manualshive.com logo in svg

Cisco ASA 5512-X, Configuration Manual, Page: 263 / 422

Share
Download
Cisco ASA 5512-X Configuration Manual Download Page 263

 

11-7

Cisco ASA Series Firewall CLI Configuration Guide

 

Chapter 11      Connection Settings

  Configure Connection Settings

 

Customize Abnormal TCP Packet Handling (TCP Maps, TCP Normalizer) 

The TCP Normalizer identifies abnormal packets that the ASA can act on when they are detected; for 
example, the ASA can allow, drop, or clear the packets. TCP normalization helps protect the ASA from 
attacks. TCP normalization is always enabled, but you can customize how some features behave.

The default configuration includes the following settings:

no check-retransmission 

no checksum-verification 

exceed-mss allow

queue-limit 0 timeout 4

reserved-bits allow

syn-data allow

synack-data drop

invalid-ack drop

seq-past-window drop

tcp-options range 6 7 clear

tcp-options range 9 255 clear

tcp-options selective-ack allow

tcp-options timestamp allow

tcp-options window-scale allow

ttl-evasion-protection 

urgent-flag clear

window-variation allow-connection

To customize the TCP normalizer, first define the settings using a TCP map. Then, you can apply the 
map to selected traffic classes using service policies.

Procedure

Step 1

Create a TCP map to specify the TCP normalization criteria that you want to look for.

hostname(config)# 

tcp-map 

tcp-map-name

Step 2

Configure the TCP map criteria by entering one or more of the following commands. The defaults are 
used for any commands you do not enter. Use the 

no

 form of a command to disable the setting.

check-retransmission

—Prevent inconsistent TCP retransmissions. This command is disabled by 

default.

checksum-verification

—Verify the TCP checksum, dropping packets that fail verification. This 

command is disabled by default.

exceed-mss 

{

allow

 | 

drop

}—Allow or drop packets whose data length exceeds the TCP maximum 

segment size. The default is to allow the packets.

invalid-ack 

{

allow

 | 

drop

}—Allow or drop packets with an invalid ACK. The default is to drop the 

packet, with the exception of WAAS connections, where they are allowed. You might see invalid 
ACKs in the following instances:

In the TCP connection SYN-ACK-received status, if the ACK number of a received TCP packet 
is not exactly the same as the sequence number of the next TCP packet sending out, it is an 
invalid ACK.

Whenever the ACK number of a received TCP packet is greater than the sequence number of 
the next TCP packet sending out, it is an invalid ACK.

Summary of Contents for ASA 5512-X

Page 1: ...o website at www cisco com go offices Cisco ASA Series Firewall CLI Configuration Guide Software Version 9 3 For the ASA 5506 X ASA 5512 X ASA 5515 X ASA 5525 X ASA 5545 X ASA 5555 X ASA 5585 X ASA Services Module and the Adaptive Security Virtual Appliance Released July 24 2014 Updated February 18 2015 Text Part Number N A Online only ...

Page 2: ...LIMITATION THOSE OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING USAGE OR TRADE PRACTICE IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT SPECIAL CONSEQUENTIAL OR INCIDENTAL DAMAGES INCLUDING WITHOUT LIMITATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL EVEN IF CISCO OR...

Page 3: ...e Security Device Manager ASDM a web based GUI application ASDM includes configuration wizards to guide you through some common configuration scenarios and online help for less common scenarios Throughout this guide the term ASA applies generically to supported models unless specified otherwise Related Documentation For more information see Navigating the Cisco ASA Series Documentation at http www...

Page 4: ...isco technical documentation as an RSS feed and delivers content directly to your desktop using a reader application The RSS feeds are a free service x y z Required alternative keywords are grouped in braces and separated by vertical bars x y z Optional alternative keywords are grouped in brackets and separated by vertical bars string A nonquoted set of characters Do not use quotation marks around...

Page 5: ...P A R T 1 Service Policies and Access Control ...

Page 6: ......

Page 7: ...e or applied globally About Service Policies page 1 1 Guidelines for Service Policies page 1 8 Defaults for Service Policies page 1 9 Configure Service Policies page 1 11 Monitoring Service Policies page 1 19 Examples for Service Policies Modular Policy Framework page 1 19 History for Service Policies page 1 22 About Service Policies The following topics describe how service policies work The Comp...

Page 8: ...The class command defines the traffic matching criteria for the rule b The commands associated with class such as inspect set connection timeout and so forth define the services and constraints to apply to matching traffic Note that inspect commands can point to inspection policy maps which define actions to apply to inspected traffic Keep in mind that inspection policy maps are not the same as se...

Page 9: ...inside class1 rule In ASDM this maps to call out 3 from the Match to the Time fields class map inside class1 match access list inside_mpc_2 Policy map that actually defines the service policy rule set named test inside policy In ASDM this corresponds to the folder at call out 1 policy map test inside policy First rule in test inside policy named sip class inside Inspects SIP traffic The sip class ...

Page 10: ...lication Layer Protocol Inspection Chapter 7 Inspection of Basic Internet Protocols Chapter 8 Inspection for Voice and Video Protocols Chapter 9 Inspection of Database and Directory Protocols Chapter 10 Inspection for Management Application Protocols Chapter 14 ASA and Cisco Cloud Web Security ASA IPS Yes No Chapter 18 ASA IPS Module ASA CX Yes No Chapter 17 ASA CX Module ASA FirePOWER ASA SFR Yes...

Page 11: ... to match it to any subsequent class maps for that feature type 3 If the packet matches a subsequent class map for a different feature type however then the ASA also applies the actions for the subsequent class map if supported See Incompatibility of Certain Feature Actions page 1 7 for more information about unsupported combinations Note Application inspection includes multiple inspection types a...

Page 12: ...y other type of inspection Order in Which Multiple Feature Actions are Applied The order in which different types of actions in a policy map are performed is independent of the order in which the actions appear in the policy map Actions are performed in the following order 1 QoS input policing 2 TCP normalization TCP and UDP connection limits and timeouts TCP sequence number randomization and TCP ...

Page 13: ...ch packet based on the destination port of the traffic For example when UDP traffic for port 69 reaches the ASA then the ASA applies the TFTP inspection when TCP traffic for port 21 arrives then the ASA applies the FTP inspection So in this case only you can configure multiple inspections for the same class map Normally the ASA does not use the port number to determine which inspection to apply th...

Page 14: ... traffic that is not treated as a flow for example ICMP when you do not enable stateful ICMP inspection returning traffic can match a different policy map on the returning interface For example if you configure IPS on the inside and outside interfaces but the inside policy uses virtual sensor 1 while the outside policy uses virtual sensor 2 then a non stateful Ping will match virtual sensor 1 outb...

Page 15: ... an interface policy with FTP inspection then only the interface policy FTP inspection is applied to that interface You can only apply one global policy For example you cannot create a global policy that includes feature set 1 and a separate global policy that includes feature set 2 All features must be included in a single policy When you make service policy changes to the configuration all new c...

Page 16: ... particular feature The default policy includes the following application inspections DNS FTP H323 H225 H323 RAS RSH RTSP ESMTP SQLnet Skinny SCCP SunRPC XDMCP SIP NetBios TFTP IP Options The default policy configuration includes the following commands class map inspection_default match default inspection traffic policy map type inspect dns preset_dns_map parameters message length maximum client a...

Page 17: ...ctions for the same class map Normally the ASA does not use the port number to determine which inspection to apply thus giving you the flexibility to apply inspections to non standard ports for example class map inspection_default match default inspection traffic Another class map that exists in the default configuration is called class default and it matches all traffic This class map appears at ...

Page 18: ... class map for reuse or for more complicated matching For example you could match text within a inspected packets using a regular expression or a group of regular expressions a regular expression class map and target actions based on narrower criteria For example you might want to drop all HTTP requests with a URL including the text example com See Defining Actions in an Inspection Policy Map page...

Page 19: ...an create multiple Layer 3 4 class maps for each Layer 3 4 policy map Create a Layer 3 4 Class Map for Through Traffic page 1 13 Create a Layer 3 4 Class Map for Management Traffic page 1 15 Create a Layer 3 4 Class Map for Through Traffic A Layer 3 4 class map matches traffic based on protocols ports IP addresses and other Layer 3 or 4 attributes Tip We suggest that you only inspect traffic on po...

Page 20: ...atch tcp eq 80 match default inspection traffic Matches default traffic for inspection the default TCP and UDP ports used by all applications that the ASA can inspect hostname config cmap match default inspection traffic This command which is used in the default global policy is a special CLI shortcut that when used in a policy map ensures that the correct inspection is applied to each packet base...

Page 21: ...nel group going to each IP address hostname config cmap match tunnel group group1 hostname config cmap match flow ip destination address Examples The following is an example for the class map command hostname config access list udp permit udp any any hostname config access list tcp permit tcp any any hostname config access list host_foo permit ip any 10 1 1 1 255 255 255 255 hostname config class ...

Page 22: ...ansparent firewall mode you can use an EtherType ACL hostname config cmap match access list udp match port tcp udp eq port_num range port_num port_num Matches TCP or UDP destination ports either a single port or a contiguous range of ports For applications that use multiple non contiguous ports use the match access list command and define an ACE to match each port hostname config cmap match tcp eq...

Page 23: ...name config policy map global policy hostname config pmap description This policy map defines a policy concerning connection to http server hostname config pmap class http server hostname config pmap c set connection conn max 256 The following example shows how multi match works in a policy map hostname config class map inspection_default hostname config cmap match default inspection traffic hostn...

Page 24: ...ervice policy policy_map_name global interface interface_name fail close Where policy_map_name is the name of the policy map global creates a service policy that applies to all interfaces that do not have a specific policy You can only apply one global policy so if you want to alter the global policy you need to either edit the default policy or disable it and apply a new one By default the config...

Page 25: ...Inspection to HTTP Traffic with NAT page 1 21 Applying Inspection and QoS Policing to HTTP Traffic In this example any HTTP connection TCP traffic on port 80 that enters or exits the ASA through the outside interface is classified for HTTP inspection Any HTTP traffic that exits the outside interface is classified for policing Figure 1 1 HTTP Inspection and QoS Policing See the following commands f...

Page 26: ...ffic_policy hostname config pmap class http_traffic hostname config pmap c inspect http hostname config service policy http_traffic_policy global Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers In this example any HTTP connection destined for Server A TCP traffic on port 80 that enters the ASA through the outside interface is classified for HTTP inspection and maximum...

Page 27: ...class map http_serverB hostname config cmap match access list serverB hostname config policy map policy_serverA hostname config pmap class http_serverA hostname config pmap c inspect http hostname config pmap c set connection conn max 100 hostname config policy map policy_serverB hostname config pmap class http_serverB hostname config pmap c inspect http hostname config service policy policy_serve...

Page 28: ...92 168 1 1 Mapped IP 209 165 200 225 Server 209 165 201 1 port 80 insp Security appliance 143416 Feature Name Releases Description Modular Policy Framework 7 0 1 Modular Policy Framework was introduced Management class map for use with RADIUS accounting traffic 7 2 1 The management class map was introduced for use with RADIUS accounting traffic The following commands were introduced class map type...

Page 29: ...age 6 9 for a list of applications that support inspection policy maps An inspection policy map consists of one or more of the following elements The exact options available for an inspection policy map depends on the application Traffic matching command You can define a traffic matching command directly in the inspection policy map to match application traffic to criteria specific to the applicat...

Page 30: ...type and the logical progression of parsing a packet and are not user configurable For example for HTTP traffic parsing a Request Method field precedes parsing the Header Host Length field an action for the Request Method field occurs before the action for the Header Host Length field For example the following match commands can be entered in any order but the match request method get command is m...

Page 31: ...atch request cmd get match filename regex abc policy map type inspect ftp ftp class ftp3 log class ftp2 log class ftp1 log Default Inspection Policy Maps DNS inspection is enabled by default using the preset_dns_map inspection class map The maximum DNS message length is 512 bytes The maximum client DNS message length is automatically set to match the Resource Record DNS Guard is enabled so the ASA...

Page 32: ...licy map configuration mode Step 4 Specify the traffic on which you want to perform actions using one of the following methods class class_map_name Example hostname config pmap class http_traffic hostname config pmap c Specifies the inspection class map that you created in the Identifying Traffic in an Inspection Class Map page 2 5 Not all applications support inspection class maps Specify traffic...

Page 33: ... log hostname config pmap c parameters hostname config pmap p protocol violation action log hostname config pmap p policy map test hostname config pmap class test a Layer 3 4 class map not shown hostname config pmap c inspect http http map1 hostname config pmap c service policy test interface outside Identifying Traffic in an Inspection Class Map This type of class map allows you to match criteria...

Page 34: ... http_traffic hostname config cmap Creates an inspection class map where the application is the application you want to inspect For supported applications see the CLI help for a list of supported applications or see Chapter 6 Getting Started with Application Layer Protocol Inspection The class_map_name argument is the name of the class map up to 40 characters in length The match all keyword is the...

Page 35: ... Feature Name Releases Feature Information Inspection policy maps 7 2 1 The inspection policy map was introduced The following command was introduced class map type inspect Regular expressions and policy maps 7 2 1 Regular expressions and policy maps were introduced to be used under inspection policy maps The following commands were introduced class map type regex regex match regex Match any for i...

Page 36: ...2 8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 2 Special Actions for Application Inspections Inspection Policy Map Feature History for Inspection Policy Maps ...

Page 37: ...is allowed through the ASA There are several different layers of rules that work together to implement your access control policy Extended access rules Layer 3 traffic assigned to interfaces You can apply separate rule sets ACLs in the inbound and outbound directions An extended access rule permits or denies traffic based on the source and destination traffic criteria Extended access rules assigne...

Page 38: ...ss rules are always processed before the general global access rules Global access rules apply only to inbound traffic Inbound and Outbound Rules You can configure access rules based on the direction of traffic Inbound Inbound access rules apply to traffic as it enters an interface Global and management access rules are always inbound Outbound Outbound rules apply to traffic as it exits an interfa...

Page 39: ... the packet against each rule in the order in which the rules are listed in the applied ACL After a match is found no more rules are checked For example if you create an access rule at the beginning that explicitly permits all traffic for an interface no further rules are ever checked Implicit Permits For routed mode the following types of traffic are allowed through by default Unicast IPv4 and IP...

Page 40: ... traffic that you previously allowed with an extended ACL or implicitly allowed from a high security interface to a low security interface However if you explicitly deny all traffic with an EtherType rule then IP and ARP traffic is denied only physical protocol traffic such as auto negotiation is still allowed If you configure a global access rule then the implicit deny comes after the global rule...

Page 41: ...sparent firewall mode can allow any IP traffic through Note Because these special types of traffic are connectionless you need to apply an access rule to both interfaces so returning traffic is allowed through The following table lists common traffic types that you can allow through the transparent firewall Management Access Rules You can configure access rules that control management traffic dest...

Page 42: ...Intermediate System IS IS The following types of traffic are not supported 802 3 formatted frames These frames are not handled by the rule because they use a length field as opposed to a type field EtherType Rules for Returning Traffic Because EtherTypes are connectionless you need to apply the rule to both interfaces if you want traffic to pass in both directions Allowing MPLS If you allow MPLS e...

Page 43: ...on Use the asp rule engine transactional commit access group command In ASDM rule descriptions are based on the access list remarks that come before the rule in the ACL for new rules you create in ASDM any descriptions are also configured as remarks before the related rule However the packet tracer in ASDM matches the remark that is configured after the matching rule in the CLI Normally you cannot...

Page 44: ...inst the interface ACL No per user override vpn filter Traffic is matched first against the interface ACL then against the VPN filter per user override vpn filter Traffic is matched against the VPN filter only The control plane keyword specifies if the rule is for to the box traffic For a global access group specify the global keyword to apply the extended ACL to the inbound direction of all inter...

Page 45: ...single host or to a network ip_address mask Step 2 Create rules for ICMPv6 IPv6 traffic ipv6 icmp permit deny host ipv6_address ipv6 network prefix length any icmp_type interface_name If you do not specify an icmp_type the rule applies to all types For the address you can apply the rule to any address to a single host or to a network ipv6 network prefix length Step 3 Optional Set rate limits on IC...

Page 46: ...yslog event viewer such as the one in ASDM to view messages related to access rules If you use default logging you see syslog message 106023 for explicitly denied flows only Traffic that matches the implicit deny entry that ends the rule list is not logged If the ASA is attacked the number of syslog messages for denied packets can be very large We recommend that you instead enable logging using sy...

Page 47: ...udes typical configuration examples for permitting or denying network access The following example adds a network object for inside server 1 performs static NAT for the server and enables access from the outside for inside server 1 hostname config object network inside server1 hostname config host 10 1 1 1 hostname config nat inside outside static 209 165 201 12 hostname config access list outside...

Page 48: ...fig access list outsideacl extended permit object group myaclog interface inside any History for Access Rules Feature Name Platform Releases Description Interface access rules 7 0 1 Controlling network access through the ASA using ACLs We introduced the following command access group Global access rules 8 3 1 Global access rules were introduced We modified the following command access group Suppor...

