Cisco ASA 5500 Series Configuration Guide using the CLI
Software Version 8.4 and 8.6 for the ASA 5505, ASA 5510, ASA 5520, ASA 5540, ASA 5550, ASA 5580, ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, and ASA 5585-X
Released: January 31, 2011
Updated: October 31, 2012
Americas Headquarters
Cisco Systems, Inc. 170 West Tasman Drive
San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000
800 553-NETS (6387) Fax: 408 527-0883
Text Part Number: N/A, Online only
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Cisco ASA 5500 Series Configuration Guide using the CLI
Copyright © 2011-2012 Cisco Systems, Inc. All rights reserved.
Contents

About This Guide  lxv
  Document Objectives  lxv
  Audience  lxv
  Related Documentation  lxv
  Conventions  lxvi
  Obtaining Documentation and Submitting a Service Request  lxvii

Part 1  Getting Started with the ASA

Chapter 1  Introduction to the Cisco ASA 5500 Series  1-1
  Hardware and Software Compatibility  1-1
  VPN Specifications  1-1
  New Features  1-1
    New Features in Version 8.6(1)  1-2
    New Features in Version 8.4(5)  1-4
    New Features in Version 8.4(4.1)  1-6
    New Features in Version 8.4(3)  1-9
    New Features in Version 8.4(2)  1-12
    New Features in Version 8.4(1)  1-19
  Firewall Functional Overview  1-24
    Security Policy Overview  1-24
      Permitting or Denying Traffic with Access Lists  1-25
      Applying NAT  1-25
      Protecting from IP Fragments  1-25
      Using AAA for Through Traffic  1-25
      Applying HTTP, HTTPS, or FTP Filtering  1-25
      Applying Application Inspection  1-25
      Sending Traffic to the IPS Module  1-26
      Sending Traffic to the Content Security and Control Module  1-26
      Applying QoS Policies  1-26
      Applying Connection Limits and TCP Normalization  1-26
      Enabling Threat Detection  1-26
      Enabling the Botnet Traffic Filter  1-27
      Configuring Cisco Unified Communications  1-27
    Firewall Mode Overview  1-27
    Stateful Inspection Overview  1-27
  VPN Functional Overview  1-28
  Security Context Overview  1-29

Chapter 2  Getting Started  2-1
  Accessing the Appliance Command-Line Interface  2-1
  Configuring ASDM Access for Appliances  2-2
    Accessing ASDM Using the Factory Default Configuration  2-2
    Accessing ASDM Using a Non-Default Configuration (ASA 5505)  2-3
    Accessing ASDM Using a Non-Default Configuration (ASA 5510 and Higher)  2-5
  Starting ASDM  2-6
    Connecting to ASDM for the First Time  2-7
    Starting ASDM from the ASDM-IDM Launcher  2-8
    Starting ASDM from the Java Web Start Application  2-8
    Using ASDM in Demo Mode  2-9
  Factory Default Configurations  2-10
    Restoring the Factory Default Configuration  2-11
    ASA 5505 Default Configuration  2-11
      ASA 5505 Routed Mode Default Configuration  2-11
      ASA 5505 Transparent Mode Sample Configuration  2-13
    ASA 5510 and Higher Default Configuration  2-15
  Working with the Configuration  2-15
    Saving Configuration Changes  2-16
      Saving Configuration Changes in Single Context Mode  2-16
      Saving Configuration Changes in Multiple Context Mode  2-16
    Copying the Startup Configuration to the Running Configuration  2-17
    Viewing the Configuration  2-18
    Clearing and Removing Configuration Settings  2-18
    Creating Text Configuration Files Offline  2-19
    Applying Configuration Changes to Connections  2-19

Chapter 3  Managing Feature Licenses  3-1
  Supported Feature Licenses Per Model  3-1
    Licenses Per Model  3-1
    License Notes  3-16
    VPN License and Feature Compatibility  3-20
  Information About Feature Licenses  3-20
    Preinstalled License  3-21
    Permanent License  3-21
    Time-Based Licenses  3-21
      Time-Based License Activation Guidelines  3-21
      How the Time-Based License Timer Works  3-21
      How Permanent and Time-Based Licenses Combine  3-22
      Stacking Time-Based Licenses  3-23
      Time-Based License Expiration  3-23
    Shared AnyConnect Premium Licenses  3-23
      Information About the Shared Licensing Server and Participants  3-24
      Communication Issues Between Participant and Server  3-25
      Information About the Shared Licensing Backup Server  3-25
      Failover and Shared Licenses  3-25
      Maximum Number of Participants  3-27
    Failover Licenses (8.3(1) and Later)  3-28
      Failover License Requirements and Exceptions  3-28
      How Failover Licenses Combine  3-28
      Loss of Communication Between Failover Units  3-29
      Upgrading Failover Pairs  3-30
    No Payload Encryption Models  3-30
    Licenses FAQ  3-30
  Guidelines and Limitations  3-31
  Configuring Licenses  3-32
    Obtaining an Activation Key  3-33
    Activating or Deactivating Keys  3-33
    Configuring a Shared License  3-35
      Configuring the Shared Licensing Server  3-35
      Configuring the Shared Licensing Backup Server (Optional)  3-37
      Configuring the Shared Licensing Participant  3-37
  Monitoring Licenses  3-38
    Viewing Your Current License  3-38
    Monitoring the Shared License  3-44
  Feature History for Licensing  3-46

Part 2  Configuring Firewall and Security Context Modes

Chapter 4  Configuring the Transparent or Routed Firewall  4-1
  Configuring the Firewall Mode  4-1
    Information About the Firewall Mode  4-1
      Information About Routed Firewall Mode  4-2
      Information About Transparent Firewall Mode  4-2
    Licensing Requirements for the Firewall Mode  4-6
    Default Settings  4-6
    Guidelines and Limitations  4-6
    Setting the Firewall Mode  4-8
    Feature History for Firewall Mode  4-9
  Configuring ARP Inspection for the Transparent Firewall  4-9
    Information About ARP Inspection  4-10
    Licensing Requirements for ARP Inspection  4-10
    Default Settings  4-10
    Guidelines and Limitations  4-10
    Configuring ARP Inspection  4-11
      Task Flow for Configuring ARP Inspection  4-11
      Adding a Static ARP Entry  4-11
      Enabling ARP Inspection  4-12
    Monitoring ARP Inspection  4-12
    Feature History for ARP Inspection  4-13
  Customizing the MAC Address Table for the Transparent Firewall  4-13
    Information About the MAC Address Table  4-14
    Licensing Requirements for the MAC Address Table  4-14
    Default Settings  4-14
    Guidelines and Limitations  4-14
    Configuring the MAC Address Table  4-15
      Adding a Static MAC Address  4-15
      Setting the MAC Address Timeout  4-15
      Disabling MAC Address Learning  4-16
    Monitoring the MAC Address Table  4-16
    Feature History for the MAC Address Table  4-17
  Firewall Mode Examples  4-17
    How Data Moves Through the ASA in Routed Firewall Mode  4-17
      An Inside User Visits a Web Server  4-18
      An Outside User Visits a Web Server on the DMZ  4-19
      An Inside User Visits a Web Server on the DMZ  4-20
      An Outside User Attempts to Access an Inside Host  4-21
      A DMZ User Attempts to Access an Inside Host  4-22
    How Data Moves Through the Transparent Firewall  4-23
      An Inside User Visits a Web Server  4-24
      An Inside User Visits a Web Server Using NAT  4-25
      An Outside User Visits a Web Server on the Inside Network  4-26
      An Outside User Attempts to Access an Inside Host  4-27

