; FTP Inspection, page 1-10; HTTP Inspection, page 1-15; ICMP Inspection, page 1-20; ICMP Error Inspection, page 1-20; Instant Messaging Inspection, page 1-20; IP Options Inspection, page 1-24; IPsec Pass Through Inspection, page 1-25; IPv6 Inspection, page 1-26; NetBI...

Page 1108: ...asks: Translate the DNS record based on the NAT configuration. For more information, see the DNS and NAT section on page 3-30. Enforce message length, domain-name length, and label length. Verify the integrity of the domain name referred to by the pointer, if compression pointers are encountered in the DNS message. Check to see if a compression pointer loop exists. Inspect packets based on the DNS header, ty...

Page 1109: ... section on page 1-17. Detailed Steps
Command | Purpose
Step 1: Do one of the following: class-map type inspect dns [match-all | match-any] class_map_name
Example: hostname(config)# class-map type inspect dns match-all dns-class-map
Creates a DNS inspection class map, where class_map_name is the name of the class map. The match-all keyword is the default and specifies that traffic must match all criteria to mat...

Page 1110: ...nspection policy map, specify the action(s) for the match. drop [log]: Drops the packet; log also logs the packet. drop-connection [log]: Drops the packet and closes the connection; log also logs the packet. enforce-tsig [drop] [log]: Enforces the TSIG resource record in a message; drop drops a packet without the TSIG resource record; log also logs the packet. mask [log]: Masks out the matching portion of the packet; log...

Page 1111: ...record; log also logs the packet. log: Logs the packet.
Step 5: match {question | resource-record {answer | authority | additional}} (For direct match only) {drop [log] | drop-connection [log] | enforce-tsig [drop] [log] | log}
Example:
hostname(config-pmap)# match resource-record answer
hostname(config-pmap-c)# drop-connection
Matches a DNS question or resource record, where the question keyword specifies the question portion of a DNS...

Page 1112: ...gument is a regular expression. The class regex_class_name is a regular expression class map. See the Prerequisites section on page 1-3. To specify traffic that should not match, use the match not command. If you are matching directly in the inspection policy map, specify the action for the match. drop [log]: Drops the packet; log also logs the packet. drop-connection [log]: Drops the packet and closes the conne...

Page 1113: ...forcement; tsig enforced action {drop [log] | log}
Example:
hostname(config-pmap)# parameters
hostname(config-pmap-p)# dns-guard
hostname(config-pmap-p)# id-mismatch action log
hostname(config-pmap-p)# message-length maximum 1024
hostname(config-pmap-p)# nat-rewrite
hostname(config-pmap-p)# protocol-enforcement
Enters parameters configuration mode so you can set one or more parameters. dns-guard: Enables DNS Guard. The ASA...

Page 1114: ...ludes many default inspections on default ports, applied globally on all interfaces. A common method for customizing the inspection configuration is to customize the default global policy. The steps in this section show how to edit the default global policy, but you can alternatively create a new service policy as desired, for example, an interface-specific policy. Detailed Steps: Command | Purpose. Step 1: c...

Page 1115: ...ns dns_policy_map] [dynamic-filter-snoop]
Example:
hostname(config-class)# no inspect dns
hostname(config-class)# inspect dns dns-map
Configures DNS inspection. Specify the inspection policy map you created in the (Optional) Configuring a DNS Inspection Policy Map and Class Map section on page 1-3. For information about the Botnet Traffic Filter dynamic-filter-snoop keyword, see the Enabling DNS Snooping secti...

Page 1116: ... service-policy command. The following is sample output from the show service-policy command:
hostname# show service-policy
Interface outside:
Service-policy: sample_policy
Class-map: dns_port
Inspect: dns maximum-length 1500, packet 0, drop 0, reset-drop 0
FTP Inspection: This section describes the FTP inspection engine. This section includes the following topics: FTP Inspection Overview, page 1-10; Using the s...

Page 1117: ...sed. Incorrect command: Checks the FTP command to see if it ends with CR-LF characters, as required by the RFC. If it does not, the connection is closed. Size of RETR and STOR commands: These are checked against a fixed constant. If the size is greater, then an error message is logged and the connection is closed. Command spoofing: The PORT command should always be sent from the client. The TCP connection is...

Page 1118: ...steps. A class map groups multiple traffic matches. Traffic must match all of the match commands to match the class map. You can alternatively identify match commands directly in the policy map. The difference between creating a class map and defining the traffic match directly in the inspection policy map is that the class map lets you create more complex match criteria, and you can reuse class maps. T...

Page 1119: ... g. (Optional) To match an FTP username, enter the following command:
hostname(config-cmap)# match [not] username regex {regex_name | class regex_class_name}
Where the regex_name is the regular expression you created in Step 1. The class regex_class_name is the regular expression class map you created in Step 2.
Step 4: Create an FTP inspection policy map; enter the following command:
hostname(config)# policy-map typ...

Page 1120: ...t message_rate]. Not all options are available for each match or class command. See the CLI help or the command reference for the exact options available. The drop keyword drops all packets that match. The send-protocol-error keyword sends a protocol error message. The drop-connection keyword drops the packet and closes the connection. The mask keyword masks out the matching portion of the packet. The res...

Page 1121: ... is retrieved or uploaded. The FTP command is checked to see if it is RETR or STOR, and the retrieve and store commands are logged. The username is obtained by looking up a table providing the IP address. The username, source IP address, destination IP address, NAT address, and the file operation are logged. Audit record 201005 is generated if the secondary dynamic channel preparation failed due to memory...
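An added Python illustration (not the ASA's code) of the strict-mode checks and the RETR/STOR audit logging described above: CR LF termination, the size limit on RETR and STOR arguments, PORT accepted only from the client, and an audit record carrying username, source, NAT and destination addresses. The size constant, learning the username from the USER command instead of an IP-address table, and the sample session are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed cap for the RETR/STOR argument; the guide says only that the size is
# checked against a fixed constant.
MAX_FILE_ARG_LEN = 256


@dataclass
class FtpStrictInspector:
    """Control-channel checks for one FTP session. Each call returns 'ok' or
    'close'; after a 'close' the session stays closed and the reason is kept."""
    client_ip: str
    server_ip: str
    nat_ip: str
    username: str = "unknown"
    audit: list = field(default_factory=list)
    close_reason: Optional[str] = None

    def _close(self, reason):
        self.close_reason = reason
        return "close"

    @staticmethod
    def _decode(raw):
        """Return the line without its terminator, or None if CR LF is missing."""
        if not raw.endswith(b"\r\n"):
            return None
        return raw[:-2].decode("ascii", "replace")

    def client_command(self, raw):
        """Inspect one command line sent by the client."""
        if self.close_reason:
            return "close"
        line = self._decode(raw)
        if line is None:
            return self._close("command not terminated with CR LF")
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "USER" and arg:
            self.username = arg          # assumption: username learned from USER
        elif verb in ("RETR", "STOR"):
            if len(arg) > MAX_FILE_ARG_LEN:
                return self._close(f"{verb} argument of {len(arg)} bytes exceeds limit")
            self.audit.append(
                f"FTP {verb} user={self.username} src={self.client_ip} "
                f"nat={self.nat_ip} dst={self.server_ip} file={arg}")
        return "ok"

    def server_reply(self, raw):
        """Inspect one reply line sent by the server."""
        if self.close_reason:
            return "close"
        line = self._decode(raw)
        if line is None:
            return self._close("reply not terminated with CR LF")
        # Command spoofing: PORT is a client command; a server must never send it.
        if line.upper().startswith("PORT "):
            return self._close("PORT command received from the server")
        return "ok"


def run_session(inspector, exchange):
    """Feed ('client' | 'server', bytes) lines through the inspector; return verdicts."""
    verdicts = []
    for side, raw in exchange:
        handler = inspector.client_command if side == "client" else inspector.server_reply
        verdicts.append(handler(raw))
    return verdicts


# Constructed sample session (not from the guide).
SAMPLE_SESSION = [
    ("server", b"220 ftp ready\r\n"),
    ("client", b"USER alice\r\n"),
    ("server", b"331 Password required\r\n"),
    ("client", b"PASS secret\r\n"),
    ("server", b"230 Logged in\r\n"),
    ("client", b"RETR report.pdf\r\n"),
    ("server", b"150 Opening data connection\r\n"),
]
```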

Page 1122: ...nal) Add one or more regular expressions for use in traffic matching commands according to the Creating a Regular Expression section on page 1-14. See the types of text you can match in the match commands described in Step 3. Step 2 (Optional) Create one or more regular expression class maps to group regular expressions according to the Creating a Regular Expression Class Map section on page 1-17. Step ...

Page 1123: ... argument is the regular expression you created in Step 1. The class regex_class_name is the regular expression class map you created in Step 2. The length gt max_bytes is the maximum message body length in bytes. f. (Optional) To match text found in the HTTP request message header, or to restrict the count or length of the header, enter the following command: hostname(config-cmap)# match [not] request header ...

Page 1124: ...nd: hostname(config-cmap)# match [not] response status-line regex {regex_name | class regex_class_name} Where the regex regex_name argument is the regular expression you created in Step 1. The class regex_class_name is the regular expression class map you created in Step 2. Step 4 Create an HTTP inspection policy map, enter the following command: hostname(config)# policy-map type inspect http policy_map_name hos...

Page 1125: ...es the connection. The reset action closes the connection and sends a TCP reset to the client. The log action sends a system log message when this policy map matches traffic. c. To substitute a string for the server header field, enter the following command: hostname(config-pmap-p)# spoof-server string Where the string argument is the string to substitute for the server header field. Note WebVPN streams ar...

Page 1126: ...ate nodes between the inside host and the ASA reach the outside host without consuming any additional NAT resource. This is undesirable when an outside host uses the traceroute command to trace the hops to the destination on the inside of the ASA. When the ASA does not translate the intermediate hops, all the intermediate hops appear with the mapped destination IP address. The ICMP payload is scanned ...

Page 1127: ...rence between creating a class map and defining the traffic match directly in the inspection policy map is that the class map lets you create more complex match criteria, and you can reuse class maps. To specify traffic that should not match the class map, use the match not command. For example, if the match not command specifies the string example.com, then any traffic that includes example.com does no...

Page 1128: ...nal) To match the destination IP address of the IM message, enter the following command: hostname(config-cmap)# match [not] peer-ip-address ip_address ip_address_mask Where the ip_address and the ip_address_mask is the IP address and netmask of the message destination. i. (Optional) To match the version of the IM message, enter the following command: hostname(config-cmap)# match [not] version regex class class_nam...

Page 1129: ...egex 1.0 hostname(config)# regex gif_files gif hostname(config)# regex exe_files exe hostname(config)# class-map type regex match-any yahoo_src_login_name_regex hostname(config-cmap)# match regex loginname1 hostname(config-cmap)# match regex loginname2 hostname(config)# class-map type regex match-any yahoo_dst_login_name_regex hostname(config-cmap)# match regex loginname3 hostname(config-cmap)# match regex loginn...

Page 1130: ... not coincide with the end of the header according to the header length. No Operation (NOP) or IP Option 1: The Options field in the IP header can contain zero, one, or more options, which makes the total length of the field variable. However, the IP header must be a multiple of 32 bits. If the number of bits of all options is not a multiple of 32 bits, the NOP option is used as internal padding to align the...

Page 1131: ...o mark the end of a list of options. This might not coincide with the end of the header according to the header length. c. To allow or clear packets with the No Operation (NOP) option, enter the following command: hostname(config-pmap-p)# nop action {allow | clear} The Options field in the IP header can contain zero, one, or more options, which makes the total length of the field variable. However, the IP header mu...

Page 1132: ...e for defining the parameters for the inspection. Configure a policy map for Specify IPsec Pass Through inspection to access the parameters configuration, which lets you specify the restrictions for ESP or AH traffic. You can set the per-client max connections and the idle timeout in parameters configuration. NAT and non-NAT traffic is permitted. However, PAT is not supported. Example for Defining an IPs...

Page 1133: ...If you enable IPv6 inspection and do not specify an inspection policy map, then the default IPv6 inspection policy map is used and the following actions are taken: Allows only known IPv6 extension headers. Enforces the order of IPv6 extension headers as defined in the RFC 2460 specification. If you create an inspection policy map, the above actions are taken by default unless you explicitly disable the...

Page 1134: ...ptional) drop action for each extension you want to match: ah: Matches the IPv6 Authentication extension header. count gt number: Specifies the maximum number of IPv6 extension headers, from 0 to 255. destination-option: Matches the IPv6 destination option extension header. esp: Matches the IPv6 Encapsulation Security Payload (ESP) extension header. fragment: Matches the IPv6 fragment extension header. hop-by-ho...

Page 1135: ... map name Example: hostname(config)# policy-map ipv6_policy Adds or edits a policy map that sets the actions to take with the class map traffic. Step 4 class name Example: hostname(config-pmap)# class ipv6_traffic Identifies the class map created in Step 1. Step 5 inspect ipv6 ipv6_policy_map Example: hostname(config-class)# inspect ipv6 ipv6-map Configures IPv6 inspection. Specify the inspection policy map y...

Page 1136: ...is enabled by default. The NetBIOS inspection engine translates IP addresses in the NetBIOS name service (NBNS) packets according to the ASA NAT configuration. Configuring a NetBIOS Inspection Policy Map for Additional Inspection Control To specify actions when a message violates a parameter, create a NETBIOS inspection policy map. You can then apply the inspection policy map when you enable NETBIOS ins...

Page 1137: ...mmand reference for the exact options available. The drop keyword drops all packets that match. The send-protocol-error keyword sends a protocol error message. The drop-connection keyword drops the packet and closes the connection. The mask keyword masks out the matching portion of the packet. The reset keyword drops the packet, closes the connection, and sends a TCP reset to the server and/or client. The...

Page 1138: ...rol channel is disabled if the version announced by either side is not Version 1. In addition, the outgoing call request and reply sequence are tracked. Connections and xlates are dynamically allocated as necessary to permit subsequent secondary GRE data traffic. The PPTP inspection engine must be enabled for PPTP traffic to be translated by PAT. Additionally, PAT is only performed for a modified version of...

Page 1139: ... rules are not observed. SMTP commands must be at least four characters in length, must be terminated with carriage return and line feed, and must wait for a response before issuing the next reply. An SMTP server responds to client requests with numeric reply codes and optional human-readable strings. SMTP application inspection controls and reduces the commands that the user can use as well as the mes...

Page 1140: ...y_map_name hostname(config-pmap)# Where the policy_map_name is the name of the policy map. The CLI enters policy map configuration mode. Step 4 (Optional) To add a description to the policy map, enter the following command: hostname(config-pmap)# description string Step 5 To apply actions to matching traffic, perform the following steps: a. Specify the traffic on which you want to perform actions using one of ...

Page 1141: ...e following example shows how to define an ESMTP inspection policy map: hostname(config)# regex user1 user1@cisco.com hostname(config)# regex user2 user2@cisco.com hostname(config)# regex user3 user3@cisco.com hostname(config)# class-map type regex senders_black_list hostname(config-cmap)# description Regular expressions to filter out undesired senders hostname(config-cmap)# match regex user1 hostname(config-c...

Page 1142: ... read (RRQ) or write (WRQ) request. This secondary channel is subsequently used by TFTP for file transfer or error notification. Only the TFTP server can initiate traffic over the secondary channel, and at most one incomplete secondary channel can exist between the TFTP client and server. An error notification from the server closes the secondary channel. TFTP inspection must be enabled if static PAT is us...

Page 1143: ...ers depending on your network. This chapter includes the following sections: CTIQBE Inspection, page 1-1; H.323 Inspection, page 1-3; MGCP Inspection, page 1-11; RTSP Inspection, page 1-15; SIP Inspection, page 1-18; Skinny (SCCP) Inspection, page 1-25. CTIQBE Inspection This section describes CTIQBE application inspection. This section includes the following topics: CTIQBE Inspection Overview, page 1-1; Limitations ...

Page 1144: ...xplicitly in its Cisco TSP configuration on the PC. When using PAT or Outside PAT, if the Cisco CallManager IP address is to be translated, its TCP port 2748 must be statically mapped to the same port of the PAT (interface) address for Cisco IP SoftPhone registrations to succeed. The CTIQBE listening port (TCP 2748) is fixed and is not user-configurable on Cisco CallManager, Cisco IP SoftPhone, or Cisco TSP...

Page 1145: ...UDP PAT from inside:10.0.0.99/16908 to outside:172.29.1.99/1028 flags ri idle 0:00:00 timeout 0:04:10 UDP PAT from inside:10.0.0.99/16909 to outside:172.29.1.99/1029 flags ri idle 0:00:23 timeout 0:04:10 The show conn state ctiqbe command displays the status of CTIQBE connections. In the output, the media connections allocated by the CTIQBE inspection engine are denoted by a C flag. The following is ...

Page 1146: ... establish a TCP connection to an H.323 server using TCP port 1720 to request Q.931 call setup. As part of the call setup process, the H.323 terminal supplies a port number to the client to use for an H.245 TCP connection. In environments where an H.323 gatekeeper is in use, the initial packet is transmitted using UDP. H.323 inspection monitors the Q.931 TCP connection to determine the H.245 port number. I...

Page 1147: ...dpoints when the Gatekeeper is inside the network. The ASA includes options to open pinholes for calls based on the RegistrationRequest/RegistrationConfirm (RRQ/RCF) messages. Because these RRQ/RCF messages are sent to and from the Gatekeeper, the calling endpoint's IP address is unknown, and the ASA opens a pinhole through source IP address/port 0/0. By default, this option is disabled. To enable call set...

Page 1148: ...he destCallSignalAddress field to point to itself rather than the NetMeeting destination endpoint. To work around this limitation, perform one of the following actions: Configure the ASA so that either H.323 inspection or communication in and out of the same interface (but not both) is set up on the device. To disable communication on the same interface, remove the same-security-traffic permit intra-inter...

Page 1149: ...of the criteria. The CLI enters class map configuration mode, where you can enter one or more match commands. b. (Optional) To add a description to the class map, enter the following command: hostname(config-cmap)# description string Where string is the description of the class map (up to 200 characters). c. (Optional) To match a called party, enter the following command: hostname(config-cmap)# match [not] called-party...

Page 1150: ...engine, perform the following steps: a. To enter parameters configuration mode, enter the following command: hostname(config-pmap)# parameters hostname(config-pmap-p)# b. To enable call setup between H.323 endpoints, enter the following command: hostname(config)# ras-rcf-pinholes enable You can enable call setup between H.323 endpoints when the Gatekeeper is inside the network. The ASA includes options to open ...

Page 1151: ...fig-pmap-p)# state-checking h225 ras The following example shows how to configure phone number filtering: hostname(config)# regex caller 1 5551234567 hostname(config)# regex caller 2 5552345678 hostname(config)# regex caller 3 5553456789 hostname(config)# class-map type inspect h323 match-all h323_traffic hostname(config-pmap-c)# match called-party regex caller1 hostname(config-pmap-c)# match calling-party regex...

Page 1152: ...points, even though the H.225 session still exists. This could happen if, at the time of the show h225 command, the call has already ended but the H.225 session has not yet been deleted. Alternately, it could mean that the two endpoints still have a TCP connection opened between them because they set maintainConnection to TRUE, so the session is kept open until they set it to FALSE again, or until the ses...

Page 1153: ...een the gatekeeper (172.30.254.214) and its client (10.130.56.14). MGCP Inspection This section describes MGCP application inspection. This section includes the following topics: MGCP Inspection Overview, page 1-11; Configuring an MGCP Inspection Policy Map for Additional Inspection Control, page 1-13; Configuring MGCP Timeout Values, page 1-14; Verifying and Monitoring MGCP Inspection, page 1-14. MGCP Inspectio...

Page 1154: ...ommunicate changes in service state to the call agent. MGCP transactions are composed of a command and a mandatory response. There are eight types of commands: CreateConnection, ModifyConnection, DeleteConnection, NotificationRequest, Notify, AuditEndpoint, AuditConnection, RestartInProgress. The first four commands are sent by the call agent to the gateway. The Notify command is sent by the gateway to the ca...

Page 1155: ...mmand to specify a group of call agents that can manage one or more gateways. The call agent group information is used to open connections for the call agents in the group (other than the one a gateway sends a command to) so that any of the call agents can send the response. Call agents with the same group_id belong to the same group. A call agent may belong to more than one group. The group_id option i...

Page 1156: ...ds. Verifying and Monitoring MGCP Inspection The show mgcp commands command lists the number of MGCP commands in the command queue. The show mgcp sessions command lists the number of existing MGCP sessions. The detail option includes additional information about each command or session in the output. The following is sample output from the show mgcp commands command: hostname# show mgcp commands 1 in us...

Page 1157: ...x-real-rdt, x-real-rdt/udp, and x-pn-tng/udp. The ASA parses Setup response messages with a status code of 200. If the response message is travelling inbound, the server is outside relative to the ASA, and dynamic channels need to be opened for connections coming inbound from the server. If the response message is outbound, then the ASA does not need to open dynamic channels. Because RFC 2326 does not requ...

Page 1158: ...Step 1 (Optional) Add one or more regular expressions for use in traffic matching commands according to the Configuring Regular Expressions section on page 1-14. See the types of text you can match in the match commands described in Step 3. Step 2 (Optional) Create one or more regular expression class maps to group regular expressions according to the Creating a Regular Expression Class Map section on p...

Page 1159: ...y_map_name hostname(config-pmap)# Where the policy_map_name is the name of the policy map. The CLI enters policy map configuration mode. Step 5 (Optional) To add a description to the policy map, enter the following command: hostname(config-pmap)# description string Step 6 To apply actions to matching traffic, perform the following steps: a. Specify the traffic on which you want to perform actions using one of ...

Page 1160: ... the URL length in bytes (0 to 6000). The following example shows how to define an RTSP inspection policy map: hostname(config)# regex badurl1 www.url1.com/rtsp.avi hostname(config)# regex badurl2 www.url2.com/rtsp.rm hostname(config)# regex badurl3 www.url3.com/rtsp.asp hostname(config)# class-map type regex match-any badurl-list hostname(config-cmap)# match regex badurl1 hostname(config-cmap)# match regex bad...

Page 1161: ...he outside network. The port is missing in the contact field in the REGISTER message sent by the endpoint to the proxy server. If a SIP device transmits a packet in which the SDP portion has an IP address in the owner/creator field (o=) that is different than the IP address in the connection field (c=), the IP address in the o= field may not be properly translated. This is due to a limitation in the SIP prot...

Page 1162: ...ponse messages within one minute, the signaling connection is torn down. Once the final handshake is made, the call state is moved to active and the signaling connection remains until a BYE message is received. If an inside endpoint initiates a call to an outside endpoint, a media hole is opened to the outside interface to allow RTP/RTCP UDP packets to flow to the inside endpoint media address and medi...

Page 1163: ...nd: hostname(config-cmap)# match [not] called-party regex {class class_name | regex_name} Where the regex regex_name argument is the regular expression you created in Step 1. The class regex_class_name is the regular expression class map you created in Step 2. d. (Optional) To match a calling party as specified in the From header, enter the following command: hostname(config-cmap)# match [not] calling-party regex {cla...

Page 1164: ... the policy_map_name is the name of the policy map. The CLI enters policy map configuration mode. Step 5 (Optional) To add a description to the policy map, enter the following command: hostname(config-pmap)# description string Step 6 To apply actions to matching traffic, perform the following steps: a. Specify the traffic on which you want to perform actions using one of the following methods: Specify the SIP...

Page 1165: ...ds validation action {drop | drop-connection | reset | log} [log] e. To enable check on RTP packets flowing on the pinholes for protocol conformance, enter the following command: hostname(config-pmap-p)# rtp-conformance [enforce-payloadtype] Where the enforce-payloadtype keyword enforces the payload type to be audio or video, based on the signaling exchange. f. To identify the Server and User-Agent header fields, whic...

Page 1166: ...nd: hostname(config)# timeout sip_media hh:mm:ss This command configures the idle timeout after which a SIP media connection is closed. Verifying and Monitoring SIP Inspection The show sip command assists in troubleshooting SIP inspection engine issues and is described with the inspect protocol sip udp 5060 command. The show timeout sip command displays the timeout value of the designated protocol. The...

Page 1167: ...24 SCCP Inspection Overview Note For specific information about setting up the Phone Proxy on the ASA, which is part of the Cisco Unified Communications architecture and supports IP phone deployment, see Chapter 1, Configuring the Cisco Phone Proxy. Skinny (SCCP) is a simplified protocol used in VoIP networks. Cisco IP Phones using SCCP can coexist in an H.323 environment. When used with Cisco CallManager...

Page 1168: ...ace compared to the TFTP server and Cisco CallManager, no access list or static entry is required to allow the Cisco IP Phones to initiate the connection. Restrictions and Limitations The following are some of the known issues and limitations when using SCCP application inspection: PAT does not work with configurations containing the alias command. Outside NAT or PAT is not supported. If the address of...

Page 1169: ... enters policy map configuration mode. Step 4 (Optional) To add a description to the policy map, enter the following command: hostname(config-pmap)# description string Step 5 To apply actions to matching traffic, perform the following steps: a. Specify the traffic on which you want to perform actions using one of the following methods: Specify the SCCP class map that you created in Step 3 by entering the fol...

Page 1170: ...essage ID in hex. d. To check RTP packets flowing on the pinholes for protocol conformance, enter the following command: hostname(config-pmap-p)# rtp-conformance [enforce-payloadtype] Where the enforce-payloadtype keyword enforces the payload type to be audio or video, based on the signaling exchange. e. To set the maximum and minimum SCCP prefix length value allowed, enter the following command: hostname(conf...

Page 1171: ...al Cisco IP Phone at local address 10.0.0.22, and the same Cisco CallManager: hostname# show skinny LOCAL FOREIGN STATE 1 10.0.0.11/52238 172.18.1.33/2000 1 MEDIA 10.0.0.11/22948 172.18.1.22/20798 2 10.0.0.22/52232 172.18.1.33/2000 1 MEDIA 10.0.0.22/20798 172.18.1.11/22948 The output indicates that a call has been established between two internal Cisco IP Phones. The RTP listening ports of the first a...

Page 1172: ...1-30 Cisco ASA Series CLI Configuration Guide, Chapter 1, Configuring Inspection for Voice and Video Protocols, Skinny (SCCP) Inspection ...

Page 1173: ... used to register and locate endpoints in the ILS or SiteServer Directory. PAT cannot be supported because only IP addresses are stored by an LDAP database. For search responses, when the LDAP server is located outside, NAT should be considered to allow internal peers to communicate locally while registered to external LDAP servers. For such search responses, xlates are searched first, and then DNAT entr...

Page 1174: ...tories cannot be recognized by NAT. Note Because H225 call signalling traffic only occurs on the secondary UDP channel, the TCP connection is disconnected after the interval specified by the TCP timeout command. By default, this interval is set at 60 minutes. SQL*Net Inspection SQL*Net inspection is enabled by default. The SQL*Net protocol consists of different packet types that the ASA handles to make ...

Page 1175: ...he following topics: Sun RPC Inspection Overview, page 1-3; Managing Sun RPC Services, page 1-4; Verifying and Monitoring Sun RPC Inspection, page 1-4. Sun RPC Inspection Overview The Sun RPC inspection engine enables or disables application inspection for the Sun RPC protocol. Sun RPC is used by NFS and NIS. Sun RPC services can run on any port. When a client attempts to access a Sun RPC service on a serv...

Page 1176: ...ermine the service type (which in this example is 100003), use the sunrpcinfo command at the UNIX or Linux command line on the Sun RPC server machine. To clear the Sun RPC configuration, enter the following command: hostname(config)# clear configure sunrpc-server This removes the configuration performed using the sunrpc-server command. The sunrpc-server command allows pinholes to be created with a specifie...

Page 1177: ...y in the LOCAL column shows the IP address of the client or server on the inside interface, while the value in the FOREIGN column shows the IP address of the client or server on the outside interface. To view information about the Sun RPC services running on a Sun RPC server, enter the rpcinfo -p command from the Linux or UNIX server command line. The following is sample output from the rpcinfo -p comma...

Page 1178: ...1-6 Cisco ASA Series CLI Configuration Guide, Chapter 1, Configuring Inspection of Database and Directory Protocols, Sun RPC Inspection ...

Page 1179: ...nspection, page 1-3; RADIUS Accounting Inspection, page 1-8; RSH Inspection, page 1-10; SNMP Inspection, page 1-10; XDMCP Inspection, page 1-11. DCERPC Inspection This section describes the DCERPC inspection engine. This section includes the following topics: DCERPC Overview, page 1-1; Configuring a DCERPC Inspection Policy Map for Additional Inspection Control, page 1-2. DCERPC Overview DCERPC is a protocol wide...

Page 1180: ...wing command: hostname(config)# policy-map type inspect dcerpc policy_map_name hostname(config-pmap)# Where the policy_map_name is the name of the policy map. The CLI enters policy map configuration mode. Step 2 (Optional) To add a description to the policy map, enter the following command: hostname(config-pmap)# description string Step 3 To configure parameters that affect the inspection engine, perform the fo...

Page 1181: ...orporate networks or the Internet. The GGSN is the interface between the GPRS wireless data network and other networks. The SGSN performs mobility, data session management, and data compression. The UMTS is the commercial convergence of fixed-line telephony, mobile, Internet, and computer technology. UTRAN is the networking protocol used for implementing wireless networks in this system. GTP allows multi-pr...

Page 1182: ...p)# The CLI enters policy map configuration mode. Step 2 (Optional) To add a description to the policy map, enter the following command: hostname(config-pmap)# description string Step 3 To match an Access Point name, enter the following command: hostname(config-pmap)# match [not] apn regex {regex_name | class regex_class_name} Step 4 To match a message ID, enter the following command: hostname(config-pmap)# match [not] me...

Page 1183: ...in the GTP request. This situation occurs when you use load balancing among a pool of GSNs to provide efficiency and scalability of GPRS. You can enable support for GSN pooling by using the permit response command. This command configures the ASA to allow responses from any of a designated set of GSNs, regardless of the GSN to which a GTP request was sent. You identify the pool of load balancing GSNs a...

Page 1184: ... object group named sgsn32: hostname(config-gtp-map)# permit response to-object-group sgsn32 from-object-group gsnpool32 The following example shows how to support GSN pooling by defining network objects for the GSN pool and the SGSN. An entire Class C network is defined as the GSN pool, but you can identify multiple individual IP addresses, one per network-object command, instead of identifying whole ne...

Page 1185: ...is the maximum number of tunnels allowed, from 1 to 4294967295. The default is 500. New requests will be dropped once the number of tunnels specified by this command is reached. The following example shows how to limit the number of tunnels in the network: hostname(config)# policy-map type inspect gtp gmap hostname(config-pmap)# parameters hostname(config-pmap-p)# tunnel-limit 3000 hostname(config)# policy-map...

Page 1186: ...p context detail 1 in use, 1 most used Version TID MS Addr SGSN Addr Idle APN v1 1234567890123425 10.0.1.1 10.0.0.2 0:00:13 gprs.cisco.com user_name (IMSI): 214365870921435 MS address: 1.1.1.1 primary pdp: Y nsapi: 2 sgsn_addr_signal: 10.0.0.2 sgsn_addr_data: 10.0.0.2 ggsn_addr_signal: 10.1.1.1 ggsn_addr_data: 10.1.1.1 sgsn control teid: 0x000001d1 sgsn data teid: 0x000001d3 ggsn control teid: 0...

Page 1187: ...the message. If the shared secret is not configured, the security appliance does not need to validate the source of the message and will only check that the source IP address is one of the configured addresses allowed to send the RADIUS messages. Note When using RADIUS accounting inspection with GPRS enabled, the ASA checks for the 3GPP Session Stop Indicator in the Accounting Request STOP messages to ...

Page 1188: ...n Overview SNMP application inspection lets you restrict SNMP traffic to a specific version of SNMP. Earlier versions of SNMP are less secure; therefore, denying certain SNMP versions may be required by your security policy. The ASA can deny SNMP versions 1, 2, 2c, or 3. You control the versions permitted by creating an SNMP map. You then apply the SNMP map when you enable SNMP inspection according to the ...

Page 1189: ...en established. For successful negotiation and start of an XWindows session, the ASA must allow the TCP back connection from the Xhosted computer. To permit the back connection, use the established command on the ASA. Once XDMCP negotiates the port to send the display, the established command is consulted to verify whether this back connection should be permitted. During the XWindows session, the manager talks...

Page 1190: ...1-12 Cisco ASA Series CLI Configuration Guide, Chapter 1, Configuring Inspection for Management Application Protocols, XDMCP Inspection ...

Page 1191: ...PART 2 Configuring Unified Communications ...


Page 1193: ...r to apply security policies while maintaining confidentiality of connections. The Cisco ASA 5500 Series appliances are a strategic platform to provide proxy functions for unified communications deployments. The Cisco UC Proxy includes the following solutions: Phone Proxy: Secure remote access for Cisco encrypted endpoints, and VLAN traversal for Cisco softphones. The phone proxy feature enables termina...

Page 1194: ...nating and reoriginating the TLS signaling between the Cisco UMC and Cisco UMA. As part of the proxy security functionality, inspection is enabled for the Cisco UMA Mobile Multiplexing Protocol (MMP), the protocol between Cisco UMC and Cisco UMA. Presence Federation Proxy: Secure connectivity between Cisco Unified Presence servers and Cisco/Microsoft Presence servers. Cisco Unified Presence solution colle...

Page 1195: ... in secured mode even when the Cisco UCM cluster is in non-secure mode. The TLS proxy is implemented on the ASA to intercept the TLS signaling from IP phones. The TLS proxy decrypts the packets, sends packets to the inspection engine for NAT rewrite and protocol conformance, optionally encrypts packets and sends them to Cisco UCM, or sends them in clear text if the IP phone is configured to be in nonse...

Page 1196: ...ing for Cisco Unified Communications Proxy Features The Cisco Unified Communications proxy features supported by the ASA require a Unified Communications Proxy license: Phone proxy; TLS proxy for encrypted voice inspection; Presence federation proxy; Intercompany media engine proxy. Note In Version 8.2(2) and later, the Mobility Advantage proxy no longer requires a Unified Communications Proxy license. The foll...

Page 1197: ...view the limits of your model, enter the tls-proxy maximum-sessions command. When you apply a UC license that is higher than the default TLS proxy limit, the security appliance automatically sets the TLS proxy limit to match the UC limit. The TLS proxy limit takes precedence over the UC license limit; if you set the TLS proxy limit to be less than the UC license, then you cannot use all of the sessions ...

Page 1198: ...sions, depending on your model. You can manually configure the TLS proxy limit using the tls-proxy maximum-sessions command. To view the limits of your model, enter the tls-proxy maximum-sessions command. If you also install the UC license, then the TLS proxy sessions available for UC are also available for IME sessions. For example, if the configured limit is 1000 TLS proxy sessions and you purchase a 75...

Page 1199: ...ng the Phone Proxy, page 1-14; Troubleshooting the Phone Proxy, page 1-28; Configuration Examples for the Phone Proxy, page 1-44; Feature History for the Phone Proxy, page 1-54. Information About the Cisco Phone Proxy The Cisco Phone Proxy on the ASA bridges IP telephony between the corporate IP telephony network and the Internet in a secure manner by forcing data from remote phones on an untrusted networ...

Page 1200: ...converted to RTP. In a mixed-mode cluster where the internal IP phone is configured as encrypted, the TLS connection remains a TLS connection to the Cisco UCM, and the SRTP from the remote phone remains SRTP to the internal IP phone. Since the main purpose of the phone proxy is to make the phone behave securely while making calls to a nonsecure cluster, the phone proxy performs the following major func...

Page 1201: ...ns Manager Security Guide for information on using the Certificate Authority Proxy Function (CAPF) to install a locally significant certificate (LSC). Supported Cisco UCM and IP Phones for the Phone Proxy Cisco Unified Communications Manager The following releases of the Cisco Unified Communications Manager are supported with the phone proxy: Cisco Unified CallManager Version 4.x; Cisco Unified CallManage...

Page 1202: ...from Cisco IP Phones running SCCP protocol version 19 and earlier. Licensing Requirements for the Phone Proxy The Cisco Phone Proxy feature supported by the ASA requires a Unified Communications Proxy license. The following table shows the Unified Communications Proxy license details by platform. Note This feature is not available on No Payload Encryption models. Model | License Requirement: ASA 5505 | Bas...

Page 1203: ...s of your model, enter the tls-proxy maximum-session ? command. When you apply a UC license that is higher than the default TLS proxy limit, the ASA automatically sets the TLS proxy limit to match the UC limit. The TLS proxy limit takes precedence over the UC license limit: if you set the TLS proxy limit to be less than the UC license, then you cannot use all of the sessions in your UC license. Note: For l...

Page 1204: ...ddress for different interfaces. However, you cannot use a global media termination address and media termination addresses configured for each interface at the same time. If you configure a media termination address for multiple interfaces, you must configure an address on each interface that the ASA uses when communicating with IP phones. For example, if you had three interfaces on the ASA, one interna...

Page 1205: ...address, you must configure and enable DNS lookup on the ASA. For information about the dns domain-lookup command and how to use it to configure DNS lookup, see the command reference. After configuring the DNS lookup, make sure that the ASA can ping the Cisco UCM with the configured FQDN. You must configure DNS lookup when you have a CAPF service enabled and the Cisco UCM is not running on the Publisher bu...

Page 1206: ...p_port + 443. Therefore, if global_sccp_port is 7000, then the global secure SCCP port is 7443. Reconfiguring the port might be necessary when the phone proxy deployment has more than one Cisco UCM and they must share the interface IP address or a global IP address. (Use the default ports for the first CUCM:) object network obj-10.0.0.1-01 / host 10.0.0.1 / nat (inside,outside) static interface service tcp 2000 2...

Page 1207: ...ide interfaces (outside interface). In the CTL file, the Cisco UCM must have two entries because of the two different IP addresses. For example, if the static statements for the Cisco UCM are as follows: object network obj-10.0.0.5-01 / host 10.0.0.5 / nat (inside,outside) static 209.165.202.129 / object network obj-10.0.0.5-02 / host 10.0.0.5 / nat (inside,dmz) static 198.168.1.2. There must be two CTL file record ent...
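The two NAT situations described on the preceding pages (two Cisco UCMs that must share one mapped interface address, and one Cisco UCM that phones reach through two different interfaces) worked through as one configuration. This is an added example, not a configuration taken from the guide: the Cisco UCM addresses 10.0.0.1, 10.0.0.2 and 10.0.0.5, the trustpoint name cucm_server and the mapped ports 2001/2444/5062 for the second Cisco UCM are assumed; the only rule taken from the guide is that the secure SCCP port is the SCCP port plus 443, which is why the mapped port pairs must be chosen together.

```cisco
! --- Two Cisco UCMs behind the same outside interface address (assumed 10.0.0.1 and 10.0.0.2) ---
! First Cisco UCM keeps the default ports: SCCP 2000, secure SCCP 2443 (2000 + 443), secure SIP 5061.
object network obj-10.0.0.1-01
 host 10.0.0.1
 nat (inside,outside) static interface service tcp 2000 2000
object network obj-10.0.0.1-02
 host 10.0.0.1
 nat (inside,outside) static interface service tcp 2443 2443
object network obj-10.0.0.1-03
 host 10.0.0.1
 nat (inside,outside) static interface service tcp 5061 5061
! The second Cisco UCM cannot reuse 2000/2443/5061 on the same mapped address, so it is mapped
! to 2001 and 2444 (2001 + 443). The phone proxy derives the secure port from the mapped SCCP
! port, so mapping 2000 to 2001 but leaving 2443 unmapped would break the secure phones.
! (5062 for secure SIP is an assumption; the guide states only the SCCP + 443 rule.)
object network obj-10.0.0.2-01
 host 10.0.0.2
 nat (inside,outside) static interface service tcp 2000 2001
object network obj-10.0.0.2-02
 host 10.0.0.2
 nat (inside,outside) static interface service tcp 2443 2444
object network obj-10.0.0.2-03
 host 10.0.0.2
 nat (inside,outside) static interface service tcp 5061 5062
!
! --- One Cisco UCM (10.0.0.5) reachable from both the outside and the DMZ ---
object network obj-10.0.0.5-01
 host 10.0.0.5
 nat (inside,outside) static 209.165.202.129
object network obj-10.0.0.5-02
 host 10.0.0.5
 nat (inside,dmz) static 198.168.1.2
! The CTL file needs one record per mapped address: a phone checks the server address it
! connects to against the CTL, so a single record only satisfies phones on one interface.
! The record address is the mapped address the phones see, as in the guide's own examples;
! reusing the trustpoint cucm_server for both records is an assumption (same server certificate).
ctl-file myctl
 record-entry cucm trustpoint cucm_server address 209.165.202.129
 record-entry cucm trustpoint cucm_server address 198.168.1.2
 no shutdown
```

After applying the NAT, confirm the translations with show nat detail and the CTL records with show running-config ctl; a phone that registers from the DMZ but fails from the outside (or the reverse) is the usual symptom of a missing second record.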

Page 1208: ...you must include the following command when configuring the phone proxy instance: cipc security-mode authenticated. Because CIPC requires an LSC to perform the TLS handshake, CIPC needs to register with the Cisco UCM in nonsecure mode using cleartext signaling. To allow the CIPC to register, create an ACL that allows the CIPC to connect to the Cisco UCM on the nonsecure SIP/SCCP signaling ports (5060/2...

Page 1209: ...and the Modular Policy Framework. Begin by determining the conformance rate that is required for the phone proxy. To determine the conformance rate, use the following formula: X * Y * 8, where X = requests per second and Y = size of each packet, which includes the L2, L3, and L4 headers plus the payload. Therefore, if a rate of 300 TFTP requests/second is required, then the conformance rate would be calculated as follows: 300 re...
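The rate-limiting policy that the formula above feeds, written out as an added example (not configuration from the guide). The TFTP server address 192.0.2.101, the 80-byte request size used to evaluate X * Y * 8, and the policy names are assumptions; the arithmetic with those values is 300 * 80 * 8 = 192000 bps.

```cisco
! Police TFTP requests arriving from remote phones on the outside interface before they
! reach the phone proxy's TFTP handling. Conformance rate = X * Y * 8 bits per second:
! X = 300 requests/s, Y = 80 bytes per request (assumed; L2 + L3 + L4 headers plus payload)
! gives 300 * 80 * 8 = 192000 bps.
class-map tftp_class
 match port udp eq 69
policy-map tftp_police
 class tftp_class
  police input 192000 conform-action transmit exceed-action drop
! Inbound on the outside interface only: internal phones fetching firmware should not be limited.
service-policy tftp_police interface outside
!
! After a mass phone reboot, compare conformed and exceeded counters; a high exceeded count
! means phones are being rate-limited and may fail registration until they retry.
show service-policy interface outside police
```

Choose Y from a real capture of a phone's TFTP read request rather than a guess: if the measured packet is larger than the value you used, the policer drops legitimate requests under load, which shows up as the TFTP registration failures listed in the troubleshooting section.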

Page 1210: ...isco UCM. Better user experience, because the phone does not have to download firmware over a broadband connection, which can be slow and require the user to wait for a longer time. Option 2: Send the IP phone to the end user. When using option 2, the user must be provided instructions to change the settings on the phone to the appropriate Cisco UCM and TFTP server IP address. Note: As an alternative t...

Page 1211: ...on for information about setting this configuration option. When used with CIPC, the phone proxy does not support end users resetting their device name in CIPC (Preferences > Network tab > Use this Device Name field) or administrators resetting the device name in the Cisco Unified CM Administration console (Device menu > Phone Configuration > Device Name field). To function with the phone proxy, the CIPC configuratio...

Page 1212: ...must be on different network interfaces, you must add routes for the internal IP phones to access the network interface of the media termination address where the Cisco UCM resides. When the phone proxy is configured to use a global media termination address, all IP phones see the same global address, which is a publicly routable address. If you decide to configure a media termination address on interfaces r...

Page 1213: ...tored on the Cisco UCM. See Certificates from the Cisco UCM, page 1-7, and Importing Certificates from the Cisco UCM, page 1-15. Step 2: Create the CTL file for the phone proxy. See Creating the CTL File, page 1-19. Step 3: Create the TLS proxy instance. See Creating the TLS Proxy Instance for a Non-secure Cisco UCM Cluster, page 1-21. Step 4: Create the media termination instance for the phone proxy. See Creati...

Page 1214: ...extension. Step 5: Click Download and save the file as a text file. Step 6: On the ASA, create a trustpoint for the Cisco Manufacturing CA and enroll via terminal by entering the following commands (enroll via terminal because you will paste the certificate you downloaded in Step 4): hostname(config)# crypto ca trustpoint trustpoint_name / hostname(config-ca-trustpoint)# enrollment terminal. Step 7: Authenticate...

Page 1215: ...page 1-7, and Importing Certificates from the Cisco UCM, page 1-15. Step 2: Create the CTL file for the phone proxy. See Creating the CTL File, page 1-19. Note: When the phone proxy is being configured to run in mixed-mode clusters, you have the option to use an existing CTL file to install the trustpoints. See Using an Existing CTL File, page 1-20. Step 3: Create the TLS proxy instance. See Creating...

Page 1216: ...to trust the Cisco UCM. Prerequisites: Import the required certificates, which are stored on the Cisco UCM. See Certificates from the Cisco UCM, page 1-7, and Importing Certificates from the Cisco UCM, page 1-15. Command / Purpose. Step 1: hostname(config)# crypto key generate rsa label key-pair-label modulus size. Example: crypto key generate rsa label cucmtftp_kp modulus 1024. Creates a keypair that can be used...

Page 1217: ...P address on the ASA, for example: dns name-server 10.2.3.4 (the IP address of your DNS server). Note: You can enter the dns domain-lookup command multiple times to enable DNS lookup on multiple interfaces. If you enter multiple commands, the ASA tries each interface in the order it appears in the configuration until it receives a response. See the command reference for information about the dns domain-lookup...

Page 1218: ...a CTL file exists for the cluster, copy the CTL file to flash memory. When you copy the CTL file to flash memory, rename the file; do not name the file CTLFile.tlv. If you are using domain names for your Cisco UCM and TFTP server, you must configure DNS lookup on the ASA. See the prerequisites for Creating the CTL File, page 1-19. Step 3: hostname(config-ctl-file)# record-entry cucm trustpoint trustpoint...

Page 1219: ...Creating the Phone Proxy Instance, page 1-24. Creating the TLS Proxy for a Mixed-mode Cisco UCM Cluster: For mixed-mode clusters, there might be IP phones that are already configured as encrypted, so they require TLS to the Cisco UCM. You must configure the LDC issuer for the TLS proxy. Command / Purpose. Step 1: hostname(config)# ctl-file ctl_name. Example: ctl-file myctl. Creates the CTL file instance. Step 2: ho...

Page 1220: ...ple: hostname(config-ca-trustpoint)# subject-name cn=FW_LDC_SIGNER_172_23_45_200. Includes the indicated subject DN in the certificate during enrollment, where the X.500_name is for the LDC. Use commas to separate attribute-value pairs. Insert quotation marks around any value that contains commas or spaces. For example: cn=crl,ou=certs,o="cisco systems, inc",c=US. The maximum length is 500 characters. Step 7: ho...

Page 1221: ...al CA certificate and installs it as a trusted certificate on the Cisco Unified Communications Manager server by performing one of the following actions: hostname(config)# crypto ca export trustpoint identity-certificate. Example: hostname(config)# crypto ca export ldc_server identity-certificate. Exports the certificate if a trustpoint with proxy-ldc-issuer is used as the signer of the dynamic certificat...

Page 1222: ...s used by the media termination instance. The phone proxy uses this address for SRTP and RTP. For the media termination instance, you can configure a global media termination address for all interfaces or configure a media termination address for different interfaces. However, you cannot use a global media termination address and media termination addresses configured for each interface at the same tim...

Page 1223: ...rface on which the TFTP server resides. Step 4: hostname(config-phone-proxy)# tls-proxy proxy_name. Example: hostname(config-phone-proxy)# tls-proxy mytls. Configures the TLS proxy instance that you have already created. Step 5: hostname(config-phone-proxy)# ctl-file ctl_name. Example: hostname(config-phone-proxy)# ctl-file myctl. Configures the CTL file instance that you have already created. Step 6: hostname(config-ph...

Page 1224: ...data VLAN scenario. See Cisco IP Communicator Prerequisites, page 1-10, for all requirements for using the phone proxy with CIPC. Step 8: hostname(config-phone-proxy)# no disable service-settings. (Optional) Preserves the settings configured on the Cisco UCM for each IP phone configured. By default, the following settings are disabled on the IP phones: PC Port, Gratuitous ARP, Voice VLAN access, Web Access, Span t...

Page 1225: ...ostname(config-cmap)# match port tcp eq 5061. Matches TCP port 5061, to which you want to apply actions for secure SIP inspection. Step 6: hostname(config-cmap)# exit. Exits from class-map configuration mode. Step 7: hostname(config)# policy-map name. Example: policy-map pp_policy. Configures the policy map and attaches the action to the class of traffic. Step 8: hostname(config-pmap)# class classmap-name. Exampl...
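The Modular Policy Framework steps above, assembled into the complete policy a practitioner would paste in. This is an added example rather than text from the guide; the phone proxy instance name mypp and the class and policy names follow the guide's configuration examples, and the verification commands at the end are the ones the troubleshooting section describes.

```cisco
! Secure SCCP (2443) and secure SIP (5061) are the only two ports remote phones use to reach
! the phone proxy; everything else (TFTP, media) is handled by the phone proxy instance itself.
class-map sec_sccp
 match port tcp eq 2443
class-map sec_sip
 match port tcp eq 5061
! The phone-proxy keyword (not tls-proxy) ties the inspection to the phone proxy instance,
! which supplies the CTL file, the TLS proxy and the media termination address.
policy-map pp_policy
 class sec_sccp
  inspect skinny phone-proxy mypp
 class sec_sip
  inspect sip phone-proxy mypp
! Attach it to the interface where the remote phones arrive, as the guide's examples do; the
! default global policy keeps inspecting cleartext SCCP/SIP (2000/5060) for internal phones.
service-policy pp_policy interface outside
!
! Checks: the policy is installed and its classes see packets, the TFTP classification rule
! for the phone proxy exists, and phones that have switched to secure mode are recorded.
show service-policy interface outside
show phone-proxy secure-phones
show phone-proxy media-sessions
```

If a class shows zero packets while phones are retrying, the usual cause is a NAT rule that maps the Cisco UCM's secure port to something other than 2443/5061 on the outside (see the port derivation rule earlier in this chapter), in which case the match port statements must use the mapped ports.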

Page 1226: ...ns, Gaming, or the Port Forwarding tab, whichever is present on your router. Step 3: Locate the table containing the port forwarding data and add an entry containing the following values. Step 4: Click Save Settings. Port forwarding is configured. Troubleshooting the Phone Proxy: This section includes the following topics: Debugging Information from the Security Appliance, page 1-28; Debugging Information from...

Page 1227: ...he debug skinny command if your IP phone is experiencing call failures or audio problems. To show error and event messages of signaling sessions for SIP and Skinny inspections related to the phone proxy: debug phone-proxy signaling [events | errors]. Use this command in conjunction with the debug sip command and the debug skinny command if your IP phone is failing to register with the Cisco UCM or if you...

Page 1228: ...des to see the transaction and where the problem could be. To capture data from the TLS proxy when there is a non-secure IP phone connecting to the phone proxy on the inside interface: capture capture_name packet-length bytes interface inside buffer buf_size. To capture encrypted data from the TLS proxy when there are secure IP phones connecting to the phone proxy on the inside interface: capture capt...

Page 1229: ...or the domain inspect phone-proxy is set for hosts to the configured TFTP server under the phone proxy instance. If the IP phones are failing to register, use this command to make sure there is a classification rule for the domain app-redirect set for the IP phones that cannot register. To show the connections that are to the ASA or from the ASA, in addition to through-traffic connections: show conn al...

Page 1230: ...e packets might be denied or there are translation failures. To show the corresponding media sessions stored by the phone proxy: show phone-proxy media-sessions. Use this command to display output from successful calls. Additionally, use this command to troubleshoot problems with IP phone audio, such as one-way audio. To show the IP phones capable of Secure mode stored in the database: show phone-proxy se...

Page 1231: ...tion in the left pane, click Console Logs. IP Phone Registration Failure: The following errors can make IP phones unable to register with the phone proxy: TFTP Auth Error Displays on IP Phone Console, page 1-33; Configuration File Parsing Error, page 1-34; Configuration File Parsing Error: Unable to Get DNS Response, page 1-34; Non-configuration File Parsing Error, page 1-35; Cisco UCM Does Not Respond to TFTP...

Page 1232: ...PP: Beginning of element tag is missing, got / PP: error parsing config file / PP: Error modifying config file, dropping packet. Solution: Perform the following actions to troubleshoot this problem. Step 1: Enter the following URL in a web browser to obtain the IP phone configuration file from the Cisco Unified CM Administration console: http://cucm_ip:6970/config_file_name. For example, if the Cisco UCM IP addres...

Page 1233: ...figuration file. When the phone proxy TFTP state gets out of sync, the phone proxy cannot detect when it is attempting to parse a file other than the IP phone configuration file, and the error above appears in the ASA output from the debug phone-proxy tftp command. Perform the following actions to troubleshoot this problem. Step 1: Reboot the IP phone. Step 2: On the ASA, enter the following command to ob...

Page 1234: ...rmation from the Security Appliance, page 1-28. IP Phone Does Not Respond After the Security Appliance Sends TFTP Data. Problem: When the ASA receives a TFTP request from the IP phone for the CTL file and forwards the data to the IP phone, the phone might not see the data and the TFTP transaction fails. The following errors appear in the debug output: debug phone-proxy tftp / PP: Client outside:68.207.118.9...

Page 1235: ...IP phone cannot be converted to Secure (encrypted) mode. Solution: If the IP phone did not have an existing CTL file, check the status messages by selecting the Settings button > Status > Status Messages. If the list contains a status message indicating the IP phone encountered a CTL File Auth error, obtain the IP phone console logs, open a TAC case, and send them the logs. Solution: This error can appear in the...

Page 1236: ...Step 2: Determine if the TLS proxy is configured correctly for the phone proxy. a. Display all currently running TLS proxy configurations by entering the following command:
hostname# show running-config tls-proxy
tls-proxy proxy
 server trust-point _internal_PP_ctl_file_instance_name
 client ldc issuer ldc_signer
 client ldc key-pair phone_common
 no client cipher-suite
hostname#
b. Verify that the output c...

Page 1237: ...eds but signaling connections are failing. Solution: Perform the following actions. Check to see if SIP and Skinny signaling is successful by using the following commands: debug sip / debug skinny. If the TLS handshake is failing and you receive the following syslog, the SSL encryption method might not be set correctly: %ASA-6-725001: Starting SSL handshake with client dmz:171.169.0.2/53097 for TLSv1 session...

Page 1238: ...information about checking the IP phone to determine if it has a MIC installed on it. Step 2: Verify that the list of installed certificates contains all required certificates for the phone proxy. See Table 1-2, Certificates Required by the Security Appliance for the Phone Proxy, for information. Step 3: Import any missing certificates onto the ASA. See also Importing Certificates from the Cisco UCM, page 1-...

Page 1239: ...the IP phones. The certificate information is shown under the Security Configuration menu. See Debugging Information from IP Phones, page 1-32, for information about checking the IP phone to determine if it has the MIC installed on it. Step 2: Verify that the list of installed certificates contains all required certificates for the phone proxy. See Table 1-2, Certificates Required by the Security Applian...

Page 1240: ...onfig)# show running-config all phone-proxy
asa2(config)# show running-config all phone-proxy
phone-proxy mypp
 media-termination address 10.10.0.25
 cipc security-mode authenticated
 cluster-mode mixed
 disable service-settings
 timeout secure-phones 0:05:00
hostname(config)#
Make sure that each media termination instance is created correctly and that the address or addresses are set correctly. The ASA must...

Page 1241: ...BhIEggYOMIIGCjCCBgYGCSqGSIb3DQEH
[snip]
mGF hfDDNAICBAA
---End - This line not part of the pkcs12---
hostname(config)#
Note: Save this output somewhere secure. Step 2: Import the SAST keys to a new ASA. a. To import the SAST key, enter the following command: hostname(config)# crypto ca import trustpoint pkcs12 passphrase, where trustpoint is _internal_ctl-file_name_SAST_X and ctl-file_name is the name of the CTL file i...
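The SAST key migration procedure above as one start-to-finish sequence, added here as an example (not commands reproduced from the guide). Assumptions: the CTL file is named myctl, the ASA has the default two SAST keys so X is 0 and 1, the PKCS#12 passphrase is a placeholder, and the single record-entry is copied from the guide's Example 1 only to show where the CTL file is re-created.

```cisco
! --- On the ASA that currently signs the CTL file (CTL file name assumed: myctl) ---
! The CTL file is signed with SAST keys held in internal trustpoints named
! _internal_<ctl-file-name>_SAST_<X>; with the default two keys X is 0 and 1 (assumed).
! Each export prints a PKCS#12 blob containing the private key: capture it over an
! encrypted management session only, and treat the passphrase as a secret.
crypto ca export _internal_myctl_SAST_0 pkcs12 Str0ngPassphrase
crypto ca export _internal_myctl_SAST_1 pkcs12 Str0ngPassphrase
!
! --- On the replacement ASA ---
! Import under exactly the same trustpoint names; paste the blob, then "quit" on its own line.
crypto ca import _internal_myctl_SAST_0 pkcs12 Str0ngPassphrase
crypto ca import _internal_myctl_SAST_1 pkcs12 Str0ngPassphrase
! Create the CTL file with the same name so that it is signed by the imported SAST keys and
! the phones' existing CTL trust carries over to the new appliance.
ctl-file myctl
 record-entry cucm-tftp trustpoint cucm_tftp_server address 10.10.0.26
 no shutdown
!
! Confirm both SAST trustpoints exist and the CTL file is up before pointing phones here.
show crypto ca trustpoints
show running-config ctl
```

Moving a signing key this way means the old appliance can still produce CTL files the phones trust; wipe the SAST trustpoints on the decommissioned ASA (or zeroize it) once the cutover is verified.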

Page 1242: ...s address / hostname(config-ctl-file)# no shutdown. Configuration Examples for the Phone Proxy: This section includes the following topics: Example 1: Nonsecure Cisco UCM cluster, Cisco UCM and TFTP Server on Publisher, page 1-44; Example 2: Mixed-mode Cisco UCM cluster, Cisco UCM and TFTP Server on Publisher, page 1-46; Example 3: Mixed-mode Cisco UCM cluster, Cisco UCM and TFTP Server on Different Servers, page 1-...

Page 1243: ...0.10.0.26
 no shutdown
tls-proxy mytls
 server trust-point _internal_PP_myctl
media-termination my_mediaterm
 address 192.0.2.25 interface inside
 address 10.10.0.25 interface outside
phone-proxy mypp
 media-termination my_mediaterm
 tftp-server address 192.0.2.101 interface inside
 tls-proxy mytls
 ctl-file myctl
class-map sec_sccp
 match port tcp eq 2443
class-map sec_sip
 match port tcp eq 5061
policy-map p...

Page 1244: ...ucm_tftp_server
ctl-file myctl
 record-entry cucm-tftp trustpoint cucm_tftp_server address 10.10.0.26
 no shutdown
crypto key generate rsa label ldc_signer_key modulus 1024
crypto key generate rsa label phone_common modulus 1024
crypto ca trustpoint ldc_server
 enrollment self
 proxy-ldc-issuer
 fqdn my-ldc-ca.example.com
 subject-name cn=FW_LDC_SIGNER_172_23_45_200
 keypair ldc_signer_key
crypto ca enro...

Page 1245: ...ent Servers. Figure 1-4 shows an example of the configuration for a mixed-mode Cisco UCM cluster using the following topology, where the TFTP server resides on a different server from the Cisco UCM. In this sample, the static interface PAT for the TFTP server is configured to appear like the ASA's outside interface IP address. Figure 1-4: Mixed-mode Cisco UCM cluster, Cisco UCM and TFTP Server on Differe...

Page 1246: ...gner_key
crypto ca enroll ldc_server
tls-proxy my_proxy
 server trust-point _internal_PP_myctl
 client ldc issuer ldc_server
 client ldc key-pair phone_common
 client cipher-suite aes128-sha1 aes256-sha1
media-termination my_mediaterm
 address 192.0.2.25 interface inside
 address 10.10.0.25 interface outside
phone-proxy mypp
 media-termination my_mediaterm
 tftp-server address 192.0.2.101 interface inside
...

Page 1247: ..._kp
crypto ca enroll pri_cucm
crypto ca trustpoint sec_cucm
 enrollment self
 serial-number
 keypair cluster_kp
crypto ca enroll sec_cucm
crypto ca trustpoint tftp_server
 enrollment self
 fqdn my-tftp.example.com
 keypair cluster_kp
crypto ca enroll tftp_server
ctl-file myctl
 record-entry tftp trustpoint tftp_server address 10.10.0.24
 record-entry cucm trustpoint pri_cucm_server address 10.10.0.27
 reco...

Page 1248: ...phone-proxy mypp
service-policy pp_policy interface outside
Example 5: LSC Provisioning in Mixed-mode Cisco UCM cluster, Cisco UCM and TFTP Server on Publisher. Figure 1-6 shows an example of the configuration for a mixed-mode Cisco UCM cluster where LSC provisioning is required, using the following topology. Note: Doing LSC provisioning for remote IP phones is not recommended because it requires that t...

Page 1249: ...f
 keypair cluster_kp
crypto ca enroll cucm
crypto ca trustpoint tftp_server
 enrollment self
 serial-number
 keypair cluster_kp
crypto ca enroll tftp_server
crypto ca trustpoint capf
 enrollment terminal
crypto ca authenticate capf
ctl-file myctl
 record-entry cucm trustpoint cucm_server address 10.10.0.26
 record-entry capf trustpoint capf address 10.10.0.26
 no shutdown
crypto key generate rsa label ldc_si...

Page 1250: ...on to force Cisco IP Communicator (CIPC) softphones to operate in authenticated mode when CIPC softphones are deployed in a voice and data VLAN scenario. VLAN traversal is required between CIPC softphones on the data VLAN and hard phones on the voice VLAN. In this sample, the Cisco UCM cluster mode is nonsecure. In this sample, you create an access list to allow the IP phones to contact the TFTP server...

Page 1251: ...int cucm_tftp_server
 enrollment self
 keypair cucmtftp_kp
crypto ca enroll cucm_tftp_server
crypto ca trustpoint capf
 enrollment terminal
crypto ca authenticate capf
ctl-file myctl
 record-entry cucm-tftp trustpoint cucm_tftp_server address 10.130.50.5
 record-entry capf trustpoint capf address 10.130.50.5
 no shutdown
tls-proxy mytls
 server trust-point _internal_PP_myctl
media-termination my_mediater...

Page 1252: ...d: clear configure ctl, clear configure phone-proxy, cluster-ctl-file, cluster-mode nonsecure, ctl-file (global), ctl-file (phone-proxy), debug phone-proxy, disable service-settings, media-termination address, phone-proxy, proxy-server, record-entry, sast, show phone-proxy, show running-config ctl, show running-config phone-proxy, timeout secure-phones, tftp-server address. NAT for the media termination address: 8.1(2). Th...

Page 1253: ...tion. End-to-end encryption often leaves network security appliances blind to media and signaling traffic, which can compromise access control and threat prevention security functions. This lack of visibility can result in a lack of interoperability between the firewall functions and the encrypted voice, leaving businesses unable to satisfy both of their key security requirements. The ASA is able to in...

Page 1254: ...that the Cisco UCM can verify, which is a Local Dynamic Certificate (LDC) for the phone issued by the certificate authority on the security appliance. TLS proxy is supported by Cisco Unified CallManager Release 5.1 and later. You should be familiar with the security features of the Cisco UCM. For background and a detailed description of Cisco UCM security, see the Cisco Unified CallManager document: http://w...

Page 1255: ...Phone 7941G-GE, Cisco Unified IP Phone 7940, Cisco Unified Wireless IP Phone 7921, Cisco Unified Wireless IP Phone 7925, Cisco IP Communicator (CIPC) for softphones. CTL Client Overview: The CTL Client application supplied by Cisco Unified CallManager Release 5.1 and later supports a TLS proxy server (firewall) in the CTL file. Figure 1-1 through Figure 1-4 illustrate the TLS proxy features supported in the...

Page 1256: ...Address or Domain Name. Figure 1-2 shows support for entering the security appliance IP address or domain name in the CTL Client. Figure 1-3: CTL Client TLS Proxy Features, CTL Entry for ASA. Figure 1-3 shows that the CTL entry for the security appliance as the TLS proxy has been added. The CTL entry is added after the CTL Client connects to the CTL Provider service on the security appliance and retriev...

Page 1257: ...A require a Unified Communications Proxy license. The following table shows the Unified Communications Proxy license details by platform. Note: This feature is not available on No Payload Encryption models. Model | License Requirement(1). ASA 5505: Base License and Security Plus License: 2 sessions; optional license: 24 sessions. ASA 5510: Base License and Security Plus License: 2 sessions; optional licenses: 24, 50...

Page 1258: ...essions are used. You independently set the TLS proxy limit using the tls-proxy maximum-session command. To view the limits of your model, enter the tls-proxy maximum-session ? command. When you apply a UC license that is higher than the default TLS proxy limit, the security appliance automatically sets the TLS proxy limit to match the UC limit. The TLS proxy limit takes precedence over the UC license l...

Page 1259: ...isco IP Phone. Import the following certificates, which are stored on the Cisco UCM. These certificates are required by the ASA for the phone proxy: Cisco_Manufacturing_CA; CAP-RTP-001; CAP-RTP-002; CAPF certificate (optional). If LSC provisioning is required or you have LSC-enabled IP phones, you must import the CAPF certificate from the Cisco UCM. If the Cisco UCM has more than one CAPF certificate, you must...

Page 1260: ...oints and Generating Certificates, page 1-9. Step 3: Create the internal CA to sign the LDC for Cisco IP Phones. See Creating an Internal CA, page 1-10. Step 4: Create the CTL provider instance. See Creating a CTL Provider Instance, page 1-11. Step 5: Create the TLS proxy instance. See Creating the TLS Proxy Instance, page 1-12. Step 6: Enable the TLS proxy with SIP and Skinny inspection. See Enabling the TLS P...

Page 1261: ...sco UCM section on page 1-15. Command / Purpose. Step 1: hostname(config)# crypto key generate rsa label key-pair-label modulus size. Examples: hostname(config)# crypto key generate rsa label ccm_proxy_key modulus 1024 / hostname(config)# crypto key generate rsa label ldc_signer_key modulus 1024 / hostname(config)# crypto key generate rsa label phone_common modulus 1024. Creates the RSA keypair that can be used for t...

Page 1262: ...roxy certificate trustpoint. The subject name must be composed of the ordered concatenation of the CN, OU, and O fields. The CN field is mandatory; the others are optional. Note: Each of the concatenated fields, when present, is separated by a semicolon, yielding one of the following forms: CN=xxx;OU=yyy;O=zzz, CN=xxx;OU=yyy, CN=xxx;O=zzz, CN=xxx. Step 6: hostname(config-ca-trustpoint)# keypair keyname. Example: hos...

Page 1263: ...proxy-ldc-issuer command defines the local CA role for the trustpoint to issue dynamic certificates for TLS proxy. This command can only be configured under a trustpoint with enrollment self. Step 4: hostname(config-ca-trustpoint)# fqdn fqdn. Example: hostname(config-ca-trustpoint)# fqdn my-ldc-ca.example.com. Includes the indicated FQDN in the Subject Alternative Name extension of the certificate during en...

Page 1264: ...allowed to connect, and ipv4_addr specifies the IP address of the client. More than one command may be issued to define multiple clients. Step 3: hostname(config-ctl-provider)# client username user_name password password encrypted. Example: hostname(config-ctl-provider)# client username CCMAdministrator password XXXXXX encrypted. Specifies the username and password for client authentication. The username and...

Page 1265: ...the ASA to act as the server during a TLS handshake, or facing the original TLS client. Step 3: hostname(config-tlsp)# client ldc issuer ca_tp_name. Example: hostname(config-tlsp)# client ldc issuer ldc_server. Sets the local dynamic certificate issuer. The local CA to issue client dynamic certificates is defined by the crypto ca trustpoint command, and the trustpoint must have proxy-ldc-issuer configured or...

Page 1266: ...p)# exit. Exits from policy-map configuration mode. Step 7: hostname(config)# policy-map name. Example: hostname(config)# policy-map global_policy. Configures the policy map and attaches the action to the class of traffic. Step 8: hostname(config-pmap)# class inspection_default. Specifies the default class map. The configuration includes a default Layer 3/4 class map that the ASA uses in the default global policy. It...
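The complete TLS proxy for encrypted voice inspection, covering every step of the procedure above (keypairs, proxy trustpoint, internal LDC CA, CTL provider, TLS proxy instance, and the SIP/Skinny inspection policy) as one configuration. This is an added example, not a configuration printed in the guide: the Cisco UCM address 172.23.45.1, the subject names, the CTL Client account and the trustpoint, class and policy names are assumptions chosen to match the guide's own identifiers where it shows them.

```cisco
! Step 2 - three keypairs: the proxy's own server-side certificate, the LDC signer, and the
! shared key the phones' dynamic certificates are issued on.
crypto key generate rsa label ccm_proxy_key modulus 1024
crypto key generate rsa label ldc_signer_key modulus 1024
crypto key generate rsa label phone_common modulus 1024
!
! Self-signed trustpoint the ASA presents to phones in place of the Cisco UCM. The CTL Client
! fetches this certificate through the CTL provider below and adds it to the CTL file, which is
! what makes the phones accept the proxy instead of flagging a man-in-the-middle.
crypto ca trustpoint ccm_proxy
 enrollment self
 fqdn none
 subject-name cn=EJW-SV-1-Proxy
 keypair ccm_proxy_key
crypto ca enroll ccm_proxy
!
! Step 3 - internal CA that issues one Local Dynamic Certificate per phone toward the Cisco UCM;
! proxy-ldc-issuer is only accepted under a trustpoint with enrollment self.
crypto ca trustpoint ldc_server
 enrollment self
 proxy-ldc-issuer
 fqdn my-ldc-ca.example.com
 subject-name cn=FW_LDC_SIGNER_172_23_45_200
 keypair ldc_signer_key
crypto ca enroll ldc_server
!
! Step 4 - CTL provider: restrict it to the Cisco UCM publisher's address and require the
! CTL Client to authenticate; this service hands out the proxy certificate to be trusted.
ctl-provider my_ctl
 client interface inside address 172.23.45.1
 client username CCMAdministrator password XXXXXX encrypted
 export certificate ccm_proxy
!
! Step 5 - TLS proxy: server side (facing phones) uses the proxy certificate; client side
! (facing the Cisco UCM) presents LDCs signed by ldc_server and limits the cipher suites.
tls-proxy my_proxy
 server trust-point ccm_proxy
 client ldc issuer ldc_server
 client ldc key-pair phone_common
 client cipher-suite aes128-sha1 aes256-sha1
!
! Step 6 - hand secure SIP (5061) and secure SCCP (2443) to the proxy-aware inspections.
class-map sec_sip
 match port tcp eq 5061
class-map sec_sccp
 match port tcp eq 2443
policy-map global_policy
 class sec_sip
  inspect sip tls-proxy my_proxy
 class sec_sccp
  inspect skinny tls-proxy my_proxy
service-policy global_policy global
!
! The Cisco UCM will reject the LDCs until the ldc_server certificate is installed there as a
! trusted CallManager certificate; export it with: crypto ca export ldc_server identity-certificate
! Verification: show tls-proxy my_proxy, then show tls-proxy session detail for per-phone LDCs.
```

The 1024-bit modulus mirrors the guide's examples; where the phone firmware and Cisco UCM release in use accept it, generate 2048-bit keys instead, since the LDC signer key is effectively a CA key for every phone behind the proxy and the proxy certificate is what every remote phone trusts.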

Page 1267: ...7 %ASA-7-725011: Cipher[3] : AES256-SHA
Apr 17 2007 23:13:47 %ASA-7-725011: Cipher[4] : DES-CBC3-SHA
Apr 17 2007 23:13:47 %ASA-7-725008: SSL client outside:133.9.0.218/49159 proposes the following 2 cipher(s)
Apr 17 2007 23:13:47 %ASA-7-725011: Cipher[1] : AES256-SHA
Apr 17 2007 23:13:47 %ASA-7-725011: Cipher[2] : AES128-SHA
Apr 17 2007 23:13:47 %ASA-7-725012: Device chooses cipher AES128-SHA for the SSL session with clie...

Page 1268: ...r of sessions: 1200
TLS-Proxy 'sip_proxy': ref_cnt 1, seq 3
 Server proxy:
  Trust-point: local_ccm
 Client proxy:
  Local dynamic certificate issuer: LOCAL-CA-SERVER
  Local dynamic certificate key-pair: phone_common
  Cipher suite: aes128-sha1 aes256-sha1
 Run-time proxies:
  Proxy 0xcbae1538: Class-map: sip_ssl, Inspect: sip
   Active sess 1, most sess 3, byte 3456043
TLS-Proxy 'proxy': ref_cnt 1, seq 1
 Server proxy:
  Trust-point: loc...

Page 1269: ...her AES128-SHA Ch 0xca55e398 TxQSize 0 LastTxLeft 0 Flags 0x1
 Server: State SSLOK Cipher AES128-SHA Ch 0xca55e378 TxQSize 0 LastTxLeft 0 Flags 0x9
 Local Dynamic Certificate
  Status: Available
  Certificate Serial Number: 2b
  Certificate Usage: General Purpose
  Public Key Type: RSA (1024 bits)
  Issuer Name: cn=F1-ASA.default.domain.invalid
  Subject Name: cn=SEP0017593F50A8
  Validity Date: start date: 23:13:47 PDT Apr...

Page 1270: ...Cisco ASA Series CLI Configuration Guide, Chapter 1: Configuring the TLS Proxy for Encrypted Voice Inspection. Feature History for the TLS Proxy for Encrypted Voice Inspection...

Page 1271: ...1; Feature History for Cisco Mobility Advantage, page 1-14. Information about the Cisco Mobility Advantage Proxy Feature: This section contains the following topics: Cisco Mobility Advantage Proxy Functionality, page 1-1; Mobility Advantage Proxy Deployment Scenarios, page 1-2; Trust Relationships for Cisco UMA Deployments, page 1-5. Cisco Mobility Advantage Proxy Functionality: To support Cisco UMA for the C...

Page 1272: ...4096, the TCP session is terminated. Note: 4096 is the value currently used in MMP implementations. Because MMP headers and entities can be split across packets, the ASA buffers data to ensure consistent inspection. The SAPI (stream API) handles data buffering for pending inspection opportunities. MMP header text is treated as case-insensitive, and a space is present between header text and values. Reclaimi...

Page 1273: ...e source IP address 192.0.2.183: hostname(config)# object network obj-0.0.0.0-01 / hostname(config-network-object)# subnet 0.0.0.0 0.0.0.0 / hostname(config-network-object)# nat (outside,inside) dynamic 192.0.2.183. See Chapter 1, Configuring Network Object NAT, and Chapter 1, Configuring Twice NAT, for information. Note: This interface PAT rule converges the Cisco UMA client IP addresses on the outside interface of...

Page 1274: ...ge all client traffic into one source IP so that the firewall does not have to open up a wildcard pinhole for inbound traffic: hostname(config)# access-list cumc extended permit tcp any host 172.16.27.41 eq 5443, versus hostname(config)# access-list cumc extended permit tcp host 192.0.2.183 host 172.16.27.41 eq 5443. [Figure: ASA with TLS Proxy, IP address 172.16.27.41; DMZ (routable); DMZ (MP, Conference, Voice m...]

Page 1275: ...MA server. When a Cisco UMA client connects to the Cisco UMA server, the ASA intercepts the handshake and uses the Cisco UMA server certificate to perform the handshake with the client. The ASA also performs a handshake with the server. Figure 1-3: How the Security Appliance Represents Cisco UMA, Private Key Sharing. Figure 1-4 shows another way to establish the trust relationship. Figure 1-4 shows a gree...

Page 1276: ...rypted voice inspection and the Cisco Presence Federation Proxy supported by the ASA require a Unified Communications Proxy license. However, in Version 8.2(2) and later, the Mobility Advantage proxy no longer requires a Unified Communications Proxy license. The following table shows the licensing requirements for the Mobility Advantage proxy. For more information about licensing, see Chapter 1, Managing...

Page 1277: ...l_ip / hostname(config-network-object)# nat (real_ifc,mapped_ifc) static mapped_ip. Step 2: Import the Cisco UMA server certificate onto the ASA by entering the following commands: hostname(config)# crypto ca import trustpoint pkcs12 passphrase / (paste the base64-encoded PKCS#12) / hostname(config)# quit. Step 3: Install the Cisco UMA server certificate on the ASA. See Installing the Cisco UMA Server Certificate, page 1-7...

Page 1278: ...also known as manual enrollment. Step 3: hostname(config-ca-trustpoint)# exit. Exits from CA trustpoint configuration mode. Step 4: hostname(config)# crypto ca authenticate trustpoint. Example: hostname(config)# crypto ca authenticate cuma_server / Enter the base 64 encoded CA certificate. End with a blank line or the word "quit" on a line by itself / [certificate data omitted] / Certificate has the following attrib...

Page 1279: ...are incapable of sending a client certificate. Step 5: hostname(config-tlsp)# client cipher-suite cipher_suite. Example: hostname(config-tlsp)# client cipher-suite aes128-sha1 aes256-sha1. Specifies the cipher suite configuration. For the client proxy (the proxy acts as a TLS client to the server), the user-defined cipher suite replaces the default cipher suite. Command / Purpose. Step 1: hostname(config)# cla...

Page 1280: ...MP received 60 bytes from outside 1 1 1 1 2000 to inside 2 2 2 2 5443 MMP version OLWP 2 0 MMP forward 60 60 bytes from outside 1 1 1 1 2000 to inside 2 2 2 2 5443 MMP received 100 bytes from inside 2 2 2 2 5443 to outside 1 1 1 1 2000 MMP session id ABCD_1234 MMP status 201 MMP forward 100 100 bytes from inside 2 2 2 2 5443 to outside 1 1 1 1 2000 MMP received 80 bytes from outside 1 1 1 1 2000 t...

Page 1281: ...the ASA to authenticate the Cisco UMA server during handshake between the ASA proxy and Cisco UMA server You create a TLS proxy instance for the Cisco UMA clients connecting to the Cisco UMA server Lastly you must enable TLS proxy for MMP inspection Example 1 Cisco UMC Cisco UMA Architecture Security Appliance as Firewall with TLS Proxy and MMP Inspection As shown in Figure 1 5 scenario 1 the reco...

Page 1282: ..._policy class cuma_proxy inspect mmp tls proxy cuma_proxy service policy global_policy global Example 2 Cisco UMC Cisco UMA Architecture Security Appliance as TLS Proxy Only As shown in Figure 1 6 scenario 2 the ASA functions as the TLS proxy only and works with an existing firewall The ASA and the corporate firewall are performing NAT The corporate firewall will not be able to predict which clien...

Page 1283: ...A server s self signed certificate crypto ca trustpoint cuma_server enrollment terminal crypto ca authenticate cuma_server Enter the base 64 encoded CA certificate End with a blank line or the word quit on a line by itself MIIDRTCCAu gAwIBAgIQKVcqP KW74VP0NZzL JbRTANBgkqhkiG9w0BAQUFADCB certificate data omitted 7QEM8izy0EOTSErKu7Nd76jwf5e4qttkQ quit tls proxy cuma_proxy 271642 ASA with TLS Proxy I...

Page 1284: ...a_proxy inspect mmp tls proxy cuma_proxy service policy global_policy global Feature History for Cisco Mobility Advantage Table 1 1 lists the release history for this feature Table 1 1 Feature History for Cisco Phone Proxy Feature Name Releases Feature Information Cisco Mobility Advantage Proxy 8 0 4 The Cisco Mobility Advantage Proxy feature was introduced Cisco Mobility Advantage Proxy 8 3 1 The...

Page 1285: ...4 Security Certificate Exchange Between Cisco UP and the Security Appliance page 1 5 XMPP Federation Deployments page 1 5 Configuration Requirements for XMPP Federation page 1 6 Architecture for Cisco Unified Presence for SIP Federation Deployments Figure 1 1 depicts a Cisco Unified Presence LCS Federation scenario with the ASA as the presence federation proxy implemented as a TLS proxy The two en...

Page 1286: ...ctions hostname config object network obj 10 0 0 2 01 hostname config network object host 10 0 0 2 hostname config network object nat inside outside static 192 0 2 1 service tcp 5061 5061 The following static PAT must be configured for each Cisco UP that could initiate a connection by sending SIP SUBSCRIBE to the foreign server For Cisco UP with the address 10 0 0 2 enter the following command hos...

Page 1287: ...ork object nat inside outside static 192 0 2 1 service tcp 5060 45060 Dynamic NAT or PAT can be used for the rest of the outbound connections or the TLS handshake The ASA SIP inspection engine takes care of the necessary translation fixup hostname config object network obj 0 0 0 0 01 hostname config network object subnet 0 0 0 0 0 0 0 0 hostname config network object nat inside outside dynamic 192...

Page 1288: ...oll with the CAs The ASA as the TLS proxy must be trusted by both entities The ASA is always associated with one of the enterprises Within that enterprise Enterprise X in Figure 1 1 the entity and the ASA could authenticate each other via a local CA or by using self signed certificates To establish a trusted relationship between the ASA and the remote entity Entity Y the ASA can enroll with the CA...

Page 1289: ...from the Cisco UP into the terminal XMPP Federation Deployments Figure 1 4 provides an example of an XMPP federated network between Cisco Unified Presence enterprise deployment and an IBM Sametime enterprise deployment TLS is optional for XMPP federation ASA acts only as a firewall for XMPP federation it does not provide TLS proxy functionality or PAT for XMPP federation Figure 1 4 Basic XMPP Fede...

Page 1290: ...5269 Allow traffic from any address to any single node on port 5269 access list ALLOW ALL extended permit tcp any host private cup IP address eq 5269 If you do not configure the access list above and you publish additional XMPP federation nodes in DNS you must configure access to each of these nodes for example object network obj_host_ private cup ip address host private cup ip address object netw...

Page 1291: ...ate cup3 ip obj_host_ public cup IP service obj_tcp_source_eq_5269 obj_tcp_source_eq_5269 Licensing for Cisco Unified Presence The Cisco Unified Presence feature supported by the ASA requires a Unified Communications Proxy license The following table shows the Unified Communications Proxy license details by platform Note This feature is not available on No Payload Encryption models Model License Re...

Page 1292: ...el enter the tls proxy maximum sessions command When you apply a UC license that is higher than the default TLS proxy limit the security appliance automatically sets the TLS proxy limit to match the UC limit The TLS proxy limit takes precedence over the UC license limit if you set the TLS proxy limit to be less than the UC license then you cannot use all of the sessions in your UC license Note For...

Page 1293: ...onfig object network name hostname config network object host real_ip hostname config network object nat real_ifc mapped_ifc static mapped_ip service tcp udp real_port mapped_port Note For each Cisco UP that could initiate a connection by sending SIP SUBSCRIBE to the foreign server you must also configure static PAT by using a different set of PAT ports For outbound connections or the TLS handshak...

Page 1294: ...rustpoints The keypair is used by the self signed certificate presented to the local domain containing the Cisco UP proxy for the remote entity Step 2 hostname config crypto ca trustpoint trustpoint_name Example hostname config crypto ca trustpoint ent_y_proxy Enters the trustpoint configuration mode for the specified trustpoint so that you can create the trustpoint for the remote entity A trustpo...

Page 1295: ...al entity uses a CA issued certificate the CA certificate needs to be installed This configuration shows the commands for using a self signed certificate Step 4 hostname config ca trustpoint exit Exits from the CA Trustpoint configuration mode Step 5 hostname config crypto ca authenticate trustpoint Example hostname config crypto ca authenticate ent_x_cert Enter the base 64 encoded CA certificate ...

Page 1296: ...icate ent_y_ca Enter the base 64 encoded CA certificate End with a blank line or the word quit on a line by itself MIIDRTCCAu gAwIBAgIQKVcqP KW74VP0NZzL JbRTANBgkqhkiG 9w0BAQUFADCB certificate data omitted 7QEM8izy0EOTSErKu7Nd76jwf5e4qttkQ Installs and authenticates the CA certificates associated with a trustpoint created for the local entity The ASA prompts you to paste the base 64 formatted CA c...

Page 1297: ... point command is the local entity proxy name Step 7 hostname config tlsp client trust point proxy_trustpoint Example hostname config tlsp client trust point ent_y_proxy Specifies the trustpoint and associated certificate that the ASA uses in the TLS handshake when the ASA assumes the role of the TLS client Where the proxy_trustpoint for the client trust point command is the remote entity proxy St...

Page 1298: ..._name Example hostname config policy map type inspect sip sip_inspect Defines special actions for SIP inspection application traffic Step 6 hostname config pmap parameters SIP inspection parameters Specifies the parameters for SIP inspection Parameters affect the behavior of the inspection engine The commands available in parameters configuration mode depend on the application Step 7 hostname conf...

Page 1299: ...AT or PAT can be used for outbound connections or TLS handshake The ASA SIP inspection engine takes care of the necessary translation fixup When you create the necessary RSA key pairs a key pair is used by the self signed certificate presented to Entity X proxy for Entity Y When you create a proxy certificate for Entity Y the certificate is installed on the Entity X truststore It could also be enr...

Page 1300: ...1 subnet 0 0 0 0 0 0 0 0 nat inside outside dynamic 192 0 2 1 crypto key generate rsa label ent_y_proxy_key modulus 1024 for self signed Entity Y proxy certificate crypto ca trustpoint ent_y_proxy enrollment self fqdn none subject name cn Ent Y Proxy keypair ent_y_proxy_key crypto ca enroll ent_y_proxy crypto ca export ent_y_proxy identity certificate for Entity X s self signed certificate crypto ...

Page 1301: ... 2 1 eq 5061 class map ent_x_to_y match access list ent_x_to_y class map ent_y_to_x match access list ent_y_to_x policy map type inspect sip sip_inspect parameters SIP inspection parameters policy map global_policy class ent_x_to_y inspect sip sip_inspect tls proxy ent_x_to_y class ent_y_to_x inspect sip sip_inspect tls proxy ent_y_to_x service policy global_policy global Example Access List Confi...

Page 1302: ...co Unified Presence Release 7 x IP address 3 3 3 3 XMPP federation listening port 5269 External interface of the foreign XMPP enterprise 100 100 100 100 access list ALLOW ALL extended permit tcp host 100 100 100 100 host 1 1 1 1 eq 5269 access list ALLOW ALL extended permit tcp host 100 100 100 100 host 2 2 2 2 eq 5269 access list ALLOW ALL extended permit tcp host 100 100 100 100 host 3 3 3 3 eq ...

Page 1303: ...MPP federation but a single public IP address in DNS with arbitrary ports published in DNS PAT The following values are used in this sample configuration Public Cisco Unified Presence IP Address 10 10 10 10 Private XMPP federation Cisco Unified Presence Release 8 0 IP address 1 1 1 1 port 5269 Private second Cisco Unified Presence Release 8 0 IP address 2 2 2 2 arbitrary port 25269 Private third C...

Page 1304: ... for this feature Table 1 1 Feature History for Cisco Unified Presence Feature Name Releases Feature Information Cisco Presence Federation Proxy 8 0 4 The Cisco Unified Presence proxy feature was introduced Cisco Presence Federation Proxy 8 3 1 The Unified Communications Wizard was added to ASDM By using the wizard you can configure the Cisco Presence Federation Proxy Support for XMPP Federation w...

Page 1305: ...tion includes the following topics Features of Cisco Intercompany Media Engine Proxy page 1 1 How the UC IME Works with the PSTN and the Internet page 1 2 Tickets and Passwords page 1 3 Call Fallback to the PSTN page 1 5 Architecture and Deployment Scenarios for Cisco Intercompany Media Engine page 1 5 Features of Cisco Intercompany Media Engine Proxy Cisco Intercompany Media Engine enables compan...

Page 1306: ...d extranets Provides worldwide reach Cisco Intercompany Media Engine can connect to any enterprise anywhere in the world as long as the enterprise is running Cisco Intercompany Media Engine technology There are no regional limitations This is because Cisco Intercompany Media Engine utilizes two networks that both have worldwide reach the Internet and the PSTN Allows for unlimited scale Cisco Inter...

Page 1307: ...and begin launching SIP calls into an enterprise running Cisco Intercompany Media Engine Having the Cisco Intercompany Media Engine Proxy verify tickets allows incoming calls from a particular enterprise to a particular number only when that particular enterprise has previously called that phone number on the PSTN To send a spam VoIP call to every phone within an enterprise an organization would h...

Page 1308: ...ket to allow a call to be made between Cisco Intercompany Media Engine SIP trunks A ticket is a signed object that contains a number of fields that grant permission to the calling domain to make a Cisco Intercompany Media Engine call to a specific number The ticket is signed by the ticket password The Cisco Intercompany Media Engine also requires that you configure an epoch for the password The ep...

Page 1309: ...ion is initiated to the Cisco UCM SRTP media sent from external IP phones to the internal network IP phone via the adaptive security appliance is converted to RTP The adaptive security appliance inserts itself into the media path by modifying the SIP signaling messages that are sent over the SIP trunk between Cisco UCMs TLS signaling and SRTP are always terminated on the adaptive security applianc...

Page 1310: ...Cisco Intercompany Media Engine Proxy sits in line with the Internet firewall such that all Internet traffic traverses the adaptive security appliance In this deployment a single Cisco UCM or a Cisco UCM cluster is centrally deployed within the enterprise along with a Cisco Intercompany Media Engine server and perhaps a backup As shown in Figure 1 3 the adaptive security appliance sits on the edge...

Page 1311: ... the global IP address on the adaptive security appliance For outbound calls the called party could be any IP address on the Internet therefore the adaptive security appliance is configured with a mapping service that dynamically provides an internal IP address on the adaptive security appliance for each global IP address of the called party on the Internet Cisco UCM sends all outbound calls direc...

Page 1312: ...ted by the ASA require a Unified Communications Proxy license The following table shows the details of the Unified Communications Proxy license Note This feature is not available on No Payload Encryption models [Figure: PSTN, Inside Enterprise, DMZ, Internet Firewall, PSTN Gateway, UC IME Server, Intranet Firewall, ASA enabled with UC IME proxy, Outside Enterprise, Perimeter Security] Only UC IME calls pass ...

Page 1313: ...plus an additional number of sessions depending on your model You can manually configure the TLS proxy limit using the tls proxy maximum sessions command To view the limits of your model enter the tls proxy maximum sessions command If you also install the UC license then the TLS proxy sessions available for UC are also available for IME sessions For example if the configured limit is 1000 TLS prox...

Page 1314: ...e failure is due to failover the connections from the primary ASA are not synchronized to the standby ASA After the clear connection all command is issued on an ASA enabled with a UC IME Proxy and the IME call fails over to the PSTN the next IME call between an originating and terminating SCCP IP phone completes but does not have audio and is dropped after the signaling session is established An I...

Page 1316: ...[Figure: ME Bootstrap Server; ASA outside interface 209.165.200.225; Local Cisco UCMs, Local ASA, Corporate Network, Local Enterprise; IP phones 192.168.10.30 and 199.168.10.31; TLS, TCP, Internet; Configure NAT: 192.168.10.30 and 192.168.10.31 to 209.165.200.227 and 209.165.200.228; Outside Cisco UCM addresses 209.165.200.227 and 209.165.200.228; Local Cisco UCM, Local ASA, Corporate Network, Local Enterprise; IP phones 192 168 1...

Page 1317: ...e config network object host 209 165 200 228 Specifies the mapped IP address of the Cisco UCM host for the network object Step 7 Optional hostname config network object description string Example hostname config network object description Cisco UCM Mapped Address Provides a description of the network object Step 8 hostname config network object exit Exits from the objects configuration mode Step 9...

Page 1318: ... the Cisco UCM host for the network object Step 9 hostname config network object exit Exits from the objects configuration mode Step 10 hostname config object service name Examples hostname config object service tcp_5570 hostname config object service tcp_5571 Creates a service object for the Cisco UCM SIP port Step 11 hostname config service object tcp source eq port Example hostname config service ...

Page 1319: ...k settings configured on Cisco UCM See the Cisco Unified Communications Manager documentation for information about this configuration setting Step 4 hostname config access list id extended permit tcp ip_address mask any range range Example hostname config access list ime outbound sip extended permit tcp 192 168 10 30 255 255 255 255 any range 5000 6000 Adds an ACE This ACE allows the ASA to allow...

Page 1320: ...Step 3 hostname config media termination address ip_address interface intf_name Examples hostname config media termination address 192 168 10 3 interface inside Configures a media termination address used by the inside interface of the ASA Note The IP address must be an unused IP address within the same subnet on that interface Step 4 Optional hostname config media termination rtp min port port1 r...

Page 1321: ...here mta_instance_name is the instance_name that you created in Step 1 of See page 1 12 for the steps to create the media termination instance Step 3 hostname config uc ime ucm address ip_address trunk security mode nonsecure secure Example hostname config uc ime ucm address 192 168 10 30 trunk security mode non secure Specifies the Cisco UCM server in the enterprise You must specify the real IP a...

Page 1322: ...time you change the password Typically you increment the epoch sequentially however the ASA allows you to choose any value when you update the epoch If you change the epoch value the current password is invalidated and you must enter a new password Where password contains a minimum of 10 and a maximum of 64 printable characters from the US ASCII character set The allowed characters include 0x21 to...

Page 1323: ... milliseconds for the monitoring timer and the allowed range is 10 600 ms Specifying hold down timer sets the amount of time that ASA waits before notifying Cisco UCM whether to fall back to PSTN Where timer_sec specifies the length of the hold down timer By default the length is 20 seconds for the hold down timer and the allowed range is 10 360 seconds If you do not use this command to specify fa...

Page 1324: ...ocal_ent Enters the trustpoint configuration mode for the specified trustpoint so that you can create the trustpoint for the local entity A trustpoint represents a CA identity and possibly a device identity based on a certificate issued by the CA Maximum name length is 128 characters Step 3 hostname config ca trustpoint subject name X 500_name Example hostname config ca trustpoint subject name cn ...

Page 1325: ...tname config crypto ca import remote ent certificate Imports the signed certificate received from the CA in response to a manual enrollment request Where trustpoint specifies the trustpoint you created in Step 2 The ASA prompts you to paste the base 64 formatted signed certificate onto the terminal Step 9 hostname config crypto ca authenticate trustpoint Example hostname config crypto ca authentic...

Page 1326: ...t point local ent For inbound connections specifies the proxy trustpoint certificate presented during TLS handshake The certificate must be owned by the adaptive security appliance identity certificate Where proxy_trustpoint specifies the trustpoint defined by the crypto ca trustpoint command in Step 2 in section on page 1 12 Because the TLS proxy has strict definition of client proxy and server p...

Page 1327: ... policy map so that you can assign actions to the class map traffic Where classmap_name is the name of the SIP class map that you created in Step 1 in this task Step 9 hostname config pmap c inspect sip sip_map tls proxy proxy_name uc ime uc_ime_map Examples hostname config pmap c inspect sip tls proxy local_to_remote ent uc ime local ent ime Enables the TLS proxy and Cisco Intercompany Media Engi...

Page 1328: ...see the Cisco Unified Communications Manager documentation for information Step 2 hostname config ca trustpoint exit Exits from Trustpoint Configuration mode Step 3 hostname config crypto ca export trustpoint identity certificate Example hostname config crypto ca export local asa identity certificate Exports the certificate you created in Step 1 The certificate contents appear on the terminal scre...

Page 1329: ... in Step 2 of the task Note In this step you are creating different trustpoints for the client and the server Step 8 hostname config tlsp exit Exits from TLS Proxy Configuration mode Step 9 hostname config tls proxy proxy_name hostname config tlsp server trust point proxy_trustpoint hostname config tlsp client trust point proxy_trustpoint hostname config tlsp client cipher suite aes128 sha1 aes256...

Page 1330: ...a Engine Proxy that you created in the task page 1 12 Where uc_ime_name is the name you specified in Step 1 of page 1 12 Step 6 hostname config mapping service listening interface interface_name listening port port uc ime interface uc ime interface_name Example hostname config uc ime mapping service listening interface inside listening port 8060 uc ime interface outside For the off path ASA adds t...

Page 1331: ...oxy was introduced The following commands were added to the CLI to support configuration of this new feature no uc ime uc_ime_name no fallback hold down monitoring timer value no fallback sensitivity file filename no mapping service listening interface ifc_name listening port port uc ime interface b2b ifc no ticket epoch epoch password pwd no ucm address ip_addr trunk security mode nonsecure secur...

Page 1333: ...PART 2 Configuring Connection Settings and QoS ...

Page 1335: ...n About Connection Settings page 1 1 Licensing Requirements for Connection Settings page 1 4 Guidelines and Limitations page 1 5 Default Settings page 1 5 Configuring Connection Settings page 1 6 Monitoring Connection Settings page 1 14 Configuration Examples for Connection Settings page 1 14 Feature History for Connection Settings page 1 16 Information About Connection Settings This section descr...

Page 1336: ...t Detection Disabling TCP Intercept for Management Packets for Clientless SSL Compatibility By default TCP management connections have TCP Intercept always enabled When TCP Intercept is enabled it intercepts the 3 way TCP connection establishment handshake packets and thus deprives the ASA from processing the packets for clientless SSL Clientless SSL requires the ability to process the 3 way hands...

Page 1337: ...example the ASA can allow drop or clear the packets TCP normalization helps protect the ASA from attacks TCP normalization is always enabled but you can customize how some features behave The TCP normalizer includes non configurable actions and configurable actions Typically non configurable actions that drop or clear connections apply to packets that are always bad Configurable actions as detaile...

Page 1338: ...assed through But if subsequent packets go to ASA 2 where there was not a SYN packet that went through the session management path then there is no entry in the fast path for the connection and the packets are dropped Figure 1 1 shows an asymmetric routing example where the outbound traffic goes through a different ASA than the inbound traffic Figure 1 1 Asymmetric Routing If you have asymmetric r...

Page 1339: ...with one ASA traffic returning via the other ASA will be denied because the user did not authenticate with that ASA TCP Intercept maximum embryonic connection limit TCP sequence number randomization The ASA does not keep track of the state of the connection so these features are not applied TCP normalization The TCP normalizer is disabled SSM and SSC functionality You cannot use TCP state bypass a...

Page 1340: ...ing to the Customizing the TCP Normalizer with a TCP Map section on page 1 6 Step 2 For all connection settings except for global timeouts configure a service policy according to Chapter 1 Configuring a Service Policy Using the Modular Policy Framework Step 3 Configure connection settings according to the Configuring Connection Settings section on page 1 10 Customizing the TCP Normalizer with a TC...

Page 1341: ...ose data length exceeds the TCP maximum segment size invalid ack allow drop Sets the action for packets with an invalid ACK You might see invalid ACKs in the following instances In the TCP connection SYN ACK received status if the ACK number of a received TCP packet is not exactly same as the sequence number of the next TCP packet sending out it is an invalid ACK Whenever the ACK number of a recei...

Page 1342: ...ther TCP traffic out of order packets are now buffered and put in order instead of passed through untouched The timeout seconds argument sets the maximum amount of time that out of order packets can remain in the buffer between 1 and 20 seconds if they are not put in order and passed on within the timeout period then they are dropped The default is 4 seconds You cannot change the timeout for any t...

Page 1343: ...e ack keyword sets the action for the SACK option The timestamp keyword sets the action for the timestamp option Clearing the timestamp option disables PAWS and RTT The window scale keyword sets the action for the window scale mechanism option The range keyword specifies a range of options The lower argument sets the lower end of the range as 6 7 or 9 through 255 The upper argument sets the upper e...

Page 1344: ...ts with the URG flag The URG flag is used to indicate that the packet contains information that is of higher priority than other data within the stream The TCP RFC is vague about the exact interpretation of the URG flag therefore end systems handle urgent offsets in different ways which may make the end system vulnerable to attacks The allow keyword allows packets with the URG flag Default The cle...

Page 1345: ...tion Step 2 match parameter Example hostname config cmap match access list bypass Specifies the traffic in the class map See the Identifying Traffic Layer 3 4 Class Maps section on page 1 12 for more information Step 3 policy map name Example hostname config policy map tcp_bypass_policy Adds or edits a policy map that sets the actions to take with the class map traffic Step 4 class name Example ho...

Page 1346: ...r the class The embryonic conn max n argument sets the maximum number of simultaneous embryonic connections allowed between 0 and 2000000 The default is 0 which allows unlimited connections The per client embryonic max n argument sets the maximum number of simultaneous embryonic connections allowed per client between 0 and 2000000 The default is 0 which allows unlimited connections The per client ...

Page 1347: ...without expiring connections that can still handle traffic You configure DCD when you want idle but valid connections to persist After a TCP connection times out the ASA sends DCD probes to the end hosts to determine the validity of the connection If one of the end hosts fails to respond after the maximum retries are exhausted the ASA frees the connection If both end hosts respond that the connect...

Page 1348: ...p_map1 Customizes the TCP normalizer See the Customizing the TCP Normalizer with a TCP Map section on page 1 6 to create a TCP map set connection advanced options tcp state bypass Example hostname config pmap c set connection advanced options tcp state bypass Enables TCP state bypass Step 6 service policy policymap_name global interface interface_name Example hostname config service policy tcp_byp...

Page 1349: ...e combined command set connection conn max 600 embryonic conn max 50 Configuration Examples for TCP State Bypass The following is a sample configuration for TCP state bypass hostname config access list tcp_bypass extended permit tcp 10 1 1 0 255 255 255 224 any hostname config class map tcp_bypass hostname config cmap description TCP traffic that bypasses stateful firewall hostname config cmap mat...

Page 1350: ...route becomes available then this timeout lets connections be closed so a connection can be reestablished to use the better route The default is 0 the connection never times out To take advantage of this feature change the timeout to a new value We modified the following command timeout floating conn Configurable timeout for PAT xlate 8 4 3 When a PAT xlate times out by default after 30 seconds an...

Page 1351: ...ing QoS on the switch instead of the ASASM Switches have more capability in this area This chapter describes how to apply QoS policies and includes the following sections Information About QoS page 1 1 Licensing Requirements for QoS page 1 5 Guidelines and Limitations page 1 5 Configuring QoS page 1 6 Monitoring QoS page 1 16 Feature History for QoS page 1 19 Information About QoS You should consi...

Page 1352: ...ate is generally represented as bits per second any two values may be derived from the third by the relation shown as follows: average rate = burst size / time interval Here are some definitions of these terms Average rate Also called the committed information rate CIR it specifies how much data can be sent or forwarded per unit time on average Burst size Also called the Committed Burst Bc size it spec...

Page 1353: ...Standard priority queuing Standard priority queuing uses an LLQ priority queue on an interface see the Configuring the Standard Priority Queue for an Interface section on page 1 8 while all other traffic goes into the best effort queue Because queues are not of infinite size they can fill and overflow When a queue is full any additional packets cannot get into the queue and are dropped This is cal...

Page 1354: ...valent of 200 milliseconds worth of shape rate traffic assuming a 1500 byte packet The minimum queue size is 64 When the queue limit is reached packets are tail dropped Certain critical keep alive packets such as OSPF Hello packets are never dropped The time interval is derived by time_interval = burst_size / average_rate The larger the time interval is the burstier the shaped traffic might be and the...

Page 1355: ...mine if it requires priority handling and will direct those packets to the LLQ DiffServ marking is preserved on packets when they traverse the service provider backbone so that QoS can be applied in transit QoS tunnel pre classification Licensing Requirements for QoS The following table shows the licensing requirements for this feature Guidelines and Limitations This section includes the guideline...

Page 1356: ... DSCP or precedence setting you cannot match a tunnel group For hierarchical priority queuing IPsec over TCP traffic is not supported You cannot configure traffic shaping and standard priority queuing for the same interface only hierarchical priority queuing is allowed For standard priority queuing the queue must be configured for a physical interface or for the ASA 5505 or ASASM a VLAN For polici...

Page 1357: ...g imposes a limited amount of extra latency for a high priority packet Table 1 1 Queue Limit Worksheet Step 1 __________ Outbound bandwidth Mbps or Kbps 1 1 For example DSL might have an uplink speed of 768 Kbps Check with your provider Mbps x 125 __________ of bytes ms Kbps x 125 __________ of bytes ms Step 2 ___________ of bytes ms from Step 1 __________ Average packet size bytes 2 2 Determine t...

Page 1358: ...rt priority queuing ASA 5580 You cannot create a standard priority queue for a Ten Gigabit Ethernet interface Note For the ASA 5585 X standard priority queuing is supported on a Ten Gigabit Interface ASA 5512 X through ASA 5555 X Priority queuing is not supported on the Management 0 0 interface Detailed Steps 2 Typically the maximum size is 1538 bytes or 1542 bytes for tagged Ethernet If you allow...

Page 1359: ...ropped called tail drop To avoid having the queue fill up you can use the queue limit command to increase the queue buffer size The upper limit of the range of values for the queue limit command is determined dynamically at run time To view this limit enter queue limit on the command line The key determinants are the memory needed to support the queues and the memory available on the device The qu...

Page 1360: ...ypes Detailed Steps Command Purpose Step 1 class map priority_map_name Example hostname config class map priority_traffic For priority traffic creates a class map to identify the traffic for which you want to perform priority queuing Step 2 match parameter Example hostname config cmap match access list priority Specifies the traffic in the class map See the Identifying Traffic Layer 3 4 Class Maps...

Page 1361: ...conform burst argument Specifies the maximum number of instantaneous bytes allowed in a sustained burst before throttling to the conforming rate value between 1000 and 512000000 bytes conform action Sets the action to take when the rate is less than the conform_burst value conform rate Sets the rate limit for this traffic flow between 8000 and 2000000000 bits per second drop Drops the packet excee...

Page 1362: ...ostname config cmap match tunnel group tunnel grp1 hostname config cmap class map TG1 BestEffort hostname config cmap description This class map matches all best effort traffic for tunnel grp1 hostname config cmap match tunnel group tunnel grp1 hostname config cmap match flow ip destination address The following example shows a way of policing a flow within a tunnel provided the classed traffic is...

Page 1363: ... pmap c priority hostname config pmap c class TG1 best effort hostname config pmap c police output 200000 37500 hostname config pmap c class class default hostname config pmap c police output 1000000 37500 hostname config pmap c service policy qos global Configuring a Service Rule for Traffic Shaping and Hierarchical Priority Queuing You can configure traffic shaping for all traffic on an interfac...

Page 1364: ...act section on page 1 4 for information about valid QoS configurations Command Purpose Step 1 class map priority_map_name Example hostname config class map priority_traffic For hierarchical priority queuing creates a class map to identify the traffic for which you want to perform priority queuing Step 2 match parameter Example hostname config cmap match access list priority Specifies the traffic i...

Page 1365: ...e config pmap c shape average 70000 4000 Enables traffic shaping where the average rate argument sets the average rate of traffic in bits per second over a given fixed time period between 64000 and 154400000 Specify a value that is a multiple of 8000 See the Information About Traffic Shaping section on page 1 4 for more information about how the time period is calculated The burst_size argument se...

Page 1366: ...ge 1 17 Viewing QoS Shaping Statistics page 1 17 Viewing QoS Standard Priority Queue Statistics page 1 18 Viewing QoS Police Statistics To view the QoS statistics for traffic policing use the show service policy command with the police keyword hostname show service policy police The following is sample output for the show service policy police command hostname show service policy police Global pol...

Page 1367: ...cs To view statistics for service policies implementing the shape command use the show service policy command with the shape keyword hostname show service policy shape The following is sample output for the show service policy shape command hostname show service policy shape Interface outside Service policy shape Class map class default Queueing queue limit 64 packets queue depth total drops no bu...

Page 1368: ...ow priority queue statistics command for the interface named test and the command output hostname show priority queue statistics test Priority Queue Statistics interface test Queue Type BE Packets Dropped 0 Packets Transmit 0 Packets Enqueued 0 Current Q Length 0 Max Q Length 0 Queue Type LLQ Packets Dropped 0 Packets Transmit 0 Packets Enqueued 0 Current Q Length 0 Max Q Length 0 hostname In this...

Page 1369: ...llowing commands priority queue queue limit tx ring limit priority police show priority queue statistics show service policy police show service policy priority show running config priority queue clear configure priority queue Shaping and hierarchical priority queuing 7 2 4 8 0 4 We introduced QoS shaping and hierarchical priority queuing We introduced the following commands shape show service pol...

Page 1370: ...1 20 Cisco ASA Series CLI Configuration Guide Chapter 1 Configuring QoS Feature History for QoS ...

Page 1371: ...SA interfaces and how to allow hosts on one interface to ping through to hosts on another interface We recommend that you only enable pinging and debugging messages during troubleshooting When you are done testing the ASA follow the steps in the Disabling the Test Configuration section on page 1 6 This section includes the following topics Enabling ICMP Debugging Messages and Syslog Messages page ...

Page 1372: ...id 1 seq 768 209 165 201 2 209 165 201 1 Inbound ICMP echo reply len 32 id 1 seq 768 209 165 201 1 209 165 201 2 Outbound ICMP echo request len 32 id 1 seq 1024 209 165 201 2 209 165 201 1 Inbound ICMP echo reply len 32 id 1 seq 1024 209 165 201 1 209 165 201 2 The output shows the ICMP packet length 32 bytes the ICMP packet identifier 1 and the ICMP sequence number the ICMP sequence number starts...

Page 1373: ... procedure in the Passing Traffic Through the ASA section on page 1 5 See Figure 1 1 Figure 1 1 Network Diagram with Interfaces Routers and Hosts Step 2 Ping each ASA interface from the directly connected routers For transparent mode ping the management IP address This test ensures that the ASA interfaces are active and that the interface configuration is correct A ping might fail if the ASA inter...

Page 1374: ...P Addressing Problems Step 3 Ping each ASA interface from a remote host For transparent mode ping the management IP address This test checks whether the directly connected router can route the packet between the host and the ASA and whether the ASA can correctly route the packet back to the host A ping might fail if the ASA does not have a return route to the host through the intermediate router s...

Page 1375: ...stablished 302020 You can also enter either the show xlate or show conns command to view this information The ping might fail because NAT is not configured correctly In this case a syslog message appears showing that the NAT failed 305005 or 305006 If the ping is from an outside host to an inside host and you do not have a static translation the following syslog message appears ASA 3 106010 deny i...

Page 1376: ... command for each interface that you want to allow ICMP traffic from high to low Note After you apply this ACL to an interface that is not the lowest security interface only ICMP traffic is allowed the implicit permit from high to low is removed For example to allow a DMZ interface level 50 to ping the inside interface level 100 you need to apply this ACL However now traffic from DMZ to outside le...

Page 1377: ... packet changes in a data path Inject tracer packets into the data path Search for an IPv4 or IPv6 address based on the user identity and the FQDN To trace packets enter the following command Monitoring Per Process CPU Usage You can monitor the processes that run on the CPU You can obtain information about the percentage of CPU that is used by a certain process CPU usage statistics are sorted in d...

Page 1378: ...1 8 Cisco ASA Series CLI Configuration Guide Chapter 1 Troubleshooting Connections and Resources Monitoring Per Process CPU Usage ...

Page 1379: ...PART 2 Configuring Advanced Network Protection ...


Page 1381: ... The ASA encrypts and includes the user credentials including usernames and or user groups in the traffic it redirects to Cloud Web Security The Cloud Web Security service then uses the user credentials to match the traffic to the policy It also uses these credentials for user based reporting Without user authentication the ASA can supply an optional default username and or group although username...

Page 1382: ...5 IPv4 and IPv6 Support page 1 6 Failover from Primary to Backup Proxy Server page 1 6 Redirection of Web Traffic to Cloud Web Security When an end user sends an HTTP or HTTPS request the ASA receives it and optionally retrieves the user and or group information If the traffic matches an ASA service policy rule for Cloud Web Security then the ASA redirects the request to the Cloud Web Security pro...

Page 1383: ...at the ASA is associated with a valid customer You can use one of two types of authentication keys for your ASA the company key or the group key Company Authentication Key page 1 3 Group Authentication Key page 1 3 Company Authentication Key A Company authentication key can be used on multiple ASAs within the same company This key simply enables the Cloud Web Security service for your ASAs The admin...

Page 1384: ...SA modifies the name to use only one backslash to conform to typical ScanCenter notation The default group name is sent in the following format domain group name On the ASA you need to configure the optional domain name to be followed by 2 backslashes however the ASA modifies the name to use only one backslash to conform to typical ScanCenter notation For example if you specify Cisco Boulder1 the ...

Page 1385: ... rule for the ASA from which it originated Many combinations of keys groups and policy rules are possible Cloud Web Security Actions After applying the configured policies Cloud Web Security either blocks allows or sends a warning about the user request Allows When Cloud Web Security allows the client request it contacts the originally requested server and retrieves the data It forwards the server...

Page 1386: ... proxy server and backup proxy server If any client is unable to reach the primary server then the ASA starts polling the tower to determine availability If there is no client activity the ASA polls every 15 minutes If the proxy server is unavailable after a configured number of retries the default is 5 this setting is configurable the server is declared unreachable and the backup proxy server be...

Page 1387: ...ge 1 6 Additional Guidelines Cloud Web Security is not supported with ASA clustering Clientless SSL VPN is not supported with Cloud Web Security be sure to exempt any clientless SSL VPN traffic from the ASA service policy for Cloud Web Security When an interface to the Cloud Web Security proxy servers goes down output from the show scansafe server command shows both servers up for approximately 15...

Page 1388: ... Cloud Web Security Policy page 1 15 Configuring Communication with the Cloud Web Security Proxy Server Guidelines The public key is embedded in the ASA software so there is no need for you to configure it Detailed Steps Command Purpose Step 1 scansafe general options Example hostname config scansafe general options Enters scansafe general options configuration mode Step 2 server primary ip ip_add...

Page 1389: ...itEthernet0 0 1 allocate interface GigabitEthernet0 1 1 allocate interface GigabitEthernet0 3 1 scansafe config url disk0 one_ctx cfg context two allocate interface GigabitEthernet0 0 2 allocate interface GigabitEthernet0 1 2 allocate interface GigabitEthernet0 3 2 scansafe license 366C1D3F5CE67D33D3E9ACEC26789534 config url disk0 two_ctx cfg Step 4 retry count value Example hostname cfg scansafe ...

Page 1390: ...d for each class of traffic that you want to send to Cloud Web Security The policy_map_name argument can be up to 40 characters in length You enter policy map configuration mode Step 2 parameters Example hostname config pmap parameters Parameters lets you configure the protocol and the default user or group You enter parameters configuration mode Step 3 http https Example hostname config pmap p ht...

Page 1391: ...urity Create an ACL consisting of one or more access control entries ACEs For detailed information about ACLs see Chapter 1 Adding an Extended Access Control List Cloud Web Security only operates on HTTP and HTTPS traffic Each type of traffic is treated separately by the ASA Therefore you need to create HTTP only ACLs and HTTPS only ACLs Create as many ACLs as needed for your policy A permit ACE s...

Page 1392: ...created in Step 9 Step 14 inspect scansafe scansafe_policy_name1 fail open fail close Example hostname config pmap c inspect scansafe cws_inspect_pmap1 fail open Enables Cloud Web Security inspection on the traffic in this class Specify the inspection class map name that you created in Step 1 Specify fail open to allow traffic to pass through the ASA if the Cloud Web Security servers are unavailab...

Page 1393: ...list hostname config object network cisco1 hostname config object network fqdn www cisco com hostname config object network cisco2 hostname config object network fqdn tools cisco com hostname config object network dmz_network hostname config object network subnet 10 1 1 0 255 255 255 0 hostname config access list SCANSAFE_HTTP extended deny tcp any4 object cisco1 eq 80 hostname config access list ...

Page 1394: ...ect_pmap1 hostname config pmap parameters hostname config pmap p http hostname config pmap p default group default_group hostname config pmap p class whitelist1 hostname config pmap c whitelist hostname config policy map type inspect scansafe cws_inspect_pmap2 hostname config pmap parameters Command Purpose Step 1 class map type inspect scansafe match all match any name Example hostname config cla...

Page 1395: ...tion directly from the AD agent Restrictions The ASA can only monitor a maximum of 512 groups including those configured for the user identity monitor and those monitored through active ACLs Detailed Steps Configuring the Cloud Web Security Policy After you configure the ASA service policy rules launch the ScanCenter Portal to configure Web content scanning filtering malware protection services an...

Page 1396: ...are redirected or whitelisted by a particular policy hostname config show service policy inspect scansafe Global policy Service policy global_policy Class map inspection_default Interface inside Service policy scansafe pmap Class map scansafe cmap Inspect scansafe p scansafe fail open packet 0 drop 0 reset drop 0 v6 fail close 0 Number of whitelisted connections 0 Number of connections allowed wit...

Page 1397: ... web extended permit tcp any any eq www hostname config access list https extended permit tcp any any eq https Configure Class Maps hostname config class map cmap http hostname config cmap match access list web hostname config class map cmap https hostname config cmap match access list https Configure Inspection Policy Maps hostname config policy map type inspect scansafe http pmap hostname config...

Page 1398: ...rnet0 0 1 allocate interface GigabitEthernet0 1 1 allocate interface GigabitEthernet0 3 1 scansafe config url disk0 one_ctx cfg context two allocate interface GigabitEthernet0 0 2 allocate interface GigabitEthernet0 1 2 allocate interface GigabitEthernet0 3 2 scansafe license 366C1D3F5CE67D33D3E9ACEC265261E5 config url disk0 two_ctx cfg Whitelist Example Configure what access list traffic should b...

Page 1399: ...er page 1 20 Creating a Link Between the AD Agent and DCs page 1 20 Testing the AD Agent page 1 20 Configuring the Identity Options on the ASA page 1 20 Configuring the User Identity Options and Enabling Granular Reporting page 1 20 Monitoring the Active Directory Groups page 1 21 Downloading the Entire Active User Database from the Active Directory Server page 1 21 Downloading the Database from t...

Page 1400: ...n W2K3DC asascanlab local user administrator password Password1 c IBF CLI adacfg exe dc list Running the last command should show the status as UP For the AD_Agent to monitor logon logoff events you need to ensure that these are logged on ALL DCs that are actively being monitored To do this choose Start Administrative Tools Domain Controller Security Policy Local policies Audit Policy Audit accoun...

Page 1401: ...m the Active Directory Server The following command updates the specified import user group database by querying the Active Directory server immediately without waiting for the expiration of poll import user group timer hostname config user identity update import user Downloading the Database from the AD Agent The following example shows how to manually start the download of the database from the ...

Page 1402: ...isk0 asa100824 32 k8 bin ftp mode passive dns server group DefaultDNS domain name uk scansafe net object network obj0192 168 116 x subnet 192 168 116 0 255 255 255 0 access list 101 extended permit tcp any any eq www access list 101 extended permit tcp any any eq https access list web extended permit tcp any any eq www access list icmp extended permit icmp any any access list https extended permit...

Page 1403: ...erver AD user identity default domain ASASCANLAB user identity action netbios response fail remove user ip user identity poll import user group timer hours 1 user identity ad agent aaa server adagent user identity user not found enable user identity monitor user group ASASCANLAB GROUP1 user identity monitor user group ASASCANLAB GROUPNAME no snmp server location no snmp server contact crypto ca tr...

Page 1404: ...nsafe http pmap fail open class cmap https inspect scansafe https pmap fail open service policy pmap http global prompt hostname context no call home reporting anonymous call home profile CiscoTAC 1 no active destination address http https tools cisco com its service oddce services DDCEService destination address email callhome cisco com destination transport method http subscribe to alert group d...

Page 1405: ... History for Cloud Web Security Feature Name Platform Releases Feature Information Cloud Web Security 9 0 1 This feature was introduced Cisco Cloud Web Security provides content scanning and other malware protection service for web traffic It can also redirect and report about web traffic based on user identity We introduced or modified the following commands class map type inspect scansafe defaul...

Page 1406: ...1 26 Cisco ASA Series CLI Configuration Guide Chapter 1 Configuring the ASA for Cisco Cloud Web Security Feature History for Cisco Cloud Web Security ...

Page 1407: ...sted addresses still generate syslog messages but because you are only targeting blacklist syslog messages they are informational Note If you do not want to use the Cisco dynamic database at all because of internal requirements you can use the static blacklist alone if you can identify all the malware sites that you want to target This chapter describes how to configure the Botnet Traffic Filter a...

Page 1408: ...cious activity and you can optionally configure it to block suspicious traffic automatically Unlisted addresses do not generate any syslog messages but addresses on the blacklist whitelist and greylist generate syslog messages differentiated by type See the Botnet Traffic Filter Syslog Messaging section on page 1 17 for more information Botnet Traffic Filter Databases The Botnet Traffic Filter use...

Page 1409: ... ups and pop unders for websites spyware and adware Some of these networks send ad oriented HTML emails and email verification services Data Tracking These are sources associated with companies and websites that offer data tracking and metrics services to websites and other online entities Some of these also run small advertising networks Spyware These are sources that distribute spyware adware gr...

Page 1410: ... occurs then that traffic will not be monitored by the Botnet Traffic Filter Information About the DNS Reverse Lookup Cache and DNS Host Cache When you use the dynamic database with DNS snooping entries are added to the DNS reverse lookup cache If you use the static database entries are added to the DNS host cache see the Information About the Static Database section on page 1 3 about using the st...

Page 1411: ...c Filter Works with the Static Database [Figure: Botnet Traffic Filter operation. Labels: Security Appliance; DNS Reverse Lookup Cache; Infected Host; Malware Home Site 209.165.201.3; Syslog Server; Dynamic Database; DNS Server; DNS Snoop; Internet. Steps: 1 DNS Request bad.example.com, 1a Match; 2 DNS Reply 209.165.201.3, 2a Add; 3 Connection to 209.165.201.3, 3a Match, 3b Send Syslog Message / Drop Traffic] Security Appliance DNS Host Cache...

Page 1412: ...Context Mode Guidelines Supported in single and multiple context mode Firewall Mode Guidelines Supported in routed and transparent firewall mode Failover Guidelines Does not support replication of the DNS reverse lookup cache DNS host cache or the dynamic database in Stateful Failover IPv6 Guidelines Does not support IPv6 Additional Guidelines and Limitations TCP DNS traffic is not supported You c...

Page 1413: ...mes or IP addresses that you want to blacklist or whitelist You might want to use the static database instead of the dynamic database if you do not want to download the dynamic database over the Internet Step 3 Enable DNS snooping See the Enabling DNS Snooping section on page 1 10 This procedure enables inspection of DNS packets compares the domain name with those in the dynamic database or the st...

Page 1414: ...e config changeto context context1 hostname context1 config dynamic filter use database hostname context1 config changeto context context2 hostname context2 config dynamic filter use database The following single mode example enables downloading of the dynamic database and enables use of the database hostname config dynamic filter updater client enable Command Purpose Step 1 dynamic filter updater...

Page 1415: ...le ASA use of a DNS server according to the Configuring the DNS Server section on page 14 11 Detailed Steps Command Purpose Step 1 dynamic filter blacklist Example hostname config dynamic filter blacklist Edits the Botnet Traffic Filter blacklist Step 2 Enter one or both of the following name domain_name Example hostname config llist name bad example com Adds a name to the blacklist You can enter ...

Page 1416: ... adds the name and IP address to the Botnet Traffic Filter DNS reverse lookup cache This cache is then used by the Botnet Traffic Filter when connections are made to the suspicious address The following procedure creates an interface specific service policy for DNS inspection See the DNS Inspection section on page 46 1 and Chapter 35 Configuring a Service Policy Using the Modular Policy Framework ...

Page 1417: ...amples section for the recommended commands for this configuration Detailed Steps Command Purpose Step 1 class map name Example hostname config class map dynamic filter_snoop_class Creates a class map to identify the traffic for which you want to inspect DNS Step 2 match parameters Example hostname config cmap match port udp eq domain Specifies traffic for the class map See the Identifying Traffic...

Page 1418: ...ter compares the source and destination IP address in each initial connection packet to the following Dynamic database IP addresses Static database IP addresses DNS reverse lookup cache for dynamic database domain names DNS host cache for static database domain names When an address matches the ASA sends a syslog message The only additional action currently available is to drop the connection Prer...

Page 1419: ...ist dynamic filter_acl_subset extended permit tcp 10 1 1 0 255 255 255 0 any eq 80 Identifies the traffic that you want to monitor or drop If you do not create an access list for monitoring by default you monitor all traffic You can optionally use an access list to identify a subset of monitored traffic that you want to drop be sure the access list is a subset of the monitoring access list See Cha...

Page 1420: ... specify an access list for the dynamic filter enable command and you specify the action classify list for this command then it must be a subset of the dynamic filter enable access list Make sure you do not specify overlapping traffic in multiple commands for a given interface global policy Because you cannot control the exact order that commands are matched overlapping traffic means you do not kn...

Page 1421: ...log message ASA 4 338002 Dynamic Filter permitted black listed TCP traffic from inside 10 1 1 45 6798 209 165 201 1 7890 to outside 209 165 202 129 80 209 165 202 129 80 destination 209 165 202 129 resolved from dynamic list bad example com You can then perform one of the following actions Create an access list to deny traffic For example using the syslog message above you might want to deny traff...

Page 1422: ...block future connections from 10 1 1 45 and also drop the current connection to the malware site in the syslog message enter hostname config shun 10 1 1 45 209 165 202 129 6798 80 See Blocking Unwanted Connections section on page 62 2 for more information about shunning After you resolve the infection be sure to remove the access list or the shun To remove the shun enter no shun src_ip Searching t...

Page 1423: ...f these domain names are on the blacklist See the syslog messages guide for detailed information about syslog messages Botnet Traffic Filter Commands To monitor the Botnet Traffic Filter enter one of the following commands Command Purpose show dynamic filter statistics interface name detail Shows how many connections were classified as whitelist blacklist and greylist connections and how many conn...

Page 1424: ...osts visited malware sites and malware ports The max connections keyword shows the 20 infected hosts with the most number of connections The latest active keyword shows the 20 hosts with the most recent activity The highest threat keyword shows the 20 hosts that connected to the malware sites with the highest threat level The subnet keyword shows up to 20 hosts within the specified subnet The all ...

Page 1425: ...hosts report at 13 41 06 UTC Jul 15 2009 Configuration Examples for the Botnet Traffic Filter This section includes the recommended configuration for single and multiple context mode as well as other possible configurations This section includes the following topics Recommended Configuration Example page 1 19 Other Configuration Examples page 1 20 Recommended Configuration Example The following re...

Page 1426: ...g dynamic filter use database hostname context2 config class map dynamic filter_snoop_class hostname context2 config cmap match port udp eq domain hostname context2 config cmap policy map dynamic filter_snoop_policy hostname context2 config pmap class dynamic filter_snoop_class hostname context2 config pmap c inspect dns preset_dns_map dynamic filter snoop hostname context2 config pmap c service p...

Page 1427: ...ig pmap c inspect dns preset_dns_map dynamic filter snoop hostname context2 config pmap c service policy dynamic filter_snoop_policy interface outside hostname context2 config pmap c dynamic filter blacklist hostname context2 config llist name bad1 example com hostname context2 config llist name bad2 example com hostname context2 config llist address 10 1 1 1 255 255 255 0 hostname context2 config...

Page 1428: ... 1 This feature was introduced Automatic blocking and blacklist category and threat level reporting 8 2 2 The Botnet Traffic Filter now supports automatic blocking of blacklisted traffic based on the threat level You can also view the category and threat level of malware sites in statistics and reports The 1 hour timeout for reports for top hosts was removed there is now no timeout The following c...

Page 1429: ... to your ASA for example if you enable scanning threat detection then viewing statistics can help you analyze the threat You can configure two types of threat detection statistics Basic threat detection statistics Includes information about attack activity for the system as a whole Basic threat detection statistics are enabled by default and have no performance impact Advanced threat detection sta...

Page 1430: ...ful Firewall check failure Basic firewall checks failed This option is a combined rate that includes all firewall related packet drops in this bulleted list It does not include non firewall related drops such as interface overload packets failed at application inspection and scanning attack detected Suspicious ICMP packets detected Packets failed application inspection Interface overload Scanning ...

Page 1431: ...at detection Default Settings Basic threat detection statistics are enabled by default Table 1 1 lists the default settings You can view all these default settings using the show running config all threat detection command Table 1 1 Basic Threat Detection Default Settings Packet Drop Reason Trigger Settings Average Rate Burst Rate DoS attack detected Bad packet format Connection limits exceeded Su...

Page 1432: ...tinued Packet Drop Reason Trigger Settings Average Rate Burst Rate Command Purpose Step 1 threat detection basic threat Example hostname config threat detection basic threat Enables basic threat detection statistics if you previously disabled it Basic threat detection is enabled by default Step 2 threat detection rate acl drop bad packet drop conn limit drop dos drop fw drop icmp drop inspect drop...

Page 1433: ...a description of each event type see the Information About Basic Threat Detection Statistics section on page 1 2 The output shows the average rate in events sec over two fixed time periods the last 10 minutes and the last 1 hour It also shows the current burst rate in events sec over the last completed burst interval which is 1 30th of the average rate interval or 10 seconds whichever is larger th...

Page 1434: ...s lists Caution Enabling advanced statistics can affect the ASA performance depending on the type of statistics enabled The threat detection statistics host command affects performance in a significant way if you have a high traffic load you might consider enabling this type of statistics temporarily The threat detection statistics port command however has modest impact Guidelines and Limitations ...

Page 1435: ...type shown in this table and do not also enter the command without any options You can enter threat detection statistics without any options and then customize certain statistics by entering the command with statistics specific options for example threat detection statistics host number of rate 2 If you enter threat detection statistics without any options and then enter a command for specific sta...

Page 1436: ... to 2 then the two shortest intervals are maintained The host statistics accumulate for as long as the host is active and in the scanning threat host database The host is deleted from the database and the statistics cleared after 10 minutes of inactivity Step 4 threat detection statistics port number of rate 1 2 3 Example hostname config threat detection statistics port number of rate 2 Optional E...

Page 1437: ... hour 8 hours and 24 hours If you set this keyword to 1 the default then only the shortest rate interval statistics are maintained If you set the value to 2 then the two shortest intervals are maintained Step 6 threat detection statistics tcp intercept rate interval minutes burst rate attacks_per_sec average rate attacks_per_sec Example hostname config threat detection statistics tcp intercept rat...

Page 1438: ...urst interval is 20 seconds If the last burst interval was from 3 00 00 to 3 00 20 and you use the show command at 3 00 25 then the last 5 seconds are not included in the output The only exception to this rule is if the number of events in the unfinished burst interval already exceeds the number of events in the oldest burst interval 1 of 30 when calculating the total events In that case the ASA c...

Page 1439: ... protocol keyword The port protocol keyword shows statistics for both ports and protocols both must be enabled for the display and shows the combined statistics of TCP UDP port and IP protocol types TCP protocol 6 and UDP protocol 17 are not included in the display for IP protocols TCP and UDP ports are however included in the display for ports If you only enable statistics for one of these types ...

Page 1440: ...0 tot ses 1 act ses 0 fw drop 0 insp drop 0 null ses 0 bad acc 0 1 hour Sent byte 0 0 0 614 8 hour Sent byte 0 0 0 614 24 hour Sent byte 0 0 0 614 1 hour Sent pkts 0 0 0 6 8 hour Sent pkts 0 0 0 6 24 hour Sent pkts 0 0 0 6 20 min Sent drop 0 0 0 4 1 hour Sent drop 0 0 0 4 1 hour Recv byte 0 0 0 706 8 hour Recv byte 0 0 0 706 24 hour Recv byte 0 0 0 706 1 hour Recv pkts 0 0 0 7 Table 1 3 shows each...

Page 1441: ...n the burst interval is 20 seconds. If the last burst interval was from 3:00:00 to 3:00:20, and you use the show command at 3:00:25, then the last 5 seconds are not included in the output. The only exception to this rule is if the number of events in the unfinished burst interval already exceeds the number of events in the oldest burst interval (1 of 30) when calculating the total events. In that case, th...

Page 1442: ...ost Command Fields (continued) Field Description Table 1-4 Feature History for Advanced Threat Detection Statistics Feature Name Platform Releases Feature Information Advanced threat detection statistics 8.0(2) Advanced threat detection statistics was introduced. The following commands were introduced: threat-detection statistics, show threat-detection statistics. TCP Intercept statistics 8.0(4)/8.1(2) TCP...

Page 1443: ...sends a syslog message (733101) and optionally shuns the attacker. The ASA tracks two types of rates: the average event rate over an interval, and the burst event rate over a shorter burst interval. The burst event rate is 1/30th of the average rate interval or 10 seconds, whichever is higher. For each event detected that is considered to be part of a scanning attack, the ASA checks the average and burst...

Page 1444: ...ic that is denied by an access list does not trigger scanning threat detection; only traffic that is allowed through the ASA and that creates a flow is affected by scanning threat detection. Default Settings Table 1-5 lists the default rate limits for scanning threat detection. The burst rate is calculated as the average rate every N seconds, where N is the burst rate interval. The burst rate interval...

Page 1445: ...l Sets the duration of the shun for attacking hosts. Step 3 threat-detection rate scanning-threat rate-interval rate_interval average-rate av_rate burst-rate burst_rate Example: hostname(config)# threat-detection rate scanning-threat rate-interval 1200 average-rate 10 burst-rate 20 hostname(config)# threat-detection rate scanning-threat rate-interval 2400 average-rate 10 burst-rate 20 (Optional) Changes t...

Page 1446: ...p_address [mask] Releases a host from being shunned. If you do not specify an IP address, all hosts are cleared from the shun list. show threat-detection scanning-threat [attacker | target] Displays hosts that the ASA decides are attackers (including hosts on the shun list), and displays the hosts that are the target of an attack. If you do not enter an option, both attackers and target hosts are displayed. Comm...

Page 1447: ...rage-rate 60 burst-rate 100 threat-detection statistics threat-detection statistics host number-of-rate 2 threat-detection statistics tcp-intercept rate-interval 60 burst-rate 800 average-rate 600 threat-detection scanning-threat shun except ip-address 10.1.1.0 255.255.255.0 threat-detection rate scanning-threat rate-interval 1200 average-rate 10 burst-rate 20 threat-detection rate scanning-threat...

Page 1449: ...k to the source address. See RFC 2267 for more information. For outside traffic, for example, the ASA can use the default route to satisfy the Unicast RPF protection. If traffic enters from an outside interface, and the source address is not known to the routing table, the ASA uses the default route to correctly identify the outside interface as the source interface. If traffic enters the outside interfac...

Page 1450: ...connections automatically. To shun a connection manually, perform the following steps: Step 1 If necessary, view information about the connection by entering the following command: hostname# show conn The ASA shows information about each connection, such as the following: TCP out 64.101.68.161:4300 in 10.86.194.60:23 idle 0:00:00 bytes 1297 flags UIO Step 2 To shun connections from the source IP address, e...

Page 1451: ...fo [action [alarm] [drop] [reset]] Where alarm generates a system message showing that a packet matched a signature, drop drops the packet, and reset drops the packet and closes the connection. If you do not define an action, then the default action is to generate an alarm. Step 2 To define an IP audit policy for attack signatures, enter the following command: hostname(config)# ip audit name name attack [action [ala...

Page 1452: ...the IP option list for the datagram includes option 4 (Timestamp). 1003 400003 IP options-Security Informational Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 2 (Security options). 1004 400004 IP options-Loose Source Route Informational Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 3 (Loose Source Route). 1...

Page 1453: ...ers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 4 (Source Quench). 2003 400013 ICMP Redirect Informational Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 5 (Redirect). 2004 400014 ICMP Echo Request Informational Triggers when...

Page 1454: ...to 1 (ICMP) and the type field in the ICMP header set to 18 (Address Mask Reply). 2150 400023 Fragmented ICMP Traffic Attack Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and either the more fragments flag is set to 1 (ICMP) or there is an offset indicated in the offset field. 2151 400024 Large ICMP Traffic Attack Triggers when an IP datagram is received wi...

Page 1455: ...an attempt to access HINFO records from a DNS server. 6051 400035 DNS Zone Transfer Informational Triggers on normal DNS zone transfers, in which the source port is 53. 6052 400036 DNS Zone Transfer from High Port Informational Triggers on an illegitimate DNS zone transfer, in which the source port is not equal to 53. 6053 400037 DNS Request for All Records Informational Triggers on a DNS request for a...

Page 1456: ...quest Informational Triggers when a request is made to the portmapper for the mount daemon (mountd) port. 6175 400048 rexd (remote execution daemon) Portmap Request Informational Triggers when a request is made to the portmapper for the remote execution daemon (rexd) port. 6180 400049 rexd (remote execution daemon) Attempt Informational Triggers when a call to the rexd program is made. The remote execution d...

Page 1457: ...eX objects or Java applets that may pose a security threat in certain situations. You can use web traffic filtering to direct specific traffic to an external filtering server, such as Secure Computing SmartFilter (formerly N2H2) or the Websense filtering server. You can enable long URL, HTTPS, and FTP filtering using either Websense or Secure Computing SmartFilter for web traffic filtering. Filtering serv...

Page 1458: ...ring or displaying information. As a technology, ActiveX creates many potential problems for network clients, including causing workstations to fail, introducing network security problems, or being used to attack servers. The filter activex command blocks the HTML object commands by commenting them out within the HTML web page. ActiveX filtering of HTML files is performed by selectively replacing the APP...

Page 1459: ...bject blocking applies to HTTP traffic on port 80 from any local host and for connections to any foreign host. The following example shows how to configure ActiveX filtering to block all outbound connections: hostname(config)# filter activex 80 0 0 0 0 The following example shows how to remove ActiveX filtering: hostname(config)# no filter activex 80 0 0 0 0 Command Purpose filter activex port[-port] local...

Page 1460: ...ecurity risks because they can contain code intended to attack hosts and servers on a protected network. You can remove Java applets with the filter java command. Note Use the filter activex command to remove Java applets that are embedded in object tags. The filter java command filters out Java applets that return to the ASA from an outbound connection. You still receive the HTML page, but the web pag...

Page 1461: ...a protected network: hostname(config)# filter java http 192.168.3.3 255.255.255.255 0 0 This command prevents host 192.168.3.3 from downloading Java applets. Command Purpose filter java port[-port] local_ip local_mask foreign_ip foreign_mask Example: hostname# filter java 80 0 0 0 0 Removes Java applets in HTTP traffic passing through the ASA. To use this command, replace port[-port] with the TCP port to whic...

Page 1462: ...tory for URL Filtering, page 1-17 Information About URL Filtering You can apply filtering to connection requests originating from a more secure network to a less secure network. Although you can use ACLs to prevent outbound access to specific content servers, managing usage this way is difficult because of the size and dynamic nature of the Internet. You can simplify configuration and improve ASA perf...

Page 1463: ...ent server to the originating client. If the filtering server denies the connection, the ASA drops the response and sends a message or return code indicating that the connection was not successful. If user authentication is enabled on the ASA, then the ASA also sends the username to the filtering server. The filtering server can use user-specific filtering settings or provide enhanced reporting about u...

Page 1464: ...maximum of 16 of the same type of filtering servers are allowed. You can only configure a single type of server (Websense or Secure Computing SmartFilter) in your configuration. Note You must add the filtering server before you can configure filtering for HTTP or HTTPS with the filter command. If you remove the filtering servers from the configuration, then all filter commands are also removed. To specif...

Page 1465: ...lies on this port. Note The default port is 4005, which is used by the Secure Computing SmartFilter server to communicate to the ASA via TCP or UDP. For information about changing the default port, see the Filtering by N2H2 Administrator's Guide. The timeout seconds option is the number of seconds that the ASA should keep trying to connect to the filtering server. The connections number option is the nu...

Page 1466: ...sends the request to the content server and to the filtering server at the same time. If the filtering server does not respond before the content server, the server response is dropped. This behavior delays the web server response for the web client, because the web client must reissue the request. By enabling the HTTP response buffer, replies from web content servers are buffered and the responses are...

Page 1467: ...cache command. To improve throughput, enter the following command: Filtering HTTP URLs This section describes how to configure HTTP filtering with an external filtering server and includes the following topics: Enabling HTTP Filtering, page 1-12 Enabling Filtering of Long HTTP URLs, page 1-12 Truncating Long HTTP URLs, page 1-13 Exempting Traffic from Filtering, page 1-13 Command Purpose url-cache {dst | src...

Page 1468: ...rt] local_ip local_mask foreign_ip foreign_mask [allow] [proxy-block] Example: hostname# filter url http 80 allow proxy-block Replaces port[-port] with one or more port numbers if a different port than the default port for HTTP (80) is used. Replaces local_ip and local_mask with the IP address and subnet mask of a user or subnetwork making requests. Replaces foreign_ip and foreign_mask with the IP address and...

Page 1469: ...error message, such as "The Page or the content cannot be displayed." Note The ASA does not provide an authentication prompt for HTTPS, so you must authenticate with the ASA using HTTP or FTP before accessing HTTPS servers. Command Purpose filter url [longurl-truncate | longurl-deny | cgi-truncate] Example: hostname# filter url longurl-truncate The longurl-truncate option causes the ASA to send only the hostnam...

Page 1470: ...of port numbers if a different port than the default port for HTTPS (443) is used. Replaces local_ip and local_mask with the IP address and subnet mask of a user or subnetwork making requests. Replaces foreign_ip and foreign_mask with the IP address and subnet mask of a server or subnetwork responding to requests. The allow option causes the ASA to forward HTTPS traffic without filtering when the prim...

Page 1471: ...by cache server 0 0 Requests dropped 0 Server timeouts/retries 0 0 Processed rate average 60s/300s 0 0 requests/second Denied rate average 60s/300s 0 0 requests/second Dropped rate average 60s/300s 0 0 requests/second Server Statistics: 10.125.76.20 UP Vendor websense Port 15868 Requests total/allowed/denied 151 140 11 Server timeouts/retries 0 0 Responses received 151 Response time average 60s/30...

Page 1472: ...number of packets held (global) 38 Packets dropped due to exceeding url-block buffer limit 7546 HTTP server retransmission 10 Number of packets released back to client 0 The following is sample output from the show url-cache stats command: hostname# show url-cache stats URL Filter Cache Stats Size: 128KB Entries: 1724 In Use: 456 Lookups: 45 Hits: 8 This shows how the cache is used. The following is sample...

Page 1473: ...e 1-5 lists the release history for URL filtering. ASDM is backwards-compatible with multiple platform releases, so the specific ASDM release in which support was added is not listed. Table 1-5 Feature History for URL Filtering Feature Name Platform Releases Feature Information URL filtering 7.0(1) Filters URLs based on an established set of filtering criteria.

Page 1475: ...PART 2 Configuring Modules ...

Page 1477: ...1-5 Guidelines and Limitations, page 1-5 Default Settings, page 1-6 Configuring the ASA IPS module, page 1-7 Managing the ASA IPS module, page 1-21 Monitoring the ASA IPS module, page 1-25 Configuration Examples for the ASA IPS module, page 1-26 Feature History for the ASA IPS module, page 1-26 Information About the ASA IPS module The ASA IPS module runs advanced IPS software that provides proactive, ful...

Page 1478: ...llows: Note This example is for inline mode. See the Operating Modes section on page 1-3 for information about promiscuous mode, where the ASA only sends a copy of the traffic to the ASA IPS module. 1. Traffic enters the ASA. 2. Incoming VPN traffic is decrypted. 3. Firewall policies are applied. 4. Traffic is sent to the ASA IPS module. 5. The ASA IPS module applies its security policy to the traffic and take...

Page 1479: ...traffic or by resetting a connection on the ASA. Also, while the ASA IPS module is analyzing the traffic, a small amount of traffic might pass through the ASA before the ASA IPS module can shun it. Figure 1-2 shows the ASA IPS module in promiscuous mode. In this example, the ASA IPS module sends a shun message to the ASA for traffic it identified as a threat. Figure 1-2 ASA IPS module Traffic Flow in the...

Page 1480: ...module and access the module CLI. See the Sessioning to the Module from the ASA section on page 1-11. Connecting to the IPS management interface using ASDM or SSH After you launch ASDM from the ASA, your management station connects to the module management interface to configure the IPS application. For SSH, you can access the module CLI directly on the module management interface. (Telnet access require...

Page 1481: ...equirements for this feature. The ASA IPS module requires a separate Cisco Services for IPS license in order to support signature updates. All other updates are available without a license. Guidelines and Limitations This section includes the guidelines and limitations for this feature. Context Mode Guidelines The ASA 5505 does not support multiple context mode, so multiple context features, such as vir...

Page 1482: ...e total throughput for the ASA plus the IPS module is lower than ASA throughput alone. ASA 5512-X through ASA 5555-X: See http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/qa_c67-700608.html ASA 5585-X: See http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/qa_c67-617018.html ASA 5505 through ASA 5540: See http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/p...

Page 1483: ...sion to the module. Access the IPS CLI over the backplane. See the Sessioning to the Module from the ASA section on page 1-11. Step 3 (ASA 5512-X through ASA 5555-X; may be required) Install the software module. See the (ASA 5512-X through ASA 5555-X) Booting the Software Module section on page 1-11. Step 4 (Depending on your ASA model) (ASA 5510 and higher) Configure basic network settings for the IPS module. S...

Page 1484: ...ule The IPS module includes a separate management interface from the ASA. If you have an inside router If you have an inside router, you can route between the management network, which can include both the ASA Management 0/0 and IPS Management 1/0 interfaces, and the ASA inside network. Be sure to also add a route on the ASA to reach the Management network through the inside router. ASA 5585-X PWR BOOT...

Page 1485: ...e IPS module as a software module, and the IPS management interface shares the Management 0/0 interface with the ASA. If you have an inside router If you have an inside router, you can route between the Management 0/0 network, which includes both the ASA and IPS management IP addresses, and the inside network. Be sure to also add a route on the ASA to reach the Management network through the inside rout...

Page 1486: ...interfaces. If the name is not configured, then the IPS address can be on any network, for example, the ASA inside network. ASA 5505 The ASA 5505 does not have a dedicated management interface. You must use an ASA VLAN to access an internal management IP address over the backplane. Connect the management PC to one of the following ports: Ethernet 0/1 through 0/7, which are assigned to VLAN 1. What to Do Nex...

Page 1487: ...u are prompted for the username and password. The default username is cisco and the default password is cisco. Note The first time you log in to the module, you are prompted to change the default password. Passwords must be at least eight characters long and cannot be a word in the dictionary. Console session (software module only) session ips console Example: hostname# session ips console Establishing con...

Page 1488: ...e procedure. Step 2 To set the IPS module software location in disk0, enter the following command: hostname# sw-module module ips recover configure image disk0:file_path For example, using the filename in the example in Step 1, enter: hostname# sw-module module ips recover configure image disk0:IPS-SSP_5512-K9-sys-1.1-a-7.1-4-E4.aip Step 3 To install and load the IPS module software, enter the following co...

Page 1489: ...change the management VLAN and IP address if you do not want to use the default, and how to set other required network parameters. Note Perform this configuration on the ASA 5505, not on the ASA IPS module. Prerequisites When you change the IPS VLAN and management address from the default, be sure to also configure the matching ASA VLAN and switch port(s) according to the procedures listed in Chapter 1...

Page 1490: ...ASA IPS module. Detailed Steps Command Purpose Step 1 interface vlan number Example: hostname(config)# interface vlan 1 Specifies the current management VLAN for which you want to disable IPS management. By default, this is VLAN 1. Step 2 no allow-ssc-mgmt Example: hostname(config-if)# no allow-ssc-mgmt Disables IPS management for the old VLAN so that you can enable it for a different VLAN. Step 3 interface...

Page 1491: ...on. Step 5 hw-module module 1 ip ip_address netmask gateway Example: hostname# hw-module module 1 ip 10.1.1.2 255.255.255.0 10.1.1.1 Configures the management IP address for the ASA IPS module. Make sure this address is on the same subnet as the ASA VLAN IP address. For example, if you assigned 10.1.1.1 to the VLAN for the ASA, then assign another address on that network, such as 10.1.1.2, for the IPS mana...

Page 1492: ...u are done configuring the ASA IPS module, exit the IPS software by entering the following command: sensor# exit If you sessioned to the ASA IPS module from the ASA, you return to the ASA prompt. What to Do Next For the ASA in multiple context mode, see the Assigning Virtual Sensors to a Security Context (ASA 5510 and Higher) section on page 1-16. For the ASA in single context mode, see the Diverting Traffi...

Page 1493: ...sensor name that can be used within the context instead of the actual sensor name. If you do not specify a mapped name, the sensor name is used within the context. For security purposes, you might not want the context administrator to know which sensors are being used by the context. Or you might want to genericize the context configuration. For example, if you want all contexts to use sensors called se...

Page 1494: ...tp://user1:passw0rd@10.1.1.1/configlets/test.cfg hostname(config-ctx)# member gold hostname(config-ctx)# context sample hostname(config-ctx)# allocate-interface gigabitethernet0/1.200 int1 hostname(config-ctx)# allocate-interface gigabitethernet0/1.212 int2 hostname(config-ctx)# allocate-interface gigabitethernet0/1.230-gigabitethernet0/1.235 int3-int8 hostname(config-ctx)# allocate-ips sensor1 ips1 hostname(co...

Page 1495: ...he ASA IPS module, you can create multiple class maps for use in the security policy. Step 2 match parameter Example: hostname(config-cmap)# match access-list ips_traffic Specifies the traffic in the class map. See the Identifying Traffic (Layer 3/4 Class Maps) section on page 1-12 for more information. Step 3 policy-map name Example: hostname(config)# policy-map ips_policy Adds or edits a policy map that set...

Page 1496: ...xt, see the Assigning Virtual Sensors to a Security Context (ASA 5510 and Higher) section on page 1-16. Use the mapped_name if configured in the context. If you do not specify a sensor name, then the traffic uses the default sensor. In multiple context mode, you can specify a default sensor for the context. In single mode, or if you do not specify a default sensor in multiple mode, the traffic uses the defau...

Page 1497: ...TFTP server that you specify can transfer files up to 60 MB in size. Note This process can take approximately 15 minutes to complete, depending on your network and the size of the image. (Software module) Copy the image to the ASA internal flash (disk0) before completing this procedure. Step 7 (Optional) ips {inline | promiscuous} {fail-close | fail-open} [sensor {sensor_name | mapped_name}] Example: hostname(config-pmap...

Page 1498: ...5 only) These network parameters are configured in ROMMON; the network parameters you configured in the module application configuration are not available to ROMMON, so you must set them separately here. (For a software module) Specify the location of the image on the local disk. You can view the recovery configuration using the show module {1 | ips} recover command. In multiple context mode, enter this comman...

Page 1499: ...module password to the default. The default password is cisco. After resetting the password, you should change it to a unique value using the module application. Resetting the module password causes the module to reboot. Services are not available while the module is rebooting. Command Purpose (For a physical module, for example the ASA 5585-X) hw-module module 1 shutdown (For a software module, for example...

Page 1500: ...module 1 password-reset (For a software module, for example the ASA 5545-X) sw-module module ips password-reset Example: hostname# hw-module module 1 password-reset Resets the module password to cisco. Command Purpose (For a physical module, for example the ASA 5585-X) hw-module module 1 reload (For a software module, for example the ASA 5545-X) sw-module module ips reload Example: hostname# hw-module module 1...

Page 1501: ...1.29 Mgmt Network Mask 255.255.224.0 Mgmt Gateway 209.165.201.30 Mgmt Access List 209.165.201.31/32 209.165.202.158/32 209.165.200.254/24 Mgmt Vlan 20 The following is sample output from the show module ips command for an ASA 5525-X with an IPS SSP software module installed: hostname# show module ips Mod Card Type Model Serial No. ips IPS 5525 Intrusion Protection System IPS5525 FCH1504V03P Mod MAC A...

Page 1502: ...sor2 is used. hostname(config)# access-list my-ips-acl permit ip any 10.1.1.0 255.255.255.0 hostname(config)# access-list my-ips-acl2 permit ip any 10.2.1.0 255.255.255.0 hostname(config)# class-map my-ips-class hostname(config-cmap)# match access-list my-ips-acl hostname(config)# class-map my-ips-class2 hostname(config-cmap)# match access-list my-ips-acl2 hostname(config-cmap)# policy-map my-ips-policy hostname...

Page 1503: ...r SSP-40 and SSP-60, you can use two SSPs of the same level in the same chassis. Mixed-level SSPs are not supported (for example, an SSP-40 with an SSP-60 is not supported). Each SSP acts as an independent device, with separate configurations and management. You can use the two SSPs as a failover pair if desired. Note When using two SSPs in the chassis, VPN is not supported; note, however, that VPN has not bee...

Page 1505: ...e lets you enforce security based on the complete context of a situation. This context includes the identity of the user (who), the application or website that the user is trying to access (what), the origin of the access attempt (where), the time of the attempted access (when), and the properties of the device used for the access (how). With the ASA CX module, you can extract the full context of a flow and enforc...

Page 1506: ...ASA, the ASA CX module might block some traffic according to its security policy, and that traffic is not passed on. 7. Outgoing VPN traffic is encrypted. 8. Traffic exits the ASA. Figure 1-1 shows the traffic flow when using the ASA CX module. In this example, the ASA CX module automatically blocks traffic that is not allowed for a certain application. All other traffic is forwarded through the ASA. Figure...

Page 1507: ...e mode, you can configure the ASA policy for sending traffic to the ASA CX module within PRSM instead of using ASDM or the ASA CLI. Using PRSM lets you consolidate management to a single management system. However, PRSM has some limitations when configuring the ASA service policy; see the ASA CX user guide for more information. Information About Authentication Proxy When the ASA CX needs to authenticate...

Page 1508: ...features, see the following guidelines for traffic that you send to the ASA CX module: Do not configure ASA inspection on HTTP traffic. Do not configure Cloud Web Security (ScanSafe) inspection. If you configure both the ASA CX action and Cloud Web Security inspection for the same traffic, the ASA only performs the ASA CX action. Other application inspections on the ASA are compatible with the ASA CX mod...

Page 1509: ...patibility/asamatrx.html Additional Guidelines and Limitations See the Compatibility with ASA Features section on page 1-4. You cannot change the software type installed on the module; if you purchase an ASA CX module, you cannot later install other software on it. Default Settings Table 1-1 lists the default settings for the ASA CX module. Configuring the ASA CX Module This section describes how to co...

Page 1510: ...initial SSH access. See the Configuring the ASA CX Management IP Address section on page 1-8. Step 3 On the ASA CX module, configure basic settings. See the Configuring Basic ASA CX Settings at the ASA CX CLI section on page 1-8. Step 4 On the ASA CX module, configure the security policy using PRSM. See the Configuring the Security Policy on the ASA CX Module Using PRSM section on page 1-10. Step 5 (Optio...

Page 1511: ...port, or use ASDM to change the management IP address so you can use SSH. If you have an inside router If you have an inside router, you can route between the management network, which can include both the ASA Management 0/0 and ASA CX Management 1/0 interfaces, and the ASA inside network for Internet access. Be sure to also add a route on the ASA to reach the Management network through the inside route...

Page 1512: ...ic ASA CX settings. See the Configuring Basic ASA CX Settings at the ASA CX CLI section on page 1-8. Configuring the ASA CX Management IP Address If you cannot use the default management IP address (192.168.8.8), then you can set the management IP address from the ASA. After you set the management IP address, you can access the ASA CX module using SSH to perform initial setup. Detailed Steps Configuring B...

Page 1513: ...t to enable DHCP for IPv4 address assignment on management interface? [y/n] [N]: N Enter an IPv4 address [192.168.8.8]: 10.89.31.65 Enter the netmask [255.255.255.0]: 255.255.255.0 Enter the gateway [192.168.8.1]: 10.89.31.1 Do you want to configure static IPv6 address on management interface? [y/n] [N]: Y Enter an IPv6 address: 2001:DB8:0:CD30::1234/64 Enter the gateway: 2001:DB8:0:CD30::1 Enter the primary DNS server IP...

Page 1514: ...ercase letter (A-Z), at least one lowercase letter (a-z), and at least one digit (0-9). Enter password: Farscape1 Confirm password: Farscape1 SUCCESS: Password changed for user admin Step 6 Enter the exit command to log out. Configuring the Security Policy on the ASA CX Module Using PRSM This section describes how to launch PRSM to configure the ASA CX module application. For details on using PRSM to configure...

Page 1515: ...ring the Authentication Proxy Port The default authentication port is 885. To change the authentication proxy port, perform the following steps. For more information about the authentication proxy, see the Information About Authentication Proxy section on page 1-3. Note You can also set the port as part of the ASDM startup wizard. See the Configuring Basic ASA CX Settings at the ASA CX CLI section on pa...

Page 1516: ...which you want to send to the ASA CX module. If you want to send multiple traffic classes to the ASA CX module, you can create multiple class maps for use in the security policy. Step 2 match parameter Example: hostname(config-cmap)# match access-list cx_traffic Specifies the traffic in the class map. See the Identifying Traffic (Layer 3/4 Class Maps) section on page 1-12 for more information. Step 3 polic...

Page 1517: ...map)# class cx_class2 If you created multiple class maps for ASA CX traffic, you can specify another class for the policy. See the Feature Matching Within a Service Policy section on page 1-3 for detailed information about how the order of classes matters within a policy map. Traffic cannot match more than one class map for the same action type. Step 7 (Optional) cxsc {fail-close | fail-open} [auth-proxy] Examp...

Page 1518: ...eset the module, enter one of the following commands at the ASA CLI. Detailed Steps Command Purpose hw-module module 1 password-reset Example: hostname# hw-module module 1 password-reset Resets the module password to Admin123 for user admin. Command Purpose hw-module module 1 reload Example: hostname# hw-module module 1 reload Reloads the module software. hw-module module 1 reset Example: hostname# hw-modul...

Page 1519: ...messages guide. ASA CX syslog messages start with message number 429001. Showing Module Status To check the status of a module, enter one of the following commands. Examples The following is sample output from the show module command for an ASA with an ASA CX SSP installed: hostname# show module Mod Card Type Model Serial No. 0 ASA 5585-X Security Services Processor-10 wi ASA5585-SSP-10 JAF1507AMKE 1 AS...

Page 1520: ...sabled: hostname# show service-policy cxsc Global policy: Service-policy: global_policy Class-map: bypass CXSC: card status Up, mode fail-open, auth-proxy disabled packet input 2626422041, packet output 2626877967, drop 0, reset-drop 0, proxied 0 The following is sample output from the show service-policy command showing the ASA CX policy and the current statistics, as well as the module status, when the authen...

Page 1521: ...SC would set the actions to Deny Source, Deny Destination, or Deny Pkt. cxsc-fail-close The packet is dropped because the card is not up and the policy configured was fail-close (rather than fail-open, which allows packets through even if the card was down). cxsc-fail The CXSC configuration was removed for an existing flow and we are not able to process it through CXSC; it will be dropped. This should be v...

Page 1522: ... in id 0x7ffed86cc470 priority 121 domain cxsc auth proxy deny false hits 0 user_data 0x7ffed86ca220 cs_id 0x0 flags 0x0 protocol 6 src ip id 0 0 0 0 mask 0 0 0 0 port 0 dst ip id 192 168 0 100 mask 255 255 255 255 port 2000 dscp 0x0 input_ifc inside output_ifc identity in id 0x7ffed86cce20 priority 121 domain cxsc auth proxy deny false hits 0 user_data 0x7ffed86ca220 cs_id 0x0 flags 0x0 protocol ...

Page 1523: ...msg DP CP EVENT QUEUE QUEUE LEN HIGH WATER Punt Event Queue 0 5 Identity Traffic Event Queue 0 0 General Event Queue 0 4 Syslog Event Queue 4 90 Non Blocking Event Queue 0 2 Midpath High Event Queue 0 53 Midpath Norm Event Queue 8074 8288 SRTP Event Queue 0 0 HA Event Queue 0 0 Threat Detection Event Queue 0 3 ARP Event Queue 0 2048 IDFW Event Queue 0 0 CXSC Event Queue 0 1 EVENT TYPE ALLOC ALLOC ...

Page 1524: ...le giving details of IP and port DP CXSC Event Sent Auth proxy tlv for adding Auth Proxy on interface inside4 DP CXSC Event Sent Auth proxy tlv for adding Auth Proxy on interface cx_inside DP CXSC Event Sent Auth proxy tlv for adding Auth Proxy on interface cx_outside When the interface IP address is changed auth proxy tlv updates are sent to CXSC DP CXSC Event Sent Auth proxy tlv for removing Aut...

Page 1525: ...Agent for Windows 2 4 1012 CXSC Event anyconnect data len 0 Problems with the Authentication Proxy If you are having a problem using the authentication proxy feature follow these steps to troubleshoot your configuration and connections 1 Check your configurations On the ASA check the output of the show asp table classify domain cxsc auth proxy command and make sure there are rules installed and th...

Page 1526: ...config access list ASACX permit tcp any any eq port 80 hostname config class map my cx class hostname config cmap match access list ASACX hostname config cmap policy map my cx policy hostname config pmap class my cx class hostname config pmap c cxsc fail close auth proxy hostname config pmap c service policy my cx policy global The following example diverts all IP traffic destined for the 10 1 1 0...

Page 1527: ...e the time of the attempted access when and the properties of the device used for the access how With the ASA CX module you can extract the full context of a flow and enforce granular policies such as permitting access to Facebook but denying access to games on Facebook or permitting finance employees access to a sensitive enterprise database but denying the same to other employees We introduced o...

Page 1528: ...1 24 Cisco ASA Series CLI Configuration Guide Chapter 1 Configuring the ASA CX Module Feature History for the ASA CX Module ...

Page 1529: ...Information About the CSC SSM Some ASA models support the CSC SSM which runs Content Security and Control software The CSC SSM provides protection against viruses spyware spam and other unwanted traffic by scanning the FTP HTTP HTTPS POP3 and SMTP packets that you configure the ASA to send to it For more information about the CSC SSM see the following URL http www cisco com en US products ps6823 i...

Page 1530: ...SM management port Because these two connections are required to manage the CSC SSM any host running ASDM must be able to reach the IP address of both the ASA management port and the SSM management port Figure 1 2 shows an ASA with a CSC SSM that is connected to a dedicated management network While use of a dedicated management network is not required we recommend it In this configuration the foll...

Page 1531: ...to receive POP3 e mail do not configure the ASA to divert POP3 traffic to the CSC SSM Instead block this traffic To maximize performance of the ASA and the CSC SSM divert only the traffic to the CSC SSM that you want the CSC SSM to scan Diverting traffic that you do not want scanned such as traffic between a trusted source and destination can adversely affect network performance Note When traffic ...

Page 1532: ...raffic Selection for CSC Scans In the inside policy the first class inside class1 ensures that the ASA does not scan HTTP traffic between the inside network and the DMZ network The Match column indicates this setting by displaying the Do not match icon This setting does not mean the ASA blocks traffic sent from the 192 168 10 0 network to TCP port 80 on the 192 168 20 0 network Instead this settin...

Page 1533: ...allow management and automatic updates of the CSC SSM software The CSC SSM management port IP address must be accessible by the hosts used to run ASDM You must obtain the following information to use in configuring the CSC SSM The CSC SSM management port IP address netmask and gateway IP address DNS server IP address HTTP proxy server IP address needed only if your security policies require the us...

Page 1534: ... The CSC SSM does not maintain connection information and therefore cannot provide the failover unit with the required information The connections that a CSC SSM is scanning are dropped when the ASA in which the CSC SSM is installed fails When the standby ASA becomes active it forwards the scanned traffic to the CSC SSM and the connections are reset IPv6 Guidelines Does not support IPv6 Model Guid...

Page 1535: ...at the following URL http www cisco com go license After you register you receive activation keys by e mail The activation keys are required before you can complete Step 6 Step 3 Obtain the following information for use in Step 6 Activation keys CSC SSM management port IP address netmask and gateway IP address DNS server IP address HTTP proxy server IP address needed only if your security policies...

Page 1536: ...only from untrusted sources Step 11 To reduce the load on the CSC SSM configure the service policy rules that send packets to the CSC SSM to support only HTTP HTTPS SMTP POP3 or FTP traffic Step 12 Optional Review the default content security policies in the CSC SSM GUI which are suitable for most implementations You review the content security policies by viewing the enabled features in the CSC S...

Page 1537: ...nect to an alternate IP address or hostname on the SSM click Other IP Address or Hostname Step 3 Enter the port number in the Port field and then click Continue Step 4 In the CSC Password field type your CSC password and then click OK Note If you have not completed the CSC Setup Wizard choose Configuration Trend Micro Content Security CSC Setup Wizard Setup complete the configuration in the CSC Se...

Page 1538: ...rmining What Traffic to Scan section on page 1 3 Step 2 class map class_map_name Example hostname config class map class_map_name Creates a class map to identify the traffic that should be diverted to the CSC SSM The class_map_name argument is the name of the traffic class When you enter the class map command the CLI enters class map configuration mode Step 3 match access list acl name Example hos...

Page 1539: ...individual clients can open If a client uses more network resources simultaneously than is desired you can enforce a per client limit for simultaneous connections that the ASA diverts to the CSC SSM The n argument is the maximum number of simultaneous connections that the ASA allows per client This command prevents a single client from abusing the services of the CSC SSM or any server protected by...

Page 1540: ...her limit the traffic selected by the class maps of CSC SSM service policies we recommend using access lists that match the following HTTP HTTPS connections to outside networks FTP connections from clients inside the ASA to servers outside the ASA POP3 connections from clients inside the ASA to servers outside the ASA Incoming SMTP connections destined to inside mail servers The fail close and fai...

Page 1541: ...hostname show module 1 details Getting details from the Service Module please wait ASA 5500 Series Security Services Module 20 Model ASA SSM 20 Hardware version 1 0 Serial Number JAF10333331 Firmware version 1 0 10 0 Software version Trend Micro InterScan Security Module Version 6 2 App name Trend Micro InterScan Security Module App version Version 6 2 Data plane Status Up Status Up HTTP Service U...

Page 1542: ...tting the Module page 1 16 Shutting Down the Module page 1 17 Note This section covers all ASA module types follow the steps appropriate for your module Installing an Image on the Module If the module suffers a failure and the module application image cannot run you can reinstall a new image on the module from a TFTP server Note Do not use the upgrade command within the module software to install ...

Page 1543: ...interface IP address and netmask gateway address and VLAN ID ASA 5505 only These network parameters are configured in ROMMON the network parameters you configured in the module application configuration are not available to ROMMON so you must set them separately here You can view the recovery configuration using the show module 1 recover command In multiple context mode enter this command in the s...

Page 1544: ... cisco The 1 is the specified slot number on the SSM hardware module On the CSC SSM entering this command resets web services on the hardware module after the password has been reset You may lose connection to ASDM or be logged out of the hardware module The CSC SSM supports this command in the most recent version of 6 3 dated January 2010 and in later versions Note Make sure that the SSM hardware...

Page 1545: ...c_in_policy is applied to the outside interface and uses the csc_in access list to ensure that requests for SMTP and HTTP originating on the outside interface and destined for the DMZ network are scanned by the CSC SSM Scanning HTTP requests protects the web server from HTTP file uploads hostname config access list csc_out permit tcp 192 168 10 0 255 255 255 0 any eq 21 hostname config access list...

Page 1546: ...5 201 7 255 255 255 255 eq 80 The following example shows how to use the access list on the service policy applied to the outside interface hostname config access list csc_in permit tcp any 192 168 20 0 255 255 255 0 eq 25 The following example shows how to add an ACE to the csc_in access list to use the CSC SSM to protect the web server on a DMZ network from infected files uploaded by HTTP from e...

Page 1547: ...html Related Topic Document Title Table 1 2 Feature History for the CSC SSM Feature Name Platform Releases Feature Information CSC SSM 7 0 1 The CSC SSM runs Content Security and Control software which provides protection against viruses spyware spam and other unwanted traffic We introduced the following commands csc fail close fail open hw module module 1 recover reload reset shutdown session sho...

Page 1548: ...1 20 Cisco ASA Series CLI Configuration Guide Chapter 1 Configuring the ASA CSC Module Feature History for the CSC SSM ...

Page 1549: ...PART 2 Configuring VPN ...


Page 1551: ...Configuring IPsec page 1 18 Clearing Security Associations page 1 38 Clearing Crypto Map Configurations page 1 39 Supporting the Nokia VPN Client page 1 39 Information About Tunneling IPsec and ISAKMP Tunneling makes it possible to use a public TCP IP network such as the Internet to create secure connections between remote users and a private corporate network Each secure connection is called a tu...

Page 1552: ... SA parameters To establish a connection both entities must agree on the SAs Configuration for site to site tasks is performed in both single context mode and multiple context mode Note Multiple context mode only applies to IKEv2 and IKEv1 site to site and does not apply to AnyConnect clientless SSL VPN the legacy Cisco VPN client the Apple native VPN client the Microsoft native VPN client or cTCP...

Page 1553: ...ss IPsec VPNs The following table shows the licensing requirements for this feature Model License Requirement1 ASA 5505 IPsec remote access VPN using IKEv2 use one of the following AnyConnect Premium license Base license and Security Plus license 2 sessions Optional permanent or time based licenses 10 or 25 sessions Shared licenses are not supported 2 AnyConnect Essentials license3 25 sessions IPs...

Page 1554: ...e 2 sessions Optional permanent or time based licenses 10 25 50 100 250 500 750 1000 or 2500 sessions Optional Shared licenses2 Participant or Server For the Server license 500 50 000 in increments of 500 and 50 000 545 000 in increments of 1000 AnyConnect Essentials license3 2500 sessions IPsec remote access VPN using IKEv1 and IPsec site to site VPN using IKEv1 or IKEv2 Base license 2500 session...

Page 1555: ...ents of 1000 AnyConnect Essentials license3 250 sessions IPsec remote access VPN using IKEv1 and IPsec site to site VPN using IKEv1 or IKEv2 Base license 250 sessions ASA 5515 X IPsec remote access VPN using IKEv2 use one of the following AnyConnect Premium license Base license 2 sessions Optional permanent or time based licenses 10 25 50 100 or 250 sessions Optional Shared licenses2 Participant o...

Page 1556: ... 2 sessions Optional permanent or time based licenses 10 25 50 100 250 500 750 1000 2500 or 5000 sessions Optional Shared licenses2 Participant or Server For the Server license 500 50 000 in increments of 500 and 50 000 545 000 in increments of 1000 AnyConnect Essentials license3 5000 sessions IPsec remote access VPN using IKEv1 and IPsec site to site VPN using IKEv1 or IKEv2 Base license 5000 ses...

Page 1557: ...sessions is 10 for the Base license and 25 for the Security Plus license 2 A shared license lets the ASA act as a shared license server for multiple client ASAs The shared license pool is large but the maximum number of sessions used by each individual ASA cannot exceed the maximum number listed for permanent licenses 3 The AnyConnect Essentials license enables AnyConnect VPN client access to the ...

Page 1558: ...figuring IKEv1 and IKEv2 Policies page 1 8 Enabling IKE on the Outside Interface page 1 12 Disabling IKEv1 Aggressive Mode page 1 13 Determining an ID Method for IKEv1 and IKEv2 ISAKMP Peers page 1 13 Enabling IPsec over NAT T page 1 14 Enabling IPsec with IKEv1 over TCP page 1 15 Waiting for Active Sessions to Terminate Before Rebooting page 1 16 Alerting Peers Before Disconnecting page 1 16 Conf...

Page 1559: ...ly difficult attack against MD5 has occurred however the HMAC variant IKE uses prevents this attack group 1 Group 1 768 bit Specifies the Diffie Hellman group identifier which the two IPsec peers use to derive a shared secret without transmitting it to each other The lower the Diffie Hellman group number the less CPU time it requires to execute The higher the Diffie Hellman group number the greate...

Page 1560: ...orithm options to use for IKEv2 encryption The Advanced Encryption Standard supports key lengths of 128 192 256 bits policy_index Accesses the IKEv2 policy sub mode prf sha default SHA 1 HMAC variant Specifies the pseudo random function PRF the algorithm used to generate keying material md5 MD5 HMAC variant The default is SHA 1 MD5 has a smaller digest and is considered to be slightly faster than ...

Page 1561: ...ing with a peer that supports only one of the values for a parameter your choice is limited to that value Note New ASA configurations do not have a default IKEv1 or IKEv2 policy To configure IKE policies in global configuration mode use the crypto ikev1 ikev2 policy priority command to enter IKE policy configuration mode You must include the priority in each of the ISAKMP commands The priority num...

Page 1562: ...efault is preshared keys This example configures RSA signatures authentication pre share crack rsa sig For example hostname config ikev1 policy authentication rsa sig Step 5 Specify the Diffie Hellman group identifier The default is Group 2 This example configures Group 5 group 1 2 5 For example hostname config ikev1 policy group 5 Step 6 Specify the SA lifetime This example sets a lifetime of 4 ...

Page 1563: ...le Note Disabling aggressive mode prevents Cisco VPN clients from using preshared key authentication to establish tunnels to the ASA However they may use certificate based authentication that is ASA or RSA to establish tunnels Determining an ID Method for IKEv1 and IKEv2 ISAKMP Peers During ISAKMP Phase I negotiations either IKEv1 or IKEv2 the peers must identify themselves to each other You can c...

Page 1564: ... Note When IPsec over TCP is enabled it takes precedence over all other connection methods When you enable NAT T the ASA automatically opens port 4500 on all IPsec enabled interfaces The ASA supports multiple IPsec peers behind a single NAT PAT device operating in one of the following networks but not both LAN to LAN Remote access In a mixed environment the remote access tunnels fail the negotiati...

Page 1565: ...ables secure tunneling through both NAT and PAT devices and firewalls This feature is disabled by default Note This feature does not work with proxy based firewalls IPsec over TCP works with remote access clients You enable it globally and it works on all IKEv1 enabled interfaces It is a client to the ASA feature only It does not work for LAN to LAN connections The ASA can simultaneously support s...

Page 1566: ...ix Alerting Peers Before Disconnecting Remote access or LAN to LAN sessions can drop for several reasons such as an ASA shutdown or reboot session idle timeout maximum connection time exceeded or administrator cut off The ASA can notify qualified peers in LAN to LAN configurations Cisco VPN clients and VPN 3002 hardware clients of sessions that are about to be disconnected The peer or client recei...

Page 1567: ...les by which certificate based ISAKMP sessions map to tunnel groups and to associate the certificate map entries with tunnel groups enter the tunnel group map command in either single or multiple context mode The syntax follows tunnel group map enable rules ou ike id peer ip tunnel group map rule index enable policy Be aware of the following You can invoke this command multiple times as long as ea...

Page 1568: ...ess of the peer hostname config tunnel group map enable peer ip hostname config The following example enables mapping of certificate based ISAKMP sessions based on the organizational unit OU in the subject distinguished name DN hostname config tunnel group map enable ou hostname config The following example enables mapping of certificate based ISAKMP sessions based on established rules hostname co...

Page 1569: ...r proposal to create an SA that protects data flows in the access list for that crypto map With IKEv1 transform sets you set one value for each parameter For IKEv2 proposals you can configure multiple encryption and authentication types and multiple integrity algorithms for a single proposal The ASA orders the settings from the most secure to the least secure and negotiates with the peer using tha...

Page 1570: ...with the crypto map with the lowest sequence number no crypto map map_name map_index set pfs group1 group2 group5 group14 group19 group20 group21 group24 Specifies the ECDH group used for Perfect Forward Secrecy PFS for the cryptography map Prevents you from configuring group14 and group24 options for a cryptography map when using an IKEv1 policy no crypto map name priority set validate icmp errors...

Page 1571: ...ed in establishing an SA they must have at least one compatible crypto map To be compatible a crypto map must meet the following criteria The crypto map must contain compatible crypto ACLs for example mirror image ACLs If the responding peer uses dynamic crypto maps so the ASA also must contain compatible crypto ACLs as a requirement to apply IPsec Each crypto map identifies the other peer unless ...

Page 1572: ...prevent the establishment of a Phase 2 SA Note To route inbound unencrypted traffic as clear text insert deny ACEs before permit ACEs Figure 1 1 shows an example LAN to LAN network of ASAs Table 1 3 Special Meanings of Permit and Deny in Crypto Access Lists Applied to Outbound Traffic Result of Crypto Map Evaluation Response Match criterion in an ACE containing a permit statement Halt further eval...

Page 1573: ...aps one for traffic from Host A 3 and the other for traffic from the other hosts in Network A as shown in the following example Crypto Map Seq_No_1 deny packets from A 3 to B deny packets from A 3 to C permit packets from A to B permit packets from A to C Crypto Map Seq_No_2 permit packets from A 3 to B permit packets from A 3 to C After creating the ACLs you assign a transform set to each crypto ...

Page 1574: ...set Gap in a straight line Exit from a crypto map when a packet matches an ACE Packet that fits the description of one ACE Each size ball represents a different packet matching the respective ACE in the figure The differences in size merely represent differences in the source and destination of each packet Redirection to the next crypto map in the crypto map set Response when a packet either match...

Page 1575: ...uation against the next crypto map as determined by the sequence number assigned to it So in the example if Security Appliance A receives a packet from Host A 3 it matches the packet to a deny ACE in the first crypto map and resumes evaluation of the packet against the next crypto map When it matches the packet to the permit ACE in that crypto map it applies the associated IPsec security strong en...

Page 1576: ...rypto maps configured for all three ASAs in Figure 1 1 Figure 1 3 maps the conceptual addresses shown in Figure 1 1 to real IP addresses Figure 1 3 Effect of Permit and Deny ACEs on Traffic Real Addresses Table 1 4 Example Permit and Deny Statements Conceptual Security Appliance A Security Appliance B Security Appliance C Crypto Map Sequence No ACE Pattern Crypto Map Sequence No ACE Pattern Crypto...

Page 1577: ...strator to choose the Suite B ECDSA algorithms when generating or zeroing a keypair Prerequisites If you are configuring a cryptography map to use an RSA or ECDSA trustpoint for authentication you must first generate the key set You can then create the trustpoint and reference it in the tunnel group configuration Restrictions The 4096 bit RSA keys are only supported on the 5580 5585 or later platf...

Page 1578: ...ool of cryptographic cores perform the following steps Limitations Cryptographic core rebalancing is available on the following platforms 5585 5580 5545 5555 ASA SM The large modulus operation is only available for 5510 5520 5540 and 5550 platforms Detailed Steps Step 1 Configure the pool of cryptographic cores specifying one of three mutually exclusive options balanced Equally distributes cryptog...

Page 1579: ...unnel Access lists define which IP traffic to protect For example you can create access lists to protect all IP traffic between two subnets or two hosts These access lists are similar to access lists used with the access group command However with the access group command the access list determines which traffic to forward or block at an interface Before the assignment to crypto maps the access li...

Page 1580: ...cess list the ASA also removes the associated crypto map If you modify an access list currently referenced by one or more crypto maps use the crypto map interface command to reinitialize the run time SA database See the crypto map command for more information We recommend that for every crypto access list specified for a static crypto map that you define at the local peer you define a mirror image...

Page 1581: ...s VPN using the no sysopt permit command in conjunction with an access control list ACL on the outside interface are not successful In this situation when management access inside is enabled the ACL is not applied and users can still connect using SSH to the security appliance Traffic to hosts on the inside network is blocked correctly by the ACL but the ACL cannot block decrypted through traffic to the ...

Page 1582: ...ed by crypto Step 2 To configure an IKEv1 transform set that defines how to protect the traffic enter the following command crypto ipsec ikev1 transform set transform set name encryption authentication Encryption specifies which encryption method protects IPsec data flows esp aes Uses AES with a 128 bit key esp aes 192 Uses AES with a 192 bit key esp aes 256 Uses AES with a 256 bit key esp des Use...

Page 1583: ...n on the newer ASA platforms and not 5505 5510 5520 5540 or 5550 Step 3 Optional An administrator can enable path maximum transfer unit PMTU aging and set the interval at which the PMTU value is reset to its original value hostname config ipsec proposal no crypto ipsec security association pmtu aging reset interval Step 4 To create a crypto map perform the following site to site steps using either...

Page 1584: ... map map name seq num set security association lifetime seconds seconds kilobytes kilobytes Map name specifies the name of the crypto map set Seq num specifies the number you assign to the crypto map entry For example crypto map mymap 10 set security association lifetime seconds 2700 This example shortens the timed lifetime for the crypto map mymap 10 to 2700 seconds 45 minutes The traffic volume ...

Page 1585: ...e A dynamic crypto map requires only the transform set parameter Dynamic crypto maps can ease IPsec configuration and we recommend them for use in networks where the peers are not always predetermined Use dynamic crypto maps for Cisco VPN clients such as mobile users and routers that obtain dynamically assigned IP addresses Tip Use care when using the any keyword in permit entries in dynamic crypt...

Page 1586: ... crypto map dyn1 The map sequence number is 10 Step 2 Specify which IKEv1 transform sets or IKEv2 proposals are allowed for this dynamic crypto map List multiple transform sets or proposals in order of priority highest priority first using the command for IKEv1 transform sets or IKEv2 proposals crypto dynamic map dynamic map name dynamic seq num set ikev1 transform set transform set name1 transfor...

Page 1587: ...iority entries highest sequence numbers in a crypto map set crypto map map name seq num ipsec isakmp dynamic dynamic map name Map name specifies the name of the crypto map set Dynamic map name specifies the name of the crypto map entry that refers to a pre existing dynamic crypto map For example crypto map mymap 200 ipsec isakmp dynamic dyn1 Providing Site to Site Redundancy You can define multipl...

Page 1588: ...complete ISAKMP configuration show running config crypto map Displays the complete crypto map configuration show running config crypto dynamic map Displays the dynamic crypto map configuration show all crypto map Displays all of the configuration parameters including those with default values show crypto ikev2 sa detail Shows the Suite B algorithm support in the Encryption statistics show crypto i...

Page 1589: ...rts connections from Nokia VPN clients on Nokia 92xx Communicator series phones using the Challenge Response for Authenticated Cryptographic Keys CRACK protocol CRACK is ideal for mobile IPsec enabled clients that use legacy authentication techniques instead of digital certificates It provides mutual authentication when the client uses a legacy based secret key authentication technique such as RAD...

Page 1590: ...VPNCA hostname config crypto ca trustpoint CompanyVPNCA hostname config ca trustpoint fqdn none Step 2 To configure the identity of the ISAKMP peer perform one of the following steps Use the crypto isakmp identity command with the hostname keyword For example hostname config crypto isakmp identity hostname Use the crypto isakmp identity command with the auto keyword to configure the identity to be...

Page 1591: ... 1 Configuring IPsec and ISAKMP Supporting the Nokia VPN Client To learn more about the Nokia services required to support the CRACK protocol on Nokia clients and to ensure they are installed and configured properly contact your local Nokia representative ...

Page 1592: ...1 42 Cisco ASA Series CLI Configuration Guide Chapter 1 Configuring IPsec and ISAKMP Supporting the Nokia VPN Client ...

Page 1593: ...NAS or an endpoint device with a bundled L2TP client such as Microsoft Windows Apple iPhone or Android The primary benefit of configuring L2TP with IPsec IKEv1 in a remote access scenario is that remote users can access a VPN over a public IP network without a gateway or a dedicated line which enables remote access from virtually anyplace with POTS An additional benefit is that no additional clien...

Page 1594: ...he true source and destination of the tunneled packets even if they are the same as the tunnel endpoints However the Windows L2TP IPsec client uses IPsec transport mode only the IP payload is encrypted and the original IP headers are left intact This mode has the advantages of adding only a few bytes to each packet and allowing devices on the public network to see the final source and destination ...

Page 1595: ...ng AnyConnect Premium license Base and Security Plus license 2 sessions Optional permanent or time based licenses 10 25 50 100 or 250 sessions Optional Shared licenses2 Participant or Server For the Server license 500 50 000 in increments of 500 and 50 000 545 000 in increments of 1000 AnyConnect Essentials license3 250 sessions IPsec remote access VPN using IKEv1 and IPsec site to site VPN using ...

Page 1596: ...essions Optional permanent or time based licenses 10 25 50 100 250 500 750 1000 2500 or 5000 sessions Optional Shared licenses2 Participant or Server For the Server license 500 50 000 in increments of 500 and 50 000 545 000 in increments of 1000 AnyConnect Essentials license3 5000 sessions IPsec remote access VPN using IKEv1 and IPsec site to site VPN using IKEv1 or IKEv2 Base license 5000 session...

Page 1597: ...ials license3 250 sessions IPsec remote access VPN using IKEv1 and IPsec site to site VPN using IKEv1 or IKEv2 Base license 250 sessions ASA 5525 X IPsec remote access VPN using IKEv2 use one of the following AnyConnect Premium license Base license 2 sessions Optional permanent or time based licenses 10 25 50 100 250 500 or 750 sessions Optional Shared licenses2 Participant or Server For the Serve...

Page 1598: ...Essentials license3 5000 sessions IPsec remote access VPN using IKEv1 and IPsec site to site VPN using IKEv1 or IKEv2 Base license 5000 sessions ASA 5585 X with SSP 10 IPsec remote access VPN using IKEv2 use one of the following AnyConnect Premium license Base license 2 sessions Optional permanent or time based licenses 10 25 50 100 250 500 750 1000 2500 or 5000 sessions Optional Shared licenses2 ...

Page 1599: ...5 for the Security Plus license 2 A shared license lets the ASA act as a shared license server for multiple client ASAs The shared license pool is large but the maximum number of sessions used by each individual ASA cannot exceed the maximum number listed for permanent licenses 3 The AnyConnect Essentials license enables AnyConnect VPN client access to the ASA This license does not support browser...

Page 1600: ...the IP address of your endpoint from the ASA Make sure that UDP port 1701 is not blocked anywhere along the path of the connection If a Windows 7 endpoint device authenticates using a certificate that specifies a SHA signature type the signature type must match that of the ASA either SHA1 or SHA2 Guidelines and Limitations This section includes the guidelines and limitations for this feature Conte...

Page 1601: ...S PAP CHAP MSCHAPv1 MSCHAPv2 EAP Proxy TACACS PAP CHAP MSCHAPv1 LDAP PAP NT PAP Kerberos PAP SDI SDI Table 1 1 PPP Authentication Type Characteristics Keyword Authentication Type Characteristics chap CHAP In response to the server challenge the client returns the encrypted challenge plus password with a cleartext username This protocol is more secure than PAP but it does not encrypt data eap p...

Page 1602: ...the vpn tunneling protocol Step 4 dns value none IP_primary IP_secondary Example hostname config group policy DfltGrpPolicy attributes hostname config group policy dns value 209 165 201 1 209 165 201 2 Optional Instructs the adaptive security appliance to send DNS server IP addresses to the client for the group policy Step 5 wins server value none IP_primary IP_secondary Example hostname config gr...

Page 1603: ...hentication and you want to fall back to local authentication add LOCAL to the end of the command Step 11 authentication auth_type Example hostname config tunnel group name ppp attributes hostname config ppp authentication ms chap v1 Specifies the PPP authentication protocol for the tunnel group See Table 1 1 for the types of PPP authentication and their characteristics Step 12 tunnel group tunnel gr...

Page 1604: ...efaultRAGroup general attributes hostname config tunnel general strip group hostname config tunnel general strip realm Optional Configures tunnel group switching The goal of tunnel group switching is to give users a better chance at establishing a VPN connection when they authenticate using a proxy authentication server Tunnel group is synonymous with connection profile Step 17 username name passw...

Page 1605: ...t of the show run crypto isakmp command Step 3 authentication Example hostname config isakmp policy authentication pre share Sets the authentication method the ASA uses to establish the identity of each IPsec peer to use preshared keys Step 4 encryption type Example hostname config isakmp policy encryption 3des aes aes 256 Choose a symmetric encryption method that protects data transmitted between...

Page 1606: ...ocol Step 4 dns value none IP_primary IP_secondary Example hostname config group policy DfltGrpPolicy attributes hostname config group policy dns value 209 165 201 1 209 165 201 2 Optional Instructs the adaptive security appliance to send DNS server IP addresses to the client for the group policy Step 5 wins server value none IP_primary IP_secondary Example hostname config group policy DfltGrpPoli...

Page 1607: ...ck to local authentication add LOCAL to the end of the command Step 11 authentication auth_type Example hostname config tunnel group name ppp attributes hostname config ppp authentication ms chap v1 Specifies the PPP authentication protocol for the tunnel group See Table 1 1 for the types of PPP authentication and their characteristics Step 12 tunnel group tunnel group name ipsec attributes Example ...

Page 1608: ...neral strip group hostname config tunnel general strip realm Optional Configures tunnel group switching The goal of tunnel group switching is to give users a better chance at establishing a VPN connection when they authenticate using a proxy authentication server Tunnel group is synonymous with connection profile Step 17 username name password password mschap Example asa2 config username jdoe pass...

Page 1609: ...mber hostname config ikev1 policy Allows you to configure an IKE policy The number argument specifies the number of the IKE policy you are configuring This number was listed in the output of the show run crypto ikev1 command Step 3 authentication Example hostname config ikev1 policy authentication pre share Sets the authentication method the ASA uses to establish the identity of each IPsec peer to...

Page 1610: ...ng example shows configuration file commands that ensure ASA compatibility with a native VPN client on any operating system ip local pool sales_addresses 209 165 202 129 209 165 202 158 group policy sales_policy internal group policy sales_policy attributes wins server value 209 165 201 3 209 165 201 4 dns server value 209 165 201 1 209 165 201 2 vpn tunnel protocol l2tp ipsec tunnel group Default...

Page 1611: ...ngle platform The primary benefit of configuring L2TP over IPsec in a remote access scenario is that remote users can access a VPN over a public IP network without a gateway or a dedicated line which enables remote access from virtually anyplace with POTS An additional benefit is that the only client requirement for VPN access is the use of Windows with Microsoft Dial Up Networking DUN No addition...

Page 1612: ...1 20 Cisco ASA Series CLI Configuration Guide Chapter 1 Configuring L2TP over IPsec Feature History for L2TP over IPsec ...

Page 1613: ...r SVC 1 x unless clientless browser based SSL VPN is specified Configuring VPNs in Single Routed Mode VPNs work only in single routed mode VPN functionality is unavailable in configurations that include either security contexts also referred to as multimode firewall or Active Active stateful failover The exception to this caveat is that you can configure and use one connection for administrative p...

Page 1614: ...ypted through traffic to the inside interface is not blocked The ssh and http commands are of a higher priority than the ACLs In other words to deny SSH Telnet or ICMP traffic to the box from the VPN session use ssh telnet and icmp commands Permitting Intra Interface Traffic Hairpinning The ASA includes a feature that lets a VPN client send IPsec protected traffic to another VPN user by allowing s...

Page 1615: ...ig ip local pool clientpool 192 168 0 10 192 168 0 100 hostname config object network vpn_nat hostname config network object subnet 192 168 0 0 255 255 255 0 hostname config network object nat outside outside interface When the ASA sends encrypted VPN traffic back out this same interface however NAT is optional The VPN to VPN hairpinning works with or without NAT To apply NAT to all outgoing traff...

Page 1616: ... software version on the list of revision numbers it does not need to update its software If the client is not running a software version on the list it should update The following procedure explains how to perform a client update Step 1 In global configuration mode enable client update by entering this command hostname config client update enable hostname config Step 2 In global configuration mod...

Page 1617: ... url tftp 192 168 1 1 rev nums 4 7 hostname config tunnel ipsec Note You can have the browser automatically start an application by including the application name at the end of the URL for example https support updates vpnclient exe Step 3 Define a set of client update parameters for a particular ipsec ra tunnel group In tunnel group ipsec attributes mode specify the tunnel group name and its type...

Page 1618: ...a way to translate the VPN client s assigned IP address on the internal protected network to its public source IP address This feature supports the scenario where the target servers services on the internal network and network security policy require communication with the VPN client s public source IP instead of the assigned IP on the internal corporate network You can enable this feature on one ...

Page 1619: ...up together logically two or more devices on the same private LAN to LAN network private subnet and public subnet into a virtual cluster All devices in the virtual cluster carry session loads Load balancing directs session traffic to the least loaded device in the cluster which distributes the load among all devices It makes efficient use of system resources and provides increased performance and ...

Page 1620: ...er carry session loads Load balancing directs traffic to the least loaded device in the cluster distributing the load among all devices It makes efficient use of system resources and provides increased performance and high availability Failover A failover configuration requires two identical ASAs connected to each other through a dedicated failover link and optionally a stateful failover link The ...

Page 1621: ...the virtual cluster IP address refers You can use the interface and nameif commands to configure different names for these interfaces Subsequent references in this section use the names outside and inside All devices that participate in a cluster must share the same cluster specific values IP address encryption settings encryption key and port Eligible Platforms A load balancing cluster can includ...

Page 1622: ... or a mixture of these subject to the following restrictions Load balancing clusters that consist of same release ASAs or all VPN 3000 concentrators can run load balancing for a mixture of IPsec AnyConnect and clientless SSL VPN sessions Load balancing clusters that consist of both same release ASAs and VPN 3000 concentrators can run load balancing for a mixture of IPsec AnyConnect and clientless ...

Page 1623: ...ease 7 1 1 software is the initial cluster master and then that device fails Another device in the cluster takes over automatically as master and applies its own load balancing algorithm to determine processor loads within the cluster A cluster master running ASA Release 7 1 1 software cannot weight session loads in any way other than what that software provides Therefore it cannot assign a combin...

Page 1624: ... load balancing interface lbpublic outside hostname config load balancing Step 2 Configure the private interface on the ASA by entering the interface command with the lbprivate keyword in vpn load balancing configuration mode This command specifies the name or IP address of the private interface for load balancing for this device hostname config load balancing interface lbprivate inside hostname c...

Page 1625: ...v6 address hostname config load balancing cluster ip address ip_address hostname config load balancing For example to set the cluster IP address to IPv6 address 2001 DB8 1 enter the following command hostname config load balancing cluster ip address 2001 DB8 1 hostname config load balancing Step 3 Configure the cluster port This command specifies the UDP port for the virtual cluster in which this ...

Page 1626: ...llowing command hostname config load balancing cluster key 123456789 hostname config load balancing Step 6 Enable this device s participation in the cluster by entering the participate command hostname config load balancing participate hostname config load balancing Enabling Redirection Using a Fully Qualified Domain Name To enable or disable redirection using a fully qualified domain name in vpn ...

Page 1627: ...s test and the private interface of the cluster as foo hostname config interface GigabitEthernet 0 1 hostname config if ip address 209 165 202 159 255 255 255 0 hostname config nameif test hostname config interface GigabitEthernet 0 2 hostname config if ip address 209 165 201 30 255 255 255 0 hostname config nameif foo hostname config vpn load balancing hostname config load balancing nat 192 168 1...

Page 1628: ...00 user license can we now support 300 simultaneous sessions A With VPN load balancing all devices are active so the maximum number of sessions that your cluster can support is the total of the number of sessions for each of the devices in the cluster in this case 300 Viewing Load Balancing The load balancing cluster master receives a periodic message from each ASA in the cluster with the number o...

Page 1629: ...B RAM CPU Pentium 4 Celeron 1600 MHz Internal ATA Compact Flash 256MB BIOS Flash M50FW080 0xfff00000 1024KB Encryption hardware device Cisco ASA 55x0 on board accelerator revision 0x0 Boot microcode CN1000 MC BOOT 2 00 SSL IKE microcode CNLite MC SSLm PLUS 2 03 IPsec microcode CNlite MC IPSECm MAIN 2 06 Number of accelerators 1 0 Ext Ethernet0 0 address is 001e f75e 8b84 irq 9 1 Ext Ethernet0 1 ad...

Page 1630: ... configuration mode For example if the ASA license allows 750 IPsec sessions and you want to limit the number of IPsec sessions to 500 enter the following command hostname config vpn sessiondb max other vpn limit 500 hostname config To remove the session limit use the no version of this command hostname config no vpn sessiondb max other vpn limit 500 hostname config For a complete description of t...

Page 1631: ...onfiguring the pool of cryptographic cores in either single or multiple context mode Note Multiple context mode only applies to IKEv2 and IKEv1 site to site but does not apply to AnyConnect clientless SSL VPN the legacy Cisco VPN client the Apple native VPN client the Microsoft native VPN client or the cTCP for IKEv1 IPsec Limitations Cryptographic core rebalancing is available on the following pl...

Page 1632: ...570 Bytes Rx 8085 Group Policy GroupPolicy_SSLACCLIENT Tunnel Group SSLACCLIENT Login Time 15 17 12 UTC Mon Oct 22 2012 Duration 0h 00m 09s Inactivity 0h 00m 00s NAC Result Unknown VLAN Mapping N A VLAN none Example 1 2 Output from show vpn sessiondb anyconnect filter a ipversion v4 v6 command hostname config show vpn sessiondb anyconnect filter a ipversion v6 Session Type AnyConnect Username user...

Page 1633: ...siondb webvpn filter ipversion v4 v6 command hostname sh vpn sessiondb webvpn filter ipversion v4 Session Type WebVPN Username user1 Index 63 Public IP 171 16 17 6 Protocol Clientless License AnyConnect Premium Encryption Clientless 1 RC4 Hashing Clientless 1 SHA1 Bytes Tx 62454 Bytes Rx 13082 Group Policy SSLv6 Tunnel Group SSL_IPv6 Login Time 18 07 48 UTC Mon Oct 22 2012 Duration 0h 00m 16s Inac...

Page 1634: ...ameters Viewing Active VPN Sessions Command Purpose show vpn sessiondb l2l filter ipversion v4 v6 This command shows active lan to lan VPN sessions filtered by the connection s public IPv4 or IPv6 address The public address is the address assigned to the endpoint by the enterprise ...

Page 1635: ... of users treated as a single entity Users get their attributes from group policies A connection profile identifies the group policy for a specific connection If you do not assign a particular group policy to a user the default group policy for the connection applies Note You configure connection profiles using tunnel group commands In this chapter the terms connection profile and tunnel group are...

Page 1636: ... DAP record so the security appliance moves down to the AAA attribute in the username and if necessary the group policy to find a value to apply The ASA clientless SSL VPN configuration supports only one http proxy and one https proxy command each We recommend that you use ASDM to configure DAP Connection Profiles A connection profile consists of a set of records that determines tunnel connection ...

Page 1637: ...dress pools that the ASA assigns to clients Override account disabled This parameter lets you override the account disabled indicator received from a AAA server Password management This parameter lets you warn a user that the current password is due to expire in a specified number of days the default is 14 days then offer the user the opportunity to change the password Strip group and strip realm ...

Page 1638: ...alives prevents hung connections when the IKE peer loses connectivity There are various forms of IKE keepalives For this feature to work both the ASA and its remote peer must support a common form This feature works with the following peers Cisco AnyConnect VPN Client Cisco VPN Client Release 3 0 and above Cisco VPN 3000 Client Release 2 x Cisco VPN 3002 Hardware Client Cisco VPN 3000 Series Conce...

Page 1639: ...u configure general connection profile attributes common to all VPN connections For step by step information about configuring connection profiles see Configuring Connection Profiles for Clientless SSL VPN Sessions page 70 20 Note In earlier releases connection profiles were known as tunnel groups You configure a connection profile with tunnel group commands This chapter often uses these terms int...

Page 1640: ...s any of the three tunnel group types If you do not explicitly configure an attribute in a connection profile that attribute gets its value from the default connection profile The default connection profile type is remote access The subsequent parameters depend upon your choice of tunnel type To see the current configured and default configuration of all your connection profiles including the defa...

Page 1641: ...oup DefaultRAGroup ipsec attributes no pre shared key peer id validate req no chain no trust point isakmp keepalive threshold 1500 retry 2 no radius sdi xauth isakmp ikev1 user authentication xauth tunnel group DefaultRAGroup ppp attributes no authentication pap authentication chap authentication ms chap v1 no authentication ms chap v2 no authentication eap proxy Configuring IPsec Tunnel Group Gen...

Page 1642: ...nection Profile PPP Attributes page 70 16 Specifying a Name and Type for the Remote Access Connection Profile Create the connection profile specifying its name and type by entering the tunnel group command For a remote access tunnel the type is remote access hostname config tunnel group tunnel_group_name type remote access hostname config For example to create a remote access connection profile ...

Page 1643: ...eral accounting server group groupname hostname config tunnel general The name of the accounting server group can be up to 16 characters long For example the following command specifies the use of the accounting server group named comptroller hostname config tunnel general accounting server group comptroller hostname config tunnel general Step 5 Specify the name of the default group policy hostnam...

Page 1644: ... and the group if present authentication If you strip the group the ASA uses the username and the realm if present for authentication Enter the strip realm command to remove the realm qualifier and use the strip group command to remove the group qualifier from the username during authentication If you remove both qualifiers authentication is based on the username alone Otherwise authentication is...

Page 1645: ... to 0 disables this command The ASA does not notify the user of the pending expiration but the user can change the password after it expires See Configuring Microsoft Active Directory Settings for Password Management page 70 28 for more information Note The ASA Version 7 1 and later generally supports password management for the AnyConnect VPN Client the Cisco IPsec VPN Client the SSL VPN full tun...

Page 1646: ... require authorization hostname config tunnel general authorization required hostname config tunnel general Configuring Double Authentication Double authentication is an optional feature that requires a user to enter an additional authentication credential such as a second username and password on the login screen Specify the following commands to configure double authentication Step 1 Specify the...

Page 1647: ...an both exist at the same time but you must configure them in separate commands hostname config tunnel general secondary pre fill username from certificate clientless ssl client hide For example to specify the use of pre fill username for both the primary and secondary authentication for a connection enter the following commands hostname config tunnel general tunnel group test1 general attributes ...

Page 1648: ... prompt changes to indicate that you are now in tunnel group ipsec attributes mode hostname config tunnel group TG1 type remote access hostname config tunnel group TG1 ipsec attributes hostname config tunnel ipsec Step 2 Specify the preshared key to support IKEv1 connections based on preshared keys For example the following command specifies the preshared key xyzx to support IKEv1 connections for ...

Page 1649: ...rid XAUTH You use isakmp ikev1 user authentication command to implement hybrid XAUTH authentication when you need to use digital certificates for ASA authentication and a different legacy method for remote VPN user authentication such as RADIUS TACACS or SecurID Hybrid XAUTH breaks phase 1 of IKE down into the following two steps together called hybrid authentication a The ASA authenticates to the...

Page 1650: ...hentication using specific protocols for the PPP connection The protocol value can be any of the following pap Enables the use of Password Authentication Protocol for the PPP connection chap Enables the use of Challenge Handshake Authentication Protocol for the PPP connection ms chap v1 or ms chap v2 Enables the use of Microsoft Challenge Handshake Authentication Protocol version 1 or version 2 fo...

Page 1651: ...unnel group DefaultL2LGroup ipsec attributes no ikev1 pre shared key peer id validate req no chain no ikev1 trust point isakmp keepalive threshold 10 retry 2 LAN to LAN connection profiles have fewer parameters than remote access connection profiles and most of these are the same for both groups For your convenience in configuring the connection they are listed separately here Any parameters that ...

Page 1652: ...hat the name of the default group policy is MyPolicy hostname config tunnel general default group policy MyPolicy hostname config tunnel general Configuring LAN to LAN IPsec IKEv1 Attributes To configure the IPsec IKEv1 attributes perform the following steps Step 1 To configure the tunnel group IPsec IKEv1 attributes enter tunnel group ipsec attributes configuration mode by entering the tunnel gro...

Page 1653: ...ifies the number of seconds 10 through 3600 that the peer is allowed to idle before beginning keepalive monitoring The retry parameter is the interval 2 through 10 seconds between retries after a keepalive response has not been received IKE keepalives are enabled by default To disable IKE keepalives enter the no form of the isakmp command hostname config isakmp keepalive threshold number retry num...

Page 1654: ...General Tunnel Group Attributes for Clientless SSL VPN Sessions page 70 20 Configuring Tunnel Group Attributes for Clientless SSL VPN Sessions page 70 23 Configuring General Tunnel Group Attributes for Clientless SSL VPN Sessions To configure or change the connection profile general attributes specify the parameters in the following steps Step 1 To configure the general attributes enter tunnel gro...

Page 1655: ...thorization database to connect hostname config tunnel general authorization server group groupname hostname config tunnel general Use the aaa server command to configure authorization servers The maximum length of the group tag is 16 characters For example the following command specifies the use of the authorization server group FinGroup hostname config tunnel general authorization server group F...

Page 1656: ...el general dhcp server server1 server10 hostname config tunnel general address pool interface name address_pool1 address_pool6 hostname config tunnel general Note The interface name must be enclosed in parentheses You configure address pools with the ip local pool command in global configuration mode See Chapter 71 Configuring IP Addresses for VPNs for information about configuring address pools S...

Page 1657: ... keyword you must also specify the number of days See Configuring Microsoft Active Directory Settings for Password Management page 70 28 for more information Step 10 Specifying this command with the number of days set to 0 disables this command The ASA does not notify the user of the pending expiration but the user can change the password after it expires Optionally configure the ability to overri...

Page 1658: ...pecify the use of the customization named 123 hostname config webvpn hostname config webvpn customization 123 hostname config webvpn custom password prompt Enter password hostname config webvpn exit hostname config tunnel group test type webvpn hostname config tunnel group test webvpn attributes hostname config tunnel webvpn customization value 123 hostname config tunnel webvpn Step 3 The ASA quer...

Page 1659: ... QA enter the following commands hostname config tunnel webvpn group alias QA enable hostname config tunnel webvpn group alias Devtest enable hostname config tunnel webvpn Note The webvpn tunnel group list must be enabled for the dropdown group list to appear Step 5 To specify incoming URLs or IP addresses for the group use the group url command Specifying a group URL or IP address eliminates the ...

Page 1660: ...ation Step 7 To specify the DNS server group to use for a connection profile for clientless SSL VPN sessions use the dns group command The group you specify must be one you already configured in global configuration mode using the dns server group and name server commands By default the connection profile uses the DNS server group DefaultDNS However this group must be configured before the securit...

Page 1661: ...for these users at the connection profile level with the override svc download command This command causes users logging through a connection profile to be immediately presented with the clientless SSL VPN home page regardless of the vpn tunnel protocol or anyconnect ask command settings In the following example you enter tunnel group webvpn attributes configuration mode for the connection pro...

Page 1662: ...p url https 192 168 3 3 hostname config tunnel webvpn If a port number is required for a successful login include the port number preceded by a colon The ASA maps this URL to the sales connection profile and applies the salesgui customization profile to the login screen that the user sees upon logging in to https 192 168 3 3 Configuring Microsoft Active Directory Settings for Password Management N...

Page 1663: ... an Account Disabled AAA Indicator page 70 31 Using Active Directory to Enforce Password Complexity page 70 33 This section assumes that you are using an LDAP directory server for authentication Using Active Directory to Force the User to Change Password at Next Logon To force a user to change the user password at the next logon specify the password management command in tunnel group general attri...

Page 1664: ... Settings Account Policies Password Policy Select Minimum password length Using Active Directory to Specify Maximum Password Age To enhance security you can specify that passwords expire after a certain number of days To specify a maximum password age for a user password specify the password management command in tunnel group general attributes configuration mode on the ASA and perform the followi...

Page 1665: ...red in tunnel group general attributes mode replaces it Using Active Directory to Override an Account Disabled AAA Indicator To override an account disabled indication from a AAA server use the override account disable command in tunnel group general attributes configuration mode on the ASA and perform the following steps under Active Directory Note Allowing override account disabled is a potentia...

Page 1666: ...nforce a minimum length for passwords specify the password management command in tunnel group general attributes configuration mode on the ASA and perform the following steps under Active Directory Step 1 Select Start Programs Administrative Tools Domain Security Policy Step 2 Select Windows Settings Security Settings Account Policies Password Policy Step 3 Double click Minimum Password Length The...

Page 1667: ... lowercase letters numbers and special characters enter the password management command in tunnel group general attributes configuration mode on the ASA and perform the following steps under Active Directory Step 1 Select Start Programs Administrative Tools Domain Security Policy Select Windows Settings Security Settings Account Policies Password Policy Step 2 Double click Password must meet compl...

Page 1668: ...n describes procedures to ensure that the AnyConnect VPN client using RSA SecureID Software tokens can properly respond to user prompts delivered to the client through a RADIUS server proxying to an SDI server s This section contains the following topics AnyConnect Client and RADIUS SDI Server Interaction Configuring the Security Appliance to Support RADIUS SDI Messages Note If you have configured...

Page 1669: ... command from tunnel group webvpn configuration mode Users authenticating to the SDI server must connect over this connection profile For example hostname config tunnel group sales webvpn attributes hostname tunnel group webvpn proxy auth sdi Step 2 Configure the RADIUS reply message text on the ASA to match in whole or in part the message text sent by the RADIUS server with the proxy auth_map sdi...

Page 1670: ...ludes a default group policy In addition to the default group policy which you can modify but not delete you can create one or more group policies specific to your environment You can configure internal and external group policies Internal groups are configured on the ASA s internal database External groups are configured on an external authentication server such as RADIUS Group policies include t...

Page 1671: ... Note The default group policy is always internal Despite the fact that the command syntax is hostname config group policy DfltGrpPolicy internal external you cannot change its type to external To change any of the attributes of the default group policy use the group policy attributes command to enter attributes mode then specify the commands to change whatever attributes that you want to modify h...

Page 1672: ...xy pac url none msie proxy lockdown enable vlan none nac settings none address pools none ipv6 address pools none smartcard removal disconnect enable scep forwarding url none client firewall none client access rule none webvpn url list none filter none homepage none html content filter none port forward name Application Access port forward disable http proxy disable sso server none anyconnect ssl ...

Page 1673: ...owing topics Default Group Policy page 70 37 Configuring Group Policies page 70 42 A group policy is a set of user oriented attribute value pairs for IPsec connections that are stored either internally locally on the device or externally on a RADIUS server The connection profile uses a group policy that sets terms for user connections after the tunnel is established Group policies let you apply wh...

Page 1674: ...s internal Despite the fact that the command syntax is hostname config group policy DfltGrpPolicy internal external you cannot change its type to external To change any of the attributes of the default group policy use the group policy attributes command to enter attributes mode then specify the commands to change whatever attributes that you want to modify hostname config group policy DfltGrpPoli...

Page 1675: ... none address pools none ipv6 address pools none smartcard removal disconnect enable scep forwarding url none client firewall none client access rule none webvpn url list none filter none homepage none html content filter none port forward name Application Access port forward disable http proxy disable sso server none anyconnect ssl dtls enable anyconnect mtu 1406 anyconnect firewall rule client i...

Page 1676: ...ive VPN client or cTCP for IKEv1 IPsec Configuring an External Group Policy External group policies take their attribute values from the external server that you specify For an external group policy you must identify the AAA server group that the ASA can query for attributes and specify the password to use when retrieving attributes from the external AAA server group If you are using an external a...

Page 1677: ...ss attribute 25 the ASA uses that attribute to authenticate the Group Name On the RADIUS server the attribute must be formatted as OU groupname where groupname is identical to the Group Name configured on the ASA for example OU Finance Creating an Internal Group Policy To configure an internal group policy enter configuration mode use the group policy command specify a name and the internal type f...

Page 1678: ... aware that using the no version of the command deletes all banners for the group policy A group policy can inherit this value from another group policy To prevent inheriting a value enter the none keyword instead of specifying a value for the banner string as follows hostname config group policy banner value banner_string none The following example shows how to create a banner for the group polic...

Page 1679: ...p to 6 address pools for group policy Step 3 Optional no address pools value pool name1 pool name2 pool name6 Example hostname config group policy no address pools value ipv4 pool1 ipv4 pool2 ipv4 pool3 hostname config group policy Use the no address pools value pool name command to remove the address pools from the group policy configuration and return the address pool setting to inherit the addr...

Page 1680: ...d ipv6 pool to the FirstGroup group policy You can assign up to six ipv6 address pools to a group policy This example shows ipv6 pool1 ipv6 pool2 and ipv6 pool3 being assigned to the FirstGroup group policy Step 3 Optional no ipv6 address pools value pool name1 pool name2 pool name6 Example hostname config group policy no ipv6 address pools value ipv6 pool1 ipv6 pool2 ipv6 pool3 hostname config gr...

Page 1681: ...ject tunneled data packets coming through the ASA based on criteria such as source address, destination address, and protocol. You can specify an IPv4 or IPv6 unified access control list for your group policy or allow it to inherit the ACLs specified in the Default Group Policy. To configure a new unified ACL to use with your group, see Adding ACLs and ACEs, page 26-2. Choose one of the following options ...

Page 1682: ... A vpn-filter command is applied to post-decrypted traffic after it exits a tunnel and pre-encrypted traffic before it enters a tunnel. An ACL that is used for a vpn-filter should NOT also be used for an interface access-group. When a vpn-filter command is applied to a group policy that governs Remote Access VPN client connections, the ACL should be configured with the client-assigned IP addresses in...

Page 1683: ...s-list vpnfilt-l2l permit 10.0.0.0 255.255.255.0 eq 23 192.168.1.0 255.255.255.0. Note: The ACE access-list vpnfilt-l2l permit 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 23 allows the local network to initiate a connection to the remote network on any TCP port if it uses a source port of 23. The ACE access-list vpnfilt-l2l permit 10.0.0.0 255.255.255.0 eq 23 192.168.1.0 255.255.255.0 allows ...

Page 1684: ...ns 4 hostname(config-group-policy)#. Note: While the maximum limit for the number of simultaneous logins is very large, allowing several simultaneous logins could compromise security and affect performance. Command / Purpose. Step 1: group-policy value attributes. Example: hostname> en hostname# config t hostname(config)# group-policy FirstGroup attributes hostname(config-group-policy)#. Enter group-policy configura...

Page 1685: ... users by checking if the group configured in the VPN client is the same as the connection profile to which the user is assigned. If it is not, the ASA prevents the user from connecting. If you do not configure group-lock, the ASA authenticates users without regard to the assigned group. Group locking is disabled by default. To remove the group-lock attribute from the running configuration, enter the no ...

Page 1686: ...v2: Use the global WebVPN default-idle-timeout value (seconds) from the command hostname(config-webvpn)# default-idle-timeout. The range for this value in the WebVPN default-idle-timeout command is 60-86400 seconds; the default Global WebVPN Idle timeout (in seconds) default is 1800 seconds (30 min). Note: A non-zero idle timeout value is required by ASA for all AnyConnect connections. For a WebVPN user, the def...

Page 1687: ...P addresses of all WINS servers when you enter this command. The following example shows how to configure WINS servers with the IP addresses 10.10.10.15 and 10.10.10.30 for the group policy named FirstGroup: hostname(config)# group-policy FirstGroup attributes hostname(config-group-policy)# wins-server value 10.10.10.15 10.10.10.30 hostname(config-group-policy)#. Step 2: Specify the primary and secondary DN...

Page 1688: ...network interface in clear text form. With split tunneling enabled, packets not bound for destinations on the other side of the tunnel do not have to be encrypted, sent across the tunnel, decrypted, and then routed to a final destination. The split-tunnel-policy command applies this split tunneling policy to a specific network. Differences in Client Split Tunneling Behavior for Traffic within the Subnet ...

Page 1689: ...'s Internet service provider. Note: Split tunneling is primarily a traffic management feature, not a security feature. For optimum security, we recommend that you do not enable split tunneling. The following example shows how to set a split tunneling policy of tunneling only specified networks for the group policy named FirstGroup: hostname(config)# group-policy FirstGroup attributes hostname(config-group-...

Page 1690: ...ig)# show runn group-policy FirstGroup attributes hostname(config-group-policy)# split-tunnel-network-list value FirstList. Run the show runn group-policy attributes command to verify your configuration. This example shows that the administrator has set both an IPv4 and IPv6 network policy and used the network list unified ACL FirstList for both policies: hostname(config-group-policy)# show runn group-poli...

Page 1691: ...nts inheriting a split DNS list from a default or specified group policy. The syntax of the command is as follows: hostname(config-group-policy)# split-dns {value domain-name1 domain-name2 domain-nameN | none} hostname(config-group-policy)# no split-dns [domain-name domain-name2 domain-nameN]. Enter a single space to separate each entry in the list of domains. There is no limit on the number of entries, but the ...

Page 1692: ...imize latency. When a user has established a VPN session, all network traffic is sent through the VPN tunnel. However, when AnyConnect users are using web security, the HTTP traffic originating at the endpoint needs to be excluded from the tunnel and sent directly to the Cloud Web Security scanning proxy. To set up the split tunnel exclusions for traffic meant for the Cloud Web Security scanning proxy, u...

Page 1693: ...ess than 100 characters long. The following example shows how to configure the IP address 192.168.10.1 as a browser proxy server using port 880 for the group policy named FirstGroup: hostname(config)# group-policy FirstGroup attributes hostname(config-group-policy)# msie-proxy server value 192.168.21.1:880 hostname(config-group-policy)#. Step 2: Configure the browser proxy actions (methods) for a client devic...

Page 1694: ...ialog box. hostname(config-group-policy)# msie-proxy except-list {value server:port | none} hostname(config-group-policy)#. To remove the attribute from the configuration, use the no form of the command: hostname(config-group-policy)# no msie-proxy except-list hostname(config-group-policy)#. value server:port: Specifies the IP address or name of an MSIE server and port that is applied for this client device. The por...

Page 1695: ...p 3: To enable compression of HTTP data over an AnyConnect SSL connection for the group policy, enter the anyconnect ssl compression command. By default, compression is set to none (disabled). To enable compression, use the deflate keyword. For example: hostname(config-group-webvpn)# anyconnect compression deflate hostname(config-group-webvpn)#. Step 4: To enable dead peer detection (DPD) on the ASA and to set the ...

Page 1696: ...ssion until the re-key takes place, from 1 through 10080 (1 week). The following example configures the AnyConnect client to renegotiate with SSL during re-key and configures the re-key to occur 30 minutes after the session begins: hostname(config-group-webvpn)# anyconnect ssl rekey method ssl hostname(config-group-webvpn)# anyconnect ssl rekey time 30 hostname(config-group-webvpn)#. Step 7: The Client Protoco...

Page 1697: ...f the device FQDN after roaming so that it can determine which ASA address to use for re-establishing the tunnel. The client uses the ASA FQDN present in its profile during the initial connection. During subsequent session reconnects, it always uses the device FQDN pushed by ASA (and configured by the administrator in the group policy), when available. If the FQDN is not configured, the ASA derives the de...

Page 1698: ...l user authentication for hardware clients. The following example shows how to enable password storage for the group policy named FirstGroup: hostname(config)# group-policy FirstGroup attributes hostname(config-group-policy)# password-storage enable hostname(config-group-policy)#. Step 2: Specify whether to enable IP compression, which is disabled by default. Note: IP compression is not supported for IPsec IKE...

Page 1699: ...m of this command: hostname(config-group-policy)# no re-xauth hostname(config-group-policy)#. Note: Reauthentication fails if there is no user at the other end of the connection. Step 4: Specify whether to enable perfect forward secrecy. In IPsec negotiations, perfect forward secrecy ensures that each new cryptographic key is unrelated to any previous key. A group policy can inherit a value for perfect forwar...

Page 1700: ...e of a value for the IPsec over UDP port from another group policy: hostname(config-group-policy)# ipsec-udp-port port. The following example shows how to set an IPsec UDP port to port 4025 for the group policy named FirstGroup: hostname(config)# group-policy FirstGroup attributes hostname(config-group-policy)# ipsec-udp-port 4025. Configuring Attributes for VPN Hardware Clients: This section describes how t...

Page 1701: ... disable keyword. To remove the user authentication attribute from the running configuration, enter the no form of this command. This option allows inheritance of a value for user authentication from another group policy. If you require user authentication on the primary ASA, be sure to configure it on any backup servers as well. The following example shows how to enable user authentication for the grou...

Page 1702: ...ntication. Refer to the Configuring Device Pass-Through section on page 74-8 for more information. Configuring LEAP Bypass: When LEAP Bypass is enabled, LEAP packets from wireless devices behind a VPN 3002 hardware client travel across a VPN tunnel prior to user authentication. This action lets workstations using Cisco wireless access point devices establish LEAP authentication and then authenticate ag...

Page 1703: ... nem command with the enable keyword in group-policy configuration mode: hostname(config-group-policy)# nem {enable | disable} hostname(config-group-policy)# no nem. To disable NEM, enter the disable keyword. To remove the NEM attribute from the running configuration, enter the no form of this command. This option allows inheritance of a value from another group policy. The following example shows how to set NEM...

Page 1704: ...amed FirstGroup: hostname(config)# group-policy FirstGroup attributes hostname(config-group-policy)# backup-servers 10.10.10.1 192.168.10.14. Configuring Network Admission Control Parameters: The group-policy NAC commands in this section all have default values. Unless you have a good reason for changing them, accept the default values for these parameters. The ASA uses Extensible Authentication Protocol (EA...

Page 1705: ...ation in a Network Admission Control session, use the nac-reval-period command in group-policy configuration mode: hostname(config-group-policy)# nac-reval-period seconds hostname(config-group-policy)#. To inherit the value of the Revalidation Timer from the default group policy, access the alternative group policy from which to inherit it, then use the no form of this command: hostname(config-group-policy)# ...

Page 1706: ... of the filter attribute is none. Enter the vpn-nac-exempt command once for each operating system and ACL to be matched to exempt remote hosts from posture validation. To add an entry to the list of remote computer types that are exempt from posture validation, use the vpn-nac-exempt command in group-policy configuration mode: hostname(config-group-policy)# vpn-nac-exempt os os-name filter acl-name none...

Page 1707: ...The following example removes the same entry from the exemption list, regardless of whether it is disabled: hostname(config-group-policy)# no vpn-nac-exempt os "Windows 98" filter acl-1 hostname(config-group-policy)#. The following example disables inheritance and specifies that all hosts will be subject to posture validation: hostname(config-group-policy)# no vpn-nac-exempt none hostname(config-group-policy)# ...

Page 1708: ...ng added or modified. Note: Only VPN clients running Microsoft Windows can use these firewall features. They are currently not available to hardware clients or other (non-Windows) software clients. In the first scenario, a remote user has a personal firewall installed on the PC. The VPN client enforces firewall policy defined on the local firewall, and it monitors that firewall to make sure it is running. I...

Page 1709: ...iption. Step 1: webvpn. Example: hostname(config)# group-policy ac-client-group attributes hostname(config-group-policy)# webvpn hostname(config-group-webvpn)#. Enter webvpn group-policy configuration mode. Step 2: anyconnect firewall-rule client-interface {private | public} value RuleName. Example: hostname(config-group-webvpn)# anyconnect firewall-rule client-interface private value ClientFWRule. Specifies an access con...

Page 1710: ... instructs the ASA to open the connection and provide the Integrity client with connection details. 5. On the remote PC, the VPN client passes connection details to the Integrity client and signals that policy enforcement should begin immediately and the Integrity client can enter the private network. 6. After the VPN connection is established, the Integrity server continues to monitor the state of the ...

Page 1711: ...l-close. Configures the ASA so that connections to VPN clients close when the connection between the ASA and the Zone Labs Integrity server fails. Step 6: zonelabs-integrity fail-open. Example: hostname(config)# zonelabs-integrity fail-open. Returns the configured VPN client connection fail state to the default and ensures that the client connections remain open. Step 7: zonelabs-integrity ssl-certificate-p...

Page 1712: ... vendor-id num product-id num policy {AYT | CPP acl-in ACL acl-out ACL} [description string]. Zone Labs Firewalls: hostname(config-group-policy)# client-firewall {opt | req} zonelabs-integrity. Note: When the firewall type is zonelabs-integrity, do not include arguments. The Zone Labs Integrity Server determines the policies. hostname(config-group-policy)# client-firewall {opt | req} zonelabs-zonealarm policy {AYT | CPP acl-...

Page 1713: ...Are You There. If there is no response, the ASA tears down the tunnel. cisco-integrated: Specifies Cisco Integrated firewall type. cisco-security-agent: Specifies Cisco Intrusion Prevention Security Agent firewall type. CPP: Specifies Policy Pushed as source of the VPN client firewall policy. custom: Specifies Custom firewall type. description string: Describes the firewall. networkice-blackice: Specifies Netwo...

Page 1714: ...ments. This deletes all configured rules, including a null rule if you created one by issuing the client-access-rule command with the none keyword. By default, there are no access rules. When there are no client access rules, users inherit any rules that exist in the default group policy. To prevent users from inheriting client access rules, enter the client-access-rule command with the none keyword. The r...

Page 1715: ...fic, supported internal resources that you configure at a central site. The ASA recognizes connections that need to be proxied, and the HTTP server interacts with the authentication subsystem to authenticate users. By default, clientless SSL VPN is disabled. You can customize a configuration of clientless SSL VPN for specific internal group policies. Note: The webvpn mode that you enter from global config...

Page 1716: ...tion mode for the group policy named FirstGroup: hostname(config)# group-policy FirstGroup attributes hostname(config-group-policy)# webvpn hostname(config-group-webvpn)#. Applying Customization: Customizations determine the appearance of the windows that the user sees upon login. You configure the customization parameters as part of configuring clientless SSL VPN. To apply a previously defined web-page cust...

Page 1717: ...res. Contact your IT administrator for more information. The first command in the following example creates an internal group policy named group2. The subsequent commands modify the attributes, including the webvpn deny message, associated with that policy: hostname(config)# group-policy group2 internal hostname(config)# group-policy group2 attributes hostname(config-group-webvpn)# hostname(config-group-webvp...

Page 1718: ...g none hostname(config-group-webvpn)# no homepage hostname(config-group-webvpn)#. Configuring Auto-Signon: The auto-signon command is a single sign-on method for users of clientless SSL VPN sessions. It passes the login credentials (username and password) to internal servers for authentication using NTLM authentication, basic authentication, or both. Multiple auto-signon commands can be entered and are proces...

Page 1719: ... SSL VPN sessions for this group policy or username by using the filter command in webvpn mode. Clientless SSL VPN access lists do not apply until you enter the filter command to specify them. To remove the access list, including a null value created by issuing the filter none command, enter the no form of this command. The no option allows inheritance of a value from another group policy. To prevent in...

Page 1720: ...specifies that this should be the first URL list displayed on the homepage: hostname(config)# group-policy FirstGroup attributes hostname(config-group-policy)# webvpn hostname(config-group-webvpn)# url-list value FirstGroupURLs 1 hostname(config-group-webvpn)#. Enabling ActiveX Relay for a Group Policy: ActiveX Relay lets a user who has established a Clientless SSL VPN session use the browser to launch Micro...

Page 1721: ...rides the previous setting. The following example shows how to set a port forwarding list called ports1 for the internal group policy named FirstGroup: hostname(config)# group-policy FirstGroup internal attributes hostname(config-group-policy)# webvpn hostname(config-group-webvpn)# port-forward value ports1 hostname(config-group-webvpn)#. Configuring the Port Forwarding Display Name: Configure the display nam...

Page 1722: ...on is enabled for the group or user. This is the default value. none: Specifies compression is disabled for the group or user. For clientless SSL VPN sessions, the compression command configured from global configuration mode overrides the http-comp command configured in group-policy and username webvpn modes. In the following example, compression is disabled for the group policy sales: hostname(config)# gr...

Page 1723: ...ion. To display the configuration for all usernames, including default values inherited from the group policy, enter the all keyword with the show running-config username command, as follows: hostname# show running-config all username hostname#. This displays the encrypted password and the privilege level for all users or, if you supply a username, for that specific user. If you omit the all keyword, only exp...

Page 1724: ... shows how to configure a user named anyuser with an encrypted password of pw_12345678 and a privilege level of 12: hostname(config)# username anyuser password pw_12345678 encrypted privilege 12 hostname(config)#. Configuring User Attributes: After configuring the user's password (if any) and privilege level, you set the other attributes. These can be in any order. To remove any attribute-value pair, enter the...

Page 1725: ...m of this command. This option allows inheritance of a time-range value from another group policy. To prevent inheriting a value, enter the vpn-access-hours none command. The default is unrestricted access. hostname(config-username)# vpn-access-hours value {time-range | none} hostname(config-username)# vpn-access-hours value none hostname(config)#. The following example shows how to associate the user named anyus...

Page 1726: ...he end of this period of time, the ASA terminates the connection. You can optionally set the alert interval or leave the default of one minute. The range is 1 through 35791394 minutes. There is no default timeout. To allow an unlimited timeout period, and thus prevent inheriting a timeout value, enter the vpn-session-timeout command with the none keyword. To remove the attribute from the running configura...

Page 1727: ... address specified in the previous step. If you used the no vpn-framed-ip-address command, do not specify a network mask. To remove the subnet mask, enter the no form of this command. There is no default behavior or value. hostname(config-username)# vpn-framed-ip-netmask netmask hostname(config-username)# no vpn-framed-ip-netmask hostname(config-username)#. The following example shows how to set a subnet mask ...

Page 1728: ... tunneling modes for the user named anyuser: hostname(config)# username anyuser attributes hostname(config-username)# vpn-tunnel-protocol webvpn hostname(config-username)# vpn-tunnel-protocol IPsec hostname(config-username)#. Restricting Remote User Access: Configure the group-lock attribute with the value keyword to restrict remote users to access only through the specified, preexisting connection profile. Gr...

Page 1729: ...cure remote-access VPN tunnel to the ASA using a web browser. There is no need for either a software or hardware client. Clientless SSL VPN provides easy access to a broad range of web resources and web-enabled applications from almost any computer that can reach HTTPS Internet sites. Clientless SSL VPN uses SSL and its successor, TLS1, to provide a secure connection between remote users and specific s...

Page 1730: ... configuration mode. To remove a content filter, enter the no form of this command. To remove all content filters, including a null value created by issuing the html-content-filter none command, enter the no form of this command without arguments. The no option allows inheritance of a value from the group policy. To prevent inheriting an HTML content filter, enter the html-content-filter none command. HTML...

Page 1731: ...e(config-username-webvpn)# no homepage hostname(config-username-webvpn)#. The following example shows how to specify www.example.com as the home page for the user named anyuser: hostname(config)# username anyuser attributes hostname(config-username)# webvpn hostname(config-username-webvpn)# homepage value www.example.com hostname(config-username-webvpn)#. Applying Customization: Customizations determine the appea...

Page 1732: ...ssful, but because certain criteria have not been met, or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information. The first command in the following example enters username mode and configures the attributes for the user named anyuser. The subsequent commands enter username webvpn configuration mode and modify the ...

Page 1733: ...ed by using the url-list none command, enter the no form of this command. The no option allows inheritance of a value from the group policy. To prevent inheriting a url list, enter the url-list none command. hostname(config-username-webvpn)# url-list {listname displayname url | none} hostname(config-username-webvpn)# no url-list. The keywords and variables used in this command are as follows: displayname: Specifi...

Page 1734: ...e listname string following the keyword value identifies the list of applications users of clientless SSL VPN can access. Enter the port-forward command in configuration mode to define the list. Using the command a second time overrides the previous setting. Before you can enter the port-forward command in username webvpn configuration mode to enable application access, you must define a list of appli...

Page 1735: ...on method for users of clientless SSL VPN sessions. It passes the login credentials (username and password) to internal servers for authentication using NTLM authentication, basic authentication, or both. Multiple auto-signon commands can be entered and are processed according to the input order (early commands take precedence). You can use the auto-signon feature in three modes: webvpn configuration, webvpn...

Page 1736: ...config)# username testuser attributes hostname(config-username)# webvpn hostname(config-username-webvpn)# http-comp none hostname(config-username-webvpn)#. Specifying the SSO Server: Single sign-on support, available only for clientless SSL VPN sessions, lets users access different secure services on different servers without reentering a username and password more than once. The sso-server value command, when ...

Page 1737: ...let the client function as a tunnel endpoint. This chapter includes the following sections: Configuring an IP Address Assignment Policy, page 1-1; Configuring Local IP Address Pools, page 1-3; Configuring AAA Addressing, page 1-5; Configuring DHCP Addressing, page 1-6. Configuring an IP Address Assignment Policy: The ASA can use one or more of the following methods for assigning IP addresses to remote access...

Page 1738: ...ample: hostname(config)# vpn-addr-assign aaa. Example: hostname(config)# vpn-addr-assign local reuse-delay 180. Example: hostname(config)# no vpn-addr-assign dhcp. Enables an address assignment method for the ASA to use when assigning IPv4 addresses to VPN connections. The available methods to obtain an IP address are from a AAA server, DHCP server, or a local address pool. All of these methods are enabled by defau...

Page 1739: ...pecify the pools is important. If you configure more than one address pool for a connection profile or group policy, the ASA uses them in the order in which you added them to the ASA. If you assign addresses from a non-local subnet, we suggest that you add pools that fall on subnet boundaries to make adding routes for these networks easier. Use one of these methods to configure a local IP address pool ...

Page 1740: ...igures an IP address pool named firstpool. The starting address is 10.20.30.40 and the ending address is 10.20.30.50. The network mask is 255.255.255.0. The second example deletes the IP address pool named firstpool. Command / Purpose. Step 1: ipv6-vpn-addr-assign local. Example: hostname(config)# ipv6-vpn-addr-assign local. Configures IP address pools as the address assignment method; enter the ipv6-vpn-addr-a...

Page 1741: ...stgroup type ipsec-ra hostname(config)# tunnel-group firstgroup general-attributes hostname(config-general)# authentication-server-group RAD2. To configure AAA for IP addressing, perform the following steps. Step 1: To configure AAA as the address assignment method, enter the vpn-addr-assign command with the aaa argument: hostname(config)# vpn-addr-assign aaa hostname(config)#. Step 2: To establish the tunnel gro...

Page 1742: ...nfigured. It goes through the pools until it identifies an unassigned address. The following configuration includes more steps than are necessary, in that previously you might have named and defined the connection profile type as remote access and named and identified the group policy as internal or external. These steps appear in the following examples as a reminder that you have no access to subsequ...

Page 1743: ...olicy. The example configures an internal group. Step 7: hostname(config)# group-policy remotegroup attributes. Example: hostname(config)# group-policy remotegroup attributes hostname(config-group-policy)#. (Optional) Enters group-policy attributes configuration mode, which lets you configure a subnetwork of IP addresses for the DHCP server to use. Enter the group-policy command with the attributes keyword. The ex...

Page 1744: ...hostname(config)# vpn-addr-assign dhcp hostname(config)# tunnel-group firstgroup type remote-access hostname(config)# tunnel-group firstgroup general-attributes hostname(config-general)# dhcp-server 172.33.44.19 hostname(config-general)# exit hostname(config)# group-policy remotegroup internal hostname(config)# group-policy remotegroup attributes hostname(config-group-policy)# dhcp-network-scope 192.86.0.0 ...

Page 1745: ... creates the first tunnel to protect later ISAKMP negotiation messages. Phase 2 creates the tunnel that protects data travelling across the secure connection. To set the terms of the ISAKMP negotiations, you create an ISAKMP policy. It includes the following: An authentication method to ensure the identity of the peers. An encryption method to protect the data and ensure privacy. A Hashed Message Authent...

Page 1746: ...protocol. Licensing Requirements for Remote Access IPsec VPNs: The following table shows the licensing requirements for this feature. Model / License Requirement1. ASA 5505: IPsec remote access VPN using IKEv2 (use one of the following): AnyConnect Premium license: Base license and Security Plus license: 2 sessions. Optional permanent or time-based licenses: 10 or 25 sessions. Shared licenses are not supported 2...

Page 1747: ...cense: 2 sessions. Optional permanent or time-based licenses: 10, 25, 50, 100, 250, 500, 750, 1000, or 2500 sessions. Optional Shared licenses2: Participant or Server. For the Server license, 500-50,000 in increments of 500 and 50,000-545,000 in increments of 1000. AnyConnect Essentials license3: 2500 sessions. IPsec remote access VPN using IKEv1 and IPsec site-to-site VPN using IKEv1 or IKEv2: Base license: 2500 ses...

Page 1748: ...crements of 1000. AnyConnect Essentials license3: 250 sessions. IPsec remote access VPN using IKEv1 and IPsec site-to-site VPN using IKEv1 or IKEv2: Base license: 250 sessions. ASA 5515-X: IPsec remote access VPN using IKEv2 (use one of the following): AnyConnect Premium license: Base license: 2 sessions. Optional permanent or time-based licenses: 10, 25, 50, 100, or 250 sessions. Optional Shared licenses2: Participa...

Page 1749: ...ense: 2 sessions. Optional permanent or time-based licenses: 10, 25, 50, 100, 250, 500, 750, 1000, 2500, or 5000 sessions. Optional Shared licenses2: Participant or Server. For the Server license, 500-50,000 in increments of 500 and 50,000-545,000 in increments of 1000. AnyConnect Essentials license3: 5000 sessions. IPsec remote access VPN using IKEv1 and IPsec site-to-site VPN using IKEv1 or IKEv2: Base license: 5000...

Page 1750: ...ned sessions is 10 for the Base license and 25 for the Security Plus license. 2. A shared license lets the ASA act as a shared license server for multiple client ASAs. The shared license pool is large, but the maximum number of sessions used by each individual ASA cannot exceed the maximum number listed for permanent licenses. 3. The AnyConnect Essentials license enables AnyConnect VPN client access to ...

Page 1751: ...the Outside Interface, page 1-8; Configuring an Address Pool, page 1-10; Adding a User, page 1-10; Creating an IKEv1 Transform Set or IKEv2 Proposal, page 1-10; Defining a Tunnel Group, page 1-11; Creating a Dynamic Crypto Map, page 1-12; Creating a Crypto Map Entry to Use the Dynamic Crypto Map, page 1-13; Saving the Security Appliance Configuration, page 1-14. Configuring Interfaces: An ASA has at least two inte...

Page 1752: ...ig)# interface ethernet0 hostname(config-if)#. Enters interface configuration mode from global configuration mode. Step 2: ip address ip_address [mask] [standby ip_address]. Example: hostname(config)# interface ethernet0 hostname(config-if)# hostname(config-if)# ip address 10.10.4.200 255.255.0.0. Sets the IP address and subnet mask for the interface. Step 3: nameif name. Example: hostname(config-if)# nameif outside hostna...

Page 1753: ...(config)# crypto ikev1 policy 1 hash sha hostname(config)#. Specifies the hash algorithm for an IKE policy, also called the HMAC variant. Step 4: crypto ikev1 policy priority group {1 | 2 | 5}. Example: hostname(config)# crypto ikev1 policy 1 group 2 hostname(config)#. Specifies the Diffie-Hellman group for the IKE policy, the crypto protocol that allows the IPsec client and the ASA to establish a shared secret key. Ste...

Page 1754: ...ss-last-address [mask mask]. Example: hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15 hostname(config)#. Creates an address pool with a range of IP addresses from which the ASA assigns addresses to the clients. The address mask is optional. However, you must supply the mask value when the IP addresses assigned to VPN clients belong to a non-standard network and the data could be routed inco...

Page 1755: ...-md5-hmac to use the MD5/HMAC-128 as the hash algorithm; esp-sha-hmac to use the SHA/HMAC-160 as the hash algorithm; esp-none to not use HMAC authentication. To configure an IKEv2 proposal: crypto ipsec ikev2 ipsec-proposal proposal_name. Then: protocol esp encryption {des | 3des | aes | aes-192 | aes-256 | null} integrity {md5 | sha-1}. Example: hostname(config)# crypto ipsec ikev2 ipsec-proposal secure_proposal hostname...

Page 1756: ... remote-access tunnel group (also called connection profile). Step 2: tunnel-group name general-attributes. Example: hostname(config)# tunnel-group testgroup general-attributes hostname(config-tunnel-general)#. Enters tunnel-group general-attributes mode, where you can enter an authentication method. Step 3: address-pool [(interface name)] address_pool1 [...address_pool6]. Example: hostname(config-general)# address-pool tes...

Page 1757: ...namic crypto map is dyn1, which you created in the previous section. Creating a Dynamic Crypto Map: Perform the following task. Command / Purpose. Step 1: For IKEv1, use this command: crypto dynamic-map dynamic-map-name seq-num set ikev1 transform-set transform-set-name. Example: hostname(config)# crypto dynamic-map dyn1 1 set ikev1 transform-set FirstSet hostname(config)#. For IKEv2, use this command: crypto dynami...

Page 1758: ...n 3des hostname(config-ikev1-policy)# hash sha hostname(config-ikev1-policy)# group 2 hostname(config-ikev1-policy)# lifetime 43200 hostname(config)# crypto ikev1 outside hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15 hostname(config)# username testuser password 12345678 Command / Purpose. Step 1: crypto map map-name seq-num ipsec-isakmp dynamic dynamic-map-name Example: hostname(config)# crypto ...

Page 1759: ...icy)# lifetime 43200 hostname(config-ikev2-policy)# prf sha hostname(config)# crypto ikev2 outside hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15 hostname(config)# username testuser password 12345678 hostname(config)# crypto ipsec ikev2 ipsec-proposal FirstSet hostname(config-ipsec-proposal)# protocol esp encryption 3des aes hostname(config)# tunnel-group testgroup type remote-access hostname ...

Page 1760: ...1-16 Cisco ASA Series CLI Configuration Guide. Chapter 1: Configuring Remote Access IPsec VPNs. Feature History for Remote Access VPNs ...

Page 1761: ...providing access to vulnerable hosts on the intranet. Posture validation can include the verification that the applications running on the remote hosts are updated with the latest patches. NAC occurs only after user authentication and the setup of the tunnel. NAC is especially useful for protecting the enterprise network from hosts that are not subject to automatic network policy enforcement, such as...

Page 1762: ...he Security Appliance and the ACS, or vice versa, to reach its destination. The establishment of a tunnel between an IPsec or WebVPN client and the ASA triggers posture validation if a NAC Framework policy is assigned to the group policy. The NAC Framework policy can, however, identify operating systems that are exempt from posture validation and specify an optional ACL to filter such traffic. Licensing ...

Page 1763: ...00 in increments of 1000. ASA 5512-X: AnyConnect Premium license. Base License: 2 sessions. Optional permanent or time-based licenses: 10, 25, 50, 100, or 250 sessions. Optional Shared licenses3: Participant or Server. For the Server license, 500-50,000 in increments of 500 and 50,000-545,000 in increments of 1000. ASA 5515-X: AnyConnect Premium license. Base License: 2 sessions. Optional permanent or time-based lic...

Page 1764: ...50,000 in increments of 500 and 50,000-545,000 in increments of 1000. ASA 5585-X with SSP-20, -40, and -60: AnyConnect Premium license. Base License: 2 sessions. Optional permanent or time-based licenses: 10, 25, 50, 100, 250, 500, 750, 1000, 2500, 5000, or 10000 sessions. Optional Shared licenses3: Participant or Server. For the Server license, 500-50,000 in increments of 500 and 50,000-545,000 in increments of 1000. AS...

Page 1765: ...oes not support Layer 3 non-VPN traffic and IPv6 traffic. Viewing the NAC Policies on the Security Appliance: Before configuring the NAC policies to be assigned to group policies, we recommend that you view any that may already be set up on the ASA. Because the default configuration does not contain NAC policies, entering this command is a useful way to determine whether anyone has added any. If you you...

Page 1766: ...Following posture validation, the security appliance replaces the default ACL with the one obtained from the Access Control Server for the remote host. The ASA retains the default ACL if posture validation fails. reval-period: Number of seconds between each successful posture validation in a NAC Framework session. sq-period: Number of seconds between each successful posture validation in a NAC Framewor...

Page 1767: ...e assignment of NAC policies to group policies. Shows which NAC policies are unassigned and the usage count for each NAC policy. Step 4: applied session count: Cumulative number of VPN sessions to which this ASA applied the NAC policy. applied group policy count: Cumulative number of group policies to which this ASA applied the NAC policy. group policy list: List of group policies to which this NAC policy ...

Page 1768: ...to 64 characters. nac-framework specifies that a NAC Framework configuration will provide a network access policy for remote hosts. A Cisco Access Control Server must be present on the network to provide NAC Framework services for the ASA. When you specify this type, the prompt indicates you are in nac-policy-nac-framework configuration mode. This mode lets you configure the NAC Framework policy. Note: Y...

Page 1769: ...ver host: Names the Access Control Server group, even if the group contains only one server. Step 2: (Optional) show running-config aaa-server Example: hostname(config)# show running-config aaa-server aaa-server acs-group1 protocol radius aaa-server acs-group1 (outside) host 192.168.22.44 key secret radius-common-pw secret hostname(config)# Displays the AAA server configuration. Step 3: nac-policy nac-framework ...

Page 1770: ...ASA also applies the NAC default ACL if clientless authentication is enabled, which is the default setting. Command / Purpose. Step 1: nac-policy nac-framework: Switches to nac-policy-nac-framework configuration mode. Step 2: sq-period seconds Example: hostname(config-group-policy)# sq-period 1800 hostname(config-group-policy)# Changes the status query interval. seconds must be in the range 30 to 1800 seconds (5...

Page 1771: ...es that are exempt from NAC posture validation, enter the following command in nac-policy-nac-framework configuration mode. Command / Purpose. Step 1: nac-policy nac-framework: Switches to nac-policy-nac-framework configuration mode. Step 2: default-acl acl-name Example: hostname(config-nac-policy-nac-framework)# default-acl acl-2 hostname(config-nac-policy-nac-framework)# Specifies which ACL to use as the defa...

Page 1772: ...e, for example, Windows XP. filter applies an ACL to filter the traffic if the computer's operating system matches the os-name. The filter acl-name pair is optional. disable performs one of two functions, as follows: If you enter it after the os-name, the ASA ignores the exemption and applies NAC posture validation to the remote hosts that are running that operating system. If you enter it after the acl-na...

Page 1773: ...A is not configured to request a policy for clientless hosts from the Access Control Server, it retains the default access policy already in use for the clientless host. If the ASA is configured to request a policy for clientless hosts from the Access Control Server, it does so, and the Access Control Server downloads the access policy to be enforced by the ASA. Command / Purpose. Step 1: group-policy: Swit...

Page 1774: ...ol Server. The default username and password for clientless authentication on the ASA matches the default username and password on the Access Control Server; the default username and password are both clientless. Prerequisites: If you change these values on the Access Control Server, you must also do so on the ASA. Detailed Steps: Enter the following to change the username used for clientless authenticat...

Page 1775: ...onfig)# Changes the username used for clientless authentication. username must match the username configured on the Access Control Server to support clientless hosts. Enter 1 to 64 ASCII characters, excluding leading and trailing spaces, pound signs (#), question marks (?), quotation marks ("), asterisks (*), and angle brackets (< and >). Changes the username and password for clientless authentication to sherlock and 221B baker r...

Page 1776: ...xample: hostname(config)# eou timeout retransmit 6 hostname(config)# Changes the retransmission retry timer. When the ASA sends an EAP over UDP message to the remote host, it waits for a response. If it fails to receive a response within n seconds, it resends the EAP over UDP message. By default, the retransmission timer is 3 seconds. seconds is a value in the range 1 to 60. Changes the retransmission timer to...

Page 1777: ...ansmission retry counter matches the max-retry value, the ASA terminates the EAP over UDP session with the remote host and starts the hold timer. When the hold timer equals n seconds, the ASA establishes a new EAP over UDP session with the remote host. By default, the maximum number of seconds to wait before establishing a new session is 180 seconds. seconds is a value in the range 60 to 86400. Changes t...

Page 1778: ...1-18 Cisco ASA Series CLI Configuration Guide. Chapter 1: Configuring Network Admission Control. Changing Global NAC Framework Settings ...

Page 1779: ...on page 1-1. Then configure the ASA 5505 as you would any other ASA, beginning with the Getting Started section on page 1-1 of this guide. This chapter includes the following sections: Specifying the Client/Server Role of the Cisco ASA 5505, page 1-1; Specifying the Primary and Secondary Servers, page 1-2; Specifying the Mode, page 1-3; Configuring Automatic Xauth Authentication, page 1-4; Configuring IPsec O...

Page 1780: ...Getting Started section on page 1-1 of this guide. Specifying the Primary and Secondary Servers: Before establishing a connection with an Easy VPN hardware client, you must specify the IP address of an Easy VPN server to which it will connect. Any ASA can act as an Easy VPN server, including another ASA 5505 configured as a headend, a VPN 3000 Series Concentrator, an IOS-based router, or a firewall. The AS...

Page 1781: ...the Easy VPN Client inside interface or the inside hosts. NEM makes the inside interface and all inside hosts routable across the enterprise network over the tunnel. Hosts on the inside network obtain their IP addresses from an accessible subnet (statically or via DHCP) pre-configured with static IP addresses. PAT does not apply to VPN traffic in NEM. This mode does not require a VPN configuration for...

Page 1782: ...ssword vpnclient username xauth_username password xauth_password You can use up to 64 characters for each. For example, enter the following command to configure the Easy VPN hardware client to use the XAUTH username testuser and password ppurkm1: hostname(config)# vpnclient username testuser password ppurkm1 hostname(config)# To remove the username and password from the running configuration, enter the fo...

Page 1783: ...pto ipsec df-bit clear-df outside hostname(config)# To remove the attribute from the running configuration, use the no form of this command, as follows: no vpnclient ipsec-over-tcp For example: hostname(config)# no vpnclient ipsec-over-tcp hostname(config)# Comparing Tunneling Options: The tunnel types the Cisco ASA 5505 configured as an Easy VPN hardware client sets up depends on a combination of the follow...

Page 1784: ...ence of an access list for split tunneling. The access list (ST-list) distinguishes networks that require tunneling from those that do not. Specifying the Tunnel Group or Trustpoint: When configuring the Cisco ASA 5505 as an Easy VPN hardware client, you can specify a tunnel group or trustpoint configured on the Easy VPN server, depending on the Easy VPN server configuration. See the section that names th...

Page 1785: ...cify a tunnel group, the client attempts to use an RSA certificate. For example: hostname(config)# no vpnclient vpngroup hostname(config)# Specifying the Trustpoint: A trustpoint represents a CA identity, and possibly a device identity, based on a certificate the CA issues. These parameters specify how the ASA obtains its certificate from the CA and define the authentication policies for user certificates is...

Page 1786: ...ch as Cisco IP phones, wireless access points, and printers are incapable of performing authentication. Enter the following command in global configuration mode to exempt such devices from authentication, thereby providing network access to them, if individual user authentication is enabled: [no] vpnclient mac-exempt mac_addr_1 mac_mask_1 [mac_addr_2 mac_mask_2 ... mac_addr_n mac_mask_n] no removes the command ...

Page 1787: ...Do not configure a management tunnel on a Cisco ASA 5505 configured as an Easy VPN hardware client if a NAT device is operating between the Easy VPN hardware client and the Internet. In that configuration, use the vpnclient management clear command. Use the vpnclient management tunnel command in global configuration mode if you want to automate the creation of IPsec tunnels to provide management acce...

Page 1788: ...figuring group policies and users, see Configuring Connection Profiles, Group Policies, and Users, page 1-1. Use Table 1-2 as a guide for determining which commands to enter to modify the group policy or user attributes. Table 1-2: Group Policy and User Attributes Pushed to the Cisco ASA 5505 Configured as an EasyVPN Hardware Client. Command / Description. backup-servers: Sets up backup servers on the client ...

Page 1789: ...in cleartext form. Options include the following: split-tunnel-policy: Indicates that you are setting rules for tunneling traffic. excludespecified: Defines a list of networks to which traffic goes in the clear. tunnelall: Specifies that no traffic goes in the clear or to any other destination than the Easy VPN server. Remote users reach Internet networks through the corporate network and do not have acc...

Page 1790: ...default, IUA is disabled. To enable the IUA, use the user-authentication enable command in group-policy configuration mode. See Configuring User Authentication, page 1-67. The security appliance works correctly from behind a NAT device, and if the ASA5505 is configured in NAT mode, the provisioned IP to which the clients all PAT is injected into the routing table on the central site device. Caution: Do not...

Page 1791: ...employing the authentication methods of the Point-to-Point Protocol (PPP) over an Ethernet network. When used by ISPs, PPPoE allows authenticated assignment of IP addresses. In this type of implementation, the PPPoE client and server are interconnected by Layer 2 bridging protocols running over a DSL or other broadband connection. PPPoE is composed of two main phases: Active Discovery Phase: In this phase...

Page 1792: ...group_name with the same group name you defined in the previous step. Enter the appropriate keyword for the type of authentication used by your ISP: CHAP (Challenge Handshake Authentication Protocol); MS-CHAP (Microsoft Challenge Handshake Authentication Protocol Version 1); PAP (Password Authentication Protocol). Note: When using CHAP or MS-CHAP, the username may be referred to as the remote system name, while...

Page 1793: ...utomatically set to 1492 bytes, which is the correct value to allow PPPoE transmission within an Ethernet frame. Reenter this command to reset the DHCP lease and request a new lease. Note: If PPPoE is enabled on two interfaces (such as a primary and backup interface), and you do not configure dual ISP support (see the Monitoring a Static or Default Route section on page 1-6), then the ASA can only send traf...

Page 1794: ...e following summarizes the function of each keyword: event: Displays protocol event information. error: Displays error messages. packet: Displays packet information. Use the following command to view the status of PPPoE sessions: hostname# show vpdn session [l2tp | pppoe] [id sess_id | packets | state | window] The following example shows a sample of information provided by this command: hostname# show vpdn Tunnel id 0 ...

Page 1795: ...e command: hostname(config)# clear configure vpdn username Entering either of these commands has no effect upon active PPPoE connections. Using Related Commands: Use the following command to cause the DHCP server to use the WINS and DNS addresses provided by the access concentrator as part of the PPP/IPCP negotiations: hostname(config)# dhcpd auto_config client_ifx_name This command is only required if th...

Page 1796: ...1-6 Cisco ASA Series CLI Configuration Guide. Chapter 1: Configuring the PPPoE Client. Using Related Commands ...

Page 1797: ...esses on the inside interfaces and IPv6 addresses on the outside interfaces. The ASAs have IPv6 inside networks and the outside network is IPv4: IPv6 addresses on the inside interface and IPv4 addresses on the outside interfaces. The ASAs have IPv6 inside networks and the outside network is IPv6: IPv6 addresses on the inside and outside interfaces. Note: The ASA supports LAN-to-LAN IPsec connections wit...

Page 1798: ...mit ip 192.168.0.0 255.255.0.0 150.150.0.0 255.255.0.0 hostname(config)# tunnel-group 10.10.4.108 type ipsec-l2l hostname(config)# tunnel-group 10.10.4.108 ipsec-attributes hostname(config-tunnel-ipsec)# ikev1 pre-shared-key 44kkaol59636jnfx hostname(config)# crypto map abcmap 1 match address l2l_list hostname(config)# crypto map abcmap 1 set peer 10.10.4.108 hostname(config)# crypto map abcmap 1 set ikev1 tr...

Page 1799: ...using the command syntax in the examples. Step 1: To enter Interface configuration mode, in global configuration mode enter the interface command with the default name of the interface to configure. In the following example the interface is ethernet0: hostname(config)# interface ethernet0/0 hostname(config-if)# Step 2: To set the IP address and subnet mask for the interface, enter the ip address command. In...

Page 1800: ...rength of the encryption key determination algorithm. The ASA uses this algorithm to derive the encryption and hash keys. For IKEv2, a separate pseudo-random function (PRF) used as the algorithm to derive keying material and hashing operations required for the IKEv2 tunnel encryption, etc. A limit to the time the ASA uses an encryption key before replacing it. With IKEv1 policies, for each parameter you se...

Page 1801: ...mode: hostname(config)# crypto ikev1 enable outside hostname(config)# Step 8: To save your changes, enter the write memory command: hostname(config)# write memory hostname(config)# Configuring ISAKMP Policies for IKEv2 Connections: To configure ISAKMP policies for IKEv2 connections, use the crypto ikev2 policy priority command to enter IKEv2 policy configuration mode, where you can configure the IKEv2 parameters...

Page 1802: ...ate transform sets in the ASA configuration, and then specify a maximum of 11 of them in a crypto map or dynamic crypto map entry. Table 1-1 lists valid encryption and authentication methods. Tunnel Mode is the usual way to implement IPsec between two ASAs that are connected over an untrusted network, such as the public Internet. Tunnel mode is the default and requires no configuration. To configure a t...

Page 1803: ...e, use the crypto ipsec ikev2 ipsec-proposal command to enter ipsec-proposal configuration mode, where you can specify multiple encryption and integrity types for the proposal. In this example, secure is the name of the proposal: hostname(config)# crypto ipsec ikev2 ipsec-proposal secure hostname(config-ipsec-proposal)# Step 2: Then enter a protocol and encryption types. ESP is the only supported protocol. Fo...

Page 1804: ...the ASA stores tunnel groups internally. There are two default tunnel groups in the ASA: DefaultRAGroup, which is the default IPsec remote-access tunnel group, and DefaultL2Lgroup, which is the default IPsec LAN-to-LAN tunnel group. You can modify them but not delete them. The main difference between IKE versions 1 and 2 lies in terms of the authentication method they allow. IKEv1 allows only one type of a...

Page 1805: ...preshared key on both ASAs for this LAN-to-LAN connection. The key is an alphanumeric string of 1-128 characters. In the following example, the IKEv1 preshared key is 44kkaol59636jnfx: hostname(config)# tunnel-group 10.10.4.108 ipsec-attributes hostname(config-tunnel-ipsec)# pre-shared-key 44kkaol59636jnfx In the next example, the IKEv2 preshared key is configured also as 44kkaol59636jnfx: hostname(config)# t...

Page 1806: ...eparate crypto map entry for each crypto access list. To create a crypto map and apply it to the outside interface in global configuration mode, perform the following steps in either single or multiple context mode. Step 1: To assign an access list to a crypto map entry, enter the crypto map match address command. The syntax is: crypto map map-name seq-num match address aclname In the following example, t...

Page 1807: ...to an interface instructs the ASA to evaluate all interface traffic against the crypto map set and to use the specified policy during connection or security association negotiations. Binding a crypto map to an interface also initializes the runtime data structures, such as the security association database and the security policy database. When you later modify a crypto map in any way, the ASA automa...

Page 1808: ...1-12 Cisco ASA Series CLI Configuration Guide. Chapter 1: Configuring LAN-to-LAN IPsec VPNs. Creating a Crypto Map and Applying It To an Interface ...

Page 1809: ...Configuring Application Access, page 1-51; Configuring Port Forwarding, page 1-63; Application Access User Notes, page 1-70; Configuring File Access, page 1-73; Ensuring Clock Accuracy for SharePoint Access, page 1-77; Using Clientless SSL VPN with PDAs, page 1-77; Using E-Mail over Clientless SSL VPN, page 1-77; Configuring Portal Access Rules, page 1-79; Clientless SSL VPN End User Setup, page 1-83; Configuring ...

Page 1810: ...figure at an internal server. The ASA recognizes connections that need to be proxied, and the HTTP server interacts with the authentication subsystem to authenticate users. The network administrator provides access to resources by users of clientless SSL VPN sessions on a group basis. Users have no direct access to resources on the internal network. Licensing Requirements: The following table shows the ...

Page 1811: ...in increments of 1000. ASA 5512-X: AnyConnect Premium license. Base License: 2 sessions. Optional permanent or time-based licenses: 10, 25, 50, 100, or 250 sessions. Optional Shared licenses3: Participant or Server. For the Server license, 500-50,000 in increments of 500 and 50,000-545,000 in increments of 1000. ASA 5515-X: AnyConnect Premium license. Base License: 2 sessions. Optional permanent or time-based licens...

Page 1812: ...rements of 500 and 50,000-545,000 in increments of 1000. ASA 5585-X with SSP-20, -40, and -60: AnyConnect Premium license. Base License: 2 sessions. Optional permanent or time-based licenses: 10, 25, 50, 100, 250, 500, 750, 1000, 2500, 5000, or 10000 sessions. Optional Shared licenses3: Participant or Server. For the Server license, 500-50,000 in increments of 500 and 50,000-545,000 in increments of 1000. ASASM: AnyConnect...

Page 1813: ...install Java on Mac OS X, see http://java.com/en/download/faq/java_mac.xml. If you have several group policies configured for the clientless portal, they are displayed in a drop-down on the logon page. If the top of the list of group policies is one that requires a certificate, then as soon as the user gets to the logon page they must have a matching certificate. If not all your group policies use certif...

Page 1814: ...te verification against a list of trusted certificate authority (CA) certificates for clientless SSL VPN. When you connect to a remote server via a web browser using the HTTPS protocol, the server will provide a digital certificate signed by a CA to identify itself. Web browsers ship with a collection of CA certificates which are used to verify the validity of the server certificate. This is a form of p...

Page 1815: ...PN Sessions, page 1-7; Configuring Clientless SSL VPN and ASDM Ports, page 1-8; Configuring Support for Proxy Servers, page 1-8; Configuring SSL/TLS Encryption Protocols, page 1-11. Using HTTPS for Clientless SSL VPN Sessions: To permit clientless SSL VPN sessions on an interface, perform the following steps. Prerequisites: In a web browser, users enter the ASA address in the format https://address, where address...

Page 1816: ...ample: hostname(config)# webvpn hostname(config-webvpn)# enable outside Enables clientless SSL VPN sessions on the interface called outside. Command / Purpose. Step 1: webvpn: Switches to webvpn configuration mode. Step 2: port port_number Example: hostname(config)# http server enable hostname(config)# http 192.168.3.0 255.255.255.0 outside hostname(config)# webvpn hostname(config-webvpn)# port 444 hostname(config-webv...

Page 1817: ...authentication and basic authentication are supported. Step 3: http-proxy host [port] [exclude url] [username username {password password}] Step 4: https-proxy host [port] [exclude url] [username username {password password}] Step 5: http-proxy pac url Step 6: (Optional) exclude: Excludes URLs from those that can be sent to the proxy server. Step 7: host: Provides the hostname or IP address for the external proxy server. Ste...

Page 1818: ...character in the ANSI character set. [!x-y] to match any single character that is not in the range. Step 13: If you entered http-proxy pac, follow it with http:// and type the URL of the proxy autoconfiguration file. If you omit the http:// portion, the CLI ignores the command. Step 14: (Optional) username: Accompanies each HTTP proxy request with a username for basic proxy authentication. Only the http-proxy host co...

Page 1819: ...entials section on page 1-9. Configuring Application Profile Customization Framework: Clientless SSL VPN includes an Application Profile Customization Framework option that lets the ASA handle non-standard applications and web resources so they display correctly over a clientless SSL VPN connection. An APCF profile contains a script that specifies when (pre, post), where (header, body, request, response), and ...

Page 1820: ...n APCF profile named apcf1.xml, located on flash memory. Shows how to enable an APCF profile named apcf2.xml, located on an https server called myserver, port 1440, with the path being /apcf. Table 1-1: APCF XML Tags. Tag / Use. <APCF></APCF>: The mandatory root element that opens any APCF XML file. <version>1.0</version>: The mandatory tag that specifies the APCF implementation version. Currently the only version is 1...

Page 1821: ...sed script: rewrite-header, add-header, delete-header. do: Child element of the action tag, used to define one of the following actions: no-rewrite: Do not mangle the content received from the remote server. no-toolbar: Do not insert the toolbar. no-gzip: Do not compress the content. force-cache: Preserve the original caching instructions. force-no-cache: Make object non-cacheable. downgrade-http-version-on-bac...

Page 1822: ...type for all xyz objects id apcf entities process response header conditions request uri fnmatch xyz request uri fnmatch conditions action rewrite header header Content Type header value text html value rewrite header action process response header apcf entities application APCF delete header delete header Child element of the action tag used to delete the specified HTTP header specified by the ch...

Page 1823: ...talking only to a RADIUS server. Prerequisites: Native LDAP requires an SSL connection. You must enable LDAP over SSL before attempting to do password management for LDAP. By default, LDAP uses port 636. If you are using an LDAP directory server for authentication, password management is supported with the Sun Java System Directory Server (formerly named the Sun ONE Directory Server) and the Microsoft Act...

Page 1824: ...ribes the four SSO authentication methods supported by clientless SSL VPN: HTTP Basic and NTLMv1 (NT LAN Manager) authentication, the Computer Associates eTrust SiteMinder SSO server (formerly Netegrity SiteMinder), and Version 1.1 of Security Assertion Markup Language (SAML), the POST-type SSO server authentication. This section includes: Configuring SSO with HTTP Basic or NTLM Authentication, page 1-17; Confi...

Page 1825: ...dual user of clientless SSL VPN. Command / Purpose. Step 1: Example: hostname(config)# webvpn hostname(config-webvpn)# auto-signon allow ip 10.1.1.1 255.255.255.0 auth-type ntlm Configures auto-signon for all users of clientless SSL VPN to servers with IP addresses ranging from 10.1.1.0 to 10.1.1.255, using NTLM authentication. Step 2: Example: hostname(config)# webvpn hostname(config-webvpn)# auto-signon allow uri...

Page 1826: ...onfiguring the authentication request timeout; Configuring the number of authentication request retries. Restrictions: If you want to configure SSO for a user or group for clientless SSL VPN access, you must first configure a AAA server, such as a RADIUS or LDAP server. You can then set up SSO support for clientless SSL VPN. Detailed Steps: This section presents specific steps for configuring the ASA to s...

Page 1827: ...SSO authentication attempt times out. The default number of seconds is 5, and the possible range is 1 to 30. Changes the number of seconds before a request times out to 8. Step 7: max-retry-attempts Example: hostname(config-webvpn-sso-siteminder)# max-retry-attempts 4 hostname(config-webvpn-sso-siteminder)# Configures the number of times the ASA retries a failed SSO authentication attempt before the authen...

Page 1828: ...owser Post Profile: This section describes configuring the ASA to support Security Assertion Markup Language (SAML) Version 1.1 POST profile Single Sign-On (SSO) for authorized users. After a session is initiated, the ASA authenticates the user against a configured AAA method. Next, the ASA (the asserting party) generates an assertion to the relying party, the consumer URL service provided by the SAML server...

Page 1829: ...sample type SAML-V1.1-post hostname(config-webvpn-sso-saml)# Creates an SSO server. Creates an SSO server named Sample, of type SAML V1.1 POST. Step 3: sso-saml: Switches to webvpn-sso-saml configuration mode. Step 4: assertion-consumer-url Example: hostname(config-webvpn-sso-saml)# assertion-consumer-url http://www.example.com/webvpn hostname(config-webvpn-sso-saml)# Specifies the authentication URL of the SSO s...

Page 1830: ...webvpn-sso-saml)# max-retry-attempts 4 hostname(config-webvpn-sso-saml)# Configures the number of times the ASA retries a failed SSO authentication attempt before the authentication times out. Sets the number of retries to 4. The default is 3 retry attempts, and the possible range is 1 to 5 attempts. Step 9: webvpn: Switches to webvpn configuration mode. Step 10: group-policy webvpn / username webvpn: If assigni...

Page 1831: ...set for successful request and not set for unauthorized logons. In this case, ASA cannot distinguish successful from failed authentication. Detailed Steps: The ASA again serves as a proxy for users of clientless SSL VPN to an authenticating web server, but in this case it uses HTTP Form protocol and the POST method for requests. You must configure the ASA to send and receive form data. Figure 1-4 illustr...

Page 1832: ...nd some are optional. If the web server requires data for a hidden parameter, it rejects any authentication POST request that omits that data. Because a header analyzer does not tell you if a hidden parameter is mandatory or not, we recommend that you include all hidden parameters until you determine which are mandatory. To configure SSO with the HTTP Form protocol, you must perform the following: Config...

Page 1833: ...nfig aaa server host action uri l appdir authc forms MCOlogin fcc TYP hostname config aaa server host action uri 554433 REALMOID 06 000a1311 a828 1185 hostname config aaa server host action uri ab41 8333b16a0008 GUID SMAUTHREASON hostname config aaa server host action uri 0 METHOD GET SMAGENTNAME SM 5FZmjnk hostname config aaa server host action uri 3DRNwNjk2KcqVCFbIrNT9 2bJ0H0KPshFtg6r hostname c...

Page 1834: ...from a POST request. This hidden parameter includes four form entries and their values, separated by &. The four entries and their values are: SMENC with a value of ISO-8859-1; SMLOCALE with a value of US-EN; target with a value of https%3A%2F%2Fwww.example.com%2Femco%2Fappdir%2FAreaRoot.do%3FEMCOPageCode%3DENG; smauthreason with a value of 0. Step 7: (Optional) auth-cookie-name Example: hostname(config-aaa-s...

Page 1835: ...me(config-aaa-server-host)# hidden-parameter de%3DENG&smauthreason=0 hostname(config-aaa-server-host)# Specifies hidden parameters for exchange with the authenticating web server. Shows an example hidden parameter excerpted from a POST request. This hidden parameter includes four form entries and their values, separated by &. The four entries and their values are: SMENC with a value of ISO-8859-1; SMLOCALE wi...

Page 1836: ... GET SMAGENTNAME SM 5FZmjnk3DRNwNjk2KcqVCFbIr NT9 2bJ0H0KPshFtg6rB1UV2PxkHqLw 3d 3d TARGET https 3A 2F 2Fwww example com 2Femco 2Fmye mco 2FHTTP 1 1 Host www example com BODY SMENC ISO 8859 1 SMLOCALE US EN USERID Anyuser USER_PASSWORD XXXXXX target https 3A 2F 2Fwww example com 2Femco 2Fmyemco 2F smauthreason 0 Step 4: Examine the POST request and copy the protocol, host, and the complete URL to con...

Page 1837: ...lly log in to the web server, examine the server response with the HTTP header analyzer to locate the name of the session cookie set by the server in your browser. This is the auth-cookie-name parameter. In the following server response header, the name of the session cookie is SMSESSION; you just need the name, not the value. Figure callouts: 1 Action URI parameter; 2 Hidden parameters; 3 Username and password parameters ...

Page 1838: ...P bHIHtWLDKTa8ngDB lbYTjIxrbDx8WPWwaG3CxVa3adOxHFR8yjD55GevK3ZF4ujgU1lhO6fta0dSS OSepWvnsCb7IFxCw MGiw0o88uHa2t4l SillqfJvcpuXfiIAO06D gtDF40Ow5YKHEl2KhDEvv yQ zxwfEz2cl7Ef5iMr8LgGcDK7qvMcvrgUqx68JQOK2 RSwtHQ15bCZmsDU5vQVCvSQWC8OMHNGwpS25 3XwRLvd h6S tM0k98QMv i3N8oOdj1V7flBqecH7 kVrU01F6oFzr0zM1kMyLr5HhlVDh7B0k9wp0 dUFZiAzaf43jupD5f6CEkuLeudYW1xgNzsR8eqtPK6t1gFJyOn0s7QdNQ7q9knsPJsekRAH9hrLBhW BLT...
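The procedure on the preceding pages (copy the action URI from the captured POST, keep every hidden field, name the username and password fields, take the session cookie name from the server response) can be scripted against the raw request and response that a header analyzer shows you. The following is an added example, not code from the Cisco guide: it parses a constructed POST request and response modeled on the SiteMinder-style exchange above and emits the aaa-server host sub-commands. The hyphenated keywords action-uri, hidden-parameter, user-parameter, password-parameter and auth-cookie-name are assumed from the names the guide uses, and the per-line length at which the action URI is split is an assumption (the guide only shows that a long URI may be entered as several action-uri lines).

```python
"""Derive Cisco ASA HTTP Form SSO settings from a captured login exchange.

Added example, not part of the Cisco guide.  Command keywords are assumed
from the names the guide uses; the URI split length is an assumption.
"""
from urllib.parse import unquote_plus

# Constructed sample request, loosely modeled on the guide's example.
# Values are illustrative, not captured from a real server.
SAMPLE_POST = (
    "POST /appdir/authc/forms/MCOlogin.fcc?TYPE=33554433"
    "&REALMOID=06-000a1311-a828-1185-ab41-8333b16a0008&GUID=&SMAUTHREASON=0"
    "&METHOD=GET&SMAGENTNAME=SM-5FZmjnk3DRNwNjk2KcqVCFbIrNT9%2bJ0H0KPshFtg6rB1UV2PxkHqLw%3d%3d"
    "&TARGET=https%3A%2F%2Fwww.example.com%2Femco%2Fmyemco%2F HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "SMENC=ISO-8859-1&SMLOCALE=US-EN&USERID=Anyuser&USER_PASSWORD=XXXXXX"
    "&target=https%3A%2F%2Fwww.example.com%2Femco%2Fmyemco%2F&smauthreason=0"
)

# Constructed sample response; only the cookie *name* matters to the ASA.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Set-Cookie: SMSESSION=bHIHtWLDKTa8ngDB; path=/; domain=.example.com\r\n"
    "Set-Cookie: SMIDENTITY=xyz; path=/; domain=.example.com\r\n"
    "Location: https://www.example.com/emco/myemco/\r\n"
    "\r\n"
)


def parse_http_message(raw):
    """Split a raw HTTP/1.1 message into (start line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def action_uri_from_request(start_line, headers, scheme="https"):
    """Step 4: protocol + Host header + request target is the action URI."""
    method, target, _version = start_line.split(" ", 2)
    if method != "POST":
        raise ValueError(f"expected the login POST, got {method}")
    host = next(v for k, v in headers if k == "host")
    return f"{scheme}://{host}{target}"


def split_form_fields(body, username, password):
    """Identify the credential fields by the values you typed; every other
    field is treated as hidden.  Pairs keep their original URL encoding
    (no decode/re-encode round trip) so the ASA resends exactly what the
    browser sent."""
    user_field = password_field = None
    hidden = []
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        decoded = unquote_plus(value)
        if decoded == username and user_field is None:
            user_field = name
        elif decoded == password and password_field is None:
            password_field = name
        else:
            hidden.append(pair)
    if user_field is None or password_field is None:
        raise ValueError("username/password fields not found in the POST body")
    return user_field, password_field, "&".join(hidden)


def cookie_names(headers):
    """Step 7: names (never values) of every cookie the server set."""
    return [v.split("=", 1)[0].strip() for k, v in headers if k == "set-cookie"]


def chunk(text, size):
    """Split a long URI into pieces entered as consecutive action-uri lines;
    the size used is an assumption, not a documented ASA limit."""
    return [text[i:i + size] for i in range(0, len(text), size)]


def build_config(post_raw, response_raw, username, password, session_cookie,
                 scheme="https", uri_chunk=60):
    """Return the aaa-server host sub-commands for HTTP Form SSO."""
    start, req_headers, body = parse_http_message(post_raw)
    _, resp_headers, _ = parse_http_message(response_raw)
    if session_cookie not in cookie_names(resp_headers):
        raise ValueError(f"server response does not set cookie {session_cookie!r}")
    user_field, password_field, hidden = split_form_fields(body, username, password)
    uri = action_uri_from_request(start, req_headers, scheme)
    lines = [f"action-uri {part}" for part in chunk(uri, uri_chunk)]
    # Keep every hidden field until you have proven which ones are mandatory:
    # a server that requires one rejects any POST that omits it.
    lines.append(f"hidden-parameter {hidden}")
    lines.append(f"user-parameter {user_field}")
    lines.append(f"password-parameter {password_field}")
    lines.append(f"auth-cookie-name {session_cookie}")
    return lines


if __name__ == "__main__":
    for line in build_config(SAMPLE_POST, SAMPLE_RESPONSE, "Anyuser", "XXXXXX", "SMSESSION"):
        print(line)
```

Run the script with the credentials you actually typed into the login form and the cookie name you chose from the response; it refuses to emit a configuration if that cookie is not among the Set-Cookie headers, which catches the common mistake of copying a cookie name from a different page than the login response. Once the hidden-parameter line works end to end, remove fields one at a time to find the minimal set the server really requires.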

Page 1839: ...on on some web pages. The former POST plug-in approach was created so that administrators could specify a POST bookmark with sign-on macros and receive a kick-off page to load prior to posting the POST request. This POST plug-in approach eliminated those requests that required the presence of cookies or other header items. Now an administrator determines the pre-load page and URL, which specifies ...

Page 1840: ...ASA, an empty string is substituted and the behavior converts back as if no auto sign-in is available. Note: Accessing Virtual Desktop Infrastructure (VDI). In a VDI model, administrators publish enterprise applications or desktops pre-loaded with enterprise applications, and end users remotely access these applications. These virtualized resources appear just as any other resources, such as email, so that u...

Page 1841: ...s value can be a clientless macro. Encoding: With encoding, you can view or specify the character encoding for clientless SSL VPN portal pages. Character encoding, also called character coding and a character set, is the pairing of raw data (such as 0s and 1s) with characters to represent the data. The language determines the character encoding method to use. Some languages use a single method, while others ...

Page 1842: ... 40 characters and equal to one of the valid character sets identified in http://www.iana.org/assignments/character-sets. You can use either the name or the alias of a character set listed on that page. The string is case-insensitive. The command interpreter converts upper case to lower case when you save the ASA configuration. Step 2 Enter the name or IP address of a CIFS server for which the encoding ...

Page 1843: ...onfiguration by letting you apply policies to many users. You can use an internal authentication server on the ASA or an external RADIUS or LDAP server to assign users to group policies. See Chapter 1, Configuring Connection Profiles, Group Policies, and Users, for a thorough explanation of ways to simplify configuration with group policies. Configuring Connection Profile Attributes for Clientless SSL VP...

Page 1844: ...p Policy or Use Success Group Policy if criteria match
no: Removes an attribute-value pair
override-svc-download: Overrides downloading the group-policy or username attributes configured for downloading the AnyConnect VPN client to the remote user
pre-fill-username: Configures username-to-certificate binding on this tunnel group
proxy-auth: Identifies this tunnel group as a specific proxy authenticati...

Page 1845: ...Configures compression
http-proxy: Configures the ASA to use an external proxy server to handle HTTP requests. Note: Proxy NTLM authentication is not supported in http-proxy; only proxy without authentication and basic authentication are supported.
keep-alive-ignore: Sets the maximum object size to ignore for updating the session timer
port-forward: Applies a list of clientless SSL VPN TCP ports to forwa...

Page 1846: ...mmended plug-in. When the user in a clientless SSL VPN session clicks the associated menu option on the portal page, the portal page displays a window to the interface and displays a help pane. The user can select the protocol displayed in the drop-down menu and enter the URL in the Address field to establish a connection. The plug-ins support single sign-on (SSO). Refer to the Configuring SSO with the H...

Page 1847: ... clientless features such as bookmarks, customization, and dynamic access policies are not synchronized between the failover ASA pairs. In the event of a failover, these features do not work. Preparing the Security Appliance for a Plug-in: Before installing a plug-in, prepare the ASA as follows. Prerequisites: Make sure clientless SSL VPN (webvpn) is enabled on an ASA interface. Restrictions: Do not specify an...

Page 1848: ...P for the rest via GroupPolicy, etc. Use this plug-in if you want to use a single plug-in for Windows, Mac OS X, and Linux operating systems. See This Document for a list of all supported operating systems. Customers can download this plug-in from these locations: HOBSoft, Cisco.com. ProperJavaRDP. RDP: Accesses Microsoft Terminal Services hosted by Windows Vista and Windows 2003 R2. Supports Remote Desktop ...

Page 1849: ... Shell/Telnet plug-in lets the remote user establish a Secure Shell (v1 or v2) or Telnet connection to a remote computer. Note: Because keyboard-interactive authentication is not supported by JavaSSH, it cannot be supported with the SSH plug-in. Keyboard-interactive is a generic authentication method used to implement different authentication mechanisms. The web site containing the source of the redistributed...