Page 49: ... 9 0 1 ICMP traffic can now be permitted denied based on ICMP code We introduced or modified the following commands access list extended service object service Transactional Commit Model on Access Group Rule Engine 9 1 5 When enabled a rule update is applied after the rule compilation is completed without affecting the rule matching performance We introduced the following commands asp rule engine ...

Page 50: ...3 14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Access Rules History for Access Rules ...

Page 51: ...P A R T 2 Network Address Translation ...

Page 52: ......

Page 53: ...any network RFC 1918 defines the private IP addresses you can use internally that should not be advertised 10 0 0 0 through 10 255 255 255 172 16 0 0 through 172 31 255 255 192 168 0 0 through 192 168 255 255 One of the main functions of NAT is to enable private IP networks to connect to the Internet NAT replaces a private IP address with a public IP address translating the private addresses in th...

Page 54: ...e host before it is translated In a typical NAT scenario where you want to translate the inside network when it accesses the outside the inside network would be the real network Note that you can translate any network connected to the ASA not just an inside network Therefore if you configure NAT to translate outside addresses real can refer to the outside network when it accesses the inside networ...

Page 55: ...jects you might see a failure in the translation of indirect addresses that do not belong to either of the objects Network Object NAT page 4 3 Twice NAT page 4 3 Comparing Network Object NAT and Twice NAT page 4 4 Network Object NAT All NAT rules that are configured as a parameter of a network object are considered to be network object NAT rules Network object NAT is a quick and easy way to config...

Page 56: ...NAT configuration instead of the actual IP addresses The network object IP address serves as the real address This method lets you easily add NAT to network objects that might already be used in other parts of your configuration Twice NAT You identify a network object or network object group for both the real and mapped addresses In this case NAT is not a parameter of the network object the networ...

Page 57: ... do not configure a twice NAT rule in this section that might match your VPN traffic instead of matching the invisible rule If VPN does not work due to NAT failure consider adding twice NAT rules to section 3 instead Section 2 Network object NAT If a match in section 1 is not found section 2 rules are applied in the following order as automatically determined by the ASA 1 Static rules 2 Dynamic ru...

Page 58: ...ed interfaces You can also specify any interface for the real address and a specific interface for the mapped address or vice versa For example you might want to specify any interface for the real address and specify the outside interface for the mapped address if you use the same private addresses on multiple interfaces and you want to translate them all to the same global pool when accessing the...

Page 59: ...supported For transparent mode a PAT pool is not supported for IPv6 For static NAT you can specify an IPv6 subnet up to 64 Larger subnets are not supported When using FTP with NAT46 when an IPv4 FTP client connects to an IPv6 FTP server the client must use either the extended passive mode EPSV or extended port mode EPRT PASV and PORT commands are not supported with IPv6 IPv6 NAT Recommendations Yo...

Page 60: ...erver1 host 209 165 200 225 object network Server1_mapped host 10 1 2 67 object service REAL_ftp service tcp destination eq ftp object service MAPPED_ftp service tcp destination eq 2021 object network MyOutNet subnet 209 165 201 0 255 255 255 224 nat inside outside source static MyInsNet MapInsNet destination static Server1_mapped Server1 service MAPPED_ftp REAL_ftp If you change the NAT configura...

Page 61: ...configuration to determine the egress interface but you have the option to always use a route lookup instead See Routing NAT Packets page 5 11 for more information You can improve system performance and reliability by using the transactional commit model for NAT See the basic settings chapter in the general operations configuration guide for more information Use the asp rule engine transactional c...

Page 62: ...oups are particularly useful for creating a mapped address pool with discontinuous IP address ranges or multiple hosts or subnets Use the object network and object group network commands to create the objects Consider the following guidelines when creating objects for twice NAT A network object group can contain objects or inline addresses of either IPv4 or IPv6 addresses The group cannot contain ...

Page 63: ... NAT Guidelines for Service Objects for Real and Mapped Ports You can optionally configure service objects for Source real port Static only or Destination real port Source mapped port Static only or Destination mapped port Use the object service command to create the objects Consider the following guidelines when creating objects for twice NAT NAT only supports TCP or UDP When translating a port b...

Page 64: ...e real host initiates the connection The translation is in place only for the duration of the connection and a given user does not keep the same IP address after the translation times out Users on the destination network therefore cannot initiate a reliable connection to a host that uses dynamic NAT even if the connection is allowed by an access rule Note For the duration of the translation a remo...

Page 65: ...Use PAT or a PAT fall back method if this event occurs often because PAT provides over 64 000 translations using ports of a single address You have to use a large number of routable addresses in the mapped pool and routable addresses may not be available in large quantities The advantage of dynamic NAT is that some protocols cannot use PAT PAT does not work with the following IP protocols that do ...

Page 66: ...ss of a single host For example 10 1 1 1 or 2001 DB8 0DB8 800 200C 417A subnet IPv4_address IPv4_mask IPv6_address IPv6_prefix The address of a network For IPv4 subnets include the mask after a space for example 10 0 0 0 255 0 0 0 For IPv6 include the address and prefix as a single unit no spaces such as 2001 DB8 0 CD30 60 range start_address end_address A range of addresses You can specify IPv4 o...

Page 67: ...nterface address hostname config object network nat range1 hostname config network object range 10 10 10 10 10 10 10 20 hostname config network object object network pat ip1 hostname config network object host 10 10 10 21 hostname config network object object group network nat pat grp hostname config network object network object object nat range1 hostname config network object network object obje...

Page 68: ...onal Create service objects for the destination real ports and the destination mapped ports For dynamic NAT you can only perform port translation on the destination A service object can contain both a source and destination port but only the destination port is used in this case If you specify the source port it will be ignored Step 3 Configure dynamic NAT nat real_ifc mapped_ifc line after auto l...

Page 69: ...ule The dns keyword translates DNS replies Be sure DNS inspection is enabled it is enabled by default You cannot configure the dns keyword if you configure a destination address See DNS and NAT page 5 21 for more information Unidirectional Optional Specify unidirectional so the destination addresses cannot initiate traffic to the source addresses Inactive Optional To make this rule inactive withou...

Page 70: ...config nat inside outside source dynamic INSIDE_NW MAPPED_2 destination static SERVERS_2 SERVERS_2 Dynamic PAT The following topics describe dynamic PAT About Dynamic PAT page 4 18 Configure Dynamic Network Object PAT page 4 20 Configure Dynamic Twice PAT page 4 22 Configure Per Session PAT or Multi Session PAT page 4 25 About Dynamic PAT Dynamic PAT translates multiple real addresses to a single ...

Page 71: ...stream that is different from the control path See Default Inspections and NAT Limitations page 6 6 for more information about NAT and PAT support Dynamic PAT might also create a large number of connections appearing to come from a single IP address and servers might interpret the traffic as a DoS attack You can configure a PAT pool of addresses and use a round robin assignment of PAT addresses to...

Page 72: ...Because NAT pools are created for every mapped protocol IP address port range round robin results in a large number of concurrent NAT pools which use memory Extended PAT results in an even larger number of concurrent NAT pools Configure Dynamic Network Object PAT This section describes how to configure network object NAT for dynamic PAT Procedure Step 1 Optional Create a host or range network obje...

Page 73: ... the mapped_ifc You must use this keyword when you want to use the interface IP address you cannot enter it inline or as an object For a PAT pool you can specify one or more of the following options Round robin The round robin keyword enables round robin address allocation for a PAT pool Without round robin by default all ports for a PAT address will be allocated before the next PAT address is use...

Page 74: ...wing example configures dynamic PAT with a PAT pool to translate the inside IPv6 network to an outside IPv4 network hostname config object network IPv4_POOL hostname config network object range 203 0 113 1 203 0 113 254 hostname config object network IPv6_INSIDE hostname config network object subnet 2001 DB8 96 hostname config network object nat inside outside dynamic pat pool IPv4_POOL Configure ...

Page 75: ...to section 3 instead after the network object NAT rules then use the after auto keyword You can insert a rule anywhere in the applicable section using the line argument Source addresses Real Specify a network object group or the any keyword Use the any keyword if you want to translate all traffic from the real interface to the mapped interface Mapped Configure one of the following Network object S...

Page 76: ...me object or group for both the real and mapped addresses Destination port Optional Specify the service keyword along with the mapped and real service objects For identity port translation simply use the same service object for both the real and mapped ports DNS Optional for a source only rule The dns keyword translates DNS replies Be sure DNS inspection is enabled it is enabled by default You can...

Page 77: ...sion PAT or Multi Session PAT By default all TCP PAT traffic and all UDP DNS traffic uses per session PAT To use multi session PAT for traffic you can configure per session PAT rules a permit rule uses per session PAT and a deny rule uses multi session PAT Per session PAT improves the scalability of PAT and for clustering allows each member unit to own PAT connections multi session PAT connections...

Page 78: ...lly created rules Be sure to create your rules in the order you want them applied xlate per session permit deny tcp udp source_ip operator src_port destination_ip operator dest_port Example hostname config xlate per session deny tcp any4 209 165 201 3 eq 1720 For the source and destination IP addresses you can configure the following host ip_address Specifies an IPv4 or IPv6 host address ip_addres...

Page 79: ...or port for each subsequent translation so bidirectional initiation is not supported The following figure shows a typical static NAT scenario The translation is always active so both real and remote hosts can initiate connections Figure 4 5 Static NAT Note You can disable bidirectionality if desired Static NAT with Port Translation Static NAT with port translation lets you specify a real and mappe...

Page 80: ...equire application inspection for secondary channels for example FTP and VoIP the ASA automatically translates the secondary ports Static NAT with Identity Port Translation The following static NAT with port translation example provides a single address for remote users to access FTP HTTP and SMTP These servers are actually different devices on the real network but for each server you can specify ...

Page 81: ... ASA outside interface to an inside host then you can map the inside host IP address port 23 to the ASA interface address port 23 Note that although Telnet to the ASA is not allowed to the lowest security interface static NAT with interface port translation redirects the Telnet session instead of denying it One to Many Static NAT Typically you configure static NAT with a one to one mapping However...

Page 82: ...e you have a load balancer at 10 1 2 27 Depending on the URL requested it redirects traffic to the correct web server For details on how to configure this example see Inside Load Balancer with Multiple Mapped Addresses Static NAT One to Many page 5 4 Figure 4 9 One to Many Static NAT Example 10 1 2 27 10 1 2 27 10 1 2 27 209 165 201 3 Inside Outside 209 165 201 4 209 165 201 5 Security Appliance 2...

Page 83: ...irectional subsequent mappings allow traffic to be initiated to the real host but all traffic from the real host uses only the first mapped address for the source The following figure shows a typical few to many static NAT scenario Figure 4 10 Few to Many Static NAT For a many to few or many to one configuration where you have more real addresses than mapped addresses you run out of mapped address...

Page 84: ...et Step 2 Create or edit the network object for which you want to configure NAT object network obj_name Example hostname config object network my host obj1 Step 3 Skip when editing an object that has the right address Define the real IPv4 or IPv6 addresses that you want to translate host IPv4_address IPv6_address The IPv4 or IPv6 address of a single host For example 10 1 1 1 or 2001 DB8 0DB8 800 2...

Page 85: ... Static NAT with port translation only routed mode only The IP address of the mapped interface is used as the mapped address If you specify ipv6 then the IPv6 address of the interface is used For this option you must configure a specific interface for the mapped_ifc You must use this keyword when you want to use the interface IP address you cannot enter it inline or as an object Be sure to also co...

Page 86: ...nfig network object nat inside outside static 2001 DB8 BBBB 96 Configure Static Twice NAT or Static NAT with Port Translation This section describes how to configure a static NAT rule using twice NAT Procedure Step 1 Create host or range network objects object network command or network object groups object group network command for the source real addresses the source mapped addresses the destina...

Page 87: ...n using the line argument Source addresses Real Specify a network object or group Do not use the any keyword which would be used for identity NAT Mapped Specify a different network object or group For static interface NAT with port translation only you can specify the interface keyword routed mode only If you specify ipv6 then the IPv6 address of the interface is used If you specify interface be s...

Page 88: ... outside access an FTP server on the inside by connecting to the outside interface IP address with destination port 65000 through 65004 The traffic is untranslated to the internal FTP server at 192 168 10 100 6500 through 65004 Note that you specify the source port range in the service object and not the destination port because you want to translate the source address and port as identified in th...

Page 89: ...exempt the client traffic from NAT The following figure shows a typical identity NAT scenario Figure 4 12 Identity NAT The following topics explain how to configure identity NAT Configure Identity Network Object NAT page 4 37 Configure Identity Twice NAT page 4 39 Configure Identity Network Object NAT This section describes how to configure an identity NAT rule using network object NAT Procedure S...

Page 90: ... sure to include the parentheses In routed mode if you do not specify the real and mapped interfaces all interfaces are used You can also specify the keyword any for one or both of the interfaces for example any outside Mapped IP addresses Be sure to configure the same IP address for both the mapped and real address Use one of the following mapped_inline_host_ip An inline IP address The netmask pr...

Page 91: ...bject for the source real addresses and instead use the keywords any any in the nat command If you want to configure destination static interface NAT with port translation only you can skip adding an object for the destination mapped addresses and instead specify the interface keyword in the nat command If you do create objects consider the following guidelines The mapped object or group can conta...

Page 92: ...e the same object or group for both the real and mapped addresses Ports Optional Specify the service keyword along with the real and mapped service objects For source port translation the objects must specify the source service The order of the service objects in the command for source port translation is service real_obj mapped_obj For destination port translation the objects must specify the des...

Page 93: ...es are shown twice first with the basic address configuration then later in the configuration the object with the NAT rule The complete object with the address and NAT rule is not shown as a unit show xlate Shows current NAT session information History for NAT Feature Name Platform Releases Description Network Object NAT 8 3 1 Configures NAT for a network object IP address es We introduced or modi...

Page 94: ... 2 from 8 3 1 8 3 2 and 8 4 1 all identity NAT configurations will now include the no proxy arp and route lookup keywords to maintain existing functionality The unidirectional keyword is removed We modified the following command nat static no proxy arp route lookup PAT pool and round robin address assignment 8 4 2 8 5 1 You can now specify a pool of PAT addresses instead of a single address You ca...

Page 95: ...ee unequal sized tiers either 1024 to 65535 or 1 to 65535 We modifed the following commands nat dynamic pat pool mapped_object flat include reserve and nat source dynamic pat pool mapped_object flat include reserve This feature is not available in 8 5 1 or 8 6 1 Extended PAT for a PAT pool 8 4 3 Each PAT IP address allows up to 65535 ports If 65535 ports do not provide enough translations you can ...

Page 96: ...t recommend using this feature unless you know you need it contact Cisco TAC to confirm feature compatibility with your network See the following limitations Only supports Cisco IPsec and AnyConnect Client Return traffic to the public IP addresses must be routed back to the ASA so the NAT policy and VPN policy can be applied Does not support load balancing because of routing issues Does not suppor...

Page 97: ...dress Without the per session feature the maximum connection rate for one address for an IP protocol is approximately 2000 per second With the per session feature the connection rate for one address for an IP protocol is 65535 average lifetime By default all TCP traffic and UDP DNS traffic use a per session PAT xlate For traffic that requires multi session PAT such as H 323 SIP or Skinny you can d...

Page 98: ...4 46 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Network Address Translation NAT History for NAT ...

Page 99: ...g are some configuration examples for network object NAT Providing Access to an Inside Web Server Static NAT page 5 1 NAT for Inside Hosts Dynamic NAT and NAT for an Outside Web Server Static NAT page 5 2 Inside Load Balancer with Multiple Mapped Addresses Static NAT One to Many page 5 4 Single Address for FTP HTTP and SMTP Static NAT with Port Translation page 5 5 Providing Access to an Inside We...

Page 100: ...he object hostname config network object nat inside outside static 209 165 201 10 NAT for Inside Hosts Dynamic NAT and NAT for an Outside Web Server Static NAT The following example configures dynamic NAT for inside users on a private network when they access the outside Also when inside users connect to an outside web server that web server address is translated to an address that appears to be o...

Page 101: ...object network myInsNet hostname config network object subnet 10 1 2 0 255 255 255 0 Step 3 Enable dynamic NAT for the inside network using the dynamic NAT pool object hostname config network object nat inside outside dynamic myNatPool Step 4 Create a network object for the outside web server hostname config object network myWebServ hostname config network object host 209 165 201 12 Step 5 Configu...

Page 102: ...ne to Many for an Inside Load Balancer Procedure Step 1 Create a network object for the addresses to which you want to map the load balancer hostname config object network myPublicIPs hostname config network object range 209 165 201 3 209 265 201 8 Step 2 Create a network object for the load balancer hostname config object network myLBHost hostname config network object host 10 1 2 27 Step 3 Confi...

Page 103: ...ing the FTP port to itself hostname config object network FTP_SERVER hostname config network object host 10 1 2 27 hostname config network object nat inside outside static 209 165 201 3 service tcp ftp ftp Step 2 Create a network object for the HTTP server and configure static NAT with port translation mapping the HTTP port to itself hostname config object network HTTP_SERVER hostname config netwo...