Chapter 5  Configuring Multiple Context Mode  5-1
  Information About Security Contexts  5-1
    Common Uses for Security Contexts  5-2
    Context Configuration Files  5-2
      Context Configurations  5-2
      System Configuration  5-2
      Admin Context Configuration  5-2
    How the ASA Classifies Packets  5-3
      Valid Classifier Criteria  5-3
      Classification Examples  5-4
    Cascading Security Contexts  5-6
    Management Access to Security Contexts  5-7
      System Administrator Access  5-7
      Context Administrator Access  5-8
    Information About Resource Management  5-8
      Resource Limits  5-8
      Default Class  5-9
      Class Members  5-10
    Information About MAC Addresses  5-11
      Default MAC Address  5-11
      Interaction with Manual MAC Addresses  5-11
      Failover MAC Addresses  5-12
      MAC Address Format  5-12
  Licensing Requirements for Multiple Context Mode  5-12
  Guidelines and Limitations  5-13
  Default Settings  5-14
  Configuring Multiple Contexts  5-14
    Task Flow for Configuring Multiple Context Mode  5-14
    Enabling or Disabling Multiple Context Mode  5-15
      Enabling Multiple Context Mode  5-15
      Restoring Single Context Mode  5-16
    Configuring a Class for Resource Management  5-16
    Configuring a Security Context  5-18
    Automatically Assigning MAC Addresses to Context Interfaces  5-22
  Changing Between Contexts and the System Execution Space  5-23
  Managing Security Contexts  5-23
    Removing a Security Context  5-24
    Changing the Admin Context  5-24
    Changing the Security Context URL  5-25
    Reloading a Security Context  5-26
      Reloading by Clearing the Configuration  5-26
      Reloading by Removing and Re-adding the Context  5-27
  Monitoring Security Contexts  5-27
    Viewing Context Information  5-27
    Viewing Resource Allocation  5-29
    Viewing Resource Usage  5-32
    Monitoring SYN Attacks in Contexts  5-33
    Viewing Assigned MAC Addresses  5-35
      Viewing MAC Addresses in the System Configuration  5-36
      Viewing MAC Addresses Within a Context  5-37
  Configuration Examples for Multiple Context Mode  5-38
  Feature History for Multiple Context Mode  5-39

Part 3  Configuring Interfaces

Chapter 6  Starting Interface Configuration (ASA 5510 and Higher)  6-1
  Information About Starting ASA 5510 and Higher Interface Configuration  6-1
    Auto-MDI/MDIX Feature  6-2
    Interfaces in Transparent Mode  6-2
    Management Interface  6-2
      Management Interface Overview  6-2
      Management Slot/Port Interface  6-2
      Using Any Interface for Management-Only Traffic  6-3
      Management Interface for Transparent Mode  6-3
      No Support for Redundant Management Interfaces  6-4
      Management 0/0 Interface on the ASA 5512-X through ASA 5555-X  6-4
    Redundant Interfaces  6-4
      Redundant Interface MAC Address  6-4
    EtherChannels  6-5
      Channel Group Interfaces  6-5
      Connecting to an EtherChannel on Another Device  6-5
      Link Aggregation Control Protocol  6-6
      Load Balancing  6-7
      EtherChannel MAC Address  6-7
  Licensing Requirements for ASA 5510 and Higher Interfaces  6-8
  Guidelines and Limitations  6-9
  Default Settings  6-11
  Starting Interface Configuration (ASA 5510 and Higher)  6-12
    Task Flow for Starting Interface Configuration  6-12
    Converting In-Use Interfaces to a Redundant or EtherChannel Interface  6-13
    Enabling the Physical Interface and Configuring Ethernet Parameters  6-22
    Configuring a Redundant Interface  6-25
      Configuring a Redundant Interface  6-25
      Changing the Active Interface  6-27
    Configuring an EtherChannel  6-27
      Adding Interfaces to the EtherChannel  6-27
      Customizing the EtherChannel  6-29
    Configuring VLAN Subinterfaces and 802.1Q Trunking  6-30
    Enabling Jumbo Frame Support (Supported Models)  6-32
  Monitoring Interfaces  6-33
  Configuration Examples for ASA 5510 and Higher Interfaces  6-33
    Physical Interface Parameters Example  6-33
    Subinterface Parameters Example  6-33
    Multiple Context Mode Example  6-34
    EtherChannel Example  6-34
  Where to Go Next  6-34
  Feature History for ASA 5510 and Higher Interfaces  6-35

Chapter 7  Starting Interface Configuration (ASA 5505)  7-1
  Information About ASA 5505 Interfaces  7-1
    Understanding ASA 5505 Ports and Interfaces  7-2
    Maximum Active VLAN Interfaces for Your License  7-2
    VLAN MAC Addresses  7-4
    Power over Ethernet  7-4
    Monitoring Traffic Using SPAN  7-4
    Auto-MDI/MDIX Feature  7-4
  Licensing Requirements for ASA 5505 Interfaces  7-4
  Guidelines and Limitations  7-5
  Default Settings  7-5
  Starting ASA 5505 Interface Configuration  7-6
    Task Flow for Starting Interface Configuration  7-6
    Configuring VLAN Interfaces  7-6
    Configuring and Enabling Switch Ports as Access Ports  7-7
    Configuring and Enabling Switch Ports as Trunk Ports  7-9
  Monitoring Interfaces  7-11
  Configuration Examples for ASA 5505 Interfaces  7-11
    Access Port Example  7-11
    Trunk Port Example  7-12
  Where to Go Next  7-13
  Feature History for ASA 5505 Interfaces  7-13

Chapter 8  Completing Interface Configuration (Routed Mode)  8-1
  Information About Completing Interface Configuration in Routed Mode  8-1
    Security Levels  8-1
    Dual IP Stack (IPv4 and IPv6)  8-2
  Licensing Requirements for Completing Interface Configuration in Routed Mode  8-2
  Guidelines and Limitations  8-5
  Default Settings  8-5
  Completing Interface Configuration in Routed Mode  8-5
    Task Flow for Completing Interface Configuration  8-6
    Configuring General Interface Parameters  8-6
    Configuring the MAC Address and MTU  8-9
    Configuring IPv6 Addressing  8-11
      Information About IPv6  8-12
      Configuring a Global IPv6 Address and Other Options  8-13
    Allowing Same Security Level Communication  8-15
  Monitoring Interfaces  8-16
  Configuration Examples for Interfaces in Routed Mode  8-16
    ASA 5505 Example  8-16
  Feature History for Interfaces in Routed Mode  8-17

Chapter 9  Completing Interface Configuration (Transparent Mode)  9-1
  Information About Completing Interface Configuration in Transparent Mode  9-1
    Bridge Groups in Transparent Mode  9-1
    Security Levels  9-2
  Licensing Requirements for Completing Interface Configuration in Transparent Mode  9-2
  Guidelines and Limitations  9-5
  Default Settings  9-6
  Completing Interface Configuration in Transparent Mode  9-6
    Task Flow for Completing Interface Configuration  9-6
    Configuring Bridge Groups  9-7
    Configuring General Interface Parameters  9-8
    Configuring a Management Interface (ASA 5510 and Higher)  9-11
    Configuring the MAC Address and MTU  9-12
    Configuring IPv6 Addressing  9-15
      Information About IPv6  9-15
      Configuring a Global IPv6 Address and Other Options  9-17
    Allowing Same Security Level Communication  9-18
  Monitoring Interfaces  9-19
  Configuration Examples for Interfaces in Transparent Mode  9-19
  Feature History for Interfaces in Transparent Mode  9-20

