Cisco ASA 5500 Series Configuration Guide using ASDM
Software Version 6.4 and 6.6 for the ASA 5505, ASA 5510, ASA 5520, ASA 5540, ASA 5550, ASA 5580, ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, and ASA 5585-X
Released: January 31, 2011
Updated: October 31, 2012
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
http://www.cisco.com
Tel: 408 526-4000, 800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: N/A, Online only
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Cisco ASA 5500 Series Configuration Guide using ASDM
Copyright © 2011-2012 Cisco Systems, Inc. All rights reserved.
Contents

About This Guide    lxix
    Document Objectives    lxix
    Audience    lxix
    Related Documentation    lxx
    Conventions    lxx
    Obtaining Documentation and Submitting a Service Request    lxxi

PART 1    Getting Started with the ASA

CHAPTER 1    Introduction to the Cisco ASA 5500 Series    1-1
    ASDM Client Operating System and Browser Requirements    1-1
    Hardware and Software Compatibility    1-2
    VPN Specifications    1-2
    New Features    1-3
        New Features in Version 8.6(1)/6.6(1)    1-3
        New Features in Version 8.4(4.1)/6.4(9)    1-5
        New Features in Version 8.4(3)/6.4(7)    1-9
        New Features in Version 8.4(2)/6.4(5)    1-11
        New Features in Version 8.2(5)/6.4(3)    1-16
        New Features in Version 8.4(1)/6.4(1)    1-16
    Firewall Functional Overview    1-22
        Security Policy Overview    1-23
            Permitting or Denying Traffic with Access Rules    1-23
            Applying NAT    1-23
            Protecting from IP Fragments    1-24
            Using AAA for Through Traffic    1-24
            Applying HTTP, HTTPS, or FTP Filtering    1-24
            Applying Application Inspection    1-24
            Sending Traffic to the IPS Module    1-24
            Sending Traffic to the Content Security and Control Module    1-24
            Applying QoS Policies    1-24
            Applying Connection Limits and TCP Normalization    1-25
            Enabling Threat Detection    1-25
            Enabling the Botnet Traffic Filter    1-25
            Configuring Cisco Unified Communications    1-25
        Firewall Mode Overview    1-25
        Stateful Inspection Overview    1-26
    VPN Functional Overview    1-27
    Security Context Overview    1-27

CHAPTER 2    Getting Started    2-1
    Accessing the Appliance Command-Line Interface    2-1
    Configuring ASDM Access for Appliances    2-2
        Accessing ASDM Using the Factory Default Configuration    2-2
        Accessing ASDM Using a Non-Default Configuration (ASA 5505)    2-3
        Accessing ASDM Using a Non-Default Configuration (ASA 5510 and Higher)    2-5
    Starting ASDM    2-6
        Connecting to ASDM for the First Time    2-7
        Starting ASDM from the ASDM-IDM Launcher    2-8
        Starting ASDM from the Java Web Start Application    2-8
        Using ASDM in Demo Mode    2-9
    Factory Default Configurations    2-10
        Restoring the Factory Default Configuration    2-11
        ASA 5505 Default Configuration    2-13
            ASA 5505 Routed Mode Default Configuration    2-14
            ASA 5505 Transparent Mode Sample Configuration    2-15
        ASA 5510 and Higher Default Configuration    2-17
    Getting Started with the Configuration    2-17
    Using the Command Line Interface Tool in ASDM    2-18
        Using the Command Line Interface Tool    2-18
        Handling Command Errors    2-19
        Using Interactive Commands    2-19
        Avoiding Conflicts with Other Administrators    2-19
        Showing Commands Ignored by ASDM on the Device    2-19

CHAPTER 3    Using the ASDM User Interface    3-1
    Information About the ASDM User Interface    3-1
    Navigating in the ASDM User Interface    3-3
    Menus    3-4
        File Menu    3-4
        View Menu    3-5
        Tools Menu    3-6
        Wizards Menu    3-8
        Window Menu    3-8
        Help Menu    3-8
    Toolbar    3-9
    ASDM Assistant    3-10
    Status Bar    3-10
        Connection to Device    3-11
    Device List    3-11
    Common Buttons    3-11
    Keyboard Shortcuts    3-12
    Find Function    3-14
        Using the Find Function in Most ASDM Panes    3-14
        Using the Find Function in the ACL Manager Pane    3-15
    Enabling Extended Screen Reader Support    3-15
    Organizational Folder    3-16
    About the Help Window    3-16
        Header Buttons    3-16
        Browser Window    3-16
    Home Pane (Single Mode and Context)    3-17
        Device Dashboard Tab    3-17
            Device Information Pane    3-18
            Interface Status Pane    3-19
            VPN Sessions Pane    3-19
            Failover Status Pane    3-19
            System Resources Status Pane    3-19
            Traffic Status Pane    3-19
            Latest ASDM Syslog Messages Pane    3-19
        Firewall Dashboard Tab    3-21
            Traffic Overview Pane    3-21
            Top 10 Access Rules Pane    3-22
            Top Usage Status Pane    3-22
            Top Ten Protected Servers Under SYN Attack Pane    3-23
            Top 200 Hosts Pane    3-23
            Top Botnet Traffic Filter Hits Pane    3-23
        Content Security Tab    3-23
        Intrusion Prevention Tab    3-24
        ASA CX Status Tab    3-26
    Home Pane (System)    3-27
    Defining ASDM Preferences    3-28
    Using the ASDM Assistant    3-29
    Enabling History Metrics    3-30
    Unsupported Commands    3-31
        Ignored and View-Only Commands    3-31
        Effects of Unsupported Commands    3-32
        Discontinuous Subnet Masks Not Supported    3-32
        Interactive User Commands Not Supported by the ASDM CLI Tool    3-32

