Cisco ASA 5545-X, ASA Services Module, ASA 5580, ASA 5585-X, ASA 5555-X User Manual

...

Cisco ASA Series Firewall ASDM Configuration Guide

Software Version 7.1

For the ASA 5505, ASA 5510, ASA 5520, ASA 5540, ASA 5550, ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, ASA 5580, ASA 5585-X, and the ASA Services Module

Released: December 3, 2012 Updated: March 31, 2014

Cisco Systems, Inc.

www.cisco.com

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices.

Text Part Number: N/A, Online only

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

Cisco ASA Series Firewall ASDM Configuration Guide

About This Guide 21

Document Objectives 21

Related Documentation 21

Conventions 22

Obtaining Documentation and Submitting a Service Request 22

PART

1 Configuring Service Policies

CHAPTER

1 Configuring a Service Policy 1-1

Information About Service Policies 1-1

Supported Features 1-1 Feature Directionality 1-2 Feature Matching Within a Service Policy 1-3 Order in Which Multiple Feature Actions are Applied 1-4 Incompatibility of Certain Feature Actions 1-5 Feature Matching for Multiple Service Policies 1-5

Licensing Requirements for Service Policies 1-5

Guidelines and Limitations 1-6

Default Settings 1-7

Default Configuration 1-7 Default Traffic Classes 1-8

Task Flows for Configuring Service Policies 1-8

Task Flow for Configuring a Service Policy Rule 1-8

Adding a Service Policy Rule for Through Traffic 1-8

Adding a Service Policy Rule for Management Traffic 1-13

Configuring a Service Policy Rule for Management Traffic 1-13

CHAPTER

Managing the Order of Service Policy Rules 1-15

Feature History for Service Policies 1-17

2 Configuring Special Actions for Application Inspections (Inspection Policy Map) 2-1

Information About Inspection Policy Maps 2-1

Guidelines and Limitations 2-2

Default Inspection Policy Maps 2-2

Cisco ASA Series Firewall ASDM Configuration Guide

Contents

Defining Actions in an Inspection Policy Map 2-3

Identifying Traffic in an Inspection Class Map 2-3

Where to Go Next 2-4

Feature History for Inspection Policy Maps 2-4

PART

2 Configuring Network Address Translation

CHAPTER

3 Information About NAT (ASA 8.3 and Later) 3-1

Why Use NAT? 3-1

NAT Terminology 3-2

NAT Types 3-3

NAT Types Overview 3-3 Static NAT 3-3 Dynamic NAT 3-8 Dynamic PAT 3-10 Identity NAT 3-12

NAT in Routed and Transparent Mode 3-12

NAT in Routed Mode 3-13 NAT in Transparent Mode 3-13

NAT and IPv6 3-15

How NAT is Implemented 3-15

Main Differences Between Network Object NAT and Twice NAT 3-15 Information About Network Object NAT 3-16 Information About Twice NAT 3-16

NAT Rule Order 3-20

NAT Interfaces 3-21

Routing NAT Packets 3-21

Mapped Addresses and Routing 3-22 Transparent Mode Routing Requirements for Remote Networks 3-24 Determining the Egress Interface 3-24

NAT for VPN 3-24

NAT and Remote Access VPN 3-25 NAT and Site-to-Site VPN 3-26 NAT and VPN Management Access 3-28 Troubleshooting NAT and VPN 3-30

DNS and NAT 3-30

Where to Go Next 3-35

Cisco ASA Series Firewall ASDM Configuration Guide

Contents

CHAPTER

4 Configuring Network Object NAT (ASA 8.3 and Later) 4-1

Information About Network Object NAT 4-1

Licensing Requirements for Network Object NAT 4-2

Prerequisites for Network Object NAT 4-2

Guidelines and Limitations 4-2

Default Settings 4-3

Configuring Network Object NAT 4-4

Configuring Dynamic NAT or Dynamic PAT Using a PAT Pool 4-4 Configuring Dynamic PAT (Hide) 4-8 Configuring Static NAT or Static NAT-with-Port-Translation 4-11 Configuring Identity NAT 4-15 Configuring Per-Session PAT Rules 4-18

Monitoring Network Object NAT 4-19

Configuration Examples for Network Object NAT 4-20

Providing Access to an Inside Web Server (Static NAT) 4-21 NAT for Inside Hosts (Dynamic NAT) and NAT for an Outside Web Server (Static NAT) 4-23 Inside Load Balancer with Multiple Mapped Addresses (Static NAT, One-to-Many) 4-28 Single Address for FTP, HTTP, and SMTP (Static NAT-with-Port-Translation) 4-32 DNS Server on Mapped Interface, Web Server on Real Interface (Static NAT with DNS