Part 4  Configuring Basic Settings

Chapter 10  Configuring Basic Settings  10-1
  Configuring the Hostname, Domain Name, and Passwords  10-1
    Changing the Login Password  10-1
    Changing the Enable Password  10-2
    Setting the Hostname  10-2
    Setting the Domain Name  10-3
  Setting the Date and Time  10-3
    Setting the Time Zone and Daylight Saving Time Date Range  10-3
    Setting the Date and Time Using an NTP Server  10-4
    Setting the Date and Time Manually  10-6
  Configuring the Master Passphrase  10-6
    Information About the Master Passphrase  10-6
    Licensing Requirements for the Master Passphrase  10-7
    Guidelines and Limitations  10-7
    Adding or Changing the Master Passphrase  10-7
    Disabling the Master Passphrase  10-9
    Recovering the Master Passphrase  10-10
    Feature History for the Master Passphrase  10-11
  Configuring the DNS Server  10-11
  Monitoring DNS Cache  10-12
    DNS Cache Monitoring Commands  10-12
    Feature History for DNS Cache  10-12
Chapter 11  Configuring DHCP  11-1
  Information About DHCP  11-1
  Licensing Requirements for DHCP  11-1
  Guidelines and Limitations  11-2
  Configuring a DHCP Server  11-2
    Enabling the DHCP Server  11-3
    Configuring DHCP Options  11-4
      Options that Return an IP Address  11-4
      Options that Return a Text String  11-4
      Options that Return a Hexadecimal Value  11-5
    Using Cisco IP Phones with a DHCP Server  11-6
  Configuring DHCP Relay Services  11-7
  DHCP Monitoring Commands  11-8
  Feature History for DHCP  11-8

Chapter 12  Configuring Dynamic DNS  12-1
  Information About DDNS  12-1
  Licensing Requirements for DDNS  12-2
  Guidelines and Limitations  12-2
  Configuring DDNS  12-2
  Configuration Examples for DDNS  12-3
    Example 1: Client Updates Both A and PTR RRs for Static IP Addresses  12-3
    Example 2: Client Updates Both A and PTR RRs; DHCP Server Honors Client Update Request; FQDN Provided Through Configuration  12-3
    Example 3: Client Includes FQDN Option Instructing Server Not to Update Either RR; Server Overrides Client and Updates Both RRs.
    Example 4: Client Asks Server To Perform Both Updates; Server Configured to Update PTR RR Only; Honors Client Request and Updates Both A and PTR RR  12-5
    Example 5: Client Updates A RR; Server Updates PTR RR  12-5
  DDNS Monitoring Commands  12-6
  Feature History for DDNS  12-6

Part 5  Configuring Objects and Access Lists

Chapter 13  Configuring Objects  13-1
  Configuring Objects and Groups  13-1
    Information About Objects and Groups  13-1
      Information About Objects  13-2
      Information About Object Groups  13-2
    Licensing Requirements for Objects and Groups  13-2
    Guidelines and Limitations for Objects and Groups  13-3
    Configuring Objects  13-3
      Configuring a Network Object  13-3
      Configuring a Service Object  13-4
    Configuring Object Groups  13-6
      Adding a Protocol Object Group  13-6
      Adding a Network Object Group  13-7
      Adding a Service Object Group  13-8
      Adding an ICMP Type Object Group  13-9
      Nesting Object Groups  13-10
      Removing Object Groups  13-11
    Monitoring Objects and Groups  13-11
    Feature History for Objects and Groups  13-12
  Configuring Regular Expressions  13-12
    Creating a Regular Expression  13-12
    Creating a Regular Expression Class Map  13-15
  Scheduling Extended Access List Activation  13-16
    Information About Scheduling Access List Activation  13-16
    Licensing Requirements for Scheduling Access List Activation  13-16
    Guidelines and Limitations for Scheduling Access List Activation  13-16
    Configuring and Applying Time Ranges  13-17
    Configuration Examples for Scheduling Access List Activation  13-18
    Feature History for Scheduling Access List Activation  13-18

Chapter 14  Information About Access Lists  14-1
  Access List Types  14-1
  Access Control Entry Order  14-2
  Access Control Implicit Deny  14-3
  IP Addresses Used for Access Lists When You Use NAT  14-3
  Where to Go Next  14-3

Chapter 15  Adding an Extended Access List  15-1
  Information About Extended Access Lists  15-1
  Licensing Requirements for Extended Access Lists  15-1
  Default Settings  15-2
  Configuring Extended Access Lists  15-2
    Adding an Extended Access List  15-3
    Adding Remarks to Access Lists  15-5
  Monitoring Extended Access Lists  15-5
  Configuration Examples for Extended Access Lists  15-5
    Configuration Examples for Extended Access Lists (No Objects)  15-6
    Configuration Examples for Extended Access Lists (Using Objects)  15-6
  Where to Go Next  15-7
  Feature History for Extended Access Lists  15-7

Chapter 16  Adding an EtherType Access List  16-1
  Information About EtherType Access Lists  16-1
  Licensing Requirements for EtherType Access Lists  16-1
  Guidelines and Limitations  16-2
  Default Settings  16-2
  Configuring EtherType Access Lists  16-2
    Task Flow for Configuring EtherType Access Lists  16-2
    Adding EtherType Access Lists  16-3
    Adding Remarks to Access Lists  16-4
  What to Do Next  16-4
  Monitoring EtherType Access Lists  16-4
  Configuration Examples for EtherType Access Lists  16-5
  Feature History for EtherType Access Lists  16-5

Chapter 17  Adding a Standard Access List  17-1
  Information About Standard Access Lists  17-1
  Licensing Requirements for Standard Access Lists  17-1
  Guidelines and Limitations  17-1
  Default Settings  17-2
  Adding Standard Access Lists  17-3
    Task Flow for Configuring Extended Access Lists  17-3
    Adding a Standard Access List
    Adding Remarks to Access Lists
  What to Do Next  17-4
  Monitoring Access Lists  17-4
  Configuration Examples for Standard Access Lists
  Feature History for Standard Access Lists
Chapter 18  Adding a Webtype Access List  18-1
  Licensing Requirements for Webtype Access Lists  18-1
  Guidelines and Limitations  18-1
  Default Settings  18-2
  Using Webtype Access Lists  18-2
    Task Flow for Configuring Webtype Access Lists  18-2
    Adding Webtype Access Lists with a URL String  18-3
    Adding Webtype Access Lists with an IP Address  18-4
    Adding Remarks to Access Lists  18-5
  What to Do Next  18-5
  Monitoring Webtype Access Lists  18-5
  Configuration Examples for Webtype Access Lists  18-5
  Feature History for Webtype Access Lists  18-7

Chapter 19  Adding an IPv6 Access List  19-1
  Information About IPv6 Access Lists  19-1
  Licensing Requirements for IPv6 Access Lists  19-1
  Prerequisites for Adding IPv6 Access Lists  19-2
  Guidelines and Limitations  19-2
  Default Settings  19-3
  Configuring IPv6 Access Lists  19-4
    Task Flow for Configuring IPv6 Access Lists  19-4
    Adding IPv6 Access Lists  19-5
    Adding Remarks to Access Lists  19-6
  Monitoring IPv6 Access Lists  19-7
  Configuration Examples for IPv6 Access Lists  19-7
  Where to Go Next  19-7
  Feature History for IPv6 Access Lists  19-7

Chapter 20  Configuring Logging for Access Lists  20-1
  Configuring Logging for Access Lists  20-1
    Information About Logging Access List Activity  20-1
    Licensing Requirements for Access List Logging  20-2
    Guidelines and Limitations  20-2
    Default Settings  20-3
    Configuring Access List Logging  20-3
    Monitoring Access Lists  20-4
    Configuration Examples for Access List Logging  20-4
    Feature History for Access List Logging  20-5
  Managing Deny Flows  20-5
    Information About Managing Deny Flows  20-6
    Licensing Requirements for Managing Deny Flows  20-6
    Guidelines and Limitations  20-6
    Default Settings  20-7
    Managing Deny Flows  20-7
    Monitoring Deny Flows  20-7
    Feature History for Managing Deny Flows  20-8

