Cisco ASA Series Firewall ASDM
Configuration Guide
Software Version 7.1
For the ASA 5505, ASA 5510, ASA 5520, ASA 5540, ASA 5550, ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, ASA 5580, ASA 5585-X, and the ASA Services Module
Released: December 3, 2012
Updated: March 31, 2014
Cisco Systems, Inc.
www.cisco.com
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices.
Text Part Number: N/A, Online only
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
Cisco ASA Series Firewall ASDM Configuration Guide
Copyright © 2012-2014 Cisco Systems, Inc. All rights reserved.
C O N T E N T S
About This Guide |
21 |
|
Document Objectives |
21 |
|
Related Documentation |
21 |
|
Conventions |
22 |
|
|
|
Obtaining Documentation and Submitting a Service Request |
22 |
||
|
|
|
|
|
|
|
|
Configuring Service Policies |
|
|
|
P A R T 1 |
|
|
|
||
|
|
Configuring a Service Policy |
|
|
|
C H A P T E R 1 |
1-1 |
|
|
||
|
|
Information About Service Policies 1-1 |
|
|
|
|
|
Supported Features 1-1 |
|
|
|
|
|
Feature Directionality |
1-2 |
|
|
|
|
Feature Matching Within a Service Policy |
1-3 |
|
|
|
|
Order in Which Multiple Feature Actions are Applied |
1-4 |
||
|
|
Incompatibility of Certain Feature Actions |
1-5 |
|
|
|
|
Feature Matching for Multiple Service Policies 1-5 |
|
||
|
|
Licensing Requirements for Service Policies |
1-5 |
|
|
|
|
Guidelines and Limitations |
1-6 |
|
|
|
|
Default Settings 1-7 |
|
|
|
|
|
Default Configuration |
1-7 |
|
|
|
|
Default Traffic Classes |
1-8 |
|
|
|
Task Flows for Configuring Service Policies |
1-8 |
|
|
Task Flow for Configuring a Service Policy Rule |
1-8 |
|
|
Adding a Service Policy Rule for Through Traffic 1-8 |
|
|
|
Adding a Service Policy Rule for Management Traffic |
1-13 |
|
|
Configuring a Service Policy Rule for Management Traffic 1-13 |
||
|
Managing the Order of Service Policy Rules |
1-15 |
|
|
Feature History for Service Policies 1-17 |
|
|
|
Configuring Special Actions for Application Inspections (Inspection Policy Map) 2-1 |
||
C H A P T E R 2 |
|||
|
Information About Inspection Policy Maps |
2-1 |
|
|
Guidelines and Limitations 2-2 |
|
|
|
Default Inspection Policy Maps 2-2 |
|
|
Cisco ASA Series Firewall ASDM Configuration Guide
1
Contents
Defining Actions in an Inspection Policy Map |
2-3 |
Identifying Traffic in an Inspection Class Map |
2-3 |
Where to Go Next 2-4 |
|
|
|
Feature History for Inspection Policy Maps |
2-4 |
|
|
|
|
|
|
Configuring Network Address Translation |
|
P A R T 2 |
|
||
|
|
Information About NAT (ASA 8.3 and Later) |
|
C H A P T E R 3 |
3-1 |
||
|
|
Why Use NAT? 3-1 |
|
|
|
NAT Terminology 3-2 |
|
|
|
NAT Types 3-3 |
|
NAT Types Overview |
3-3 |
|
|
|
|
||
Static NAT |