CHAPTER 4    Managing Feature Licenses    4-1
    Supported Feature Licenses Per Model    4-1
        Licenses Per Model    4-1
        License Notes    4-16
        VPN License and Feature Compatibility    4-20
    Information About Feature Licenses    4-20
        Preinstalled License    4-21
        Permanent License    4-21
        Time-Based Licenses    4-21
            Time-Based License Activation Guidelines    4-21
            How the Time-Based License Timer Works    4-21
            How Permanent and Time-Based Licenses Combine    4-22
            Stacking Time-Based Licenses    4-23
            Time-Based License Expiration    4-23
        Shared AnyConnect Premium Licenses    4-23
            Information About the Shared Licensing Server and Participants    4-24
            Communication Issues Between Participant and Server    4-25
            Information About the Shared Licensing Backup Server    4-25
            Failover and Shared Licenses    4-25
            Maximum Number of Participants    4-27
        Failover Licenses (8.3(1) and Later)    4-28
            Failover License Requirements and Exceptions    4-28
            How Failover Licenses Combine    4-28
            Loss of Communication Between Failover Units    4-29
            Upgrading Failover Pairs    4-30
        No Payload Encryption Models    4-30
        Licenses FAQ    4-30
    Guidelines and Limitations    4-31
    Configuring Licenses    4-32
        Obtaining an Activation Key    4-33
        Activating or Deactivating Keys    4-33
    Configuring a Shared License    4-35
        Configuring the Shared Licensing Server    4-35
        Configuring the Shared Licensing Participant and the Optional Backup Server    4-36
    Monitoring Licenses    4-36
        Viewing Your Current License    4-37
        Monitoring the Shared License    4-38
    Feature History for Licensing    4-38

PART 2    Using ASDM Wizards

CHAPTER 5    Using the Startup Wizard    5-1
    Information About the Startup Wizard    5-1
    Licensing Requirements for the Startup Wizard    5-1
    Guidelines and Limitations    5-1
    Startup Wizard Screens    5-2
        Starting Point or Welcome    5-2
        Basic Configuration    5-3
        Interface Screens    5-3
            Interface Selection (ASA 5505)    5-3
            Switch Port Allocation (ASA 5505)    5-3
            Interface IP Address Configuration (ASA 5505, Routed Mode)    5-3
            Interface Configuration - PPPoE (ASA 5505, Routed Mode, Single Mode)    5-3
            Outside Interface Configuration (ASA 5510 and Higher, Routed Mode)    5-4
            Outside Interface Configuration - PPPoE (ASA 5510 and Higher, Routed Mode, Single Mode)    5-4
            Management IP Address Configuration (Transparent Mode)    5-4
            Other Interfaces Configuration (ASA 5510 and Higher)    5-4
        Static Routes    5-4
        Easy VPN Remote Configuration (ASA 5505, Single Mode, Routed Mode)    5-4
        DHCP Server    5-4
        Address Translation (NAT/PAT)    5-5
        Administrative Access    5-5
        IPS Basic Configuration (IPS SSP)    5-5
        Time Zone and Clock Configuration (ASA 5585-X)    5-6
        Auto Update Server (Single Mode)    5-6
        Startup Wizard Summary    5-6
    Feature History for the Startup Wizard    5-7
CHAPTER 6    VPN Wizards    6-1
    VPN Overview    6-1
    IPsec IKEv1 Remote Access Wizard    6-2
        Remote Access Client    6-2
        VPN Client Authentication Method and Tunnel Group Name    6-3
        Client Authentication    6-4
        User Accounts    6-4
        Address Pool    6-4
        Attributes Pushed to Client (Optional)    6-5
        IKE Policy    6-5
        IPsec Settings (Optional)    6-6
        Summary    6-7
    IPsec Site-to-Site VPN Wizard    6-7
        Peer Device Identification    6-7
        IKE Version    6-7
        Traffic to Protect    6-8
        Authentication Methods    6-8
        Encryption Algorithm    6-8
        Miscellaneous    6-9
        Summary    6-9
    AnyConnect VPN Wizard    6-9
        Connection Profile Identification    6-10
        VPN Protocols    6-10
        Client Images    6-11
        Authentication Methods    6-11
        Client Address Assignment    6-11
        Network Name Resolution Servers    6-12
        NAT Exempt    6-12
        AnyConnect Client Deployment    6-12
        Summary    6-12
    Clientless SSL VPN Wizard    6-12
        SSL VPN Interface    6-12
        User Authentication    6-13
        Group Policy    6-13
        Bookmark List    6-13
        Summary    6-14

CHAPTER 7    Using the High Availability and Scalability Wizard    7-1
    Information About the High Availability and Scalability Wizard    7-1
    Licensing Requirements for the High Availability and Scalability Wizard    7-2
    Prerequisites for the High Availability and Scalability Wizard    7-3
    Configuring Failover with the High Availability and Scalability Wizard    7-3
        Accessing the High Availability and Scalability Wizard    7-3
        Configuring Active/Active Failover with the High Availability and Scalability Wizard    7-4
        Configuring Active/Standby Failover with the High Availability and Scalability Wizard    7-5
        High Availability and Scalability Wizard Screens    7-5
            Configuration Type    7-6
            Failover Peer Connectivity and Compatibility Check    7-6
            Change a Device to Multiple Mode    7-7
            Security Context Configuration    7-7
            Failover Link Configuration    7-7
            State Link Configuration    7-8
            Standby Address Configuration    7-8
            Summary    7-9
    Configuring VPN Cluster Load Balancing with the High Availability and Scalability Wizard    7-9
        VPN Cluster Load Balancing Configuration    7-10
    Feature History for the High Availability and Scalability Wizard    7-12