Part 6  Configuring IP Routing

Chapter 21  Routing Overview  21-1
  Information About Routing  21-1
    Switching  21-2
    Path Determination  21-2
    Supported Route Types  21-2
      Static Versus Dynamic  21-3
      Single-Path Versus Multipath  21-3
      Flat Versus Hierarchical  21-3
      Link-State Versus Distance Vector  21-4
  How Routing Behaves Within the ASA  21-4
    Egress Interface Selection Process  21-4
    Next Hop Selection Process  21-4
  Supported Internet Protocols for Routing  21-5
  Information About the Routing Table  21-6
    Displaying the Routing Table  21-6
    How the Routing Table Is Populated  21-6
      Backup Routes  21-8
    How Forwarding Decisions Are Made  21-8
    Dynamic Routing and Failover  21-9
  Information About IPv6 Support  21-9
    Features That Support IPv6  21-9
    IPv6-Enabled Commands  21-10
    Entering IPv6 Addresses in Commands  21-11
  Disabling Proxy ARPs  21-11
C H A P T E R |
22 |
Configuring Static and Default Routes |
22-1 |
|
|
||||
|
|
Information About Static and Default Routes |
22-1 |
|
|||||
|
|
Licensing Requirements for Static and Default Routes |
22-2 |
||||||
|
|
Guidelines and Limitations |
22-2 |
|
|
|
|
|
|
|
|
Configuring Static and Default Routes |
22-2 |
|
|
||||
|
|
Configuring a Static Route |
22-3 |
|
|
|
|||
|
|
Adding or Editing a Static Route 22-3 |
|
||||||
|
|
Configuring a Default Static Route |
22-4 |
|
|
||||
|
|
Limitations on Configuring a Default Static Route 22-4 |
|||||||
|
|
Configuring IPv6 Default and Static Routes |
22-5 |
|
|||||
|
|
Monitoring a Static or Default Route |
22-6 |
|
|
||||
|
|
Configuration Examples for Static or Default Routes |
22-8 |
||||||
|
|
Feature History for Static and Default Routes |
22-8 |
|
|||||
|
|
Defining Route Maps |
|
|
|
|
|
|
|
C H A P T E R |
23 |
23-1 |
|
|
|
|
|
|
|
|
|
Information About Route Maps |
23-1 |
|
|
|
|||
|
|
Permit and Deny Clauses 23-2 |
|
|
|
|
|||
|
|
Match and Set Clause Values |
23-2 |
|
|
||||
|
|
Licensing Requirements for Route Maps |
23-3 |
|
|
||||
|
|
Guidelines and Limitations |
23-3 |
|
|
|
|
|
|
|
|
Defining a Route Map 23-4 |
|
|
|
|
|
||
|
|
Customizing a Route Map |
23-4 |
|
|
|
|
|
|
|
|
Defining a Route to Match a Specific Destination Address 23-4 |
|||||||
|
|
Configuring the Metric Values for a Route Action |
23-5 |
||||||
|
|
Configuration Example for Route Maps |
23-6 |
|
|
||||
|
|
Feature History for Route Maps |
23-6 |
|
|
|
|||
|
|
Configuring OSPF 24-1 |
|
|
|
|
|
|
|
C H A P T E R |
24 |
|
|
|
|
|
|
||
|
|
Information About OSPF |
24-1 |
|
|
|
|
|
|
|
|
Licensing Requirements for OSPF |
24-2 |
|
|
|
|||
|
|
Guidelines and Limitations |
24-3 |
|
|
|
|
|
|
|
|
Configuring OSPF |
24-3 |
|
|
|
|
|
|
|
|
Customizing OSPF |
24-4 |
|
|
|
|
|
|
Redistributing Routes Into OSPF 24-4
Configuring Route Summarization When Redistributing Routes Into OSPF 24-6
Configuring Route Summarization Between OSPF Areas 24-7
Configuring OSPF Interface Parameters 24-8
Cisco ASA 5500 Series Configuration Guide using the CLI
xvii
Contents
|
|
Configuring OSPF Area Parameters |
24-10 |
||||||
|
|
Configuring OSPF NSSA |
|
24-11 |
|
|
|||
|
|
Defining Static OSPF Neighbors |
24-12 |
|
|||||
|
|
Configuring Route Calculation Timers |
24-13 |
||||||
|
|
Logging Neighbors Going Up or Down |
24-13 |
||||||
|
|
Restarting the OSPF Process |
|
24-14 |
|
|
|||
|
|
Configuration Example for OSPF |
24-14 |
|
|||||
|
|
Monitoring OSPF |
24-16 |
|
|
|
|
|
|
|
|
Feature History for OSPF |
24-17 |
|
|
|
|||
|
|
Configuring RIP 25-1 |
|
|
|
|
|
|
|
C H A P T E R |
25 |
|
|
|
|
|
|
||
|
|
Information About RIP |
25-1 |
|
|
|
|
|
|
|
|
Routing Update Process |
|
25-2 |
|
|
|||
|
|
RIP Routing Metric |
25-2 |
|
|
|
|||
|
|
RIP Stability Features |
25-2 |
|
|
|
|||
|
|
RIP Timers |
25-2 |
|
|
|
|
|
|
|
|
Licensing Requirements for RIP |
25-3 |
|
|
||||
|
|
Guidelines and Limitations |
25-3 |
|
|
|
|||
|
|
Configuring RIP |
25-4 |
|
|
|
|
|
|
|
|
Enabling RIP |
25-4 |
|
|
|
|
|
|
|
|
Customizing RIP |
25-4 |
|
|
|
|
|
|
|
|
Configuring the RIP Version |
25-5 |
|
|
||||
|
|
Configuring Interfaces for RIP |
25-6 |
|
|||||
|
|
Configuring the RIP Send and Receive Version on an Interface 25-6 |
|||||||
|
|
Configuring Route Summarization |
25-7 |
||||||
|
|
Filtering Networks in RIP |
25-8 |
|
|
||||
|
|
Redistributing Routes into the RIP Routing Process 25-8 |
|||||||
|
|
Enabling RIP Authentication |
25-9 |
|
|
||||
|
|
. Restarting the RIP Process |
25-10 |
|
|||||
|
|
Monitoring RIP |
25-11 |
|
|
|
|
|
|
|
|
Configuration Example for RIP |
25-11 |
|
|
||||
|
|
Feature History for RIP |
25-11 |
|
|
|
|||
|
|
Configuring Multicast Routing |
|
|
|
||||
C H A P T E R |
26 |
26-1 |
|
|
|||||
|
|
Information About Multicast Routing |
26-1 |
|
|||||
|
|
Stub Multicast Routing |
|
26-2 |
|
|
|||
|
|
PIM Multicast Routing |
|
26-2 |
|
|
|
||
|
|
Multicast Group Concept |
26-2 |
|
|
Cisco ASA 5500 Series Configuration Guide using the CLI
xviii
Contents
Multicast Addresses |
26-2 |
Licensing Requirements for Multicast Routing 26-2 |
|
Guidelines and Limitations |
26-3 |
Enabling Multicast Routing |
26-3 |
Customizing Multicast Routing |
26-4 |
Configuring Stub Multicast Routing and Forwarding IGMP Messages 26-4 |
|
Configuring a Static Multicast Route 26-4 |
|
Configuring IGMP Features |
26-5 |
Disabling IGMP on an Interface 26-6 |
|
|
|
|
Configuring IGMP Group Membership |
26-6 |
|
|
|
Configuring a Statically Joined IGMP Group |
26-6 |
|
||
Controlling Access to Multicast Groups |
26-7 |
|
||
Limiting the Number of IGMP States on an Interface |
26-7 |
|||
Modifying the Query Messages to Multicast Groups |
26-8 |
|||
Changing the IGMP Version 26-9 |
|
|
|
|
Configuring PIM Features |
26-9 |
|
|
|
Enabling and Disabling PIM on an Interface |
26-10 |
|
||
Configuring a Static Rendezvous Point Address 26-10 |
||||
Configuring the Designated Router Priority |