|
3-3 |
|
|
|
|
|
Dynamic NAT |
3-8 |
|
|
|
|
|
|
Dynamic PAT |
3-10 |
|
|
|
|
|
|
Identity NAT |
3-12 |
|
|
|
|
|
|
NAT in Routed and Transparent Mode |
3-12 |
|
|||||
NAT in Routed Mode |
3-13 |
|
|
|
|
||
NAT in Transparent Mode |
3-13 |
|
|
||||
NAT and IPv6 |
3-15 |
|
|
|
|
|
|
How NAT is Implemented |
3-15 |
|
|
|
|
||
Main Differences Between Network Object NAT and Twice NAT |
3-15 |
||||||
Information About Network Object NAT 3-16 |
|
||||||
Information About Twice NAT |
3-16 |
|
|||||
NAT Rule Order |
|
3-20 |
|
|
|
|
|
NAT Interfaces |
3-21 |
|
|
|
|
|
|
Routing NAT Packets 3-21 |
|
|
|
|
|
||
Mapped Addresses and Routing |
|
3-22 |
|
||||
Transparent Mode Routing Requirements for Remote Networks |
3-24 |
||||||
Determining the Egress Interface |
3-24 |
|
|||||
NAT for VPN |
3-24 |
|
|
|
|
|
|
NAT and Remote Access VPN |
3-25 |
|
|||||
NAT and Site-to-Site VPN |
3-26 |
|
|
|
|||
NAT and VPN Management Access 3-28 |
|
||||||
Troubleshooting NAT and VPN |
|
3-30 |
|
||||
DNS and NAT |
3-30 |
|
|
|
|
|
|
Where to Go Next |
3-35 |
|
|
|
|
|
Cisco ASA Series Firewall ASDM Configuration Guide
2
Contents
C H A P T E R 4 |
Configuring Network Object NAT (ASA 8.3 and Later) 4-1 |
|
|
Information About Network Object NAT |
4-1 |
|
Licensing Requirements for Network Object NAT 4-2 |
|
|
Prerequisites for Network Object NAT |
4-2 |
|
Guidelines and Limitations 4-2 |
|
|
Default Settings 4-3 |
|
|
Configuring Network Object NAT |
4-4 |
|
|
|||
|
Configuring Dynamic NAT or Dynamic PAT Using a PAT Pool |
4-4 |
|||||
|
Configuring Dynamic PAT (Hide) |
4-8 |
|
||||
|
Configuring Static NAT or Static NAT-with-Port-Translation |
4-11 |
|||||
|
Configuring Identity NAT |
4-15 |
|
|
|||
|
Configuring Per-Session PAT Rules |
4-18 |
|
||||
|
Monitoring Network Object NAT |
4-19 |
|
|
|||
|
Configuration Examples for Network Object NAT 4-20 |
|
|||||
|
Providing Access to an Inside Web Server (Static NAT) 4-21 |
|
|||||
|
NAT for Inside Hosts (Dynamic NAT) and NAT for an Outside Web Server (Static NAT) 4-23 |
||||||
|
Inside Load Balancer with Multiple Mapped Addresses (Static NAT, One-to-Many) 4-28 |
||||||
|
Single Address for FTP, HTTP, and SMTP (Static NAT-with-Port-Translation) 4-32 |
||||||
|
DNS Server on Mapped Interface, Web Server on Real Interface (Static NAT with DNS |
||||||
|
Modification) |
4-35 |
|
|
|
|
|
|
DNS Server and FTP Server on Mapped Interface, FTP Server is Translated (Static NAT with DNS |
||||||
|
Modification) |
4-38 |
|
|
|
|
|
|
IPv4 DNS Server and FTP Server on Mapped Interface, IPv6 Host on Real Interface (Static NAT64 with |
||||||
|
DNS64 Modification) |
4-40 |
|
|
|
||
|
Feature History for Network Object NAT 4-45 |
|
|||||
|