Modification)

4-35

DNS Server and FTP Server on Mapped Interface, FTP Server is Translated (Static NAT with DNS Modification)

4-38

IPv4 DNS Server and FTP Server on Mapped Interface, IPv6 Host on Real Interface (Static NAT64 with DNS64 Modification)

4-40

CHAPTER

Feature History for Network Object NAT 4-45

5 Configuring Twice NAT (ASA 8.3 and Later) 5-1

Information About Twice NAT 5-1

Licensing Requirements for Twice NAT 5-2

Prerequisites for Twice NAT 5-2

Guidelines and Limitations 5-2

Default Settings 5-4

Configuring Twice NAT 5-4

Configuring Dynamic NAT or Dynamic PAT Using a PAT Pool 5-4 Configuring Dynamic PAT (Hide) 5-12 Configuring Static NAT or Static NAT-with-Port-Translation 5-18 Configuring Identity NAT 5-24 Configuring Per-Session PAT Rules 5-29

Cisco ASA Series Firewall ASDM Configuration Guide

Contents

Monitoring Twice NAT 5-29

Configuration Examples for Twice NAT 5-30

Different Translation Depending on the Destination (Dynamic PAT) 5-30 Different Translation Depending on the Destination Address and Port (Dynamic PAT) 5-39

Feature History for Twice NAT 5-48

CHAPTER

6 Configuring NAT (ASA 8.2 and Earlier) 6-1

NAT Overview 6-1

Introduction to NAT 6-1 NAT in Routed Mode 6-2 NAT in Transparent Mode 6-3 NAT Control 6-4 NAT Types 6-6 Policy NAT 6-11 NAT and Same Security Level Interfaces 6-13 Order of NAT Rules Used to Match Real Addresses 6-14 Mapped Address Guidelines 6-14 DNS and NAT 6-14

Configuring NAT Control 6-16

Using Dynamic NAT 6-17

Dynamic NAT Implementation 6-17 Managing Global Pools 6-22 Configuring Dynamic NAT, PAT, or Identity NAT 6-23 Configuring Dynamic Policy NAT or PAT 6-25

Using Static NAT 6-27

Configuring Static NAT, PAT, or Identity NAT 6-28 Configuring Static Policy NAT, PAT, or Identity NAT 6-31

Using NAT Exemption 6-33

PART

3 Configuring Access Control

CHAPTER

7 Configuring Access Rules 7-1

Information About Access Rules 7-1

General Information About Rules 7-2 Information About Access Rules 7-5 Information About EtherType Rules 7-6

Licensing Requirements for Access Rules 7-7

Guidelines and Limitations 7-7

Cisco ASA Series Firewall ASDM Configuration Guide

Default Settings 7-7 Configuring Access Rules 7-8 Adding an Access Rule 7-8 Adding an EtherType Rule (Transparent Mode Only) 7-9 Configuring Management Access Rules 7-10 Advanced Access Rule Configuration 7-11 Configuring HTTP Redirect 7-12

Feature History for Access Rules 7-14

Contents

CHAPTER

8 Configuring AAA Rules for Network Access 8-1

AAA Performance 8-1

Licensing Requirements for AAA Rules 8-1

Guidelines and Limitations 8-2

Configuring Authentication for Network Access 8-2

Information About Authentication 8-2 Configuring Network Access Authentication 8-6 Enabling the Redirection Method of Authentication for HTTP and HTTPS 8-7 Enabling Secure Authentication of Web Clients 8-8 Authenticating Directly with the ASA 8-9 Configuring the Authentication Proxy Limit 8-11

Configuring Authorization for Network Access 8-12

Configuring TACACS+ Authorization 8-12 Configuring RADIUS Authorization 8-13

Configuring Accounting for Network Access 8-17

Using MAC Addresses to Exempt Traffic from Authentication and Authorization 8-19

Feature History for AAA Rules 8-20

CHAPTER

9 Configuring Public Servers 9-1

Information About Public Servers 9-1

Licensing Requirements for Public Servers 9-1

Guidelines and Limitations 9-1

Adding a Public Server that Enables Static NAT 9-2

Adding a Public Server that Enables Static NAT with PAT 9-2

Editing Settings for a Public Server 9-3

Feature History for Public Servers 9-4

PART

4 Configuring Application Inspection

Cisco ASA Series Firewall ASDM Configuration Guide

Contents

CHAPTER

10 Getting Started with Application Layer Protocol Inspection 10-1

Information about Application Layer Protocol Inspection 10-1

How Inspection Engines Work 10-1 When to Use Application Protocol Inspection 10-2