CHAPTER 8    Using the Cisco Unified Communication Wizard    8-1
    Information about the Cisco Unified Communication Wizard    8-1
    Licensing Requirements for the Unified Communication Wizard    8-3
    Guidelines and Limitations    8-4
    Configuring the Phone Proxy by using the Unified Communication Wizard    8-4
        Configuring the Private Network for the Phone Proxy    8-5
        Configuring Servers for the Phone Proxy    8-6
        Enabling Certificate Authority Proxy Function (CAPF) for IP Phones    8-8
        Configuring the Public IP Phone Network    8-9
        Configuring the Media Termination Address for Unified Communication Proxies    8-10
    Configuring the Mobility Advantage by using the Unified Communication Wizard    8-11
        Configuring the Topology for the Cisco Mobility Advantage Proxy    8-12
        Configuring the Server-Side Certificates for the Cisco Mobility Advantage Proxy    8-12
        Configuring the Client-Side Certificates for the Cisco Mobility Advantage Proxy    8-13
    Configuring the Presence Federation Proxy by using the Unified Communication Wizard    8-14
        Configuring the Topology for the Cisco Presence Federation Proxy    8-14
        Configuring the Local-Side Certificates for the Cisco Presence Federation Proxy    8-15
        Configuring the Remote-Side Certificates for the Cisco Presence Federation Proxy    8-15
    Configuring the UC-IME by using the Unified Communication Wizard    8-16
        Configuring the Topology for the Cisco Intercompany Media Engine Proxy    8-17
        Configuring the Private Network Settings for the Cisco Intercompany Media Engine Proxy    8-18
        Adding a Cisco Unified Communications Manager Server for the UC-IME Proxy    8-20
        Configuring the Public Network Settings for the Cisco Intercompany Media Engine Proxy    8-20
        Configuring the Local-Side Certificates for the Cisco Intercompany Media Engine Proxy    8-21
        Configuring the Remote-Side Certificates for the Cisco Intercompany Media Engine Proxy    8-22
    Working with Certificates in the Unified Communication Wizard    8-23
        Exporting an Identity Certificate    8-23
        Installing a Certificate    8-23
        Generating a Certificate Signing Request (CSR) for a Unified Communications Proxy    8-24
        Saving the Identity Certificate Request    8-25
        Installing the ASA Identity Certificate on the Mobility Advantage Server    8-26
        Installing the ASA Identity Certificate on the Presence Federation and Cisco Intercompany Media Engine Servers    8-26

CHAPTER 9    Configuring Trend Micro Content Security    9-1
    Information About the CSC SSM    9-1
    Licensing Requirements for the CSC SSM    9-1
    Prerequisites for the CSC SSM    9-2
    Guidelines and Limitations    9-2
    Default Settings    9-3
    CSC SSM Setup    9-3
        Activation/License    9-4
        IP Configuration    9-4
        Host/Notification Settings    9-5
        Management Access Host/Networks    9-6
        Password    9-6
            Restoring the Default Password    9-7
        Wizard Setup    9-8
            CSC Setup Wizard Activation Codes Configuration    9-8
            CSC Setup Wizard IP Configuration    9-8
            CSC Setup Wizard Host Configuration    9-9
            CSC Setup Wizard Management Access Configuration    9-9
            CSC Setup Wizard Password Configuration    9-10
            CSC Setup Wizard Traffic Selection for CSC Scan    9-10
            CSC Setup Wizard Summary    9-11
    Using the CSC SSM GUI    9-12
        Web    9-13
        9-13
            SMTP Tab    9-14
            POP3 Tab    9-14
        File Transfer    9-15
        Updates    9-16
    Where to Go Next    9-16
    Additional References    9-17
    Feature History for the CSC SSM    9-17

PART 3    Configuring Firewall and Security Context Modes

CHAPTER 10    Configuring the Transparent or Routed Firewall    10-1
    Configuring the Firewall Mode    10-1
        Information About the Firewall Mode    10-1
            Information About Routed Firewall Mode    10-2
            Information About Transparent Firewall Mode    10-2
        Licensing Requirements for the Firewall Mode    10-6
        Default Settings    10-6
        Guidelines and Limitations    10-6
        Setting the Firewall Mode    10-8
        Feature History for Firewall Mode    10-9
    Configuring ARP Inspection for the Transparent Firewall    10-9
        Information About ARP Inspection    10-10
        Licensing Requirements for ARP Inspection    10-10
        Default Settings    10-10
        Guidelines and Limitations    10-10
        Configuring ARP Inspection    10-11
            Task Flow for Configuring ARP Inspection    10-11
            Adding a Static ARP Entry    10-11
            Enabling ARP Inspection    10-12
        Feature History for ARP Inspection    10-13
    Customizing the MAC Address Table for the Transparent Firewall    10-13
        Information About the MAC Address Table    10-13
        Licensing Requirements for the MAC Address Table    10-14
        Default Settings    10-14
        Guidelines and Limitations    10-14
        Configuring the MAC Address Table    10-14
            Adding a Static MAC Address    10-15
            Disabling MAC Address Learning    10-15
        Feature History for the MAC Address Table    10-16
    Firewall Mode Examples    10-16
        How Data Moves Through the ASA in Routed Firewall Mode    10-16
            An Inside User Visits a Web Server    10-17
            An Outside User Visits a Web Server on the DMZ    10-18
            An Inside User Visits a Web Server on the DMZ    10-19
            An Outside User Attempts to Access an Inside Host    10-20
            A DMZ User Attempts to Access an Inside Host    10-21
        How Data Moves Through the Transparent Firewall    10-22
            An Inside User Visits a Web Server    10-23
            An Inside User Visits a Web Server Using NAT    10-24
            An Outside User Visits a Web Server on the Inside Network    10-25
            An Outside User Attempts to Access an Inside Host    10-26

CHAPTER 11    Configuring Multiple Context Mode    11-1
    Information About Security Contexts    11-1
        Common Uses for Security Contexts    11-2
        Context Configuration Files    11-2
            Context Configurations    11-2
            System Configuration    11-2
            Admin Context Configuration    11-2
        How the ASA Classifies Packets    11-3
            Valid Classifier Criteria    11-3
            Classification Examples    11-4
        Cascading Security Contexts    11-6
        Management Access to Security Contexts    11-7
            System Administrator Access    11-7
            Context Administrator Access    11-8
        Information About Resource Management    11-8
            Resource Limits    11-8
            Default Class    11-9
            Class Members    11-10
        Information About MAC Addresses    11-11
            Default MAC Address    11-11
            Interaction with Manual MAC Addresses    11-11
            Failover MAC Addresses    11-12
            MAC Address Format    11-12
    Licensing Requirements for Multiple Context Mode    11-12
    Guidelines and Limitations    11-13
    Default Settings    11-14
    Configuring Multiple Contexts    11-14
        Task Flow for Configuring Multiple Context Mode    11-14
        Enabling or Disabling Multiple Context Mode    11-15
            Enabling Multiple Context Mode    11-15
            Restoring Single Context Mode    11-16
        Configuring a Class for Resource Management    11-16
        Configuring a Security Context    11-19
        Automatically Assigning MAC Addresses to Context Interfaces    11-20
    Monitoring Security Contexts    11-21
        Monitoring Context Resource Usage    11-21
        Viewing Assigned MAC Addresses    11-22
            Viewing MAC Addresses in the System Configuration    11-23
            Viewing MAC Addresses Within a Context    11-23
    Feature History for Multiple Context Mode    11-24