Page 104: ...ding on the Destination Dynamic Twice PAT The following figure shows a host on the 10 1 2 0 24 network accessing two different servers When the host accesses the server at 209 165 201 11 the real address is translated to 209 165 202 129 port When the host accesses the server at 209 165 200 225 the real address is translated to 209 165 202 130 port Figure 5 5 Twice NAT with Different Destination Ad...

Page 105: ...on addresses Step 5 Add a network object for the DMZ network 2 hostname config object network DMZnetwork2 hostname config network object subnet 209 165 200 224 255 255 255 224 Step 6 Add a network object for the PAT address hostname config object network PATaddress2 hostname config network object host 209 165 202 130 Step 7 Configure the second twice NAT rule hostname config nat inside dmz source ...

Page 106: ...Obj hostname config network object service tcp destination eq telnet Step 5 Configure the first twice NAT rule hostname config nat inside outside source dynamic myInsideNetwork PATaddress1 destination static TelnetWebServer TelnetWebServer service TelnetObj TelnetObj Because you do not want to translate the destination address or port you need to configure identity NAT for them by specifying the s...

Page 107: ...host The mapped host has a twice static NAT translation that translates the real address only for traffic to and from the 209 165 201 0 27 network A translation does not exist for the 209 165 200 224 27 network so the translated host cannot connect to that network nor can a host on that network connect to the translated host Figure 5 7 Twice Static NAT with Destination Address Translation NAT in R...

Page 108: ...ir networks NAT in transparent mode has the following requirements and limitations Because the transparent firewall does not have any interface IP addresses you cannot use interface PAT ARP inspection is not supported Moreover if for some reason a host on one side of the ASA sends an ARP request to a host on the other side of the ASA and the initiating host real address is mapped to a different ad...

Page 109: ...ctly to the host 4 For host 192 168 1 2 the same process occurs except for returning traffic the ASA looks up the route in its routing table and sends the packet to the downstream router at 10 1 1 3 based on the ASA static route for 192 168 1 0 24 See Transparent Mode Routing Requirements for Remote Networks page 5 14 for more information about required routes Routing NAT Packets The ASA needs to ...

Page 110: ...l this method can be used For PAT you can even use the IP address of the mapped interface Note If you configure the mapped interface to be any interface and you specify a mapped address on the same network as one of the mapped interfaces then if an ARP request for that mapped address comes in on a different interface then you need to manually configure an ARP entry for that network on the ingress ...

Page 111: ...f you have a twice NAT rule although the NAT rule must match both the source and destination addresses the proxy ARP decision is made only on the source address If the ASA ARP response is received before the actual host ARP response then traffic will be mistakenly sent to the ASA see the following figure Figure 5 10 Proxy ARP Problems with Identity NAT In rare cases you need proxy ARP for identity...

Page 112: ... the source and destination interfaces as part of the NAT rule Routed mode The ASA determines the egress interface in one of the following ways You configure the interface in the NAT rule The ASA uses the NAT rule to determine the egress interface However you have the option to always use a route lookup instead In certain scenarios a route lookup override is required for example see NAT and VPN Ma...

Page 113: ...e VPN tunnel then Internet bound VPN traffic must also go through the ASA When the VPN traffic enters the ASA the ASA decrypts the packet the resulting packet includes the VPN client local address 10 3 3 10 as the source For both inside and VPN client local networks you need a public IP address provided by NAT to access the Internet The below example uses interface PAT rules To allow the VPN traff...

Page 114: ...raffic Because forward and reverse flows do not match the ASA drops the packet when it is received To avoid this failure you need to exempt the inside to VPN client traffic from the interface PAT rule by using an identity NAT rule between those networks Identity NAT simply translates an address to the same address VPN Client 209 165 201 10 Internet Src 209 165 201 10 10 3 3 10 203 0 113 1 6070 10 ...

Page 115: ... a site to site tunnel connecting the Boulder and San Jose offices For traffic that you want to go to the Internet for example from 10 1 1 6 in Boulder to www example com you need a public IP address provided by NAT to access the Internet The below example uses interface PAT rules However for traffic that you want to go over the VPN tunnel for example from 10 1 1 6 in Boulder to 10 2 2 78 in San J...

Page 116: ...nable hairpin for VPN client traffic same security traffic permit intra interface Identify local VPN network perform object interface PAT when going to Internet 10 1 1 6 ASA1 ASA2 10 2 2 78 Internet Src 10 1 1 6 10 1 1 6 203 0 113 1 6070 Src 10 1 1 6 10 1 1 6 Dst 10 2 2 78 10 2 2 78 San Jose Inside Boulder Inside 1 IM to 10 2 2 78 Src 10 1 1 6 A HTTP to www example com Src 10 1 1 6 3 IM received C...

Page 117: ...c sanjose_inside sanjose_inside See the following sample NAT configuration for ASA2 San Jose Identify inside San Jose network perform object interface PAT when going to Internet object network sanjose_inside subnet 10 2 2 0 255 255 255 0 nat inside outside dynamic interface Identify inside Boulder network for use in twice NAT rule object network boulder_inside subnet 10 1 1 0 255 255 255 0 Identif...

Page 118: ... 5 14 for more information about the route lookup option Figure 5 17 VPN Management Access See the following sample NAT configuration for the above network Enable hairpin for non split tunneled VPN client traffic same security traffic permit intra interface Enable management access on inside ifc management access inside Identify local VPN network perform object interface PAT when going to Internet...

Page 119: ...ress in DNS queries and replies that match a NAT rule for example the A record for IPv4 the AAAA record for IPv6 or the PTR record for reverse DNS queries For DNS replies traversing from a mapped interface to any other interface the record is rewritten from the mapped value to the real value Inversely for DNS replies traversing from any interface to a mapped interface the record is rewritten from ...

Page 120: ...is on the inside interface You configure the ASA to statically translate the ftp cisco com real address 10 1 3 14 to a mapped address 209 165 201 10 that is visible on the outside network In this case you want to enable DNS reply modification on this static rule so that inside users who have access to ftp cisco com using the real address receive the real address from the DNS server and not the map...

Page 121: ...er on Separate Networks The following figure shows a user on the inside network requesting the IP address for ftp cisco com which is on the DMZ network from an outside DNS server The DNS server replies with the mapped address 209 165 201 10 according to the static rule between outside and DMZ even though the user is not on the DMZ network The ASA translates the address inside the DNS reply to 10 1...

Page 122: ...Network The following figure shows an FTP server and DNS server on the outside The ASA has a static translation for the outside server In this case when an inside user requests the address for ftp cisco com from the DNS server the DNS server responds with the real address 209 165 20 10 Because you want inside users to use the mapped address for ftp cisco com 10 1 2 56 you need to configure DNS rep...

Page 123: ...side server In this case when an inside IPv6 user requests the address for ftp cisco com from the DNS server the DNS server responds with the real address 209 165 200 225 Because you want inside users to use the mapped address for ftp cisco com 2001 DB8 D1A5 C8E1 you need to configure DNS reply modification for the static translation This example also includes a static NAT translation for the DNS ...

Page 124: ... object network DNS_SERVER hostname config network object host 209 165 201 15 hostname config network object nat outside inside static 2001 DB8 D1A5 C90F 128 net to net Step 3 Configure an IPv4 PAT pool for translating the inside IPv6 network hostname config object network IPv4_POOL hostname config network object range 203 0 113 1 203 0 113 254 ftp cisco com 209 165 200 225 IPv4 Internet IPv6 Net ...

Page 125: ...re shows an FTP server and DNS server on the outside The ASA has a static translation for the outside server In this case when an inside user performs a reverse DNS lookup for 10 1 2 56 the ASA modifies the reverse DNS query with the real address and the DNS server responds with the server name ftp cisco com Figure 5 22 PTR Modification DNS Server on Host Network ftp cisco com 209 165 201 10 DNS S...

Page 126: ...5 28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 NAT Examples and Reference DNS and NAT ...

Page 127: ...P A R T 3 Application Inspection ...

Page 128: ......

Page 129: ...otocols require the ASA to do a deep packet inspection instead of passing the packet through the fast path see the general operations configuration guide for more information about the fast path As a result inspection engines can affect overall throughput Several common inspection engines are enabled on the ASA by default but you might need to enable others depending on your network The following ...

Page 130: ... any required operations for the packet the ASA forwards the packet to the destination system 6 The destination system responds to the initial request 7 The ASA receives the reply packet looks up the connection in the connection database and forwards the packet because it belongs to an established session The default configuration of the ASA includes a set of application inspection entries that as...

Page 131: ...plication Traffic matching criteria You match application traffic to criteria specific to the application such as a URL string for which you then enable actions For some traffic matching criteria you use regular expressions to match text inside a packet Be sure to create and test the regular expressions before you configure the policy map either singly or grouped together in a regular expression c...

Page 132: ...on then it will never match any further match criteria If the first action is to log the packet then a second action such as resetting the connection can occur If a packet matches multiple match or class commands that are the same then they are matched in the order they appear in the policy map For example for a packet with the header length of 1001 it will match the first command below and be log...

Page 133: ... over the state link IPv6 Guidelines Supports IPv6 for the following inspections DNS FTP HTTP ICMP SCCP Skinny SIP SMTP IPsec pass through IPv6 Supports NAT64 for the following inspections DNS FTP HTTP ICMP Additional Guidelines and Limitations Some inspection engines do not support PAT NAT outside NAT or NAT between same security interfaces For more information about NAT support see Default Inspe...

Page 134: ...on to the traffic on all interfaces a global policy Default application inspection traffic includes traffic to the default ports for each protocol You can only apply one global policy so if you want to alter the global policy for example to apply inspection to non standard ports or to add inspections that are not enabled by default you need to either edit the default policy or disable it and apply...

Page 135: ...raffic directed to an ASA interface is never inspected ICMP ERROR ILS LDAP TCP 389 No extended PAT No NAT64 Instant Messaging IM Varies by client No extended PAT No NAT64 RFC 3860 IP Options No NAT64 RFC 791 RFC 2113 IPsec Pass Through UDP 500 No PAT No NAT64 IPv6 No NAT64 RFC 2460 MGCP UDP 2427 2727 No extended PAT No NAT64 Clustering No static PAT RFC 2705bis 05 MMP TCP 5443 No extended PAT No N...

Page 136: ...es SKINNY SCCP TCP 2000 No NAT on same security interfaces No extended PAT No per session PAT No NAT64 NAT46 or NAT66 Clustering No static PAT Does not handle TFTP uploaded Cisco IP Phone configurations under certain circumstances SMTP and ESMTP TCP 25 No NAT64 RFC 821 1123 SNMP UDP 161 162 No NAT or PAT RFC 1155 1157 1212 1213 1215 v 2 RFC 1902 1908 v 3 RFC 2570 2580 SQL Net TCP 1521 No extended ...

Page 137: ...efault Inspection Policy Maps Some inspection types use hidden default policy maps For example if you enable ESMTP inspection without specifying a map _default_esmtp_map is used The default inspection is described in the sections that explain each inspection type You can view these default maps using the show running config all policy map command DNS inspection is the only one that uses an explici...

Page 138: ...y the inspection to the traffic The table later in this procedure shows which protocols allow inspection policy maps with pointers to the instructions on configuring them Step 3 Add or edit a Layer 3 4 policy map that sets the actions to take with the class map traffic hostname config policy map name hostname config pmap The default policy map is called global_policy This policy map includes the d...

Page 139: ...ap name in this command ftp strict map_name See FTP Inspection page 7 8 Use the strict keyword to increase the security of protected networks by preventing web browsers from sending embedded commands in FTP requests See Strict FTP page 7 9 for more information If you added an FTP inspection policy map according to Configure an FTP Inspection Policy Map page 7 10 identify the map name in this comma...

Page 140: ...dded an IPv6 inspection policy map according to Configure an IPv6 Inspection Policy Map page 7 34 identify the map name in this command mgcp map_name See MGCP Inspection page 8 12 If you added an MGCP inspection policy map according to Configuring an MGCP Inspection Policy Map for Additional Inspection Control page 8 14 identify the map name in this command netbios map_name See NetBIOS Inspection ...

Page 141: ...e 8 23 If you added a SIP inspection policy map according to Configure SIP Inspection Policy Map page 8 25 identify the map name in this command Specify a TLS proxy to enable inspection of encrypted traffic skinny map_name tls proxy proxy_name See Skinny SCCP Inspection page 8 31 If you added a Skinny inspection policy map according to Configure a Skinny SCCP Inspection Policy Map for Additional I...

Page 142: ...SA performance can be impacted If you want to match non standard ports then create a new class map for the non standard ports See Default Inspections and NAT Limitations page 6 6 for the standard ports for each inspection engine You can combine multiple class maps in the same policy if desired so you can create one class map to match certain traffic and another to match different traffic However i...

Page 143: ...mation when matching a regular expression to packets In general matching against long input strings or trying to match a large number of regular expressions will reduce system performance Note As an optimization the ASA searches on the deobfuscated URL Deobfuscation compresses multiple forward slashes into a single slash For strings that commonly use double slashes like http be sure to search for ...

Page 144: ... uppercase letter a c Character range class Matches any character in the range a z matches any lowercase letter You can mix characters and ranges abcq z matches a b c q r s t u v w x y z and so does a cq z The dash character is literal only if it is the last or the first character within the brackets abc or abc Quotation marks Preserves trailing or leading spaces in the string For example test pre...

Page 145: ...e regular_expression argument can be up to 100 characters in length Examples The following example creates two regular expressions for use in an inspection policy map hostname config regex url_example example com hostname config regex url_example2 example2 com Create a Regular Expression Class Map A regular expression class map identifies one or more regular expression It is simply a collection of...

Page 146: ...atch any URLs hostname config cmap match regex url_example hostname config cmap match regex url_example2 History for Application Inspection Feature Name Releases Description Inspection policy maps 7 2 1 The inspection policy map was introduced The following command was introduced class map type inspect Regular expressions and policy maps 7 2 1 Regular expressions and policy maps were introduced to...

Page 147: ...ion page 7 1 FTP Inspection page 7 8 HTTP Inspection page 7 14 ICMP Inspection page 7 21 ICMP Error Inspection page 7 21 Instant Messaging Inspection page 7 21 IP Options Inspection page 7 26 IPsec Pass Through Inspection page 7 30 IPv6 Inspection page 7 33 NetBIOS Inspection page 7 37 PPTP Inspection page 7 39 SMTP and Extended SMTP Inspection page 7 39 TFTP Inspection page 7 45 DNS Inspection Th...

Page 148: ...is enabled so the ASA tears down the DNS session associated with a DNS query as soon as the DNS reply is forwarded by the ASA The ASA also monitors the message exchange to ensure that the ID of the DNS reply matches the ID of the DNS query Translation of the DNS record based on the NAT configuration is enabled Protocol enforcement is enabled which enables DNS message format check including domain ...

Page 149: ...lass maps To specify traffic that should not match the class map use the match not command For example if the match not command specifies the string example com then any traffic that includes example com does not match the class map For the traffic that you identify in this class map you specify actions to take on the traffic in the inspection policy map If you want to perform different actions fo...

Page 150: ...e question keyword specifies the question portion of a DNS message The resource record keyword specifies one of these sections of the resource record answer authority or additional For example match resource record answer match not domain name regex regex_name class class_name Matches the DNS message domain name list against the specified regular expression or regular expression class d Enter exit...

Page 151: ... Set one or more parameters You can set the following options use the no form of the command to disable the option dns guard Enables DNS Guard The ASA tears down the DNS session associated with a DNS query as soon as the DNS reply is forwarded by the ASA The ASA also monitors the message exchange to ensure that the ID of the DNS reply matches the ID of the DNS query id mismatch count number durati...

Page 152: ...olicy The default ASA configuration includes DNS inspection on the default port applied globally on all interfaces A common method for customizing the inspection configuration is to customize the default global policy You can alternatively create a new service policy as desired for example an interface specific policy Procedure Step 1 If necessary create an L3 L4 class map to identify the traffic ...

Page 153: ... the Botnet Traffic Filter Include this keyword only if you use Botnet Traffic Filtering We suggest that you enable DNS snooping only on interfaces where external DNS requests are going Enabling DNS snooping on all UDP DNS traffic including that going to an internal DNS server creates unnecessary load on the ASA Example hostname config class no inspect dns hostname config class inspect dns dns map...

Page 154: ... and the idle timer for each app_id runs independently Because the app_id expires independently a legitimate DNS response can only pass through the security appliance within a limited period of time and there is no resource build up However when you enter the show conn command you see the idle timer of a DNS connection being reset by a new DNS session This is due to the nature of the shared DNS co...

Page 155: ...appear in an error string Caution Using the strict option may cause the failure of FTP clients that are not strictly compliant with FTP RFCs If the strict option is enabled each FTP command and response sequence is tracked for the following anomalous activity Truncated command Number of commas in the PORT and PASV reply command is checked to see if it is five If it is not five then the PORT comman...

Page 156: ...sed on user values is also supported so that it is possible for FTP sites to post files for download but restrict access to certain users You can block FTP connections based on file type server name and other attributes System message logs are generated if an FTP connection is denied after inspection If you want FTP inspection to allow FTP servers to reveal their system type to FTP clients and lim...