Configuring Twice NAT (ASA 8.3 and Later) 5-1 |
|
|||||
C H A P T E R 5 |
|
||||||
|
Information About Twice NAT |
|
5-1 |
|
|
||
|
Licensing Requirements for Twice NAT |
5-2 |
|
||||
|
Prerequisites for Twice NAT |
|
5-2 |
|
|
||
|
Guidelines and Limitations |
5-2 |
|
|
|
||
|
Default Settings |
5-4 |
|
|
|
|
|
|
Configuring Twice NAT 5-4 |
|
|
|
|
||
|
Configuring Dynamic NAT or Dynamic PAT Using a PAT Pool |
5-4 |
|||||
|
Configuring Dynamic PAT (Hide) |
5-12 |
|
||||
|
Configuring Static NAT or Static NAT-with-Port-Translation |
5-18 |
|||||
|
Configuring Identity NAT |
5-24 |
|
|
|||
|
Configuring Per-Session PAT Rules |
5-29 |
|
Cisco ASA Series Firewall ASDM Configuration Guide
3
Contents
|
Monitoring Twice NAT |
5-29 |
|
|
||
|
Configuration Examples for Twice NAT |
5-30 |
||||
|
Different Translation Depending on the Destination (Dynamic PAT) 5-30 |
|||||
|
Different Translation Depending on the Destination Address and Port (Dynamic PAT) 5-39 |
|||||
|
Feature History for Twice NAT |
5-48 |
|
|||
|
Configuring NAT (ASA 8.2 and Earlier) |
|
||||
C H A P T E R 6 |
6-1 |
|||||
|
NAT Overview |
6-1 |
|
|
|
|
|
Introduction to NAT |
6-1 |
|
|
||
|
NAT in Routed Mode |
6-2 |
|
|
||
|
NAT in Transparent Mode |
6-3 |
|
|||
|
NAT Control |
6-4 |
|
|
|
|
|
NAT Types |
6-6 |
|
|
|
|
|
Policy NAT |
6-11 |
|
|
|
|
|
NAT and Same Security Level Interfaces 6-13 |
|||||
|
Order of NAT Rules Used to Match Real Addresses 6-14 |
|||||
|
Mapped Address Guidelines |
6-14 |
|
|||
|
DNS and NAT |
6-14 |
|
|
|
|
|
Configuring NAT Control |
6-16 |
|
|
||
|
Using Dynamic NAT |
6-17 |
|
|
|
|
Dynamic NAT Implementation |
6-17 |
|
|
|||
|
|
Managing Global Pools |
6-22 |
|
|
|
|
|
|
|
Configuring Dynamic NAT, PAT, or Identity NAT |
6-23 |
|||||
|
|
Configuring Dynamic Policy NAT or PAT |
6-25 |
|
||||
|
|
Using Static NAT 6-27 |
|
|
|
|
|
|
|
|
Configuring Static NAT, PAT, or Identity NAT |
6-28 |
|||||
|
|
Configuring Static Policy NAT, PAT, or Identity NAT 6-31 |
||||||
|
|
Using NAT Exemption |
6-33 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Configuring Access Control |
|
|
|
|
|
|
P A R T 3 |
|
|
|
|
|
|||
|
|
Configuring Access Rules |
|
|
|
|
|
|
C H A P T E R 7 |
7-1 |
|
|
|
|
|||
|
|
Information About Access Rules |
7-1 |
|
|
|
||
|
|
General Information About Rules |
7-2 |
|
|
|||
|
|
Information About Access Rules |
7-5 |
|
|
|||
|
|
Information About EtherType Rules |
7-6 |
|
||||
|
|
Licensing Requirements for Access Rules |
7-7 |
|
||||
|
|
Guidelines and Limitations |
7-7 |
|
|
|
|
Cisco ASA Series Firewall ASDM Configuration Guide
4
Contents
|
|
|
Default Settings |
7-7 |
|
|
|
|
|
|
|
|
|
|
|
|
Configuring Access Rules |
7-8 |
|
|
|
|
|
|
|||