Guidelines and Limitations 10-3

Default Settings and NAT Limitations 10-4

Configuring Application Layer Protocol Inspection 10-7

11 Configuring Inspection of Basic Internet Protocols 11-1

DNS Inspection 11-1

Information About DNS Inspection 11-2 Default Settings for DNS Inspection 11-2 (Optional) Configuring a DNS Inspection Policy Map and Class Map 11-3 Configuring DNS Inspection 11-16

FTP Inspection 11-17

FTP Inspection Overview 11-17 Using Strict FTP 11-17 Select FTP Map 11-18 FTP Class Map 11-19 Add/Edit FTP Traffic Class Map 11-19 Add/Edit FTP Match Criterion 11-20 FTP Inspect Map 11-21 File Type Filtering 11-22 Add/Edit FTP Policy Map (Security Level) 11-22 Add/Edit FTP Policy Map (Details) 11-23 Add/Edit FTP Map 11-24 Verifying and Monitoring FTP Inspection 11-25

HTTP Inspection 11-26

HTTP Inspection Overview 11-26 Select HTTP Map 11-26 HTTP Class Map 11-27 Add/Edit HTTP Traffic Class Map 11-27 Add/Edit HTTP Match Criterion 11-28 HTTP Inspect Map 11-32 URI Filtering 11-33 Add/Edit HTTP Policy Map (Security Level) 11-33 Add/Edit HTTP Policy Map (Details) 11-34 Add/Edit HTTP Map 11-35

Cisco ASA Series Firewall ASDM Configuration Guide

ICMP Inspection 11-39

ICMP Error Inspection 11-39

Instant Messaging Inspection 11-39

IM Inspection Overview 11-40 Adding a Class Map for IM Inspection 11-40 Select IM Map 11-41

IP Options Inspection 11-41

IP Options Inspection Overview 11-41 Configuring IP Options Inspection 11-42 Select IP Options Inspect Map 11-43 IP Options Inspect Map 11-44 Add/Edit IP Options Inspect Map 11-44

IPsec Pass Through Inspection 11-45

IPsec Pass Through Inspection Overview 11-45 Select IPsec-Pass-Thru Map 11-46 IPsec Pass Through Inspect Map 11-46 Add/Edit IPsec Pass Thru Policy Map (Security Level) 11-47 Add/Edit IPsec Pass Thru Policy Map (Details) 11-47

Contents

IPv6 Inspection 11-48

Information about IPv6 Inspection 11-48 Default Settings for IPv6 Inspection 11-48 (Optional) Configuring an IPv6 Inspection Policy Map 11-48 Configuring IPv6 Inspection 11-49

NetBIOS Inspection 11-50

NetBIOS Inspection Overview 11-50 Select NETBIOS Map 11-50 NetBIOS Inspect Map 11-51 Add/Edit NetBIOS Policy Map 11-51

PPTP Inspection 11-51

SMTP and Extended SMTP Inspection 11-52

SMTP and ESMTP Inspection Overview 11-52 Select ESMTP Map 11-53 ESMTP Inspect Map 11-54 MIME File Type Filtering 11-55 Add/Edit ESMTP Policy Map (Security Level) 11-55 Add/Edit ESMTP Policy Map (Details) 11-56 Add/Edit ESMTP Inspect 11-57

TFTP Inspection 11-60

Cisco ASA Series Firewall ASDM Configuration Guide

Contents

CHAPTER

12 Configuring Inspection for Voice and Video Protocols 12-1

CTIQBE Inspection 12-1

CTIQBE Inspection Overview 12-1 Limitations and Restrictions 12-2

H.323 Inspection 12-2

H.323 Inspection Overview 12-3 How H.323 Works 12-3 H.239 Support in H.245 Messages 12-4 Limitations and Restrictions 12-4 Select H.323 Map 12-5 H.323 Class Map 12-5 Add/Edit H.323 Traffic Class Map 12-6 Add/Edit H.323 Match Criterion 12-6 H.323 Inspect Map 12-7 Phone Number Filtering 12-8 Add/Edit H.323 Policy Map (Security Level) 12-8 Add/Edit H.323 Policy Map (Details) 12-9 Add/Edit HSI Group 12-11 Add/Edit H.323 Map 12-11

MGCP Inspection 12-12

MGCP Inspection Overview 12-12 Select MGCP Map 12-14 MGCP Inspect Map 12-14 Gateways and Call Agents 12-15 Add/Edit MGCP Policy Map 12-15 Add/Edit MGCP Group 12-16

RTSP Inspection 12-16

RTSP Inspection Overview 12-17 Using RealPlayer 12-17 Restrictions and Limitations 12-18 Select RTSP Map 12-18 RTSP Inspect Map 12-18 Add/Edit RTSP Policy Map 12-19 RTSP Class Map 12-19 Add/Edit RTSP Traffic Class Map 12-20