Page 157: ...ch not command then any traffic that does not match the criterion in the match not command has the action applied match not filename regex regex_name class class_name Matches the filename in the FTP transfer against the specified regular expression or regular expression class match not filetype regex regex_name class class_name Matches the file type in the FTP transfer against the specified regula...

Page 158: ...eset log The reset keyword drops the packet closes the connection and sends a TCP reset to the server or client Add the log keyword to send a system log message You can specify multiple class or match commands in the policy map For information about the order of class and match commands see Defining Actions in an Inspection Policy Map page 2 4 Step 5 To configure parameters that affect the inspect...

Page 159: ...includes default ports for all inspection types match default inspection traffic If you are using this class map in either the default policy or for a new service policy you can skip this step For information on matching statements see Identify Traffic Layer 3 4 Class Maps page 1 13 Step 2 Add or edit a policy map that sets the actions to take with the class map traffic policy map name Example hos...

Page 160: ...global_policy global The global keyword applies the policy map to all interfaces and interface applies the policy to one interface Only one global policy is allowed You can override the global policy on an interface by applying a service policy to that interface You can only apply one policy map to each interface Verifying and Monitoring FTP Inspection FTP application inspection generates the foll...

Page 161: ...cation firewall and is available when you configure an HTTP inspection policy map can help prevent attackers from using HTTP messages for circumventing network security policy HTTP application inspection can block tunneled applications and non ASCII characters in HTTP requests and responses preventing malicious content from reaching the web server Size limiting of various elements in HTTP request ...

Page 162: ...irectly in the policy map a Create the class map by entering the following command hostname config class map type inspect http match all match any class_map_name hostname config cmap Where the class_map_name is the name of the class map The match all keyword is the default and specifies that traffic must match all criteria to match the class map The match any keyword specifies that the traffic mat...

Page 163: ...ct copy delete edit get getattribute getattributenames getproperties head index lock mkcol mkdir move notify options poll post propfind proppatch put revadd revlabel revlog revnum save search setattribute startrev stoprev subscribe trace unedit unlock unsubscribe match not request uri regex regex_name class class_name length gt bytes Matches text found in the HTTP request message URI against the s...

Page 164: ...hostname config pmap c Specify traffic directly in the policy map using one of the match commands described for HTTP class maps If you use a match not command then any traffic that does not match the criterion in the match not command has the action applied b Specify the action you want to perform on the matching traffic by entering the following command hostname config pmap c drop connection log ...

Page 165: ...ss map type regex match any url_to_log hostname config cmap match regex url1 hostname config cmap match regex url2 hostname config cmap exit hostname config class map type regex match any methods_to_log hostname config cmap match regex get hostname config cmap match regex put hostname config cmap exit hostname config class map type inspect http http_url_policy hostname config cmap match request ur...

Page 166: ... are specifying the class you created earlier in this procedure Step 4 Configure HTTP inspection inspect http http_policy_map Where http_policy_map is the optional HTTP inspection policy map You need a map only if you want non default inspection processing For information on creating the HTTP inspection policy map see Configure an HTTP Inspection Policy Map page 7 16 Example hostname config class ...

Page 167: ...sages ICMP error messages generated by the intermediate nodes between the inside host and the ASA reach the outside host without consuming any additional NAT resource This is undesirable when an outside host uses the traceroute command to trace the hops to the destination on the inside of the ASA When the ASA does not translate the intermediate hops all the intermediate hops appear with the mapped...

Page 168: ...le if the match not command specifies the string example com then any traffic that includes example com does not match the class map For the traffic that you identify in this class map you specify actions to take on the traffic in the inspection policy map If you want to perform different actions for each match command you should identify the traffic directly in the policy map a Create the class m...

Page 169: ...col d Enter exit to leave class map configuration mode Step 2 Create an IM inspection policy map hostname config policy map type inspect im policy_map_name hostname config pmap Where the policy_map_name is the name of the policy map The CLI enters policy map configuration mode Step 3 Optional To add a description to the policy map enter the following command hostname config pmap description string...

Page 170: ... hostname config cmap match filename regex exe_files hostname config class map type inspect im match all yahoo_im_policy hostname config cmap match login name regex class yahoo_src_login_name_regex hostname config cmap match peer login name regex class yahoo_dst_login_name_regex hostname config class map type inspect im match all yahoo_im_policy2 hostname config cmap match version regex yahoo_vers...

Page 171: ...bal_policy as the policy name Step 3 Identify the L3 L4 class map you are using for IM inspection class name Example hostname config pmap class inspection_default To edit the default policy or to use the special inspection_default class map in a new policy specify inspection_default for the name Otherwise you are specifying the class you created earlier in this procedure Step 4 Configure IM inspec...

Page 172: ...P Options provide for control functions that are required in some situations but unnecessary for most common communications In particular IP Options include provisions for time stamps security and special routing Use of IP Options is optional and the field can contain zero one or more options For a list of IP options with references to the relevant RFCs see the IANA page http www iana org assignme...

Page 173: ...boundary Router Alert RTRALT or IP Option 20 This option notifies transit routers to inspect the contents of the packet even when the packet is not destined for that router This inspection is valuable when implementing RSVP and similar protocols that require relatively complex processing from the routers along the packet s delivery path Dropping RSVP packets containing the Router Alert option can ...

Page 174: ... form of the command to disable the option In all cases the allow action allows packets that contain the option without modification the clear action allows the packets but removes the option from the header Any packet that contains an option that you do not include in the map is dropped For a description of the options see Supported IP Options for Inspection page 7 27 eool action allow clear Allo...

Page 175: ...d earlier in this procedure Step 4 Configure IP options inspection inspect ip options ip_options_policy_map Where ip_options_policy_map is the optional IP options inspection policy map You need a map only if you want non default inspection processing For information on creating the IP options inspection policy map see Configure an IP Options Inspection Policy Map page 7 28 Example hostname config ...

Page 176: ...ginning of the session and negotiation of cryptographic keys to be used during the session IPsec can be used to protect data flows between a pair of hosts for example computer users or servers between a pair of security gateways such as routers or firewalls or between a security gateway and a host IPsec Pass Through application inspection provides convenient traversal of ESP IP protocol 50 and AH ...

Page 177: ... a To enter parameters configuration mode enter the following command hostname config pmap parameters hostname config pmap p b Set one or more parameters You can set the following options use the no form of the command to disable the option esp per client max number timeout time Allows ESP tunnels and sets the maximum connections allowed per client and the idle timeout in hh mm ss format To allow ...

Page 178: ...e policy you can skip this step For information on matching statements see Identify Traffic Layer 3 4 Class Maps page 1 13 Step 2 Add or edit a policy map that sets the actions to take with the class map traffic policy map name Example hostname config policy map global_policy In the default configuration the global_policy policy map is assigned globally to all interfaces If you want to edit the gl...

Page 179: ... policy on an interface by applying a service policy to that interface You can only apply one policy map to each interface IPv6 Inspection IPv6 inspection lets you selectively log or drop IPv6 traffic based on the extension header In addition IPv6 inspection can check conformance to RFC 2460 for type and order of extension headers in IPv6 packets Defaults for IPv6 Inspection page 7 33 Configure IP...

Page 180: ...ription string Step 3 Optional Drop or log traffic based on the headers in IPv6 messages a Identify the traffic based on the IPv6 header hostname config pmap match header type Where type is one of the following ah Matches the IPv6 Authentication extension header count gt number Specifies the maximum number of IPv6 extension headers from 0 to 255 destination option Matches the IPv6 destination opti...

Page 181: ...type 0 headers It also enforces header order and type policy map type inspect ipv6 ipv6 pm parameters verify header type verify header order match header hop by hop drop log match header destination option drop log match header routing address count gt 0 drop log match header routing type eq 0 drop log policy map global_policy class class default inspect ipv6 ipv6 pm service policy global_policy g...

Page 182: ...ou are specifying the class you created earlier in this procedure Step 4 Configure IPv6 inspection inspect ipv6 ipv6_policy_map Where ipv6_policy_map is the optional IPv6 inspection policy map You need a map only if you want non default inspection processing For information on creating the inspection policy map see Configure an IPv6 Inspection Policy Map page 7 34 Example hostname config class no ...

Page 183: ...ction Procedure Step 1 Create a NetBIOS inspection policy map hostname config policy map type inspect netbios policy_map_name hostname config pmap Where the policy_map_name is the name of the policy map The CLI enters policy map configuration mode Step 2 Optional To add a description to the policy map enter the following command hostname config pmap description string Step 3 Enter parameters confi...

Page 184: ...es match default inspection traffic If you are using this class map in either the default policy or for a new service policy you can skip this step For information on matching statements see Identify Traffic Layer 3 4 Class Maps page 1 13 Step 2 Add or edit a policy map that sets the actions to take with the class map traffic policy map name Example hostname config policy map global_policy In the ...

Page 185: ...s between the two hosts When enabled PPTP application inspection inspects PPTP protocol packets and dynamically creates the GRE connections and xlates necessary to permit PPTP traffic Specifically the ASA inspects the PPTP version announcements and the outgoing call request response sequence Only PPTP Version 1 as defined in RFC 2637 is inspected Further inspection on the TCP control channel is di...

Page 186: ...P inspection engine changes the characters in the server SMTP banner to asterisks except for the 2 0 0 characters Carriage return CR and linefeed LF characters are ignored With SMTP inspection enabled a Telnet session used for interactive SMTP may hang if the following rules are not observed SMTP commands must be at least four characters in length must be terminated with carriage return and line f...

Page 187: ...ed Connections with more than 100 recipients are dropped and logged Messages with body length greater than 998 bytes are logged Connections with header line length greater than 998 are dropped and logged Messages with MIME filenames greater than 255 characters are dropped and logged EHLO reply parameters matching others are masked Following is the policy map configuration policy map type inspect e...

Page 188: ...rs policy map configuration mode Step 2 Optional To add a description to the policy map enter the following command hostname config pmap description string Step 3 To apply actions to matching traffic perform the following steps a Specify the traffic on which you want to perform actions using one of the following match commands If you use a match not command then any traffic that does not match the...

Page 189: ...ffic by entering the following command hostname config pmap c drop connection log mask log reset log log rate limit message_rate Not all options are available for each match command See the CLI help or the command reference for the exact options available The drop connection keyword drops the packet and closes the connection The mask keyword masks out the matching portion of the packet This action...

Page 190: ..._map hostname config pmap match sender address regex class senders_black_list hostname config pmap c drop connection log hostname config policy map outside_policy hostname config pmap class inspection_default hostname config pmap c inspect esmtp advanced_esmtp_map hostname config service policy outside_policy interface outside Configure the ESMTP Inspection Service Policy The default ASA configura...

Page 191: ...p see Configure the ESMTP Inspection Service Policy page 7 44 Example hostname config class no inspect esmtp hostname config class inspect esmtp esmtp map Note If you are editing the default global policy or any in use policy to use a different inspection policy map you must remove the ESMTP inspection with the no inspect esmtp command and then re add it with the new inspection policy map name Ste...

Page 192: ...nnel and a PAT translation if necessary are allocated on a reception of a valid read RRQ or write WRQ request This secondary channel is subsequently used by TFTP for file transfer or error notification Only the TFTP server can initiate traffic over the secondary channel and at most one incomplete secondary channel can exist between the TFTP client and server An error notification from the server c...

Page 193: ... CTIQBE Inspection CTIQBE protocol inspection supports NAT PAT and bidirectional NAT This enables Cisco IP SoftPhone and other Cisco TAPI JTAPI applications to work successfully with Cisco CallManager for call setup across the ASA TAPI and JTAPI are used by many Cisco VoIP applications CTIQBE is used by Cisco TSP to communicate with Cisco CallManager For information on enabling CTIQBE inspection s...

Page 194: ...information about the media connections allocated by the CTIQBE inspection engine The following is sample output from the show ctiqbe command under the following conditions There is only one active CTIQBE session setup across the ASA It is established between an internal CTI device for example a Cisco IP SoftPhone at local address 10 0 0 99 and an external Cisco CallManager at 172 29 1 77 where TC...

Page 195: ...mp E outside back connection F outside FIN f inside FIN G group g MGCP H H 323 h H 225 0 I inbound data i incomplete J GTP j GTP data k Skinny media M SMTP data m SIP media O outbound data P inside back connection q SQL Net data R outside acknowledged FIN R UDP RPC r inside acknowledged FIN S awaiting inside SYN s awaiting outside SYN T SIP t SIP transient U up H 323 Inspection The following secti...

Page 196: ...the H 323 endpoints exchange port numbers that are used for subsequent UDP data streams H 323 inspection inspects the H 245 messages to identify these ports and dynamically creates connections for the media exchange RTP uses the negotiated port number while RTCP uses the next higher port number The H 323 control channel handles H 225 and H 245 and H 323 RAS H 323 inspection uses the following port...

Page 197: ...een two H 323 endpoints When the two H 323 endpoints set up a telepresentation session so that the endpoints can send and receive a data presentation such as spreadsheet data the ASA ensure successful H 239 negotiation between the endpoints H 239 is a standard that provides the ability for H 300 series endpoints to open an additional video channel in a single call In a call an endpoint such as a v...

Page 198: ...ge 8 6 Step 2 Configure the H 323 Inspection Service Policy page 8 9 Configure H 323 Inspection Policy Map You can create an H 323 inspection policy map to customize H 323 inspection actions if the default inspection behavior is not sufficient for your network When defining traffic matching criteria you can either create a class map or include the match statements directly in the policy map The fo...

Page 199: ...ing party regex regex_name class class_name Matches the calling party against the specified regular expression or regular expression class match not media type audio data video Matches the media type Step 2 Create an H 323 inspection policy map hostname config policy map type inspect h323 policy_map_name hostname config pmap Where the policy_map_name is the name of the policy map The CLI enters po...

Page 200: ...ion limit in hh mm ss format To have no timeout specify 00 00 00 Range is from 0 0 0 to 1193 0 0 call party number Enforces sending call party number during call setup h245 tunnel block action drop connection log Enforces H 245 tunnel blocking Specify whether you want to drop the connection or simply log it rtp conformance enforce payloadtype Checks RTP packets flowing on the pinholes for protocol...

Page 201: ...parameter Example hostname config class map h323_class_map hostname config cmap match access list h323 In the default global policy the inspection_default class map is a special class map that includes default ports for all inspection types match default inspection traffic If you are using this class map in either the default policy or for a new service policy you can skip this step For informatio...

Page 202: ...terface interface_name Example hostname config service policy global_policy global The global keyword applies the policy map to all interfaces and interface applies the policy to one interface Only one global policy is allowed You can override the global policy on an interface by applying a service policy to that interface You can only apply one policy map to each interface Configuring H 323 and H...

Page 203: ...his could happen if at the time of the show h225 command the call has already ended but the H 225 session has not yet been deleted Alternately it could mean that the two endpoints still have a TCP connection opened between them because they set maintainConnection to TRUE so the session is kept open until they set it to FALSE again or until the session times out based on the H 225 timeout value in ...

Page 204: ...gatekeeper 172 30 254 214 and its client 10 130 56 14 MGCP Inspection The following sections describe MGCP application inspection MGCP Inspection Overview page 8 12 Configure MGCP Inspection page 8 14 Configuring MGCP Timeout Values page 8 16 Verifying and Monitoring MGCP Inspection page 8 17 MGCP Inspection Overview MGCP is a master slave protocol used to control media gateways from external call...

Page 205: ...ts Also the call agent can instruct the endpoints to detect certain events and generate signals The endpoints automatically communicate changes in service state to the call agent Gateways usually listen to UDP port 2427 to receive commands from the call agent The port on which the call agent receives commands from the gateway Call agents usually listen to UDP port 2727 to receive commands from the...

Page 206: ...on mode hostname config pmap parameters hostname config pmap p Step 4 Set one or more parameters You can set the following options use the no form of the command to disable the option call agent ip_address group_id Configures the call agent groups that can manage one or more gateways The call agent group information is used to open connections for the call agents in the group other than the one a ...

Page 207: ...so you can simply edit the default global inspection policy to add MGCP inspection You can alternatively create a new service policy as desired for example an interface specific policy Procedure Step 1 If necessary create an L3 L4 class map to identify the traffic for which you want to apply the inspection class map name match parameter Example hostname config class map mgcp_class_map hostname con...

Page 208: ...olicy such as the default global policy called global_policy you are done Otherwise activate the policy map on one or more interfaces service policy policymap_name global interface interface_name Example hostname config service policy global_policy global The global keyword applies the policy map to all interfaces and interface applies the policy to one interface Only one global policy is allowed ...

Page 209: ...n use 1 most used 200 maximum allowed CRCX idle 0 00 10 Gateway IP host pc 2 Transaction ID 2052 Endpoint name aaln 1 Call ID 9876543210abcdef Connection ID Media IP 192 168 5 7 Media port 6058 The following is sample output from the show mgcp sessions command hostname show mgcp sessions 1 in use 1 most used Gateway IP host pc 2 connection ID 6789af54c9 active 0 00 11 The following is sample outpu...