|
|
|
Adding an Access Rule |
|
7-8 |
|
|
|
|
|
|
||
|
|
|
Adding an EtherType Rule (Transparent Mode Only) |
7-9 |
|
|
|||||||
|
|
|
Configuring Management Access Rules |
|
7-10 |
|
|
|
|||||
|
|
|
Advanced Access Rule Configuration |
7-11 |
|
|
|
|
|||||
|
|
|
Configuring HTTP Redirect |
|
7-12 |
|
|
|
|
|
|
||
|
|
|
Feature History for Access Rules |
|
7-14 |
|
|
|
|
|
|
||
|
|
|
Configuring AAA Rules for Network Access |
|
|
|
|
||||||
C H A P T E R |
8 |
8-1 |
|
|
|
||||||||
|
|
|
AAA Performance |
8-1 |
|
|
|
|
|
|
|
|
|
|
|
|
Licensing Requirements for AAA Rules |
8-1 |
|
|
|
|
|||||
|
|
|
Guidelines and Limitations |
8-2 |
|
|
|
|
|
|
|
|
|
|
|
|
Configuring Authentication for Network Access |
8-2 |
|
|
|
||||||
|
|
|
Information About Authentication |
8-2 |
|
|
|
|
|
||||
|
|
|
Configuring Network Access Authentication |
8-6 |
|
|
|
||||||
|
|
|
Enabling the Redirection Method of Authentication for HTTP and HTTPS |
8-7 |
|||||||||
|
|
|
Enabling Secure Authentication of Web Clients 8-8 |
|
|
|
|||||||
|
|
|
Authenticating Directly with the ASA |
8-9 |
|
|
|
|
|||||
|
|
|
Configuring the Authentication Proxy Limit |
8-11 |
|
|
|
||||||
|
|
|
Configuring Authorization for Network Access |
8-12 |
|
|
|
||||||
|
|
|
Configuring TACACS+ Authorization |
8-12 |
|
|
|
|
|||||
|
|
|
Configuring RADIUS Authorization |
8-13 |
|
|
|
|
|||||
|
|
|
Configuring Accounting for Network Access |
8-17 |
|
|
|
||||||
|
|
|
Using MAC Addresses to Exempt Traffic from Authentication and Authorization |
8-19 |
|||||||||
|
|
|
Feature History for AAA Rules |
8-20 |
|
|
|
|
|
|
|||
|
|
|
Configuring Public Servers |
|
|
|
|
|
|
|
|
|
|
C H A P T E R |
9 |
9-1 |
|
|
|
|
|
|
|
|
|||
|
|
|
Information About Public Servers |
|
9-1 |
|
|
|
|
|
|
||
|
|
|
Licensing Requirements for Public Servers |
9-1 |
|
|
|
|
|||||
|
|
|
Guidelines and Limitations |
9-1 |
|
|
|
|
|
|
|
|
|
|
|
|
Adding a Public Server that Enables Static NAT |
9-2 |
|
|
|
||||||
|
|
|
Adding a Public Server that Enables Static NAT with PAT |
9-2 |
|
|
|||||||
|
|
|
Editing Settings for a Public Server |
9-3 |
|
|
|
|
|
|
|||
|
|
|
Feature History for Public Servers |
9-4 |
|
|
|
|
|
|
|||
|
|
|
|
|
|
|
|
|
|
|
|||
|
|
|
Configuring Application Inspection |
|
|
|
|
|
|
|
|||
P A R T 4 |
|
|
|
|
|
|
|
|
Cisco ASA Series Firewall ASDM Configuration Guide
5
Contents
C H A P T E R |
10 |
Getting Started with Application Layer Protocol Inspection 10-1 |
||||||||
|
|
Information about Application Layer Protocol Inspection 10-1 |
||||||||
|
|
How Inspection Engines Work |
10-1 |
|
|
|||||
|
|
When to Use Application Protocol Inspection |
10-2 |
|||||||
|
|
Guidelines and Limitations |
10-3 |
|
|
|
|
|
||
|
|