26-11 |
|
||
Configuring and Filtering PIM Register Messages |
26-11 |
|||
Configuring PIM Message Intervals 26-12 |
|
|
||
Filtering PIM Neighbors |
26-12 |
|
|
|
|
Configuring a Bidirectional Neighbor Filter |
26-13 |
|||||
|
Configuring a Multicast Boundary |
26-14 |
|
||||
|
Configuration Example for Multicast Routing |
26-14 |
|||||
|
Additional References |
26-15 |
|
|
|
||
|
Related Documents |
26-15 |
|
|
|
||
|
RFCs 26-15 |
|
|
|
|
|
|
|
Feature History for Multicast Routing |
26-15 |
|
||||
|
Configuring EIGRP |
|
|
|
|
|
|
C H A P T E R 27 |
27-1 |
|
|
|
|
||
|
Information About EIGRP |
27-1 |
|
|
|
||
|
Licensing Requirements for EIGRP |
27-2 |
|
||||
|
Guidelines and Limitations |
27-2 |
|
|
|
||
|
Configuring EIGRP |
27-3 |
|
|
|
|
|
|
Enabling EIGRP |
27-3 |
|
|
|
|
|
|
Enabling EIGRP Stub Routing |
27-3 |
|
|
|||
|
Customizing EIGRP |
27-4 |
|
|
|
|
Cisco ASA 5500 Series Configuration Guide using the CLI
xix
Contents
|
Defining a Network for an EIGRP Routing Process |
|
27-5 |
|||||
|
Configuring Interfaces for EIGRP |
27-6 |
|
|
|
|||
|
Configuring Passive Interfaces |
27-7 |
|
|
||||
|
Configuring the Summary Aggregate Addresses on Interfaces 27-8 |
|||||||
|
Changing the Interface Delay Value |
27-9 |
|
|
||||
|
Enabling EIGRP Authentication on an Interface |
27-9 |
||||||
|
Defining an EIGRP Neighbor |
27-10 |
|
|
|
|
||
|
Redistributing Routes Into EIGRP |
27-11 |
|
|
|
|||
|
Filtering Networks in EIGRP |
27-12 |
|
|
|
|
||
|
Customizing the EIGRP Hello Interval and Hold Time |
27-13 |
||||||
|
Disabling Automatic Route Summarization 27-14 |
|
||||||
|
Configuring Default Information in EIGRP |
27-15 |
|
|
||||
|
Disabling EIGRP Split Horizon |
27-16 |
|
|
|
|
||
|
Restarting the EIGRP Process |
27-17 |
|
|
|
|
||
|
Monitoring EIGRP 27-17 |
|
|
|
|
|
|
|
|
Configuration Example for EIGRP |
27-18 |
|
|
|
|
||
|
Feature History for EIGRP |
27-19 |
|
|
|
|
|
|
|
Configuring IPv6 Neighbor Discovery |
|
|
|
|
|||
C H A P T E R 28 |
28-1 |
|
|
|
||||
|
Information About IPv6 Neighbor Discovery |
28-1 |
|
|
||||
|
Neighbor Solicitation Messages |
28-2 |
|
|
|
|||
|
Neighbor Reachable Time 28-3 |
|
|
|
|
|
||
|
Router Advertisement Messages |
28-3 |
|
|
|
|||
|
Static IPv6 Neighbors |
28-4 |
|
|
|
|
|
|
|
Licensing Requirements for IPv6 Neighbor Discovery |
28-4 |
||||||
|
Guidelines and Limitations |
28-4 |
|
|
|
|
|
|
|
Default Settings for IPv6 Neighbor Discovery |
28-6 |
|
|
||||
|
Configuring the Neighbor Solicitation Message Interval |
28-7 |
||||||
|
Configuring the Neighbor Reachable Time |
28-7 |
|
|
||||
|
Configuring the Router Advertisement Transmission Interval 28-8 |
|||||||
|
Configuring the Router Lifetime Value |
28-8 |
|
|
|
|||
|
Configuring DAD Settings |
28-9 |
|
|
|
|
|
|
|
Configuring IPv6 Addresses on an Interface |
28-9 |
|
|
||||
|
Suppressing Router Advertisement Messages |
28-10 |
|
|
||||
|
Configuring the IPv6 Prefix |
28-11 |
|
|
|
|
|
|
|
Configuring a Static IPv6 Neighbor |
28-12 |
|
|
|
|
||
|
Monitoring IPv6 Neighbor Discovery |
28-13 |
|
|
|
Cisco ASA 5500 Series Configuration Guide using the CLI
xx
Contents
|
|
Additional References |
28-13 |
|
|
|
Related Documents for IPv6 Prefixes |
28-14 |
|
|
|
RFCs for IPv6 Prefixes and Documentation 28-14 |
||
|
|
Feature History for IPv6 Neighbor Discovery |
28-14 |
|
|
|
|
|
|
|
|
Configuring Network Address Translation |
|
|
P A R T 7 |
|
|||
|
|
Information About NAT |
|
|
C H A P T E R 29 |
29-1 |
|
||
|
|
Why Use NAT? 29-1 |
|
|
|
|
NAT Terminology 29-2 |
|
|
|
|
NAT Types 29-3 |
|
|
NAT Types Overview |
29-3 |
|
|
|
|
||
Static NAT |
29-3 |
|
|
|
|
|
|
Information About Static NAT |
29-3 |
|
|
||||
Information About Static NAT with Port Translation 29-4 |
|
||||||
Information About One-to-Many Static NAT |
29-6 |
|
|||||
Information About Other Mapping Scenarios (Not Recommended) 29-7 |
|||||||
Dynamic NAT |
29-8 |
|
|
|
|
|
|
Information About Dynamic NAT |
29-9 |
|
|
||||
Dynamic NAT Disadvantages and Advantages |
29-10 |
|
|||||
Dynamic PAT |
29-10 |
|
|
|
|
|
|
Information About Dynamic PAT |
29-10 |
|
|
||||
Dynamic PAT Disadvantages and Advantages |
29-11 |
|
|||||
Identity NAT |
29-11 |
|
|
|
|
|
|
NAT in Routed and Transparent Mode |
29-12 |
|
|
||||
NAT in Routed Mode |
29-13 |
|
|
|
|
||
NAT in Transparent Mode 29-13 |
|
|
|
|
|||
NAT for VPN 29-14 |
|
|
|
|
|
|
|
How NAT is Implemented |
29-16 |
|
|
|
|
||
Main Differences Between Network Object NAT and Twice NAT |
29-16 |
||||||
Information About Network Object NAT |
29-17 |
|
|
||||
Information About Twice NAT 29-17 |
|
|
|
||||
NAT Rule Order |
29-20 |
|
|
|
|
|
|
NAT Interfaces |
29-21 |
|
|
|
|
|
|
Routing NAT Packets |
29-21 |
|
|
|
|
||
Mapped Addresses and Routing |
29-22 |
|
|
||||
Transparent Mode Routing Requirements for Remote Networks |
29-24 |
||||||
Determining the Egress Interface |
29-24 |
|
|
Cisco ASA 5500 Series Configuration Guide using the CLI
xxi
Contents
|
DNS and NAT 29-24 |
|
|
|
Where to Go Next |
29-27 |
|
|
Configuring Network Object NAT 30-1 |
|
|
C H A P T E R 30 |
|
||
|
Information About Network Object NAT |
30-1 |
|
|
Licensing Requirements for Network Object NAT 30-2 |
||
|
Prerequisites for Network Object NAT |
30-2 |
|
|
Guidelines and Limitations 30-2 |
|
|
|
Default Settings |
30-3 |
|
|
Configuring Network Object NAT |
30-3 |
|
||||
|
Configuring Dynamic NAT |
|
30-4 |
|
|
||
|
Configuring Dynamic PAT (Hide) |
30-6 |
|
||||
|
Configuring Static NAT or Static NAT-with-Port-Translation |
30-10 |
|||||
|
Configuring Identity NAT |
30-12 |
|
|
|||
|
Monitoring Network Object NAT |
30-14 |
|
||||
|
Configuration Examples for Network Object NAT 30-15 |
|
|||||
|
Providing Access to an Inside Web Server (Static NAT) 30-15 |
|
|||||
|
NAT for Inside Hosts (Dynamic NAT) and NAT for an Outside Web Server (Static NAT) 30-16 |
||||||
|