SIP Inspection 12-20

SIP Inspection Overview 12-21 SIP Instant Messaging 12-22 Select SIP Map 12-22

Cisco ASA Series Firewall ASDM Configuration Guide

SIP Class Map 12-23 Add/Edit SIP Traffic Class Map 12-24 Add/Edit SIP Match Criterion 12-24 SIP Inspect Map 12-26 Add/Edit SIP Policy Map (Security Level) 12-27 Add/Edit SIP Policy Map (Details) 12-28 Add/Edit SIP Inspect 12-30

Skinny (SCCP) Inspection 12-32

SCCP Inspection Overview 12-32 Supporting Cisco IP Phones 12-33 Restrictions and Limitations 12-33 Select SCCP (Skinny) Map 12-34 SCCP (Skinny) Inspect Map 12-34 Message ID Filtering 12-35 Add/Edit SCCP (Skinny) Policy Map (Security Level) 12-36 Add/Edit SCCP (Skinny) Policy Map (Details) 12-37 Add/Edit Message ID Filter 12-38

Contents

CHAPTER

13 Configuring Inspection of Database and Directory Protocols 13-1

ILS Inspection 13-1

SQL*Net Inspection 13-2

Sun RPC Inspection 13-3

Sun RPC Inspection Overview 13-3 SUNRPC Server 13-3 Add/Edit SUNRPC Service 13-4

14 Configuring Inspection for Management Application Protocols 14-1

DCERPC Inspection 14-1

DCERPC Overview 14-1 Select DCERPC Map 14-2 DCERPC Inspect Map 14-2 Add/Edit DCERPC Policy Map 14-3

GTP Inspection 14-4

GTP Inspection Overview 14-5 Select GTP Map 14-5 GTP Inspect Map 14-6 IMSI Prefix Filtering 14-7 Add/Edit GTP Policy Map (Security Level) 14-7 Add/Edit GTP Policy Map (Details) 14-8

Cisco ASA Series Firewall ASDM Configuration Guide

Contents

Add/Edit GTP Map 14-9

RADIUS Accounting Inspection 14-10

RADIUS Accounting Inspection Overview 14-11 Select RADIUS Accounting Map 14-11 Add RADIUS Accounting Policy Map 14-11 RADIUS Inspect Map 14-12 RADIUS Inspect Map Host 14-12 RADIUS Inspect Map Other 14-13

RSH Inspection 14-13

SNMP Inspection 14-13

SNMP Inspection Overview 14-14 Select SNMP Map 14-14 SNMP Inspect Map 14-14

XDMCP Inspection 14-15

PART

5 Configuring Unified Communications

CHAPTER

15 Information About Cisco Unified Communications Proxy Features 15-1

Information About the Adaptive Security Appliance in Cisco Unified Communications 15-1

TLS Proxy Applications in Cisco Unified Communications 15-3

Licensing for Cisco Unified Communications Proxy Features 15-4

CHAPTER

16 Using the Cisco Unified Communication Wizard 16-1

Information about the Cisco Unified Communication Wizard 16-1

Licensing Requirements for the Unified Communication Wizard 16-3

Guidelines and Limitations 16-4

Configuring the Phone Proxy by using the Unified Communication Wizard 16-4

Configuring the Private Network for the Phone Proxy 16-5 Configuring Servers for the Phone Proxy 16-6 Enabling Certificate Authority Proxy Function (CAPF) for IP Phones 16-8 Configuring the Public IP Phone Network 16-9 Configuring the Media Termination Address for Unified Communication Proxies 16-10

Configuring the Mobility Advantage by using the Unified Communication Wizard 16-11

Configuring the Topology for the Cisco Mobility Advantage Proxy 16-12 Configuring the Server-Side Certificates for the Cisco Mobility Advantage Proxy 16-12 Configuring the Client-Side Certificates for the Cisco Mobility Advantage Proxy 16-13

Configuring the Presence Federation Proxy by using the Unified Communication Wizard 16-14

Configuring the Topology for the Cisco Presence Federation Proxy 16-14

Cisco ASA Series Firewall ASDM Configuration Guide

Configuring the Local-Side Certificates for the Cisco Presence Federation Proxy 16-15 Configuring the Remote-Side Certificates for the Cisco Presence Federation Proxy 16-15

Configuring the UC-IME by using the Unified Communication Wizard 16-16

Configuring the Topology for the Cisco Intercompany Media Engine Proxy 16-17 Configuring the Private Network Settings for the Cisco Intercompany Media Engine Proxy 16-18 Adding a Cisco Unified Communications Manager Server for the UC-IME Proxy 16-20 Configuring the Public Network Settings for the Cisco Intercompany Media Engine Proxy 16-20 Configuring the Local-Side Certificates for the Cisco Intercompany Media Engine Proxy 16-21 Configuring the Remote-Side Certificates for the Cisco Intercompany Media Engine Proxy 16-22