Page 210: ...er ports RTSP inspection does not support PAT or dual NAT Also the ASA cannot recognize HTTP cloaking where RTSP messages are hidden in the HTTP messages RealPlayer Configuration Requirements When using RealPlayer it is important to properly configure transport mode For the ASA add an access list command from the server to the client or vice versa For RealPlayer change transport mode by clicking O...

Page 211: ...raffic matching options use regular expressions for matching purposes If you intend to use one of those techniques first create the regular expression or regular expression class map Procedure Step 1 Optional Create an RTSP inspection class map by performing the following steps A class map groups multiple traffic matches You can alternatively identify match commands directly in the policy map The ...

Page 212: ... configuration mode Step 3 Optional To add a description to the policy map enter the following command hostname config pmap description string Step 4 To apply actions to matching traffic perform the following steps a Specify the traffic on which you want to perform actions using one of the following methods If you created an RTSP class map specify it by entering the following command hostname conf...

Page 213: ...ass hostname config cmap match default inspection traffic hostname config policy map rtsp traffic policy hostname config pmap class rtsp traffic class hostname config pmap c inspect rtsp rtsp filter map hostname config service policy rtsp traffic policy global Configure the RTSP Inspection Service Policy The default ASA configuration includes RTSP inspection on the default port applied globally on...

Page 214: ...y map You need a map only if you want non default inspection processing For information on creating the RTSP inspection policy map see Configure RTSP Inspection Policy Map page 8 19 Example hostname config class no inspect rtsp hostname config class inspect rtsp rtsp map Note If you are editing the default global policy or any in use policy to use a different RTSP inspection policy map you must re...

Page 215: ...handling sessions particularly two party audio conferences or calls SIP works with SDP for call signaling SDP specifies the ports for the media stream Using SIP the ASA can support any SIP VoIP gateways and VoIP proxy servers SIP and SDP are defined in the following RFCs SIP Session Initiation Protocol RFC 3261 SDP Session Description Protocol RFC 2327 To support SIP calls through the ASA signalin...

Page 216: ...stration subscription For example two users can be online at any time but not chat for hours Therefore the SIP inspection engine opens pinholes that time out according to the configured SIP timeout value This value must be configured at least five minutes longer than the subscription duration The subscription duration is defined in the Contact Expires value and is typically 30 minutes Because MESS...

Page 217: ...saging IM extensions Enabled Non SIP traffic on SIP port Permitted Hide server s and endpoint s IP addresses Disabled Mask software version and non SIP URIs Disabled Ensure that the number of hops to destination is greater than 0 Enabled RTP conformance Not enforced SIP conformance Do not perform state checking and header validation Also note that inspection of encrypted traffic is not enabled You...

Page 218: ...ass map by entering the following command hostname config class map type inspect sip match all match any class_map_name hostname config cmap Where the class_map_name is the name of the class map The match all keyword is the default and specifies that traffic must match all criteria to match the class map The match any keyword specifies that the traffic matches the class map if it matches at least ...

Page 219: ...e config pmap description string Step 4 To apply actions to matching traffic perform the following steps a Specify the traffic on which you want to perform actions using one of the following methods If you created a SIP class map specify it by entering the following command hostname config pmap class class_map_name hostname config pmap c Specify traffic directly in the policy map using one of the ...

Page 220: ...les state transition checking You must also choose the action to take for non conforming traffic drop packet drop connection reset or log and whether to enable or disable logging strict header validation action drop drop connection reset log log Enables strict verification of the header fields in the SIP messages according to RFC 3261 You must also choose the action to take for non conforming traf...

Page 221: ...e the default global policy You can alternatively create a new service policy as desired for example an interface specific policy Procedure Step 1 If necessary create an L3 L4 class map to identify the traffic for which you want to apply the inspection class map name match parameter Example hostname config class map sip_class_map hostname config cmap match access list sip In the default global pol...

Page 222: ...tep 5 If you are editing an existing service policy such as the default global policy called global_policy you are done Otherwise activate the policy map on one or more interfaces service policy policymap_name global interface interface_name Example hostname config service policy global_policy global The global keyword applies the policy map to all interfaces and interface applies the policy to on...

Page 223: ...econd The second session is in the state Active in which call setup is complete and the endpoints are exchanging media This session has been idle for 6 seconds Skinny SCCP Inspection The following sections describe SCCP application inspection SCCP Inspection Overview page 8 31 Supporting Cisco IP Phones page 8 32 Limitations for SCCP Inspection page 8 32 Default SCCP Inspection page 8 32 Configure...

Page 224: ...ntry maps to the same IP address When using PAT it maps to the same IP address and port When the Cisco IP Phones are on a higher security interface compared to the TFTP server and Cisco CallManager no ACL or static entry is required to allow the Cisco IP Phones to initiate the connection Limitations for SCCP Inspection SCCP inspection is tested and supported for Cisco Unified Communications Manage...

Page 225: ... SCCP Inspection Policy Map for Additional Inspection Control To specify actions when a message violates a parameter create an SCCP inspection policy map You can then apply the inspection policy map when you enable SCCP inspection Procedure Step 1 Create an SCCP inspection policy map hostname config policy map type inspect skinny policy_map_name hostname config pmap Where the policy_map_name is th...

Page 226: ...gth value allowed Enter the command twice to set both a minimum and maximum value The default minimum is 4 there is no default maximum timeout media signaling time Sets the timeouts for media and signaling connections in hh mm ss format To have no timeout specify 0 for the number The default media timeout is 5 minutes the default signaling timeout is one hour Example The following example shows ho...

Page 227: ...global_policy as the policy name Step 3 Identify the L3 L4 class map you are using for SCCP inspection class name Example hostname config pmap class inspection_default To edit the default policy or to use the special inspection_default class map in a new policy specify inspection_default for the name Otherwise you are specifying the class you created earlier in this procedure Step 4 Configure SCCP...

Page 228: ...g conditions There are two active Skinny sessions set up across the ASA The first one is established between an internal Cisco IP Phone at local address 10 0 0 11 and an external Cisco CallManager at 172 18 1 33 TCP port 2000 is the CallManager The second one is established between another internal Cisco IP Phone at local address 10 0 0 22 and the same Cisco CallManager hostname show skinny LOCAL ...

Page 229: ... SCCP and TLS Proxy support for IPv6 9 3 1 You can now inspect IPv6 traffic when using SIP SCCP and TLS Proxy using SIP or SCCP We did not modify any commands SIP support for Trust Verification Services NAT66 CUCM 10 5 and model 8831 phones 9 3 2 You can now configure Trust Verification Services servers in SIP inspection You can also use NAT66 SIP inspection has been tested with CUCM 10 5 We added...

Page 230: ...8 38 Cisco ASA Series Firewall CLI Configuration Guide Chapter 8 Inspection for Voice and Video Protocols History for Voice and Video Protocol Inspection ...

Page 231: ...ses xlates are searched first and then DNAT entries to obtain the correct address If both of these searches fail then the address is not changed For sites using NAT 0 no NAT and not expecting DNAT interaction we recommend that the inspection engine be turned off to provide better performance Additional configuration may be necessary when the ILS server is located inside the ASA border This would r...

Page 232: ...abled by default The SQL Net protocol consists of different packet types that the ASA handles to make the data stream appear consistent to the Oracle applications on either side of the ASA The default port assignment for SQL Net is 1521 This is the value used by Oracle for SQL Net but this value does not agree with IANA port assignments for Structured Query Language SQL Use the class map command t...

Page 233: ... Inspection page 9 4 Sun RPC Inspection Overview The Sun RPC inspection engine enables or disables application inspection for the Sun RPC protocol Sun RPC is used by NFS and NIS Sun RPC services can run on any port When a client attempts to access a Sun RPC service on a server it must learn the port that service is running on It does this by querying the port mapper process usually rpcbind on the ...

Page 234: ...mine the service type which in this example is 100003 use the sunrpcinfo command at the UNIX or Linux command line on the Sun RPC server machine To clear the Sun RPC configuration enter the following command hostname config clear configure sunrpc server This removes the configuration performed using the sunrpc server command The sunrpc server command allows pinholes to be created with a specified ...

Page 235: ... in the LOCAL column shows the IP address of the client or server on the inside interface while the value in the FOREIGN column shows the IP address of the client or server on the outside interface To view information about the Sun RPC services running on a Sun RPC server enter the rpcinfo p command from the Linux or UNIX server command line The following is sample output from the rpcinfo p comman...

Page 236: ...9 6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 9 Inspection of Database and Directory Protocols Sun RPC Inspection ...

Page 237: ...0 11 RSH Inspection page 10 15 SNMP Inspection page 10 15 XDMCP Inspection page 10 17 DCERPC Inspection The following sections describe the DCERPC inspection engine DCERPC Overview page 10 1 Configure DCERPC Inspection page 10 2 DCERPC Overview DCERPC is a protocol widely used by Microsoft distributed client and server applications that allows software clients to execute programs on a server remot...

Page 238: ...Procedure Step 1 Configure a DCERPC Inspection Policy Map page 10 2 Step 2 Configure the DCERPC Inspection Service Policy page 10 3 Configure a DCERPC Inspection Policy Map To specify additional DCERPC inspection parameters create a DCERPC inspection policy map You can then apply the inspection policy map when you enable DCERPC inspection Before You Begin Some traffic matching options use regular ...

Page 239: ...eout pinhole 0 10 00 hostname config class map dcerpc hostname config cmap match port tcp eq 135 hostname config policy map global policy hostname config pmap class dcerpc hostname config pmap c inspect dcerpc dcerpc map hostname config service policy global policy global Configure the DCERPC Inspection Service Policy DCERPC inspection is not enabled in the default inspection policy so you must en...

Page 240: ...e inspection policy map see Configure a DCERPC Inspection Policy Map page 10 2 Example hostname config class no inspect dcerpc hostname config class inspect dcerpc dcerpc map Note If you are editing the default global policy or any in use policy to use a different inspection policy map you must remove the DCERPC inspection with the no inspect dcerpc command and then re add it with the new inspecti...

Page 241: ... to be tunneled through a UMTS GPRS backbone between a GGSN an SGSN and the UTRAN GTP does not include any inherent security or encryption of user data but using GTP with the ASA helps protect your network against these risks The SGSN is logically connected to a GGSN using GTP GTP allows multiprotocol packets to be tunneled through the GPRS backbone between GSNs GTP provides a tunnel control and m...

Page 242: ... are dropped and logged Configure GTP Inspection GTP inspection is not enabled by default You must configure it if you want GTP inspection Procedure Step 1 Configure a GTP Inspection Policy Map page 10 6 Step 2 Configure the GTP Inspection Service Policy page 10 9 Step 3 Optional Configure RADIUS accounting inspection to protect against over billing attacks See RADIUS Accounting Inspection page 10...

Page 243: ...e following command hostname config pmap c drop log log rate limit message_rate Not all options are available for each match command The drop keyword drops the packet The log keyword which you can use alone or with drop sends a system log message The rate limit message_rate argument limits the rate of messages This option is available with message id only You can specify multiple match commands in...

Page 244: ... validity of the combinations configured To find more information about MCC and MNC codes see the ITU E 212 recommendation Identification Plan for Land Mobile Stations Step 6 While still in parameter configuration mode configure GSN pooling if desired hostname config pmap p permit response to object group SGSN_name from object group GSN_pool When the ASA performs GTP inspection by default the ASA ...

Page 245: ...add GTP inspection You can alternatively create a new service policy as desired for example an interface specific policy Procedure Step 1 If necessary create an L3 L4 class map to identify the traffic for which you want to apply the inspection class map name match parameter Example hostname config class map gtp_class_map hostname config cmap match access list gtp In the default global policy the i...

Page 246: ...cy such as the default global policy called global_policy you are done Otherwise activate the policy map on one or more interfaces service policy policymap_name global interface interface_name Example hostname config service policy global_policy global The global keyword applies the policy map to all interfaces and interface applies the policy to one interface Only one global policy is allowed You...

Page 247: ...il 1 in use 1 most used timeout 0 00 00 Version TID MS Addr SGSN Addr Idle APN v1 1234567890123425 10 0 1 1 10 0 0 2 0 00 13 gprs cisco com user_name IMSI 214365870921435 MS address 1 1 1 1 primary pdp Y nsapi 2 sgsn_addr_signal 10 0 0 2 sgsn_addr_data 10 0 0 2 ggsn_addr_signal 10 1 1 1 ggsn_addr_data 10 1 1 1 sgsn control teid 0x000001d1 sgsn data teid 0x000001d3 ggsn control teid 0x6306ffa0 ggsn...

Page 248: ...ribute in the Radius Accounting Request Start message with the Radius Accounting Request Stop message When the Stop message is seen with the matching IP address in the Framed IP attribute the ASA looks for all connections with the source matching the IP address You have the option to configure a secret pre shared key with the RADIUS server so the ASA can validate the message If the shared secret i...

Page 249: ...lding a table of user accounts when receiving Accounting Request Start messages These attributes help when the ASA decides whether to tear down connections If you do not specify additional attributes to validate the decision is based solely on the IP address in the Framed IP Address attribute If you configure additional attributes and the ASA receives a start accounting message that includes an ad...

Page 250: ... match port udp eq radius acct In this example the match is for the radius acct UDP port which is 1646 You can specify a different port a range of ports match port udp range number1 number2 or use match access list acl_name and use an ACL Step 2 Add or edit a policy map that sets the actions to take with the class map traffic policy map name Example hostname config policy map global_policy In the ...

Page 251: ...H protocol uses a TCP connection from the RSH client to the RSH server on TCP port 514 The client and server negotiate the TCP port number where the client listens for the STDERR output stream RSH inspection supports NAT of the negotiated port number if necessary For information on enabling RSH inspection see Configure Application Layer Protocol Inspection page 6 9 SNMP Inspection SNMP application...

Page 252: ...that sets the actions to take with the class map traffic policy map name Example hostname config policy map global_policy In the default configuration the global_policy policy map is assigned globally to all interfaces If you want to edit the global_policy enter global_policy as the policy name Step 4 Identify the L3 L4 class map you are using for SNMP inspection class name Example hostname config...

Page 253: ...ction engine is dependent upon proper configuration of the established command XDMCP is a protocol that uses UDP port 177 to negotiate X sessions which use TCP when established For successful negotiation and start of an XWindows session the ASA must allow the TCP back connection from the Xhosted computer To permit the back connection use the established command on the ASA Once XDMCP negotiates the...

Page 254: ...10 18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Inspection for Management Application Protocols XDMCP Inspection ...

Page 255: ...P A R T 4 Connection Settings and Quality of Service ...

Page 256: ......

Page 257: ...fic using service policies All traffic class timeouts have default values so you do not have to set them Connection limits and TCP Intercept By default there are no limits on how many connections can go through or to the ASA You can set limits on particular traffic classes using service policy rules to protect servers from denial of service DoS attacks Particularly you can set limits on embryonic ...

Page 258: ...se services on specific traffic classes only and not as a general service The following general procedure covers the gamut of possible connection setting configurations Pick and choose which to implement based on your needs Procedure Step 1 Configure Global Timeouts page 11 3 These settings change the default idle timeouts for various protocols for all traffic that passes through the device If you...

Page 259: ...his duration must be at least 1 minute The default is 2 minutes timeout icmp hh mm ss The idle time for ICMP between 0 0 2 and 1193 0 0 The default is 2 seconds 0 0 2 timeout sunrpc hh mm ss The idle time until a SunRPC slot is freed This duration must be at least 1 minute The default is 10 minutes timeout H323 hh mm ss The idle time after which H 245 TCP and H 323 UDP media connections close betw...

Page 260: ...n multiple static routes exist to a network with different metrics the ASA uses the one with the best metric at the time of connection creation If a better route becomes available then this timeout lets connections be closed so a connection can be reestablished to use the better route The default is 0 the connection never times out To take advantage of this feature change the timeout to a new valu...

Page 261: ... connections and embryonic connections where n is the number of cores For example if your model has 4 cores if you configure 6 concurrent connections and 4 embryonic connections you could have an additional 3 of each type To determine the number of cores for your model enter the show cpu core command Procedure Step 1 Create an L3 L4 class map to identify the servers you are protecting Use an acces...

Page 262: ...ntercept The rate interval keyword sets the size of the history monitoring window between 1 and 1440 minutes The default is 30 minutes During this interval the ASA samples the number of attacks 30 times The burst rate keyword sets the threshold for syslog message generation between 25 and 2147483647 The default is 400 per second When the burst rate is exceeded syslog message 733104 is generated Th...

Page 263: ...sing service policies Procedure Step 1 Create a TCP map to specify the TCP normalization criteria that you want to look for hostname config tcp map tcp map name Step 2 Configure the TCP map criteria by entering one or more of the following commands The defaults are used for any commands you do not enter Use the no form of a command to disable the setting check retransmission Prevent inconsistent T...

Page 264: ...q past window allow drop Set the action for packets that have past window sequence numbers namely the sequence number of a received TCP packet is greater than the right edge of the TCP receiving window You can allow the packets only if the queue limit command is set to 0 disabled The default is to drop the packets synack data allow drop Allow or drop TCP SYNACK packets that contain data The defaul...