PART 4    Configuring Interfaces

CHAPTER 12    Starting Interface Configuration (ASA 5510 and Higher)    12-1
    Information About Starting ASA 5510 and Higher Interface Configuration    12-1
        Auto-MDI/MDIX Feature    12-2
        Interfaces in Transparent Mode    12-2
        Management Interface    12-2
            Management Interface Overview    12-2
            Management Slot/Port Interface    12-2
            Using Any Interface for Management-Only Traffic    12-3
            Management Interface for Transparent Mode    12-3
            No Support for Redundant Management Interfaces    12-4
            Management 0/0 Interface on the ASA 5512-X through ASA 5555-X    12-4
        Redundant Interfaces    12-4
            Redundant Interface MAC Address    12-4
        EtherChannels    12-5
            Channel Group Interfaces    12-5
            Connecting to an EtherChannel on Another Device    12-5
            Link Aggregation Control Protocol    12-6
            Load Balancing    12-7
            EtherChannel MAC Address    12-7
    Licensing Requirements for ASA 5510 and Higher Interfaces    12-8
    Guidelines and Limitations    12-9
    Default Settings    12-11
    Starting Interface Configuration (ASA 5510 and Higher)    12-12
        Task Flow for Starting Interface Configuration    12-12
        Converting In-Use Interfaces to a Redundant or EtherChannel Interface    12-13
        Enabling the Physical Interface and Configuring Ethernet Parameters    12-23
        Configuring a Redundant Interface    12-26
            Configuring a Redundant Interface    12-26
            Changing the Active Interface    12-29
        Configuring an EtherChannel    12-29
            Adding Interfaces to the EtherChannel    12-30
            Customizing the EtherChannel    12-32
        Configuring VLAN Subinterfaces and 802.1Q Trunking    12-35
        Enabling Jumbo Frame Support (Supported Models)    12-38
    Monitoring Interfaces    12-38
        ARP Table    12-39
        MAC Address Table    12-39
        Interface Graphs    12-39
            Graph/Table    12-41
    Where to Go Next    12-42
    Feature History for ASA 5510 and Higher Interfaces    12-42

CHAPTER 13    Starting Interface Configuration (ASA 5505)    13-1
    Information About ASA 5505 Interfaces    13-1
        Understanding ASA 5505 Ports and Interfaces    13-2
        Maximum Active VLAN Interfaces for Your License    13-2
        VLAN MAC Addresses    13-4
        Power over Ethernet    13-4
        Monitoring Traffic Using SPAN    13-4
        Auto-MDI/MDIX Feature    13-4
    Licensing Requirements for ASA 5505 Interfaces    13-4
    Guidelines and Limitations    13-5
    Default Settings    13-5
    Starting ASA 5505 Interface Configuration    13-6
        Task Flow for Starting Interface Configuration    13-6
        Configuring VLAN Interfaces    13-6
        Configuring and Enabling Switch Ports as Access Ports    13-8
        Configuring and Enabling Switch Ports as Trunk Ports    13-10
    Monitoring Interfaces    13-12
        ARP Table    13-12
        MAC Address Table    13-12
        Interface Graphs    13-13
            Graph/Table    13-15
    Where to Go Next    13-15
    Feature History for ASA 5505 Interfaces    13-16

CHAPTER 14    Completing Interface Configuration (Routed Mode)    14-1
    Information About Completing Interface Configuration in Routed Mode    14-1
        Security Levels    14-1
        Dual IP Stack (IPv4 and IPv6)    14-2
    Licensing Requirements for Completing Interface Configuration in Routed Mode    14-2
    Guidelines and Limitations    14-5
    Default Settings    14-5
    Completing Interface Configuration in Routed Mode    14-5
        Task Flow for Completing Interface Configuration    14-6
        Configuring General Interface Parameters    14-6
            PPPoE IP Address and Route Settings    14-10
        Configuring the MAC Address and MTU    14-12
        Configuring IPv6 Addressing    14-14
            Information About IPv6    14-14
            Configuring a Global IPv6 Address and Other Options    14-16
            (Optional) Configuring the Link-Local Addresses Automatically    14-20
            (Optional) Configuring the Link-Local Addresses Manually    14-20
        Allowing Same Security Level Communication    14-21
    Monitoring Interfaces    14-22
        ARP Table    14-22
        DHCP    14-22
            DHCP Server Table    14-22
            DHCP Client Lease Information    14-23
            DHCP Statistics    14-24
        MAC Address Table    14-25
        Dynamic ACLs    14-25
        Interface Graphs    14-25
            Graph/Table    14-27
        PPPoE Client    14-28
        Interface Connection    14-28
            Track Status for    14-28
            Monitoring Statistics for    14-28
    Feature History for Interfaces in Routed Mode    14-29
CHAPTER 15    Completing Interface Configuration (Transparent Mode, 8.4 and Later)    15-1
    Information About Completing Interface Configuration in Transparent Mode (8.4 and Later)    15-1
        Bridge Groups in Transparent Mode    15-2
        Security Levels    15-2
    Licensing Requirements for Completing Interface Configuration in Transparent Mode    15-3
    Guidelines and Limitations    15-5
    Default Settings    15-6
    Completing Interface Configuration in Transparent Mode (8.4 and Later)    15-6
        Task Flow for Completing Interface Configuration    15-6
        Configuring Bridge Groups    15-7
        Configuring General Interface Parameters    15-8
        Configuring a Management Interface (ASA 5510 and Higher)    15-11
        Configuring the MAC Address and MTU    15-14
        Configuring IPv6 Addressing    15-16
            Information About IPv6    15-16
            Configuring a Global IPv6 Address and Other Options    15-18
            (Optional) Configuring the Link-Local Addresses Automatically    15-20
            (Optional) Configuring the Link-Local Addresses Manually    15-20
        Allowing Same Security Level Communication    15-21
    Monitoring Interfaces    15-21
        ARP Table    15-22
        DHCP    15-22
            DHCP Server Table    15-22
            DHCP Client Lease Information    15-23
            DHCP Statistics    15-24
        MAC Address Table    15-25
        Dynamic ACLs    15-25
        Interface Graphs    15-25
            Graph/Table    15-27
        PPPoE Client    15-28
        Interface Connection    15-28
            Track Status for    15-28
            Monitoring Statistics for    15-28
    Feature History for Interfaces in Transparent Mode    15-29