Working with Certificates in the Unified Communication Wizard 16-23

Exporting an Identity Certificate 16-23 Installing a Certificate 16-23 Generating a Certificate Signing Request (CSR) for a Unified Communications Proxy 16-24 Saving the Identity Certificate Request 16-25 Installing the ASA Identity Certificate on the Mobility Advantage Server 16-26 Installing the ASA Identity Certificate on the Presence Federation and Cisco Intercompany Media

Engine Servers

16-26

Contents

CHAPTER

17 Configuring the Cisco Phone Proxy 17-1

Information About the Cisco Phone Proxy 17-1

Phone Proxy Functionality 17-1 Supported Cisco UCM and IP Phones for the Phone Proxy 17-3

Licensing Requirements for the Phone Proxy 17-4

Prerequisites for the Phone Proxy 17-6

Media Termination Instance Prerequisites 17-6 Certificates from the Cisco UCM 17-7 DNS Lookup Prerequisites 17-7 Cisco Unified Communications Manager Prerequisites 17-7 ACL Rules 17-7 NAT and PAT Prerequisites 17-8 Prerequisites for IP Phones on Multiple Interfaces 17-9 7960 and 7940 IP Phones Support 17-9 Cisco IP Communicator Prerequisites 17-10 Prerequisites for Rate Limiting TFTP Requests 17-10 End-User Phone Provisioning 17-11

Phone Proxy Guidelines and Limitations 17-12

Configuring the Phone Proxy 17-14

Task Flow for Configuring the Phone Proxy 17-14 Creating the CTL File 17-15

Cisco ASA Series Firewall ASDM Configuration Guide

Contents

Adding or Editing a Record Entry in a CTL File 17-16 Creating the Media Termination Instance 17-17 Creating the Phone Proxy Instance 17-18 Adding or Editing the TFTP Server for a Phone Proxy 17-20 Configuring Linksys Routers with UDP Port Forwarding for the Phone Proxy 17-21

Feature History for the Phone Proxy 17-22

CHAPTER

18 Configuring the TLS Proxy for Encrypted Voice Inspection 18-1

Information about the TLS Proxy for Encrypted Voice Inspection 18-1

Decryption and Inspection of Unified Communications Encrypted Signaling 18-2 Supported Cisco UCM and IP Phones for the TLS Proxy 18-3

Licensing for the TLS Proxy 18-4

Prerequisites for the TLS Proxy for Encrypted Voice Inspection 18-6

Configuring the TLS Proxy for Encrypted Voice Inspection 18-6

CTL Provider 18-6

Add/Edit CTL Provider 18-7 Configure TLS Proxy Pane 18-8 Adding a TLS Proxy Instance 18-9 Add TLS Proxy Instance Wizard – Server Configuration 18-9 Add TLS Proxy Instance Wizard – Client Configuration 18-10 Add TLS Proxy Instance Wizard – Other Steps 18-12 Edit TLS Proxy Instance – Server Configuration 18-13 Edit TLS Proxy Instance – Client Configuration 18-14

TLS Proxy 18-16

Feature History for the TLS Proxy for Encrypted Voice Inspection 18-17

CHAPTER

19 Configuring Cisco Mobility Advantage 19-1

Information about the Cisco Mobility Advantage Proxy Feature 19-1

Cisco Mobility Advantage Proxy Functionality 19-1 Mobility Advantage Proxy Deployment Scenarios 19-2 Trust Relationships for Cisco UMA Deployments 19-4

Licensing for the Cisco Mobility Advantage Proxy Feature 19-6

Configuring Cisco Mobility Advantage 19-6

Task Flow for Configuring Cisco Mobility Advantage 19-7

Feature History for Cisco Mobility Advantage 19-7

20 Configuring Cisco Unified Presence 20-1

Information About Cisco Unified Presence 20-1

Cisco ASA Series Firewall ASDM Configuration Guide

Architecture for Cisco Unified Presence for SIP Federation Deployments 20-1 Trust Relationship in the Presence Federation 20-4 Security Certificate Exchange Between Cisco UP and the Security Appliance 20-5 XMPP Federation Deployments 20-5 Configuration Requirements for XMPP Federation 20-6

Licensing for Cisco Unified Presence 20-7

Configuring Cisco Unified Presence Proxy for SIP Federation 20-8

Task Flow for Configuring Cisco Unified Presence Federation Proxy for SIP Federation 20-9