Page 265: ...ap class normalization In the default configuration the global_policy policy map is assigned globally to all interfaces If you want to edit the global_policy enter global_policy as the policy name For information on matching statements for class maps see Identify Traffic Layer 3 4 Class Maps page 1 13 b Apply the TCP map set connection advanced options tcp map name Example hostname config pmap c s...

Page 266: ...based on the security policy The ASA maximizes the firewall performance by checking the state of each packet is this a new connection or an established connection and assigning it to either the session management path a new connection SYN packet the fast path an established connection or the control plane path advanced inspection See the general operations configuration guide for more detailed inf...

Page 267: ...nt path to establish the connection in the fast path Once in the fast path the traffic bypasses the fast path checks Guidelines for TCP State Bypass TCP State Bypass Unsupported Features The following features are not supported when you use TCP state bypass Application inspection Application inspection requires both inbound and outbound traffic to go through the same ASA so application inspection ...

Page 268: ...hostname config class map bypass class hostname config cmap match access list bypass Step 2 Add or edit a policy map that sets the actions to take with the class map traffic and identify the class map policy map name class name Example hostname config policy map global_policy hostname config pmap class bypass class In the default configuration the global_policy policy map is assigned globally to a...

Page 269: ...ion You can disable TCP initial sequence number randomization if necessary for example because data is getting scrambled For example If another in line firewall is also randomizing the initial sequence numbers there is no need for both firewalls to be performing this action even though this action does not affect the traffic If you use eBGP multi hop through the ASA and the eBGP peers are using MD...

Page 270: ...ou can configure different connection settings for specific traffic classes using service policies Use service policies to Customize connection limits and timeouts used to protect against DoS and SYN flooding attacks Implement Dead Connection Detection so that valid but idle connections remain alive Disable TCP sequence number randomization in cases where you do not need it Customize how the TCP N...

Page 271: ...P connections the connection limit is applied to each configured server separately Because the limit is applied to a class one attack host can consume all the connections and leave none for the rest of the hosts that are matched to the class set connection embryonic conn max n The maximum number of simultaneous embryonic connections allowed between 0 and 2000000 The default is 0 which allows unlim...

Page 272: ... interval max_retries Enable Dead Connection Detection DCD Before expiring an idle connection the ASA probes the end hosts to determine if the connection is valid If both hosts respond the connection is preserved otherwise the connection is freed The retry interval sets the time duration in hh mm ss format to wait after each unresponsive DCD probe before sending another probe between 0 0 1 and 24 ...

Page 273: ...d 0 20 0 dcd hostname config pmap c service policy CONNS interface outside You can enter set connection commands with multiple parameters or you can enter each parameter as a separate command The ASA combines the commands into one line in the running configuration For example if you entered the following two commands in class configuration mode hostname config pmap c set connection conn max 600 ho...

Page 274: ...ue We modified the following command timeout floating conn Configurable timeout for PAT xlate 8 4 3 When a PAT xlate times out by default after 30 seconds and the ASA reuses the port for a new translation some upstream routers might reject the new connection because the previous connection might still be open on the upstream device The PAT xlate timeout is now configurable to a value between 30 se...

Page 275: ... we suggest performing QoS on the switch instead of the ASASM Switches have more capability in this area In general QoS is best performed on the routers and switches in the network which tend to have more extensive capabilities than the ASA This chapter describes how to apply QoS policies About QoS page 12 1 Guidelines for QoS page 12 3 Configure QoS page 12 4 Monitor QoS page 12 9 Configuration E...

Page 276: ...te Also called the committed information rate CIR it specifies how much data can be sent or forwarded per unit time on average Burst size Also called the Committed Burst Bc size it specifies in bytes per burst how much traffic can be sent within a given unit of time to not create scheduling concerns Time interval Also called the measurement interval it specifies the time quantum in seconds per bur...

Page 277: ...ract You can configure each of the QoS features alone if desired for the ASA Often though you configure multiple QoS features on the ASA so you can prioritize some traffic for example and prevent other traffic from causing bandwidth problems You can configure Priority queuing for specific traffic Policing for the rest of the traffic You cannot configure priority queuing and policing for the same s...

Page 278: ... 3 Configure a Service Rule for Priority Queuing and Policing page 12 7 Determine the Queue and TX Ring Limits for a Priority Queue Use the following worksheets to determine the priority queue and TX ring limits Queue Limit Worksheet page 12 4 TX Ring Limit Worksheet page 12 5 Queue Limit Worksheet The following worksheet shows how to calculate the priority queue size Because queues are not of inf...

Page 279: ...Maximum packet size Typically the maximum size is 1538 bytes or 1542 bytes for tagged Ethernet If you allow jumbo frames if supported for your platform then the packet size might be larger Delay The delay depends on your application For example to control jitter for VoIP you should use 20 ms Table 12 1 Queue Limit Worksheet 1 __________ Outbound bandwidth Mbps or Kbps Mbps x 125 __________ of byte...

Page 280: ...nal packets cannot get into the queue and are dropped called tail drop To avoid having the queue fill up you can use the queue limit command to increase the queue buffer size The upper limit of the range of values for the queue limit command is determined dynamically at run time To view this limit enter queue limit on the command line The key determinants are the memory needed to support the queue...

Page 281: ...me policy map See How QoS Features Interact page 12 3 for information about valid QoS configurations Before You Begin You cannot use the class default class map for priority traffic ASASM The ASASM only supports policing For policing to the box traffic is not supported For policing traffic to and from a VPN tunnel bypasses interface policing For policing when you match a tunnel group class map onl...

Page 282: ...ple hostname config policy map QoS_policy Step 6 Identify the class map you created for prioritized traffic class priority_map_name Example hostname config pmap class priority_class Step 7 Configure priority queuing for the class priority Example hostname config pmap c priority Step 8 Identify the class map you created for policed traffic class policing_map_name Example hostname config pmap class ...

Page 283: ...he policy map to all interfaces and interface applies the policy to one interface Only one global policy is allowed You can override the global policy on an interface by applying a service policy to that interface You can only apply one policy map to each interface Monitor QoS QoS Police Statistics page 12 9 QoS Priority Statistics page 12 10 QoS Priority Queue Statistics page 12 10 QoS Police Sta...

Page 284: ...istics command The results show the statistics for both the best effort BE queue and the low latency queue LLQ The following example shows the use of the show priority queue statistics command for the interface named test hostname show priority queue statistics test Priority Queue Statistics interface test Queue Type BE Packets Dropped 0 Packets Transmit 0 Packets Enqueued 0 Current Q Length 0 Max...

Page 285: ... permit ip 10 10 34 0 255 255 255 0 192 168 10 0 255 255 255 0 hostname config access list non tunneled extended permit tcp any any hostname config tunnel group tunnel grp1 type IPsec_L2L hostname config class map browse hostname config cmap description This class map matches all non tunneled tcp traffic hostname config cmap match access list non tunneled hostname config cmap class map TG1 voice h...

Page 286: ...um burst size of 10 500 bytes per second For the TC1 BestEffort class the maximum rate is 200 000 bits second with a maximum burst of 37 500 bytes second Traffic in the TC1 voice class has no policed maximum speed or burst rate because it belongs to a priority class hostname config access list tcp_traffic permit tcp any any hostname config class map tcp_traffic hostname config cmap match access li...

Page 287: ... police show priority queue statistics show service policy police show service policy priority show running config priority queue clear configure priority queue Shaping and hierarchical priority queuing 7 2 4 8 0 4 We introduced QoS shaping and hierarchical priority queuing We introduced the following commands shape show service policy shape Ten Gigabit Ethernet support for a standard priority que...

Page 288: ...12 14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 12 Quality of Service History for QoS ...

Page 289: ...asic Connectivity Pinging Addresses page 13 1 Trace Routes to Hosts page 13 8 Tracing Packets to Test Policy Configuration page 13 10 Test Basic Connectivity Pinging Addresses Ping is a simple command that let s you determine if a particular address is alive and responsive The following topics explain more about the command and what types of testing you can accomplish with it What You Can Test Usi...

Page 290: ...P traffic With ICMP ping you can ping IPv4 or IPv6 addresses or host names However some networks prohibit ICMP If this is true of your network you can instead use TCP ping to test network connectivity With TCP ping the ping sends TCP SYN packets and considers the ping a success if it receives a SYN ACK in response With TCP ping you can ping IPv4 addresses or host names but you cannot ping IPv6 add...

Page 291: ...s list command to remove the rule from the ACL If the entire ACL is simply for testing purposes use the no access group command to remove the ACL from the interface Step 3 Enable ICMP inspection ICMP inspection is needed when pinging through the ASA as opposed to pinging an interface Inspection allows returning traffic that is the Echo Reply packet to return to the host that initiated the ping and...

Page 292: ... pinging repeat and timeout have the same meaning as above source host port indicates the source host and port for the ping Use port 0 to get a random port Interactive ping ping By entering ping without parameters you are prompted for interface destination and other parameters including extended parameters not available as keywords Use this method if you have need for extensive control over the pi...

Page 293: ...id 1 seq 768 209 165 201 1 209 165 201 2 Outbound ICMP echo request len 32 id 1 seq 1024 209 165 201 2 209 165 201 1 Inbound ICMP echo reply len 32 id 1 seq 1024 209 165 201 1 209 165 201 2 The output shows the ICMP packet length 32 bytes the ICMP packet identifier 1 and the ICMP sequence number the ICMP sequence number starts at 0 and is incremented each time that a request is sent When you are f...

Page 294: ...ter is down see the following figure In this case no debugging messages or syslog messages appear because the packet never reaches the ASA Figure 13 2 Ping Failure at the ASA Interface If the ping reply does not return to the router then a switch loop or redundant IP addresses might exist see the following figure Routed ASA 10 1 1 56 10 1 3 6 209 265 200 230 10 1 2 90 10 1 4 67 10 1 0 34 209 165 2...

Page 295: ...echo reply from the known good device problems with the interface hardware receiving function may exist If a different interface with known good receiving capability can receive an echo after pinging the same known good device the hardware receiving problem of the first interface is confirmed Step 5 Ping from the host or router through the source interface to another host or router on another inte...

Page 296: ...e config class map CONNS hostname config cmap match any For information on matching statements see Identify Traffic Layer 3 4 Class Maps page 1 13 Step 2 Add or edit a policy map that sets the actions to take with the class map traffic and identify the class map policy map name class name Example hostname config policy map global_policy hostname config pmap class CONNS In the default configuration...

Page 297: ...policy hostname config cmap match any hostname config cmap exit hostname config policy map global_policy hostname config pmap class global policy hostname config pmap c set connection decrement ttl hostname config pmap c exit hostname config icmp unreachable rate limit 50 burst size 6 Determine Packet Routes Use Traceroute to help you to determine the route that packets will take to their destinat...

Page 298: ...bes The minimum default is one but you can set it to a higher value to suppress the display of known hops The maximum default is 30 The traceroute terminates when the packet reaches the destination or when the maximum value is reached port port_value The UDP port to use The default is 33434 use icmp Send ICMP packets instead of UDP packets for probes Example hostname traceroute 209 165 200 225 Typ...

Page 299: ...the trace security group name name tag tag The source security group based on the IP SGT lookup for Trustsec You can specify a security group name or a tag number fqdn fqdn string The fully qualified domain name of the source host IPv4 only Step 3 Next type in the protocol characteristics ICMP Enter the ICMP type 1 255 ICMP code 0 255 and optionally the ICMP identifier You must use numbers for eac...

Page 300: ...tion found next hop 10 86 116 1 using egress ifc outside Phase 2 Type ACCESS LIST Subtype Result DROP Config Implicit Rule Additional Information Result input interface outside input status up input line status up output interface NP Identity Ifc output status up output line status up Action drop Drop reason acl drop Flow is denied by configured rule Monitoring Performance and System Resources You...

Page 301: ... zero Shows processes that are actually using CPU filtering out those using 0 show process cpu usage sorted Provides a breakdown of the process related load to CPU that is consumed by any configured contexts Monitoring Connections To view current connections with information about source destination protocol and so forth use the show conn all detail command ...

Page 302: ...13 14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 13 Troubleshooting Connections and Resources Monitoring Connections ...

Page 303: ...P A R T 5 Advanced Network Protection ...

Page 304: ......

Page 305: ...ng about the traffic based on the policy configured in Cisco ScanCenter to enforce acceptable use and to protect users from malware The ASA can optionally authenticate and identify users with Identity Firewall and AAA rules The ASA encrypts and includes the user credentials including usernames and user groups in the traffic it redirects to Cloud Web Security The Cloud Web Security service then use...

Page 306: ...uide Default username and group For traffic that does not have an associated user name or group you can configure an optional default username and group name These defaults are applied to all users that match a service policy rule for Cloud Web Security Authentication Keys Each ASA must use an authentication key that you obtain from Cloud Web Security The authentication key lets Cloud Web Security...

Page 307: ...ASA modifies the name to use only one backslash to conform to typical ScanCenter notation when including the group in the redirected HTTP request The default group name is sent in the following format domain group name On the ASA you need to configure the optional domain name to be followed by 2 backslashes however the ASA modifies the name to use only one backslash to conform to typical ScanCente...

Page 308: ...p plus group key after the exempt rule to apply policy per ASA 4 Traffic from users in America Management will match the exempt rule while all other traffic will match the rule for the ASA from which it originated Many combinations of keys groups and policy rules are possible Failover from Primary to Backup Proxy Server When you subscribe to the Cisco Cloud Web Security service you are assigned a ...

Page 309: ...e Cloud Web Security servers Clientless SSL VPN is not supported with Cloud Web Security be sure to exempt any clientless SSL VPN traffic from the ASA service policy for Cloud Web Security When an interface to the Cloud Web Security proxy servers goes down output from the show scansafe server command shows both servers up for approximately 15 25 minutes This condition may occur because the polling...

Page 310: ...y Whitelisted Traffic page 14 8 Step 3 Configure a Service Policy to Send Traffic to Cloud Web Security page 14 9 Step 4 Optional Configure the User Identity Monitor page 14 13 Step 5 Configure the Cloud Web Security Policy page 14 14 Configure Communications with the Cloud Web Security Proxy Server You must identify the Cloud Web Security proxy servers so that user web requests can be redirected ...

Page 311: ... server before determining the server is unreachable retry count value Example hostname cfg scansafe retry count 2 Polls are performed every 30 seconds Valid values are from 2 to 100 and the default is 5 Step 4 Configure the authentication key that the ASA sends to the Cloud Web Security proxy servers to indicate from which organization the request comes license hex_key Example hostname cfg scansa...

Page 312: ...is called whitelisting traffic You configure the whitelist in a ScanSafe inspection class map You can use usernames and group names derived from both identity firewall and AAA rules You cannot whitelist based on IP address or on destination URL When you configure your Cloud Web Security service policy rule you refer to the class map in your policy Although you can achieve the same results of exemp...

Page 313: ...fig policy map type inspect scansafe cws_inspect_pmap2 hostname config pmap parameters hostname config pmap p https hostname config pmap p default group2 default_group2 hostname config pmap p class whitelist1 hostname config pmap c whitelist Configure a Service Policy to Send Traffic to Cloud Web Security Your service policy consists of multiple service policy rules applied globally or applied to ...

Page 314: ...t tcp 443 The following procedure describes an ACL match a Create ACLs access list extended command to identify the traffic you want to send to Cloud Web Security You must create separate ACLs for HTTP and HTTPS traffic Because Cloud Web Security works on HTTP HTTPS traffic only any other traffic defined in the ACL is ignored A permit ACE sends matching traffic to Cloud Web Security A deny ACE exe...

Page 315: ...ssigned globally to all interfaces If you want to edit the global_policy enter global_policy as the policy name You can only apply one policy to each interface or globally policy map name Example hostname config policy map global_policy b Identify one of the traffic class maps you created for Cloud Web Security inspection class name Example hostname config pmap class cws_class1 c Configure ScanSaf...

Page 316: ...map type inspect scansafe match any whitelist1 hostname config cmap match user user1 group cisco hostname config cmap match user user2 hostname config cmap match group group1 hostname config cmap match user user3 group group3 hostname config policy map type inspect scansafe cws_inspect_pmap1 hostname config pmap parameters hostname config pmap p http hostname config pmap p default group default_gr...

Page 317: ...ure to be considered active For example although you can configure your Cloud Web Security service policy rule to use an ACL with users and groups thus activating any relevant groups it is not required You could use an ACL based entirely on IP addresses Because Cloud Web Security can base its ScanCenter policy on user identity you might need to download groups that are not part of an active ACL to...

Page 318: ...d Web Security activity such as the number of connections redirected to the proxy server the number of current connections being redirected and the number of white listed connections hostname show scansafe statistics Current HTTP sessions 0 Current HTTPS sessions 0 Total HTTP Sessions 0 Total HTTPS Sessions 0 Total Fail HTTP sessions 0 Total Fail HTTPS sessions 0 Total Bytes In 0 Bytes Total Bytes...