CHAPTER 16    Completing Interface Configuration (Transparent Mode, 8.3 and Earlier)    16-1
    Information About Completing Interface Configuration in Transparent Mode (8.3 and Earlier)    16-1
        Information About the Global Management IP Address    16-2
    Security Levels 16-2
    Licensing Requirements for Completing Interface Configuration in Transparent Mode 16-3
    Guidelines and Limitations 16-3
    Default Settings 16-4
    Setting the Management IP Address for a Transparent Firewall (8.3 and Earlier) 16-4
    Configuring the IPv4 Address 16-4
    Configuring the IPv6 Address 16-5
    Information About IPv6 16-5
    Configuring the Global Address 16-7
    Configuring the Link-Local Addresses Automatically 16-7
    Configuring the Link-Local Address on an Interface Manually 16-8
    Configuring DAD Settings 16-8
    Completing Interface Configuration in Transparent Mode (8.3 and Earlier) 16-9
    Task Flow for Completing Interface Configuration 16-9
    Configuring General Interface Parameters 16-10
    Configuring a Management Interface (ASA 5510 and Higher) 16-11
    Configuring General Parameters and the IPv4 Address 16-11
    Configuring a Global IPv6 Address and Other Options 16-13
    Configuring the MAC Address and MTU 16-15
    Allowing Same Security Level Communication 16-17
    Monitoring Interfaces 16-17
    Feature History for Interfaces in Transparent Mode 16-18
PART 5 Configuring Basic Settings
CHAPTER 17 Configuring Basic Settings 17-1
    Configuring the Hostname, Domain Name, and Passwords 17-1
    Setting the Hostname, Domain Name, and the enable and Telnet Passwords 17-1
    Setting the Date and Time 17-2
    Setting the Date and Time Using an NTP Server 17-2
    Adding or Editing the NTP Server Configuration 17-3
    Setting the Date and Time Manually 17-3
    Configuring the Master Passphrase 17-4
    Information About the Master Passphrase 17-4
    Licensing Requirements for the Master Passphrase 17-5
    Guidelines and Limitations 17-5
    Adding or Changing the Master Passphrase 17-5
    Disabling the Master Passphrase 17-6
    Recovering the Master Passphrase 17-7
    Feature History for the Master Passphrase 17-7
    Configuring the DNS Server 17-7
    Monitoring DNS Cache 17-9
    Feature History for DNS Cache 17-9
CHAPTER 18 Configuring DHCP 18-1
    Information About DHCP 18-1
    Licensing Requirements for DHCP 18-1
    Guidelines and Limitations 18-2
    Configuring DHCP Relay Services 18-2
    Editing DHCP Relay Agent Settings 18-4
    Adding or Editing Global DHCP Relay Server Settings 18-4
    Configuring a DHCP Server 18-5
    Editing DHCP Servers 18-6
    Configuring Advanced DHCP Options 18-7
    DHCP Monitoring 18-8
    Feature History for DHCP 18-9
CHAPTER 19 Configuring Dynamic DNS 19-1
    Information About DDNS 19-1
    Licensing Requirements for DDNS 19-2
    Guidelines and Limitations 19-2
    Configuring Dynamic DNS 19-2
    DDNS Monitoring 19-4
    Feature History for DDNS 19-4
PART 6 Configuring Objects and ACLs
CHAPTER 20 Configuring Objects 20-1
    Configuring Network Objects and Groups 20-1
    Network Object Overview 20-2
    Configuring a Network Object 20-2
    Configuring a Network Object Group 20-3
    Using Network Objects and Groups in a Rule 20-4
    Viewing the Usage of a Network Object or Group 20-4
    Configuring Service Objects and Service Groups 20-5
    Information about Service Objects and Service Groups 20-5
    Adding and Editing a Service Object 20-6
    Adding a Service Object 20-6
    Editing a Service Object 20-6
    Adding and Editing a Service Group 20-7
    Adding a Service Group 20-7
    Editing a Service Group 20-8
    Browse Service Groups 20-9
    Licensing Requirements for Objects and Groups 20-9
    Guidelines and Limitations for Objects and Groups 20-10
    Configuring Regular Expressions 20-10
    Creating a Regular Expression 20-10
    Building a Regular Expression 20-12
    Testing a Regular Expression 20-14
    Creating a Regular Expression Class Map 20-14
    Configuring Time Ranges 20-15
    Add/Edit Time Range 20-16
    Adding a Time Range to an Access Rule 20-16
    Add/Edit Recurring Time Range 20-17
CHAPTER 21 Using the ACL Manager 21-1
    Information About the ACL Manager 21-1
    Licensing Requirements for the ACL Manager 21-1
    Adding ACLs and ACEs 21-2
    Using Standard ACLs in the ACL Manager 21-4
    Feature History for the ACL Manager 21-5
CHAPTER 22 Adding a Standard ACL 22-1
    Information About Standard ACLs 22-1
    Licensing Requirements for Standard ACLs 22-1
    Guidelines and Limitations 22-1
    Default Settings 22-2
    Using Standard ACLs 22-2
    Adding a Standard ACL 22-3
    Adding an ACE to a Standard ACL 22-3
    Editing an ACE in a Standard ACL 22-4
    Feature History for Standard ACLs 22-4
CHAPTER 23 Adding a Webtype ACL 23-1
    Licensing Requirements for Webtype ACLs 23-1
    Guidelines and Limitations 23-1
    Default Settings 23-2
    Using Webtype ACLs 23-2
    Task Flow for Configuring Webtype ACLs 23-2
    Adding a Webtype ACL and ACE 23-3
    Editing Webtype ACLs and ACEs 23-4
    Deleting Webtype ACLs and ACEs 23-5
    Feature History for Webtype Access Lists 23-5
PART 7 Configuring IP Routing
CHAPTER 24 Routing Overview 24-1
    Information About Routing 24-1
    Switching 24-2
    Path Determination 24-2