Feature History for Cisco Unified Presence 20-9

Contents

CHAPTER

21 Configuring Cisco Intercompany Media Engine Proxy 21-1

Information About Cisco Intercompany Media Engine Proxy 21-1

Features of Cisco Intercompany Media Engine Proxy 21-1 How the UC-IME Works with the PSTN and the Internet 21-2 Tickets and Passwords 21-3 Call Fallback to the PSTN 21-5 Architecture and Deployment Scenarios for Cisco Intercompany Media Engine 21-5

Licensing for Cisco Intercompany Media Engine 21-8

Guidelines and Limitations 21-9

Configuring Cisco Intercompany Media Engine Proxy 21-11

Task Flow for Configuring Cisco Intercompany Media Engine 21-11 Configuring NAT for Cisco Intercompany Media Engine Proxy 21-12 Configuring PAT for the Cisco UCM Server 21-14 Creating ACLs for Cisco Intercompany Media Engine Proxy 21-16 Creating the Media Termination Instance 21-17 Creating the Cisco Intercompany Media Engine Proxy 21-18 Creating Trustpoints and Generating Certificates 21-21 Creating the TLS Proxy 21-24 Enabling SIP Inspection for the Cisco Intercompany Media Engine Proxy 21-25 (Optional) Configuring TLS within the Local Enterprise 21-27 (Optional) Configuring Off Path Signaling 21-30 Configuring the Cisco UC-IMC Proxy by using the UC-IME Proxy Pane 21-31 Configuring the Cisco UC-IMC Proxy by using the Unified Communications Wizard 21-33

Feature History for Cisco Intercompany Media Engine Proxy 21-37

PART

6 Configuring Connection Settings and QoS

Cisco ASA Series Firewall ASDM Configuration Guide

Contents

CHAPTER

22 Configuring Connection Settings 22-1

Information About Connection Settings 22-1

TCP Intercept and Limiting Embryonic Connections 22-2 Disabling TCP Intercept for Management Packets for Clientless SSL Compatibility 22-2 Dead Connection Detection (DCD) 22-2 TCP Sequence Randomization 22-3 TCP Normalization 22-3 TCP State Bypass 22-3

Licensing Requirements for Connection Settings 22-4

Guidelines and Limitations 22-5

Default Settings 22-5

Configuring Connection Settings 22-6

Task Flow For Configuring Connection Settings 22-6 Customizing the TCP Normalizer with a TCP Map 22-6 Configuring Connection Settings 22-8 Configuring Global Timeouts 22-9

Feature History for Connection Settings 22-11

CHAPTER

23 Configuring QoS 23-1

Information About QoS 23-1

Supported QoS Features 23-2 What is a Token Bucket? 23-2 Information About Policing 23-3 Information About Priority Queuing 23-3 Information About Traffic Shaping 23-4 How QoS Features Interact 23-4 DSCP and DiffServ Preservation 23-5

Licensing Requirements for QoS 23-5

Guidelines and Limitations 23-5

Configuring QoS 23-6

Determining the Queue and TX Ring Limits for a Standard Priority Queue 23-7 Configuring the Standard Priority Queue for an Interface 23-8 Configuring a Service Rule for Standard Priority Queuing and Policing 23-9 Configuring a Service Rule for Traffic Shaping and Hierarchical Priority Queuing 23-10

Monitoring QoS 23-11

Viewing QoS Police Statistics 23-12 Viewing QoS Standard Priority Statistics 23-12 Viewing QoS Shaping Statistics 23-13

Cisco ASA Series Firewall ASDM Configuration Guide

Viewing QoS Standard Priority Queue Statistics 23-13

Feature History for QoS 23-14

Contents

CHAPTER

24 Troubleshooting Connections and Resources 24-1

Testing Your Configuration 24-1

Pinging ASA Interfaces 24-1 Verifying ASA Configuration and Operation, and Testing Interfaces Using Ping 24-3 Determining Packet Routing with Traceroute 24-6 Tracing Packets with Packet Tracer 24-7

Monitoring Performance 24-8

Monitoring System Resources 24-9

Blocks 24-9 CPU 24-10 Memory 24-10

Monitoring Connections 24-11

Monitoring Per-Process CPU Usage 24-12

PART

7 Configuring Advanced Network Protection

CHAPTER

25 Configuring the ASA for Cisco Cloud Web Security 25-1

Information About Cisco Cloud Web Security 25-2

Redirection of Web Traffic to Cloud Web Security 25-2 User Authentication and Cloud Web Security 25-2 Authentication Keys 25-3 ScanCenter Policy 25-4 Cloud Web Security Actions 25-5 Bypassing Scanning with Whitelists 25-6 IPv4 and IPv6 Support 25-6 Failover from Primary to Backup Proxy Server 25-6