Page 319: ... the ASA hostname config scansafe general options hostname cfg scansafe server primary ip 192 168 115 225 hostname cfg scansafe retry count 5 hostname cfg scansafe license 366C1D3F5CE67D33D3E9ACEC265261E5 Step 2 Configure identity firewall settings Because groups are a key feature of ScanCenter policies you should consider enabling the identity firewall if you are not already using it However iden...

Page 320: ...config policy map type inspect scansafe http pmap hostname config pmap parameters hostname config pmap p default group httptraffic hostname config pmap p http hostname config pmap p class whiteListCmap hostname config pmap p whitelist hostname config policy map type inspect scansafe https pmap hostname config pmap parameters hostname config pmap p default group httpstraffic hostname config pmap p ...

Page 321: ... login dn cn administrator cn Users dc asascanlab dc local hostname config aaa server host ldap login password Password1 Step 2 Configure the Active Directory Agent Using RADIUS The following example shows how to configure the Active Directory Agent on your ASA using RADIUS hostname config aaa server adagent protocol radius hostname config aaa server group ad agent mode hostname config aaa server ...

Page 322: ...dentity action mac address mismatch remove user ip hostname config user identity ad agent active user database full download There are two download modes with Identify Firewall Full download and On demand Full download Whenever a user logs into the network the IDFW tells the ASA the User identity immediately recommended on the ASA 5512 X and above On demand Whenever a user logs into the network th...

Page 323: ...e was introduced Cisco Cloud Web Security provides content scanning and other malware protection service for web traffic It can also redirect and report about web traffic based on user identity We introduced or modified the following commands class map type inspect scansafe default user group http s parameters inspect scansafe license match user group policy map type inspect scansafe retry count s...

Page 324: ...14 20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 14 ASA and Cisco Cloud Web Security History for Cisco Cloud Web Security ...

Page 325: ...ped already by the ASA Thus threat detection and IPS can work together to provide a more comprehensive threat defense Threat detection consists of the following elements Different levels of statistics gathering for various threats Threat detection statistics can help you manage threats to your ASA for example if you enable scanning threat detection then viewing statistics can help you analyze the ...

Page 326: ...ckers and automatically shunning them for example Incomplete session detection such as TCP SYN attack detected or no data UDP session attack detected When the ASA detects a threat it immediately sends a system log message 733100 The ASA tracks two types of rates the average event rate over an interval and the burst event rate over a shorter burst interval The burst rate interval is 1 30th of the a...

Page 327: ...e part of a scanning attack the ASA checks the average and burst rate limits If either rate is exceeded for traffic sent from a host then that host is considered to be an attacker If either rate is exceeded for traffic received by a host then that host is considered to be a target The following table lists the default rate limits for scanning threat detection Caution The scanning threat detection ...

Page 328: ... the last 3600 seconds 320 drops sec over the last 120 second period Scanning attack detected 5 drops sec over the last 600 seconds 10 drops sec over the last 20 second period 4 drops sec over the last 3600 seconds 8 drops sec over the last 120 second period Incomplete session detected such as TCP SYN attack detected or no data UDP session attack detected combined 100 drops sec over the last 600 s...

Page 329: ...tep 2 Optional Change the default settings for one or more type of event threat detection rate acl drop bad packet drop conn limit drop dos drop fw drop icmp drop inspect drop interface drop scanning threat syn attack rate interval rate_interval average rate av_rate burst rate burst_rate Example hostname config threat detection rate dos drop rate interval 600 average rate 60 burst rate 100 For a d...

Page 330: ...s enabled by default Step 3 Optional Configure statistics for hosts host keyword TCP and UDP ports port keyword or non TCP UDP IP protocols protocol keyword threat detection statistics host port protocol number of rate 1 2 3 Example hostname config threat detection statistics host number of rate 2 hostname config threat detection statistics port number of rate 2 hostname config threat detection st...

Page 331: ...onally shun them Procedure Step 1 Enable scanning threat detection threat detection scanning threat shun except ip address ip_address mask object group network_object_group_id Example hostname config threat detection scanning threat shun except ip address 10 1 1 0 255 255 255 0 By default the system log message 733101 is generated when a host is identified as an attacker Enter this command multipl...

Page 332: ...The other arguments let you limit the display to specific categories For a description of each event type see Basic Threat Detection Statistics page 15 2 The output shows the average rate in events sec over two fixed time periods the last 10 minutes and the last 1 hour It also shows the current burst rate in events sec over the last completed burst interval which is 1 30th of the average rate inte...

Page 333: ... unfinished burst interval presently occurring is not included in the average rate For example if the average rate interval is 20 minutes then the burst interval is 20 seconds If the last burst interval was from 3 00 00 to 3 00 20 and you use the show command at 3 00 25 then the last 5 seconds are not included in the output The only exception to this rule is if the number of events in the unfinish...

Page 334: ...u can ignore this IP address in the display show threat detection statistics min display rate min_display_rate top port protocol rate 1 rate 2 rate 3 To view statistics for ports and protocols use the port protocol keyword The port protocol keyword shows statistics for both ports and protocols both must be enabled for the display and shows the combined statistics of TCP UDP port and IP protocol ty...

Page 335: ...ost The host IP address tot ses The total number of sessions for this host since it was added to the database act ses The total number of active sessions that the host is currently involved in fw drop The number of firewall drops Firewall drops is a combined rate that includes all firewall related packet drops tracked in basic threat detection including ACL denials bad packets exceeded connection ...

Page 336: ...seconds whichever is larger For the example specified in the Average eps description the current rate is the rate from 3 19 30 to 3 20 00 Trigger The number of times the dropped packet rate limits were exceeded For valid traffic identified in the sent and received bytes and packets rows this value is always 0 because there are no rate limits to trigger for valid traffic Total events The total numb...

Page 337: ... 10 8 3 6 209 165 200 225 Examples for Threat Detection The following example configures basic threat detection statistics and changes the DoS attack rate settings All advanced threat detection statistics are enabled with the host statistics number of rate intervals lowered to 2 The TCP Intercept rate interval is also customized Scanning threat detection is enabled with automatic shunning for all ...

Page 338: ...owing commands were modified or introduced threat detection statistics tcp intercept show threat detection statistics top tcp intercept clear threat detection statistics Customize host statistics rate intervals 8 1 2 You can now customize the number of rate intervals for which statistics are collected The default number of rates was changed from 3 to 1 The following command was modified threat det...

Page 339: ...P A R T 6 ASA Modules ...

Page 340: ......

Page 341: ...n Prevention System NGIPS Application Visibility and Control AVC URL filtering and Advanced Malware Protection AMP You can use the module in single or multiple context mode and in routed or transparent mode The module is also known as ASA SFR Although the module has a basic command line interface CLI for initial configuration and troubleshooting you configure the security policy on the device usin...

Page 342: ... port on a switch In this mode traffic is sent directly to the ASA FirePOWER module without ASA processing The traffic is black holed in that nothing is returned from the module nor does the ASA send the traffic out any interface You must operate the ASA in single context transparent mode to configure traffic forwarding Be sure to configure consistent policies on the ASA and the ASA FirePOWER Both...

Page 343: ...r monitoring purposes only The module applies the security policy to the traffic and lets you know what it would have done if it were operating in inline mode for example traffic might be marked would have dropped in events You can use this information for traffic analysis and to help you decide if inline mode is desirable Note You cannot configure both inline tap monitor only mode and normal inli...

Page 344: ...nts You can use this information for traffic analysis and to help you decide if inline mode is desirable Traffic in this setup is never forwarded neither the module nor the ASA sends the traffic on to its ultimate destination You must operate the ASA in single context and transparent modes to use this configuration The following figure shows an interface configured for traffic forwarding That inte...

Page 345: ...e ASA backplane using the session command All other models software module ASA session over the backplane If you have CLI access to the ASA then you can session to the module and access the module CLI ASA FirePOWER Management 0 0 interface using SSH Management 1 1 for the 5506 X You can connect to the default IP address or you can use ASDM to change the management IP address and then connect using...

Page 346: ...A FirePOWER Module The ASA FirePOWER module and FireSIGHT Management Center require additional licenses which need to be installed in the module itself rather than in the context of the ASA The ASA itself requires no additional licenses See the Licensing chapter of the FireSIGHT System User Guide or the online help in FireSIGHT Management Center for more information Guidelines for ASA FirePOWER Fa...

Page 347: ...module and then configuration of the ASA to send traffic to the ASA FirePOWER module To configure the ASA FirePOWER module perform the following steps Step 1 Connect the ASA FirePOWER Management Interface page 16 8 Cable the ASA FirePOWER management interfaces and optionally the console interface Step 2 If necessary Install or Reimage the Software Module page 16 11 Skip this step if you purchased ...

Page 348: ...connect with SSH to the ASA FirePOWER Management 1 0 interface using the default IP address If you cannot use the default IP address you can either use the console port or use ASDM to change the management IP address so you can use SSH See Change the ASA FirePOWER Management IP Address page 16 14 If you have an inside router If you have an inside router you can route between the management network...

Page 349: ...POWER module as a software module and the ASA FirePOWER management interface shares the Management 0 0 interface with the ASA Management 1 1 on 5506 X For initial setup you can connect with SSH to the ASA FirePOWER default IP address If you cannot use the default IP address you can either session to the ASA FirePOWER over the backplane or use ASDM to change the management IP address so you can use...

Page 350: ...rface you can still configure the ASA FirePOWER IP address for that interface Because the ASA FirePOWER module is essentially a separate device from the ASA you can configure the ASA FirePOWER management address to be on the same network as the inside interface Note You must remove the ASA configured name for Management 0 0 or 1 1 if it is configured on the ASA then the ASA FirePOWER address must ...

Page 351: ...e service policy redirecting traffic to an IPS or CX module you must remove that policy For example if the policy is a global one you could use no service policy ips_policy global If the service policy includes other rules you want to maintain simply remove the redirection command from the relevant policy map or the entire traffic class if redirection is the only action for the class You can remov...

Page 352: ...L X Cisco ASA SFR Boot Image 5 3 1 asasfr login admin Password Admin123 If the module boot has not completed the session command will fail with a message about not being able to connect over ttyS1 Wait and try again Step 6 Use the setup command to configure the system so that you can install the system software package asasfr boot setup Welcome to SFR Setup hit Ctrl C to abort Default values are i...

Page 353: ...ation as prompted You must first read and accept the end user license agreement EULA Then change the admin password then configure the management address and DNS settings as prompted You can configure both IPv4 and IPv6 management addresses For example System initialization in progress Please stand by You must change the password for admin to continue Enter new password new password Confirm new pa...

Page 354: ... is a good solution when you have a single device or very few devices If you have a large number of devices FireSIGHT Management Center is a better solution Step 12 Skip for 5506 X when using ASDM Log into the FireSIGHT Management Center using an HTTPS connection in a browser using the hostname or address entered above For example https DC example com Use the Device Management Devices Device Manag...

Page 355: ...gs later use the various configure network commands to change the individual settings For more information on the configure network commands use the command for help and see the FireSIGHT System User Guide or the online help in FireSIGHT Management Center Procedure Step 1 Do one of the following All models Use SSH to connect to the ASA FirePOWER management IP address Software modules only Open a s...

Page 356: ...o the Defense Center Step 4 Optional for 5506 X Now you must identify the FireSIGHT Management Center that will manage this device as explained in Add ASA FirePOWER to the FireSIGHT Management Center page 16 16 Add ASA FirePOWER to the FireSIGHT Management Center FireSIGHT Management Center also known as Defense Center is a separate server that manages multiple FirePOWER devices for the same or di...

Page 357: ...g_key is the unique alphanumeric registration key required to register a device to the FireSIGHT Management Center nat_id is an optional alphanumeric string used during the registration process between the FireSIGHT Management Center and the device It is required if the hostname is set to DONTRESOLVE Step 4 Log into the FireSIGHT Management Center using an HTTPS connection in a browser using the h...

Page 358: ... dashboards for a wide variety of module statistics such as web categories users sources and destinations for the traffic passing through the module Home ASA FirePOWER Status Also available when you manage the module with FireSIGHT Management Center the status page includes module information such as the model serial number and software version and module status such as the application name and st...

Page 359: ...ral issue with these Java versions and you will also need to import the certificate from the ASA to configure it through ASDM Redirect Traffic to the ASA FirePOWER Module For inline and inline tap monitor only modes you configure a service policy to redirect traffic to the module If you want passive monitor only mode you configure a traffic redirection interface which bypasses ASA policies The fol...

Page 360: ...e Specify monitor only to send a read only copy of traffic to the module i e inline tap mode If you do not include the keyword the traffic is sent in inline mode Be sure to configure consistent policies on the ASA and the ASA FirePOWER See ASA FirePOWER Inline Tap Monitor Only Mode page 16 3 for more information Example hostname config pmap c sfr fail close Step 5 If you created multiple class map...

Page 361: ...orwarding interfaces cannot be used for ASA traffic you cannot name them or configure them for ASA features including failover or management only You cannot configure both a traffic forwarding interface and a service policy for ASA FirePOWER traffic Procedure Step 1 Enter interface configuration mode for the physical interface you want to use for traffic forwarding interface physical_interface Exa...

Page 362: ...f there are no other users with the required permissions you can reset the admin password from the ASA using the session do command Tip The password reset option on the ASA hw module and sw module commands does not work with ASA FirePOWER To reset the module password for the user admin to the default Sourcefire use the following command Use 1 for a hardware module sfr for a software module In mult...

Page 363: ...t mode perform this procedure in the system execution space Procedure Step 1 Uninstall the software module image and associated configuration hostname sw module module sfr uninstall Module sfr will be uninstalled This will completely remove the disk image associated with the sw module including any configuration that existed within it Uninstall module sfr confirm Step 2 Reload the ASA You must rel...

Page 364: ...exit to the ASA prompt You must use a direct serial connection to return the console to the ASA prompt Use the session sfr command instead of the console command when facing this situation Reimage the 5585 X ASA FirePOWER Hardware Module If you need to reimage the ASA FirePOWER hardware module in an ASA 5585 X appliance for any reason you need to install both the Boot Image and a System Software p...

Page 365: ...pboot images filename img the IMAGE value is images filename img For example ADDRESS 10 5 190 199 SERVER 10 5 11 170 GATEWAY 10 5 1 1 IMAGE asasfr boot 5 3 1 26 54 img Step 5 Enter sync to save the settings Step 6 Enter tftp to initiate the download and boot process You will see marks to indicate progress When the boot completes after several minutes you will see a login prompt Step 7 Log in as ad...

Page 366: ...ent Center using an HTTPS connection in a browser using the hostname or address entered above For example https DC example com Use the Device Management Devices Device Management page to add the device For more information see the Managing Devices chapter in the FireSIGHT System User Guide or the online help in FireSIGHT Management Center Upgrade the System Software Use FireSIGHT Management Center...

Page 367: ...y Services Proce ASA5585 SSP SFR10 JAF1510BLSA Mod MAC Address Range Hw Version Fw Version Sw Version 0 5475 d05b 1100 to 5475 d05b 110b 1 0 2 0 7 0 100 10 0 8 1 5475 d05b 2450 to 5475 d05b 245b 1 0 2 0 13 0 5 3 1 44 Mod SSM Application Name Status SSM Application Version 1 FirePOWER Up 5 3 1 44 Mod Status Data Plane Status Compatibility 0 Up Sys Not Applicable 1 Up Up The following example shows ...

Page 368: ...ctions To show connections through the ASA FirePOWER module enter one of the following commands show asp table classify domain sfr Shows the NP rules created to send traffic to the ASA FirePOWER module show asp drop Shows dropped packets The drop types are explained below show conn Shows if a connection is being forwarded to a module by displaying the X inspected by service module flag The show as...

Page 369: ...rminate and reset the flow The actions bit 1 is set sfr fail close The flow was terminated because the card is down and the configured policy was fail close Examples for the ASA FirePOWER Module The following example diverts all HTTP traffic to the ASA FirePOWER module and blocks all HTTP traffic if the module fails for any reason hostname config access list ASASFR permit tcp any any eq 80 hostnam...

Page 370: ...ug sfr hw module module 1 reload hw module module 1 reset hw module module 1 shutdown session do setup host ip session do get config session do password reset session sfr sfr show asp table classify domain sfr show capture show conn show module sfr show service policy sw module sfr ASA 5506 X support for the ASA FirePOWER software module including support for configuring the module in ASDM ASA 9 3...

Page 371: ...Module The ASA CX module lets you enforce security based on the full context of a situation This context includes the identity of the user who the application or website that the user is trying to access what the origin of the access attempt where the time of the attempted access when and the properties of the device used for the access how With the ASA CX module you can extract the full context o...

Page 372: ...would have done to traffic without impacting the network You can configure this mode using a monitor only service policy or a traffic forwarding interface For guidelines and limitations for monitor only mode see Guidelines for ASA CX page 17 6 The following sections explain these modes in more detail ASA CX Normal Inline Mode In normal inline mode traffic goes through the firewall checks before be...