    Supported Route Types 24-2
    Static Versus Dynamic 24-3
    Single-Path Versus Multipath 24-3
    Flat Versus Hierarchical 24-3
    Link-State Versus Distance Vector 24-4
    How Routing Behaves Within the ASA 24-4
    Egress Interface Selection Process 24-4
    Next Hop Selection Process 24-4
    Supported Internet Protocols for Routing 24-5
    Information About the Routing Table 24-6
    Displaying the Routing Table 24-6
    How the Routing Table Is Populated 24-6
    Backup Routes 24-8
    How Forwarding Decisions Are Made 24-8
    Dynamic Routing and Failover 24-8
    Information About IPv6 Support 24-9
    Features That Support IPv6 24-9
    IPv6-Enabled Commands 24-10
    Entering IPv6 Addresses in Commands 24-10
    Disabling Proxy ARPs 24-11
CHAPTER 25 Configuring Static and Default Routes 25-1
    Information About Static and Default Routes 25-1
    Licensing Requirements for Static and Default Routes 25-2
    Guidelines and Limitations 25-2
    Configuring Static and Default Routes 25-2
    Configuring a Static Route 25-3
    Adding or Editing a Static Route 25-3
    Configuring Static Route Tracking 25-5
    Deleting Static Routes 25-6
    Configuring a Default Static Route 25-6
    Limitations on Configuring a Default Static Route 25-7
    Configuring IPv6 Default and Static Routes 25-7
    Monitoring a Static or Default Route 25-8
    Configuration Examples for Static or Default Routes 25-8
    Feature History for Static and Default Routes 25-9
CHAPTER 26 Defining Route Maps 26-1
    Information About Route Maps 26-1
    Permit and Deny Clauses 26-2
    Match and Set Clause Values 26-2
    Licensing Requirements for Route Maps 26-3
    Guidelines and Limitations 26-3
    Defining a Route Map 26-4
    Adding or Editing a Route Map 26-4
    Customizing a Route Map 26-5
    Defining a Route to Match a Specific Destination Address 26-5
    Configuring Prefix Lists 26-6
    Configuring Prefix Rules 26-7
    Configuring the Metric Values for a Route Action 26-7
    Configuration Example for Route Maps 26-8
    Feature History for Route Maps 26-8
CHAPTER 27 Configuring OSPF 27-1
    Information About OSPF 27-1
    Licensing Requirements for OSPF 27-2
    Guidelines and Limitations 27-3
    Configuring OSPF 27-3
    Customizing OSPF 27-4
    Redistributing Routes Into OSPF 27-4
    Configuring Route Summarization When Redistributing Routes Into OSPF 27-6
    Adding a Route Summary Address 27-6
    Adding or Editing an OSPF Summary Address 27-7
    Configuring Route Summarization Between OSPF Areas 27-8
    Configuring OSPF Interface Parameters 27-8
    Configuring OSPF Area Parameters 27-11
    Configuring OSPF NSSA 27-12
    Defining Static OSPF Neighbors 27-13
    Configuring Route Calculation Timers 27-13
    Logging Neighbors Going Up or Down 27-14
    Configuring Filtering in OSPF 27-14
    Configuring a Virtual Link in OSPF 27-15
    Restarting the OSPF Process 27-17
    Configuration Example for OSPF 27-17
    Monitoring OSPF 27-18
    Feature History for OSPF 27-19
CHAPTER 28 Configuring RIP 28-1
    Information About RIP 28-1
    Routing Update Process 28-2
    RIP Routing Metric 28-2
    RIP Stability Features 28-2
    RIP Timers 28-2
    Licensing Requirements for RIP 28-3
    Guidelines and Limitations 28-3
    Configuring RIP 28-4
    Enabling RIP 28-4
    Customizing RIP 28-4
    Configuring the RIP Version 28-5
    Configuring Interfaces for RIP 28-5
    Editing a RIP Interface 28-6
    Configuring the RIP Send and Receive Version on an Interface 28-7
    Configuring Route Summarization 28-7
    Filtering Networks in RIP 28-8
    Adding or Editing a Filter Rule 28-9
    Redistributing Routes into the RIP Routing Process 28-10
    Enabling RIP Authentication 28-11
    Restarting the RIP Process 28-12
    Monitoring RIP 28-12
    Configuration Example for RIP 28-12
    Feature History for RIP 28-13
CHAPTER 29 Configuring Multicast Routing 29-1
    Information About Multicast Routing 29-1
    Stub Multicast Routing 29-2
    PIM Multicast Routing 29-2
    Multicast Group Concept 29-2
    Multicast Addresses 29-2
    Licensing Requirements for Multicast Routing 29-2
    Guidelines and Limitations 29-3
    Enabling Multicast Routing 29-3
    Customizing Multicast Routing 29-4
    Configuring Stub Multicast Routing and Forwarding IGMP Messages 29-4
    Configuring a Static Multicast Route 29-5
    Configuring IGMP Features 29-6
    Disabling IGMP on an Interface 29-6
    Configuring IGMP Group Membership 29-7
    Configuring a Statically Joined IGMP Group 29-7
    Controlling Access to Multicast Groups 29-8
    Limiting the Number of IGMP States on an Interface 29-9
    Modifying the Query Messages to Multicast Groups 29-9
    Changing the IGMP Version 29-10
    Configuring PIM Features 29-10
    Enabling and Disabling PIM on an Interface 29-10
    Configuring a Static Rendezvous Point Address 29-11
    Configuring the Designated Router Priority 29-12
    Configuring and Filtering PIM Register Messages 29-12
    Configuring PIM Message Intervals 29-13
    Configuring a Route Tree 29-13
    Configuring a Multicast Group 29-14
    Filtering PIM Neighbors 29-14
    Configuring a Bidirectional Neighbor Filter 29-15
    Configuring a Multicast Boundary 29-16
    Configuration Example for Multicast Routing 29-17
    Additional References 29-18