Licensing Requirements for Cisco Cloud Web Security 25-6

Prerequisites for Cloud Web Security 25-7

Guidelines and Limitations 25-7

Default Settings 25-8

Configuring Cisco Cloud Web Security 25-8

Configuring Communication with the Cloud Web Security Proxy Server 25-8 (Multiple Context Mode) Allowing Cloud Web Security Per Security Context 25-10 Configuring a Service Policy to Send Traffic to Cloud Web Security 25-10 (Optional) Configuring Whitelisted Traffic 25-23

Cisco ASA Series Firewall ASDM Configuration Guide

Contents

(Optional) Configuring the User Identity Monitor 25-25 Configuring the Cloud Web Security Policy 25-26

Monitoring Cloud Web Security 25-26

About This Guide

This preface introduces Cisco ASA Series Firewall ASDM Configuration Guide and includes the following sections:

• Document Objectives, page 3

• Related Documentation, page 3

• Conventions, page 4

• Obtaining Documentation and Submitting a Service Request, page 4

Document Objectives

The purpose of this guide is to help you configure the firewall features for ASA using ASDM. This guide does not cover every feature, but describes only the most common configuration scenarios.

This guide applies to the Cisco ASA series. Throughout this guide, the term “ASA” applies generically to supported models, unless specified otherwise.

Note ASDM supports many ASA versions. The ASDM documentation and online help includes all of the

latest features supported by the ASA. If you are running an older version of ASA software, the documentation might include features that are not supported in your version. Similarly, if a feature was added into a maintenance release for an older major or minor version, then the ASDM documentation includes the new feature even though that feature might not be available in all later ASA releases. Please refer to the feature history table for each chapter to determine when features were added. For the minimum supported version of ASDM for each ASA version, see Cisco ASA Series Compatibility.

Configuring Service Policies

CHA PTER

Configuring a Service Policy

Service policies provide a consistent and flexible way to configure ASA features. For example, you can use a service policy to create a timeout configuration that is specific to a particular TCP application, as opposed to one that applies to all TCP applications. A service policy consists of multiple service policy rules applied to an interface or applied globally.

This chapter includes the following sections:

• Information About Service Policies, page 1-1

• Licensing Requirements for Service Policies, page 1-5

• Guidelines and Limitations, page 1-6

• Default Settings, page 1-7

• Task Flows for Configuring Service Policies, page 1-8

• Adding a Service Policy Rule for Through Traffic, page 1-8

• Adding a Service Policy Rule for Management Traffic, page 1-13

• Managing the Order of Service Policy Rules, page 1-15

• Feature History for Service Policies, page 1-17

Information About Service Policies

This section describes how service policies work and includes the following topics:

• Supported Features, page 1-1

• Feature Directionality, page 1-2

• Feature Matching Within a Service Policy, page 1-3

• Order in Which Multiple Feature Actions are Applied, page 1-4

• Incompatibility of Certain Feature Actions, page 1-5

• Feature Matching for Multiple Service Policies, page 1-5

Supported Features

Table 1 -1 lists the features supported by service policy rules.

Cisco ASA Series Firewall ASDM Configuration Guide

1-1

Information About Service Policies

Table 1-1 Service Policy Rule Features

Chapter 1 Configuring a Service Policy

Feature

Application inspection (multiple types)

ASA CSC

ASA IPS

ASA CX

NetFlow Secure Event Logging filtering

QoS input and output policing

QoS standard priority queue

QoS traffic shaping, hierarchical priority queue

TCP and UDP connection limits and timeouts, and TCP sequence number randomization

TCP normalization

TCP state bypass

User statistics for Identity Firewall

For Through Traffic?

All except RADIUS accounting

For Management Traffic? See:

RADIUS

• Chapter 10, “Getting Started with Application

accounting only

• Chapter 11, “Configuring Inspection of Basic

Layer Protocol Inspection.”

Internet Protocols.”

• Chapter 12, “Configuring Inspection for Voice

and Video Protocols.”

• Chapter 13, “Configuring Inspection of Database

and Directory Protocols.”

• Chapter 14, “Configuring Inspection for

Management Application Protocols.”

• Chapter 25, “Configuring the ASA for Cisco

Cloud Web Security.”

Ye s No Chapter 32, “Configuring the ASA CSC Module.”

Ye s No Chapter 31, “Configuring the ASA IPS Module.”

Ye s No Chapter 30, “Configuring the ASA CX Module.”

Ye s Ye s Chapter 43, “Configuring NetFlow Secure Event

Logging (NSEL),” in the general operations

configuration guide.

Ye s No Chapter 23, “Configuring QoS.”