Page 373: ...mode Figure 17 2 ASA CX Monitor Only Mode Traffic Forwarding Interface in Monitor Only Mode You can alternatively configure ASA interfaces to be traffic forwarding interfaces where all traffic received is forwarded directly to the ASA CX module without any ASA processing For testing and demonstration purposes traffic forwarding removes the extra complication of ASA processing Traffic forwarding is...

Page 374: ...n use ASDM to change the management IP address and then connect using SSH The ASA CX management interface is a separate external Gigabit Ethernet interface Note You cannot access the ASA CX hardware module CLI over the ASA backplane using the session command ASA 5512 X through ASA 5555 X ASA session over the backplane If you have CLI access to the ASA then you can session to the module and access ...

Page 375: ...ry Agent CDA If you want to use active authentication you must configure the ASA to act as an authentication proxy The ASA CX module redirects authentication requests to the ASA interface IP address proxy port The default port is 885 but you can configure a different port To enable active authentication you enable the authentication proxy as part of the service policy that redirects traffic to ASA...

Page 376: ... more information Guidelines for ASA CX Context Mode Guidelines Starting with ASA CX 9 1 3 multiple context mode is supported However the ASA CX module itself configured in PRSM is a single context mode device the context specific traffic coming from the ASA is checked against the common ASA CX policy Therefore you cannot use the same IP addresses in multiple contexts each context must include uni...

Page 377: ...le some events such as ones with long URLs spanning packet boundaries may be impacted by the lack of buffering Be sure to configure both the ASA policy and the ASA CX to have matching modes both in monitor only mode or both in normal inline mode Additional guidelines for traffic forwarding interfaces The ASA must be in transparent mode You can configure up to 4 interfaces as traffic forwarding int...

Page 378: ...ace Step 2 ASA 5512 X through ASA 5555 X Install or Reimage the Software Module page 17 11 Step 3 ASA 5585 X Change the ASA CX Management IP Address page 17 14 if necessary This might be required for initial SSH access Step 4 Configure Basic ASA CX Settings page 17 14 You do this on the ASA CX module Step 5 Configure the Security Policy on the ASA CX Module page 17 16 Step 6 Optional Configure the...

Page 379: ... console port or use ASDM to change the management IP address so you can use SSH If you have an inside router If you have an inside router you can route between the management network which can include both the ASA Management 0 0 and ASA CX Management 1 0 interfaces and the ASA inside network for Internet access Be sure to also add a route on the ASA to reach the Management network through the ins...

Page 380: ...k as the inside interface ASA 5512 X through ASA 5555 X Software Module These models run the ASA CX module as a software module and the ASA CX management interface shares the Management 0 0 interface with the ASA For initial setup you can connect with SSH to the ASA CX default IP address 192 168 1 2 24 If you cannot use the default IP address you can either session to the ASA CX over the backplane...

Page 381: ...network as the inside interface Note You must remove the ASA configured name for Management 0 0 if it is configured on the ASA then the ASA CX address must be on the same network as the ASA and that excludes any networks already configured on other ASA interfaces If the name is not configured then the ASA CX address can be on any network for example the ASA inside network ASA 5512 X through ASA 55...

Page 382: ...I or ASDM When reimaging the module use the same shutdown and uninstall commands to remove the old image For example sw module module cxsc uninstall Obtain both the ASA CX Boot Image and System Software packages from Cisco com http software cisco com download type html mdfid 284325223 flowid 34503 Procedure Step 1 Download the boot image to the device Do not transfer the system software it is down...

Page 383: ... Password Admin123 Tip If the module boot has not competed the session command will fail with a message about not being able to connect over ttyS1 Wait and try again Step 6 Partition the SSD asacx boot partition Partition Successfully Completed Step 7 Perform the basic network setup using the setup command according to Configure Basic ASA CX Settings page 17 14 do not exit the ASA CX CLI and then ...

Page 384: ...ettings page 17 14 To change the management IP address through the ASA do one of the following In multiple context mode perform this procedure in the system execution space In the CLI use the following command to set the ASA CX management IP address mask and gateway session 1 do setup host ip ip_address mask gateway_ip For example session 1 do setup host ip 10 1 1 2 24 10 1 1 1 Single context mode...

Page 385: ...IPv6 address on management interface y n N Y Enter an IPv6 address 2001 DB8 0 CD30 1234 64 Enter the gateway 2001 DB8 0 CD30 1 Enter the primary DNS server IP address 10 89 47 11 Do you want to configure Secondary DNS Server y n N N Do you want to configure Local Domain Name y n N Y Enter the local domain name example com Do you want to configure Search domains y n N Y Enter the comma separated li...

Page 386: ...sing PRSM to configure your ASA CX security policy see the ASA CX PRSM user guide or online help To open PRSM use a web browser to open the following URL https management_address Where management_address is the DNS name or IP address of the ASA CX management interface or the PRSM server For example https asacx example com Configure the Authentication Proxy Port If you use active authentication in ...

Page 387: ...s procedure be sure to also configure a directory realm for authentication on the ASA CX module See the ASA CX user guide for more information If you have an active service policy redirecting traffic to an IPS module that you replaced with the ASA CX you must remove that policy before you configure the ASA CX service policy Be sure to configure both the ASA policy and the ASA CX to have matching m...

Page 388: ... modes on the same ASA Example hostname config pmap c cxsc fail close auth proxy Step 5 If you created multiple class maps for ASA CX traffic you can specify another class for the policy and apply the cxsc redirect action See Feature Matching Within a Service Policy page 1 5 for detailed information about how the order of classes matters within a policy map Traffic cannot match more than one class...

Page 389: ...igabitethernet 0 5 Step 2 Remove any name configured for the interface If this interface was used in any ASA configuration that configuration is removed You cannot configure traffic forwarding on a named interface no nameif Step 3 Enable traffic forwarding traffic forward cxsc monitor only Step 4 Enable the interface no shutdown Repeat for any additional interfaces Examples The following example m...

Page 390: ... cxsc password reset Reload or Reset the Module To reload or to reset and then reload the module enter one of the following commands at the ASA CLI In multiple context mode perform this procedure in the system execution space Hardware module ASA 5585 X hw module module 1 reload reset Software module ASA 5512 X through ASA 5555 X sw module module cxsc reload reset Shut Down the Module Shutting down...

Page 391: ...n might be useful if the control plane is down and you cannot establish a Telnet session In multiple context mode session from the system execution space In either a Telnet or a Console session you are prompted for a username and password Use the admin username and password default is Admin123 Telnet session session cxsc When in the ASA CX CLI to exit back to the ASA CLI use the exit command or pr...

Page 392: ...ule The following is sample output from the show module command for an ASA with an ASA CX SSP installed hostname show module Mod Card Type Model Serial No 0 ASA 5585 X Security Services Processor 10 wi ASA5585 SSP 10 JAF1507AMKE 1 ASA 5585 X CX Security Services Processor 10 ASA5585 SSP CX10 JAF1510BLSA Mod MAC Address Range Hw Version Fw Version Sw Version 0 5475 d05b 1100 to 5475 d05b 110b 1 0 2...

Page 393: ...or the authentication proxy for the ASA CX module In the following is sample output which shows one rule the destination port 2000 is the auth proxy port configured by the cxsc auth proxy port 2000 command and the destination ip id 192 168 0 100 is the ASA interface IP address hostname show asp table classify domain cxsc auth proxy Input Table in id 0x7ffed86cc470 priority 121 domain cxsc auth pro...

Page 394: ...roxy feature follow these steps to troubleshoot your configuration and connections Note If you have a connection between hosts on two ASA interfaces and the ASA CX service policy is only configured for one of the interfaces then all traffic between these hosts is sent to the ASA CX module including traffic originating on the non ASA CX interface the feature is bidirectional However the ASA only pe...

Page 395: ...ASACX permit tcp any any eq port 80 hostname config class map my cx class hostname config cmap match access list ASACX hostname config cmap policy map my cx policy hostname config pmap class my cx class hostname config pmap c cxsc fail close auth proxy hostname config pmap c service policy my cx policy global The following example diverts all IP traffic destined for the 10 1 1 0 network and the 10...

Page 396: ...ule module password reset hw module module reload hw module module reset hw module module shutdown session do setup host ip session do get config session do password reset show asp table classify domain cxsc show asp table classify domain cxsc auth proxy show capture show conn show module show service policy ASA 5512 X through ASA 5555 X support for the ASA CX SSP ASA 9 1 1 ASA CX 9 1 1 We introdu...

Page 397: ...n PRSM is a single context mode device the context specific traffic coming from the ASA is checked against the common ASA CX policy We did not modify any commands Filtering packets captured on the ASA CX backplane ASA 9 1 3 ASA CX 9 2 1 You can now filter packets captured on the ASA CX backplane using the match or access list keyword with the capture interface asa_dataplane command Control traffic...

Page 398: ...17 28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 17 ASA CX Module History for the ASA CX Module ...

Page 399: ...e 18 5 Guidelines and Limitations page 18 5 Default Settings page 18 6 Configuring the ASA IPS module page 18 6 Managing the ASA IPS module page 18 17 Monitoring the ASA IPS module page 18 21 Configuration Examples for the ASA IPS module page 18 22 Feature History for the ASA IPS module page 18 23 Information About the ASA IPS Module The ASA IPS module runs advanced IPS software that provides proa...

Page 400: ...ffic enters the ASA 2 Incoming VPN traffic is decrypted 3 Firewall policies are applied 4 Traffic is sent to the ASA IPS module 5 The ASA IPS module applies its security policy to the traffic and takes appropriate actions 6 Valid traffic is sent back to the ASA the ASA IPS module might block some traffic according to its security policy and that traffic is not passed on 7 Outgoing VPN traffic is e...

Page 401: ...an shun it Figure 18 2 shows the ASA IPS module in promiscuous mode In this example the ASA IPS module sends a shun message to the ASA for traffic it identified as a threat Figure 18 2 ASA IPS module Traffic Flow in the ASA Promiscuous Mode Using Virtual Sensors The ASA IPS module running IPS software Version 6 0 and later can run multiple virtual sensors which means you can configure multiple sec...

Page 402: ... ASA page 18 10 Connecting to the IPS management interface using ASDM or SSH After you launch ASDM from the ASA your management station connects to the module management interface to configure the IPS application For SSH you can access the module CLI directly on the module management interface Telnet access requires additional configuration in the module application The module management interface...

Page 403: ...s http www cisco com en US docs security asa compatibility asamatrx html Additional Guidelines ASDM 7 3 2 and later is not compatible with IPS 7 3 2 or earlier To manage IPS connect to its IP address directly in your browser The total throughput for the ASA plus the IPS module is lower than ASA throughput alone ASA 5512 X through ASA 5555 X See http www cisco com en US prod collateral vpndevc ps60...

Page 404: ... from the ASA page 18 10 Configuring Basic IPS Module Network Settings page 18 11 ASA 5512 X through ASA 5555 X Booting the Software Module page 18 10 Configuring the Security Policy on the ASA IPS Module page 18 12 Assigning Virtual Sensors to a Security Context page 18 13 Diverting Traffic to the ASA IPS module page 18 15 Task Flow for the ASA IPS Module Configuring the ASA IPS module is a proce...

Page 405: ...ing Traffic to the ASA IPS module page 18 15 Connecting the ASA IPS Management Interface In addition to providing management access to the IPS module the IPS management interface needs access to an HTTP proxy server or a DNS server and the Internet so it can download global correlation signature updates and license requests This section describes recommended network configurations Your network may...

Page 406: ...nt 1 0 address to be on the same network as the inside interface ASA 5512 X through ASA 5555 X Software Module These models run the IPS module as a software module and the IPS management interface shares the Management 0 0 interface with the ASA ASA Management 0 0 Internet Management PC Proxy or DNS Server for example Router ASA IPS Management 1 0 Outside IPS Management Inside IPS Default Gateway ...

Page 407: ...ess for that interface Because the IPS module is essentially a separate device from the ASA you can configure the IPS management address to be on the same network as the inside interface Note You must remove the ASA configured name for Management 0 0 if it is configured on the ASA then the IPS address must be on the same network as the ASA and that excludes any networks already configured on other...

Page 408: ...are prompted for the username and password The default username is cisco and the default password is cisco Note The first time you log in to the module you are prompted to change the default password Passwords must be at least eight characters long and cannot be a word in the dictionary Console session software module only session ips console Example hostname session ips console Establishing conso...

Page 409: ... module module ips recover configure image disk0 file_path For example using the filename in the example in Step 1 enter hostname sw module module ips recover configure image disk0 IPS SSP_5512 K9 sys 1 1 a 7 1 4 E4 aip Step 3 To install and load the IPS module software enter the following command hostname sw module module ips recover boot Step 4 To check the progress of the image transfer and mod...

Page 410: ... documentation roadm aps list html Step 3 f you configure virtual sensors you identify one of the sensors as the default If the ASA does not specify a virtual sensor name in its configuration the default sensor is used Step 4 When you are done configuring the ASA IPS module exit the IPS software by entering the following command sensor exit If you sessioned to the ASA IPS module from the ASA you r...

Page 411: ... can specify a sensor that is assigned to the context you cannot specify a sensor that you did not assign to the context If you do not assign any sensors to a context then the default sensor configured on the ASA IPS module is used You can assign the same sensor to multiple contexts Note You do not need to be in multiple context mode to use virtual sensors you can be in single mode and use differe...

Page 412: ...the sensor name that can be used within the context instead of the actual sensor name If you do not specify a mapped name the sensor name is used within the context For security purposes you might not want the context administrator to know which sensors are being used by the context Or you might want to genericize the context configuration For example if you want all contexts to use sensors called...

Page 413: ...l ftp user1 passw0rd 10 1 1 1 configlets test cfg hostname config ctx member gold hostname config ctx context sample hostname config ctx allocate interface gigabitethernet0 1 200 int1 hostname config ctx allocate interface gigabitethernet0 1 212 int2 hostname config ctx allocate interface gigabitethernet0 1 230 gigabitethernet0 1 235 int3 int8 hostname config ctx allocate ips sensor1 ips1 hostname...

Page 414: ... should be sent to the ASA IPS module The inline and promiscuous keywords control the operating mode of the ASA IPS module See Operating Modes page 18 2 for more details The fail close keyword sets the ASA to block all traffic if the ASA IPS module is unavailable The fail open keyword sets the ASA to allow all traffic through uninspected if the ASA IPS module is unavailable If you use virtual sens...

Page 415: ...d information about how the order of classes matters within a policy map Traffic cannot match more than one class map for the same action type so if you want network A to go to sensorA but want all other traffic to go to sensorB then you need to enter the class command for network A before you enter the class command for all traffic otherwise all traffic including network A will match the first cl...

Page 416: ...tware module for example the ASA 5545 X sw module module ips recover configure image disk0 file_path Example hostname hw module module 1 recover configure Image URL tftp 127 0 0 1 myimage tftp 10 1 1 1 ids newimg Port IP Address 127 0 0 2 10 1 2 10 Port Mask 255 255 255 254 255 255 255 0 Gateway IP Address 1 1 2 10 10 1 2 254 VLAN ID 0 100 Specifies the location of the new image For a hardware mod...

Page 417: ...ot Installs and boots the IPS module software Step 3 For a hardware module show module 1 details For a software module show module ips details Example hostname show module 1 details Checks the progress of the image transfer and module restart process The Status field in the output indicates the operational status of the module A module operating normally shows a status of Up While the ASA transfer...

Page 418: ...default of cisco perform the following steps Detailed Steps Command Purpose Step 1 sw module module ips uninstall Example hostname sw module module ips uninstall Module ips will be uninstalled This will completely remove the disk image associated with the sw module including any configuration that existed within it Uninstall module id confirm Permanently uninstalls the software module image and as...

Page 419: ...y Services Card 5 Hardware version 0 1 Command Purpose For a hardware module for example the ASA 5585 X hw module module 1 reload For a software module for example the ASA 5545 X sw module module ips reload Example hostname hw module module 1 reload Reloads the module software For a hardware module hw module module 1 reset For a software module sw module module ips reset Example hostname hw module...

Page 420: ...n Version ips IPS Up 7 1 1 160 E4 Mod Status Data Plane Status Compatibility ips Up Up Mod License Name License Status Time Remaining ips IPS Module Enabled 7 days Configuration Examples for the ASA IPS module The following example diverts all IP traffic to the ASA IPS module in promiscuous mode and blocks all IP traffic if the ASA IPS module card fails for any reason hostname config access list I...

Page 421: ...mented Table 18 2 Feature History for the ASA IPS module Feature Name Platform Releases Feature Information AIP SSM 7 0 1 We introduced support for the AIP SSM for the ASA 5510 5520 and 5540 The following command was introduced ips Virtual sensors ASA 5510 and higher 8 0 2 Virtual sensor support was introduced Virtual sensors let you configure multiple security policies on the ASA IPS module The f...

Page 422: ...You can use the two SSPs as a failover pair if desired Note When using two SSPs in the chassis VPN is not supported note however that VPN has not been disabled We modified the following commands show module show inventory show environment Support for the ASA IPS SSP for the ASA 5512 X through ASA 5555 X 8 6 1 We introduced support for the ASA IPS SSP software module for the ASA 5512 X ASA 5515 X A...

Reviews:

No comments