    Related Documents 29-19
    RFCs 29-19
    Feature History for Multicast Routing 29-19
CHAPTER 30 Configuring EIGRP 30-1
    Information About EIGRP 30-1
    Licensing Requirements for EIGRP 30-2
    Guidelines and Limitations 30-2
    Task List to Configure an EIGRP Process 30-3
    Configuring EIGRP 30-3
    Enabling EIGRP 30-4
    Enabling EIGRP Stub Routing 30-5
    Customizing EIGRP 30-6
    Defining a Network for an EIGRP Routing Process 30-6
    Configuring Interfaces for EIGRP 30-7
    Configuring Passive Interfaces 30-8
    Configuring the Summary Aggregate Addresses on Interfaces 30-8
    Changing the Interface Delay Value 30-9
    Enabling EIGRP Authentication on an Interface 30-10
    Defining an EIGRP Neighbor 30-11
    Redistributing Routes Into EIGRP 30-11
    Filtering Networks in EIGRP 30-13
    Customizing the EIGRP Hello Interval and Hold Time 30-14
    Disabling Automatic Route Summarization 30-15
    Configuring Default Information in EIGRP 30-15
    Disabling EIGRP Split Horizon 30-16
    Restarting the EIGRP Process 30-17
    Monitoring EIGRP 30-17
    Feature History for EIGRP 30-18
CHAPTER 31 Configuring IPv6 Neighbor Discovery 31-1
    Information About IPv6 Neighbor Discovery 31-1
    Neighbor Solicitation Messages 31-2
    Neighbor Reachable Time 31-3
    Router Advertisement Messages 31-3
    Static IPv6 Neighbors 31-4
    Licensing Requirements for IPv6 Neighbor Discovery 31-4
    Guidelines and Limitations 31-4
    Default Settings for IPv6 Neighbor Discovery 31-6
    Configuring the Neighbor Solicitation Message Interval 31-6
    Configuring the Neighbor Reachable Time 31-7
    Configuring the Router Advertisement Transmission Interval 31-7
    Configuring the Router Lifetime Value 31-8
    Configuring DAD Settings 31-8
    Configuring IPv6 Addresses on an Interface 31-9
    Suppressing Router Advertisement Messages 31-10
    Configuring the IPv6 Prefix 31-10
    Adding an IPv6 Static Neighbor 31-11
    Editing Static Neighbors 31-11
    Deleting Static Neighbors 31-12
    Viewing and Clearing Dynamically Discovered Neighbors 31-12
    Additional References 31-13
    Related Documents for IPv6 Prefixes 31-13
    RFCs for IPv6 Prefixes and Documentation 31-13
    Feature History for IPv6 Neighbor Discovery 31-13
PART 8 Configuring Network Address Translation (ASA 8.3 and Later)
CHAPTER 32 Information About NAT (ASA 8.3 and Later) 32-1
    Why Use NAT? 32-1
    NAT Terminology 32-2
    NAT Types 32-3
    NAT Types Overview 32-3
    Static NAT 32-3
    Information About Static NAT 32-3
    Information About Static NAT with Port Translation 32-4
    Information About One-to-Many Static NAT 32-6
    Information About Other Mapping Scenarios (Not Recommended) 32-7
    Dynamic NAT 32-8
    Information About Dynamic NAT 32-9
    Dynamic NAT Disadvantages and Advantages 32-10
    Dynamic PAT 32-10
    Information About Dynamic PAT 32-10
    Dynamic PAT Disadvantages and Advantages 32-11
    Identity NAT 32-11
    NAT in Routed and Transparent Mode 32-12
    NAT in Routed Mode 32-13
    NAT in Transparent Mode 32-13
    NAT for VPN 32-14
    How NAT is Implemented 32-16
    Main Differences Between Network Object NAT and Twice NAT 32-16
    Information About Network Object NAT 32-17
    Information About Twice NAT 32-17
    NAT Rule Order 32-20
    NAT Interfaces 32-21
    Routing NAT Packets 32-21
    Mapped Addresses and Routing 32-22
    Transparent Mode Routing Requirements for Remote Networks 32-24
    Determining the Egress Interface 32-24
    DNS and NAT 32-24
    Where to Go Next 32-27
CHAPTER 33 Configuring Network Object NAT (ASA 8.3 and Later) 33-1
    Information About Network Object NAT 33-1
    Licensing Requirements for Network Object NAT 33-2
    Prerequisites for Network Object NAT 33-2
    Guidelines and Limitations 33-2
    Default Settings 33-3
    Configuring Network Object NAT 33-3
    Configuring Dynamic NAT or Dynamic PAT Using a PAT Pool 33-4
    Configuring Dynamic PAT (Hide) 33-8
    Configuring Static NAT or Static NAT-with-Port-Translation 33-11
    Configuring Identity NAT 33-15
    Monitoring Network Object NAT 33-18
    Configuration Examples for Network Object NAT 33-19
    Providing Access to an Inside Web Server (Static NAT) 33-19
    NAT for Inside Hosts (Dynamic NAT) and NAT for an Outside Web Server (Static NAT) 33-21
    Inside Load Balancer with Multiple Mapped Addresses (Static NAT, One-to-Many)
    Single Address for FTP, HTTP, and SMTP (Static NAT-with-Port-Translation) 33-30
    DNS Server on Mapped Interface, Web Server on Real Interface (Static NAT with DNS Modification)
    DNS Server and
    Modification)
    Feature History for Network Object NAT 33-38
CHAPTER 34 Configuring Twice NAT (ASA 8.3 and Later) 34-1
    Information About Twice NAT 34-1
    Licensing Requirements for Twice NAT 34-2
    Prerequisites for Twice NAT 34-2
    Guidelines and Limitations 34-2
    Default Settings 34-3
    Configuring Twice NAT 34-3
    Configuring Dynamic NAT or Dynamic PAT Using a PAT Pool 34-4
    Configuring Dynamic PAT (Hide) 34-11
    Configuring Static NAT or Static NAT-with-Port-Translation 34-17
    Configuring Identity NAT 34-22
    Monitoring Twice NAT 34-27
    Configuration Examples for Twice NAT 34-28
    Different Translation Depending on the Destination (Dynamic PAT) 34-28