Ye s Ye s Chapter 23, “Configuring QoS.”

Ye s Ye s Chapter 22, “Configuring Connection Settings.”

Ye s No Chapter 22, “Configuring Connection Settings.”

Ye s Ye s See the user-statistics command in the command

reference.

Feature Directionality

Actions are applied to traffic bidirectionally or unidirectionally depending on the feature. For features that are applied bidirectionally, all traffic that enters or exits the interface to which you apply the policy map is affected if the traffic matches the class map for both directions.

Cisco ASA Series Firewall ASDM Configuration Guide

1-2

Chapter 1 Configuring a Service Policy

Note When you use a global policy, all features are unidirectional; features that are normally bidirectional

when applied to a single interface only apply to the ingress of each interface when applied globally. Because the policy is applied to all interfaces, the policy will be applied in both directions so bidirectionality in this case is redundant.

For features that are applied unidirectionally, for example QoS priority queue, only traffic that enters (or exits, depending on the feature) the interface to which you apply the policy map is affected. See

Table 1 -2 for the directionality of each feature.

Table 1-2 Feature Directionality

Feature Single Interface Direction Global Direction

Application inspection (multiple types) Bidirectional Ingress

ASA CSC Bidirectional Ingress

ASA CX Bidirectional Ingress

ASA CX authentication proxy Ingress Ingress

ASA IPS Bidirectional Ingress

NetFlow Secure Event Logging filtering N/A Ingress

QoS input policing Ingress Ingress

QoS output policing Egress Egress

QoS standard priority queue Egress Egress

QoS traffic shaping, hierarchical priority queue

TCP and UDP connection limits and timeouts, and TCP sequence number randomization

TCP normalization Bidirectional Ingress

TCP state bypass Bidirectional Ingress

User statistics for Identity Firewall Bidirectional Ingress

Information About Service Policies

Egress Egress

Bidirectional Ingress

Feature Matching Within a Service Policy

See the following information for how a packet matches rules in a policy for a given interface:

1. A packet can match only one rule for an interface for each feature type.

2. When the packet matches a rule for a feature type, the ASA does not attempt to match it to any

subsequent rules for that feature type.

3. If the packet matches a subsequent rule for a different feature type, however, then the ASA also

applies the actions for the subsequent rule, if supported. See the “Incompatibility of Certain Feature

Actions” section on page 1-5 for more information about unsupported combinations.

Note Application inspection includes multiple inspection types, and most are mutually exclusive.

For inspections that can be combined, each inspection is considered to be a separate feature.

Cisco ASA Series Firewall ASDM Configuration Guide

1-3

Information About Service Policies

For example, if a packet matches a rule for connection limits, and also matches a rule for an application inspection, then both actions are applied.

If a packet matches a rulefor HTTP inspection, but also matches another rule that includes HTTP inspection, then the second rule actions are not applied.

If a packet matches a rulefor HTTP inspection, but also matches another rule that includes FTP inspection, then the second rule actions are not applied because HTTP and FTP inspections cannpt be combined.

If a packet matches a rule for HTTP inspection, but also matches another rule that includes IPv6 inspection, then both actions are applied because the IPv6 inspection can be combined with any other type of inspection.

Order in Which Multiple Feature Actions are Applied

The order in which different types of actions in a service policy are performed is independent of the order in which the actions appear in the table.

Chapter 1 Configuring a Service Policy

Note NetFlow Secure Event Logging filtering and User statistics for Identity Firewall are order-independent.

Actions are performed in the following order:

1. QoS input policing

2. TCP normalization, TCP and UDP connection limits and timeouts, TCP sequence number

randomization, and TCP state bypass.

Note When a the ASA performs a proxy service (such as AAA or CSC) or it modifies the TCP payload

(such as FTP inspection), the TCP normalizer acts in dual mode, where it is applied before and after the proxy or payload modifying service.

3. ASA CSC

4. Application inspections that can be combined with other inspections:

a. IPv6

b. IP options

c. WAAS

5. Application inspections that cannot be combined with other inspections. See the “Incompatibility of

Certain Feature Actions” section on page 1-5 for more information.

6. ASA IPS

7. ASA CX

1-4

8. QoS output policing

9. QoS standard priority queue

10. QoS traffic shaping, hierarchical priority queue

Cisco ASA Series Firewall ASDM Configuration Guide

+ 724 hidden pages

Cisco ASA 5545-X, ASA Services Module, ASA 5580, ASA 5585-X, ASA 5555-X User Manual

CONTENTS

About This Guide

Configuring Service Policies

Configuring a Service Policy

Information About Service Policies

Supported Features

Feature Directionality

Feature Matching Within a Service Policy

Order in Which Multiple Feature Actions are Applied