Inside Load Balancer with Multiple Mapped Addresses (Static NAT, One-to-Many) 30-17 |
||||||
|
Single Address for FTP, HTTP, and SMTP (Static NAT-with-Port-Translation) 30-18 |
||||||
|
DNS Server on Mapped Interface, Web Server on Real Interface (Static NAT with DNS |
||||||
|
Modification) |
30-19 |
|
|
|
|
|
|
DNS Server and Web Server on Mapped Interface, Web Server is Translated (Static NAT with DNS |
||||||
|
Modification) |
30-21 |
|
|
|
|
|
|
Feature History for Network Object NAT 30-22 |
|
|||||
|
Configuring Twice NAT |
|
|
|
|
|
|
C H A P T E R 31 |
31-1 |
|
|
|
|
||
|
Information About Twice NAT |
|
31-1 |
|
|
||
|
Licensing Requirements for Twice NAT |
31-2 |
|
||||
|
Prerequisites for Twice NAT |
31-2 |
|
|
|||
|
Guidelines and Limitations 31-2 |
|
|
||||
|
Default Settings |
31-3 |
|
|
|
|
|
|
Configuring Twice NAT |
31-3 |
|
|
|
|
|
|
Configuring Dynamic NAT |
|
31-4 |
|
|
||
|
Configuring Dynamic PAT (Hide) |
31-8 |
|
||||
|
Configuring Static NAT or Static NAT-with-Port-Translation |
31-15 |
|||||
|
Configuring Identity NAT |
31-20 |
|
|
|||
|
Monitoring Twice NAT |
31-24 |
|
|
|
|
Cisco ASA 5500 Series Configuration Guide using the CLI
xxii
Contents
|
|
Configuration Examples for Twice NAT |
31-24 |
|
|
|
||
|
|
Different Translation Depending on the Destination (Dynamic PAT) |
31-24 |
|||||
|
|
Different Translation Depending on the Destination Address and Port (Dynamic PAT) 31-26 |
||||||
|
|
Feature History for Twice NAT 31-28 |
|
|
|
|
|
|
|
|
|
|
|||||
|
|
Configuring Service Policies Using the Modular Policy Framework |
|
|||||
P A R T 8 |
|
|||||||
|
|
Configuring a Service Policy Using the Modular Policy Framework |
|
|||||
C H A P T E R 32 |
32-1 |
|||||||
|
|
Information About Service Policies 32-1 |
|
|
|
|
|
|
|
|
Supported Features for Through Traffic |
32-2 |
|
|
|||
|
|
Supported Features for Management Traffic |
32-2 |
|
|
|||
|
|
Feature Directionality |
32-2 |
|
|
|
|
|
|
|
Feature Matching Within a Service Policy |
32-3 |
|
|
|||
|
|
Order in Which Multiple Feature Actions are Applied |
32-4 |
|
||||
|
|
Incompatibility of Certain Feature Actions |
32-5 |
|
|
|||
|
|
Feature Matching for Multiple Service Policies 32-6 |
|
|||||
|
|
Licensing Requirements for Service Policies |
32-6 |
|
|
|||
|
|
Guidelines and Limitations |
32-6 |
|
|
|
|
|
|
|
Default Settings 32-7 |
|
|
|
|
|
|
|
|
Default Configuration |
32-7 |
|
|
|
|
|
|
|
Default Class Maps |
32-8 |
|
|
|
|
|
|
|
Task Flows for Configuring Service Policies |
32-9 |
|
|
|||
|
|
Task Flow for Using the Modular Policy Framework |
32-9 |
|
||||
|
|
Task Flow for Configuring Hierarchical Policy Maps for QoS Traffic Shaping 32-11 |
||||||
|
|
Identifying Traffic (Layer 3/4 Class Maps) |
|
32-12 |
|
|
||
|
|
Creating a Layer 3/4 Class Map for Through Traffic |
32-12 |
|
||||
|
|
Creating a Layer 3/4 Class Map for Management Traffic 32-14 |
|
|||||
|
|
Defining Actions (Layer 3/4 Policy Map) |
32-15 |
|
|
|
||
|
|
Applying Actions to an Interface (Service Policy) |
32-17 |
|
|
|||
|
|
Monitoring Modular Policy Framework |
32-18 |
|
|
|
||
|
|
Configuration Examples for Modular Policy Framework |
32-18 |
|
Applying Inspection and QoS Policing to HTTP Traffic
Applying Inspection to HTTP Traffic Globally 32-19
Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers 32-20
Applying Inspection to HTTP Traffic with NAT
Feature History for Service Policies
Cisco ASA 5500 Series Configuration Guide using the CLI
xxiii
Contents
C H A P T E R |
33 |
|
Configuring Special Actions for Application Inspections (Inspection Policy Map) 33-1 |
|||||
|
|
|
Information About Inspection Policy Maps 33-1 |
|||||
|
|
|
Guidelines and Limitations |
33-2 |
|
|
|
|
|
|
|
Default Inspection Policy Maps |
33-2 |
|
|
|
|
|
|
|
Defining Actions in an Inspection Policy Map |
33-2 |
|
|||
|
|
|
Identifying Traffic in an Inspection Class Map |
33-6 |
|
|||
|
|
|
Where to Go Next 33-7 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Configuring Access Control |
|
|
|
|
|
P A R T 9 |
|
|
|
|
|
|
||
|
|
|
Configuring Access Rules |
|
|
|
|
|
C H A P T E R |
34 |
34-1 |
|
|
|
|
||
|
|
|
Information About Access Rules |
34-1 |
|
|
|
|
|
|
|
General Information About Rules |
34-2 |
|
|
||
|
|
|
Implicit Permits |
34-2 |
|
|
|
|
|
|
|
Information About Interface Access Rules and Global Access Rules 34-2 |
|||||
|
|
|
Using Access Rules and EtherType Rules on the Same Interface 34-2 |
|||||
|
|
|
Implicit Deny 34-3 |
|
|
|
|
|
|
|
|
Inbound and Outbound Rules |
34-3 |
|
|
Information About Extended Access Rules |
34-4 |
|||
Access Rules for Returning Traffic |
34-4 |
|||
Allowing Broadcast and Multicast Traffic through the Transparent Firewall Using Access |
||||
Rules |
34-5 |
|
|
|
Management Access Rules 34-5 |
|
|
||
Information About EtherType Rules 34-5 |
|
|||
Supported EtherTypes and Other Traffic |
34-6 |
|||
Access Rules for Returning Traffic |
34-6 |
|||
Allowing MPLS |
34-6 |
|
|
|
Licensing Requirements for Access Rules |
34-6 |
|
||
Prerequisites 34-7 |
|
|
|
|
Guidelines and Limitations |
34-7 |
|
|
|
Default Settings |
34-7 |
|
|
|
Configuring Access Rules |
34-7 |
|
|
|
Monitoring Access Rules |
34-8 |
|
|
Configuration Examples for Permitting or Denying Network Access
Feature History for Access Rules
Cisco ASA 5500 Series Configuration Guide using the CLI
xxiv
Contents
C H A P T E R 35 |
Configuring AAA Servers and the Local Database 35-1 |
||
|
Information About AAA 35-1 |
|
|
|
Information About Authentication |
35-2 |
|
|
Information About Authorization |
35-2 |
|
|
Information About Accounting |
35-3 |
|
|
Summary of Server Support |
35-3 |
|
RADIUS Server Support |
35-4 |
|
|
|
|
|||
Authentication Methods |
35-4 |
|
|
|
||||
Attribute Support |
35-4 |
|
|
|
|
|||
RADIUS Authorization Functions |
35-5 |
|
|
|||||
TACACS+ Server Support |
35-5 |
|
|
|
||||
RSA/SDI Server Support |
|
35-5 |
|
|
|
|
||