    Different Translation Depending on the Destination Address and Port (Dynamic PAT) 34-37
    Feature History for Twice NAT 34-46
PART 9 Configuring Network Address Translation (ASA 8.2 and Earlier)
CHAPTER 35 Configuring NAT (ASA 8.2 and Earlier) 35-1
    NAT Overview 35-1
    Introduction to NAT 35-1
    NAT in Routed Mode 35-2
    NAT in Transparent Mode 35-3
    NAT Control 35-4
    NAT Types 35-6
    Dynamic NAT 35-6
    PAT 35-8
    Static NAT 35-8
    Static PAT 35-9
    Bypassing NAT When NAT Control is Enabled 35-10
    Policy NAT 35-10
    NAT and Same Security Level Interfaces 35-12
    Order of NAT Rules Used to Match Real Addresses 35-13
    Mapped Address Guidelines 35-13
    DNS and NAT 35-13
    Configuring NAT Control 35-15
    Using Dynamic NAT 35-16
    Dynamic NAT Implementation 35-16
    Real Addresses and Global Pools Paired Using a Pool ID 35-17
    NAT Rules on Different Interfaces with the Same Global Pools 35-17
    Global Pools on Different Interfaces with the Same Pool ID 35-18
    Multiple NAT Rules with Different Global Pools on the Same Interface 35-18
    Multiple Addresses in the Same Global Pool 35-19
    Outside NAT 35-20
    Real Addresses in a NAT Rule Must be Translated on All Lower or Same Security Interfaces 35-21
    Managing Global Pools 35-21
    Configuring Dynamic NAT, PAT, or Identity NAT 35-22
    Configuring Dynamic Policy NAT or PAT 35-24
    Using Static NAT 35-26
    Configuring Static NAT, PAT, or Identity NAT 35-27
    Configuring Static Policy NAT, PAT, or Identity NAT 35-30
    Using NAT Exemption 35-32
PART 10 Configuring Service Policies
CHAPTER 36 Configuring a Service Policy 36-1
    Information About Service Policies 36-1
    Supported Features for Through Traffic 36-1
    Supported Features for Management Traffic 36-2
    Feature Directionality 36-2
    Feature Matching Within a Service Policy 36-3
    Order in Which Multiple Feature Actions are Applied 36-4
    Incompatibility of Certain Feature Actions 36-5
    Feature Matching for Multiple Service Policies 36-5
    Licensing Requirements for Service Policies 36-5
    Guidelines and Limitations 36-6
    Default Settings 36-6
    Default Configuration 36-7
    Default Traffic Classes 36-7
    Task Flows for Configuring Service Policies 36-8
    Task Flow for Configuring a Service Policy Rule 36-8
    Adding a Service Policy Rule for Through Traffic 36-8
    Adding a Service Policy Rule for Management Traffic 36-12
    Configuring a Service Policy Rule for Management Traffic 36-12
    Managing the Order of Service Policy Rules 36-14
    Feature History for Service Policies 36-16
PART 11 Configuring Access Control
CHAPTER 37 Configuring Access Rules 37-1
    Information About Access Rules 37-1
    General Information About Rules 37-2
    Implicit Permits 37-2
    Information About Interface Access Rules and Global Access Rules 37-2
    Using Access Rules and EtherType Rules on the Same Interface 37-2
    Rule Order 37-3
    Implicit Deny 37-3
    Using Remarks 37-3
    Inbound and Outbound Rules
    Information About Access Rules 37-4
    Access Rules for Returning Traffic 37-4
    Allowing Broadcast and Multicast Traffic through
    Rules
    Management Access Rules 37-5
    Information About EtherType Rules 37-5
    Supported EtherTypes and Other Traffic
    Access Rules for Returning Traffic
    Allowing MPLS 37-6
    Licensing Requirements for Access Rules
    Guidelines and Limitations
    Default Settings 37-7
    Configuring Access Rules 37-7
    Adding an Access Rule 37-7
    Adding an EtherType Rule (Transparent Mode Only) 37-8
    Add/Edit EtherType Rule 37-10
    Configuring Management Access Rules 37-10
    Advanced Access Rule Configuration 37-11
    Access Rule Explosion 37-12
    Configuring HTTP Redirect 37-12
    Edit HTTP/HTTPS Settings
    Feature History for Access Rules
CHAPTER 38 Configuring AAA Servers and the Local Database 38-1
    Information About AAA 38-1
    Information About Authentication 38-2
    Information About Authorization 38-2
    Information About Accounting 38-3
    Summary of Server Support 38-3
    RADIUS Server Support 38-4
    Authentication Methods 38-4
    Attribute Support 38-4
    RADIUS Authorization Functions 38-5
    TACACS+ Server Support 38-5
    RSA/SDI Server Support 38-5
    RSA/SDI Version Support 38-5
    Two-step Authentication Process 38-5
    RSA/SDI Primary and Replica Servers 38-6
    NT Server Support 38-6
    Kerberos Server Support 38-6
    LDAP Server Support 38-6
    Authentication with LDAP 38-6
    LDAP Server Types 38-7
    HTTP Forms Authentication for Clientless SSL VPN 38-7
    Local Database Support, Including as a Fallback Method 38-7
    How Fallback Works with Multiple Servers in a Group 38-8
    Using Certificates and User Login Credentials 38-8
    Using User Login Credentials 38-8
    Using Certificates 38-9
    Licensing Requirements for AAA Servers 38-9
    Guidelines and Limitations 38-10
    Configuring AAA 38-10
    Task Flow for Configuring AAA 38-10
    Configuring AAA Server Groups 38-11
    Adding a Server to a Group 38-13
    Configuring AAA Server Parameters 38-13
    RADIUS Server Fields 38-14
    TACACS+ Server Fields 38-15
    SDI Server Fields 38-15
    Windows NT Domain Server Fields 38-16
    Kerberos Server Fields 38-16
    LDAP Server Fields 38-17