RSA/SDI Version Support |
35-5 |
|
|
|
||||
Two-step Authentication Process |
35-5 |
|
|
|||||
RSA/SDI Primary and Replica Servers 35-6 |
|
|||||||
NT Server Support |
35-6 |
|
|
|
|
|
||
Kerberos Server Support |
|
35-6 |
|
|
|
|
||
LDAP Server Support |
35-6 |
|
|
|
|
|||
Authentication with LDAP |
35-6 |
|
|
|
||||
LDAP Server Types |
35-7 |
|
|
|
|
|||
HTTP Forms Authentication for Clientless SSL VPN 35-8 |
||||||||
Local Database Support, Including as a Falback Method |
35-8 |
|||||||
How Fallback Works with Multiple Servers in a Group |
35-8 |
|||||||
Using Certificates and User Login Credentials |
35-9 |
|
||||||
Using User Login Credentials 35-9 |
|
|
||||||
Using Certificates |
35-9 |
|
|
|
|
|||
Licensing Requirements for AAA Servers |
35-10 |
|
|
|||||
Guidelines and Limitations |
35-10 |
|
|
|
|
|||
Configuring AAA |
35-10 |
|
|
|
|
|
|
|
Task Flow for Configuring AAA |
35-11 |
|
|
|||||
Configuring AAA Server Groups |
|
35-11 |
|
|
||||
Configuring Authorization with LDAP for VPN |
35-16 |
|
||||||
Configuring LDAP Attribute Maps |
35-18 |
|
|
|||||
Adding a User Account to the Local Database |
35-20 |
|
||||||
Guidelines |
35-20 |
|
|
|
|
|
|
|
Limitations 35-21 |
|
|
|
|
|
|
||
Managing User Passwords |
35-25 |
|
|
|
||||
.Changing User Passwords |
35-27 |
|
|
|
||||
Authenticating Users with a Public Key for SSH |
35-28 |
|
Cisco ASA 5500 Series Configuration Guide using the CLI
xxv
Contents
|
Differentiating User Roles Using AAA |
35-28 |
|||
|
Using Local Authentication |
35-28 |
|||
|
Using RADIUS Authentication |
35-29 |
|||
|
Using LDAP Authentication |
35-29 |
|||
|
Using TACACS+ Authentication |
35-30 |
|||
|
Monitoring AAA Servers |
35-30 |
|
|
|
|
Additional References 35-31 |
|
|
|
|
|
RFCs 35-31 |
|
|
|
|
|
Feature History for AAA Servers |
35-31 |
|
||
|
Configuring the Identity Firewall |
|
|
|
|
C H A P T E R 36 |
36-1 |
|
|
||
|
Information About the Identity Firewall |
36-1 |
|||
|
Overview of the Identity Firewall |
36-1 |
|||
|
Architecture for Identity Firewall Deployments 36-2 |
||||
|
Features of the Identity Firewall |
36-3 |
|
||
|
Deployment Scenarios |
36-4 |
|
|
|
|
Cut-through Proxy and VPN Authentication 36-7 |
||||
|
Licensing for the Identity Firewall |
36-8 |
|
||
|
Guidelines and Limitations |
36-8 |
|
|
|
|
Prerequisites 36-9 |
|
|
|
|
|
Configuring the Identity Firewall |
36-10 |
|
|
|
|
Task Flow for Configuring the Identity Firewall |
36-10 |
|
||
|
Configuring the Active Directory Domain |
36-11 |
|
||
|
Configuring Active Directory Agents |
36-13 |
|
||
|
Configuring Identity Options |
36-14 |
|
|
|
|
Configuring Identity-based Access Rules |
36-20 |
|
||
|
Configuring Cut-through Proxy Authentication 36-22 |
||||
|
Configuring VPN Authentication 36-24 |
|
|
||
|
Monitoring the Identity Firewall |
36-25 |
|
|
|
|
Monitoring AD Agents 36-26 |
|
|
|
|
|
Monitoring Groups 36-26 |
|
|
|
|
|
Monitoring Memory Usage for the Identity Firewall |
36-26 |
|||
|
Monitoring Users for the Identity Firewall |
36-27 |
|
||
|
Feature History for the Identity Firewall |
36-28 |
|
|
|
|
Configuring Management Access |
|
|
|
|
C H A P T E R 37 |
37-1 |
|
|
|
|
|
Configuring ASA Access for ASDM, Telnet, or SSH |
37-1 |
Licensing Requirements for ASA Access for ASDM, Telnet, or SSH 37-2
Cisco ASA 5500 Series Configuration Guide using the CLI
xxvi
Contents
Guidelines and Limitations |
37-2 |
|
|
|
|
|
||
Configuring Telnet Access |
37-3 |
|
|
|
|
|
||
Using a Telnet Client |
37-4 |
|
|
|
|
|
||
Configuring SSH Access |
37-4 |
|
|
|
|
|
||
Using an SSH Client |
37-5 |
|
|
|
|
|
|
|
Configuring HTTPS Access for ASDM |
37-6 |
|
|
|
||||
Configuring CLI Parameters |
37-6 |
|
|
|
|
|
||
Licensing Requirements for CLI Parameters |
37-7 |
|
|
|||||
Guidelines and Limitations |
37-7 |
|
|
|
|
|
||
Configuring a Login Banner |
37-7 |
|
|
|
|
|||
Customizing a CLI Prompt |
37-8 |
|
|
|
|
|
||
Changing the Console Timeout |
37-9 |
|
|
|
|
|||
Configuring ICMP Access |
37-10 |
|
|
|
|
|
||
Information About ICMP Access |
37-10 |
|
|
|
|
|||
Licensing Requirements for ICMP Access |
37-10 |
|
|
|||||
Guidelines and Limitations |
37-10 |
|
|
|
|
|||
Default Settings |
37-11 |
|
|
|
|
|
|
|
Configuring ICMP Access |
37-11 |
|
|
|
|
|
||
Configuring Management Access Over a VPN Tunnel |
37-12 |
|||||||
Licensing Requirements for a Management Interface |
37-12 |
|||||||
Guidelines and Limitations |
37-12 |
|
|
|
|
|||
Configuring a Management Interface |
37-13 |
|
|
|||||
Configuring AAA for System Administrators |
37-13 |
|
|
|||||
Information About AAA for System Administrators |
|
37-14 |
||||||
Information About Management Authentication |
37-14 |
|||||||
Information About Command Authorization |
37-14 |
|||||||
Licensing Requirements for AAA for System Administrators 37-17 |
||||||||
Prerequisites 37-17 |
|
|
|
|
|
|
|
|
Guidelines and Limitations |
37-18 |
|
|
|
|
|||
Default Settings |
37-18 |
|
|
|
|
|
|
|
Configuring Authentication for CLI and ASDM Access |
37-19 |
Configuring Authentication to Access Privileged EXEC Mode (the enable Command) 37-19
Configuring Authentication for the enable Command 37-20
Authenticating Users with the login Command 37-20
Limiting User CLI and ASDM Access with Management Authorization 37-21
Configuring Command Authorization 37-22 |
|
Configuring Local Command Authorization |
37-23 |
Viewing Local Command Privilege Levels |
37-26 |
Configuring Commands on the TACACS+ Server 37-26
Cisco ASA 5500 Series Configuration Guide using the CLI
xxvii
Contents
Configuring TACACS+ Command Authorization 37-29 |
|
Configuring Management Access Accounting 37-30 |
|
Viewing the Currently Logged-In User |
37-30 |
Recovering from a Lockout 37-31 |
|
Setting a Management Session Quota |
37-32 |
|
Feature History for Management Access |
37-33 |
|
Configuring AAA Rules for Network Access 38-1 |
|
C H A P T E R 38 |
||
|
AAA Performance 38-1 |
|
|
Licensing Requirements for AAA Rules |
38-1 |
|
Guidelines and Limitations 38-2 |
|
Configuring Authentication for Network Access
Information About Authentication
One-Time Authentication 38-2
Applications Required to Receive an Authentication Challenge
ASA Authentication Prompts
Static PAT and HTTP 38-4
Configuring Network Access Authentication 38-4
Enabling Secure Authentication of Web Clients 38-6
Authenticating Directly with the ASA 38-7
|
Authenticating HTTP(S) Connections with a Virtual Server |
38-8 |
|||
|
Authenticating Telnet Connections with a Virtual Server |
38-9 |
|||
|
Configuring Authorization for Network Access |
38-11 |
|
||
|
Configuring TACACS+ Authorization |
38-11 |
|
||
|
Configuring RADIUS Authorization |
38-14 |
|
|
|
|
Configuring a RADIUS Server to Send Downloadable Access Control Lists 38-14 |
||||
|
Configuring a RADIUS Server to Download Per-User Access Control List Names 38-18 |
||||
|
Configuring Accounting for Network Access |
38-18 |
|
||
|
Using MAC Addresses to Exempt Traffic from Authentication and Authorization 38-20 |
||||
|
Feature History for AAA Rules |
38-21 |
|
|
|
|
Configuring Filtering Services |
|
|
|
|
C H A P T E R 39 |
39-1 |
|
|
|
|
|
Information About Web Traffic Filtering |
39-1 |
|
|
|
|
Configuring ActiveX Filtering |
39-2 |
|
|
|
|
Information About ActiveX Filtering |
39-2 |
|
|
|
|
Licensing Requirements for ActiveX Filtering |
39-2 |
|
||
|
Guidelines and Limitations for ActiveX Filtering 39-3 |
|
|||
|
Configuring ActiveX Filtering 39-3 |
|
|
|
Cisco ASA 5500 Series Configuration Guide using the CLI
xxviii
Contents
|
|
Configuration Examples for ActiveX Filtering |
39-3 |
|
||||||
|
|
Feature History for ActiveX Filtering 39-4 |
|
|
|
|||||
|
|
Configuring Java Applet Filtering |
39-4 |
|
|
|
||||
|
|
Information About Java Applet Filtering |
39-4 |
|
||||||
|
|
Licensing Requirements for Java Applet Filtering |
39-4 |
|||||||
|
|
Guidelines and Limitations for Java Applet Filtering |
39-5 |
|||||||
|
|
Configuring Java Applet Filtering |
39-5 |
|
|
|
||||
|
|
Configuration Examples for Java Applet Filtering 39-5 |
||||||||
|
|
Feature History for Java Applet Filtering |
39-6 |
|
||||||
|
|
Filtering URLs and FTP Requests with an External Server |
39-6 |
|||||||
|
|
Information About URL Filtering |
39-6 |
|
|
|
||||
|
|
Licensing Requirements for URL Filtering |
39-7 |
|
||||||
|
|
Guidelines and Limitations for URL Filtering |
39-7 |
|
||||||
|
|
Identifying the Filtering Server |
|
39-8 |
|
|
|
|||
|
|
Configuring Additional URL Filtering Settings |
39-10 |
|||||||
|
|
Buffering the Content Server Response |
39-10 |
|
||||||
|
|
Caching Server Addresses |
|
39-11 |
|
|
|
|||
|
|
Filtering HTTP URLs |
39-11 |
|
|
|
|
|||
|
|
Filtering HTTPS URLs |
39-13 |
|
|
|
||||
|
|
Filtering FTP Requests |
39-14 |
|
|
|
||||
|
|
Monitoring Filtering Statistics |
39-15 |
|
|
|
|
|||
|
|
Feature History for URL Filtering |
39-17 |
|
|
|
||||
|
|
Configuring Web Cache Services Using WCCP |
|
|
||||||
C H A P T E R |
40 |
40-1 |
|
|||||||
|
|
Information About WCCP |
40-1 |
|
|
|
|
|
||
|
|
Guidelines and Limitations |
40-1 |
|
|
|
|
|
||
|
|
Licensing Requirements for WCCP |
40-2 |
|
|
|
||||
|
|
Enabling WCCP Redirection |
40-3 |
|
|
|
|
|
||
|
|
WCCP Monitoring Commands |
40-4 |
|
|
|
|
|||
|
|
Feature History for WCCP |
40-4 |
|
|
|
|
|
||
|
|
Configuring Digital Certificates |
|
|
|
|
|
|||
C H A P T E R |
41 |
41-1 |
|
|
|
|
||||
|
|
Information About Digital Certificates |
41-1 |
|
|
|
||||
|
|
Public Key Cryptography |
41-2 |
|
|
|
|
|
||
|
|
Certificate Scalability |
41-2 |
|
|
|
|
|
||
|
|
Key Pairs |
41-2 |
|
|
|
|
|
|
|
|
|
Trustpoints |
41-3 |
|
|
|
|
|
|
|
|
|
Certificate Enrollment |
41-3 |
|
|
|
|
Cisco ASA 5500 Series Configuration Guide using the CLI
xxix
Contents
Proxy for SCEP Requests |
41-3 |
|
|
|
|||||
Revocation Checking |
41-4 |
|
|
|
|
|
|
||
Supported CA Servers |
41-4 |
|
|
|
|
||||
CRLs |
41-4 |
|
|
|
|
|
|
|
|
OCSP |
41-5 |
|
|
|
|
|
|
|
|
The Local CA 41-6 |
|
|
|
|
|
|
|
|
|
Storage for Local CA Files |
41-6 |
|
|
|
|||||
The Local CA Server |
41-6 |
|
|
|
|
|
|||
Licensing Requirements for Digital Certificates |
41-7 |
||||||||
Prerequisites for Local Certificates |
41-7 |
|
|
|
|||||
Prerequisites for SCEP Proxy Support |
41-7 |
|
|
||||||
Guidelines and Limitations |
41-8 |
|
|
|
|
|
|||
Configuring Digital Certificates |
41-9 |
|
|
|
|
||||
Configuring Key Pairs |
41-9 |
|
|
|
|
|
|||
Removing Key Pairs |
41-10 |
|
|
|
|
|
|
||
Configuring Trustpoints |
41-10 |
|
|
|
|
|
|||
Configuring CRLs for a Trustpoint |
41-13 |
|
|
||||||
Exporting a Trustpoint Configuration |
41-15 |
|
|
||||||
Importing a Trustpoint Configuration |
41-16 |
|
|
||||||
Configuring CA Certificate Map Rules |
41-17 |
|
|||||||
Obtaining Certificates Manually |
41-18 |
|
|
||||||
Obtaining Certificates Automatically with SCEP |
41-20 |
||||||||
Configuring Proxy Support for SCEP Requests |
|
41-21 |
|||||||
Enabling the Local CA Server |
41-22 |
|
|
|
|||||
Configuring the Local CA Server |
41-23 |
|
|
||||||
Customizing the Local CA Server |
41-25 |
|
|
||||||
Debugging the Local CA Server |
41-26 |
|
|
|
|||||
Disabling the Local CA Server |
41-26 |
|
|
|
|||||
Deleting the Local CA Server |
41-26 |
|
|
|
|||||
Configuring Local CA Certificate Characteristics |
41-27 |
||||||||
Configuring the Issuer Name |
41-28 |
|
|
||||||
Configuring the CA Certificate Lifetime |
41-28 |
||||||||
Configuring the User Certificate Lifetime |
|
41-29 |
|||||||
Configuring the CRL Lifetime |
41-30 |
|
|
||||||
Configuring the Server Keysize |
41-30 |
|
|
||||||
Setting Up External Local CA File Storage |
41-31 |
||||||||
Downloading CRLs |
41-33 |
|
|
|
|
|
|||
Storing CRLs |
41-34 |
|
|
|
|
|
|
||
Setting Up Enrollment Parameters |
41-35 |
|
Cisco ASA 5500 Series Configuration Guide using the CLI
xxx