Default Settings and NAT Limitations |
10-4 |
|
|
|||||
|
|
Configuring Application Layer Protocol Inspection |
10-7 |
|||||||
|
|
Configuring Inspection of Basic Internet Protocols |
|
|||||||
C H A P T E R |
11 |
11-1 |
||||||||
|
|
DNS Inspection |
11-1 |
|
|
|
|
|
|
|
|
|
Information About DNS Inspection |
11-2 |
|
|
|||||
|
|
Default Settings for DNS Inspection |
11-2 |
|
|
|||||
|
|
(Optional) Configuring a DNS Inspection Policy Map and Class Map 11-3 |
||||||||
|
|
Configuring DNS Inspection |
11-16 |
|
|
|
||||
|
|
FTP Inspection |
11-17 |
|
|
|
|
|
|
|
|
|
FTP Inspection Overview |
11-17 |
|
|
|
|
|||
|
|
Using Strict FTP |
11-17 |
|
|
|
|
|
|
|
|
|
Select FTP Map |
11-18 |
|
|
|
|
|
|
|
|
|
FTP Class Map 11-19 |
|
|
|
|
|
|
||
|
|
Add/Edit FTP Traffic Class Map |
11-19 |
|
|
|||||
|
|
Add/Edit FTP Match Criterion |
|
11-20 |
|
|
||||
|
|
FTP Inspect Map |
11-21 |
|
|
|
|
|
|
|
|
|
File Type Filtering |
11-22 |
|
|
|
|
|
||
|
|
Add/Edit FTP Policy Map (Security Level) |
11-22 |
|||||||
|
|
Add/Edit FTP Policy Map (Details) |
11-23 |
|
|
|||||
|
|
Add/Edit FTP Map |
11-24 |
|
|
|
|
|
||
|
|
Verifying and Monitoring FTP Inspection |
11-25 |
|||||||
|
|
HTTP Inspection |
11-26 |
|
|
|
|
|
|
|
|
|
HTTP Inspection Overview |
11-26 |
|
|
|
||||
|
|
Select HTTP Map |
11-26 |
|
|
|
|
|
||
|
|
HTTP Class Map |
11-27 |
|
|
|
|
|
|
|
|
|
Add/Edit HTTP Traffic Class Map |
11-27 |
|
|
|||||
|
|
Add/Edit HTTP Match Criterion |
11-28 |
|
|
|||||
|
|
HTTP Inspect Map |
11-32 |
|
|
|
|
|
||
|
|
URI Filtering |
11-33 |
|
|
|
|
|
|
|
|
|
Add/Edit HTTP Policy Map (Security Level) |
11-33 |
|||||||
|
|
Add/Edit HTTP Policy Map (Details) |
11-34 |
|
|
|||||
|
|
Add/Edit HTTP Map 11-35 |
|
|
|
|
|
Cisco ASA Series Firewall ASDM Configuration Guide
6
Contents
ICMP Inspection |
11-39 |
|
|
|
|
|
|
|
|
ICMP Error Inspection |
11-39 |
|
|
|
|
|
|
||
Instant Messaging Inspection |
11-39 |
|
|
|
|
||||
IM Inspection Overview |
11-40 |
|
|
|
|
||||
Adding a Class Map for IM Inspection |
11-40 |
|
|
||||||
Select IM Map |
11-41 |
|
|
|
|
|
|
||
IP Options Inspection |
11-41 |
|
|
|
|
|
|
||
IP Options Inspection Overview |
11-41 |
|
|
|
|||||
Configuring IP Options Inspection |
11-42 |
|
|
||||||
Select IP Options Inspect Map |
11-43 |
|
|
|
|||||
IP Options Inspect Map |
11-44 |
|
|
|
|
|
|||
Add/Edit IP Options Inspect Map |
11-44 |
|
|
||||||
IPsec Pass Through Inspection |
11-45 |
|
|
|
|
||||
IPsec Pass Through Inspection Overview |
11-45 |
|
|||||||
Select IPsec-Pass-Thru Map |
11-46 |
|
|
|
|||||
IPsec Pass Through Inspect Map |
11-46 |
|
|
|
|||||
Add/Edit IPsec Pass Thru Policy Map (Security Level) |
11-47 |
||||||||
Add/Edit IPsec Pass Thru Policy Map (Details) |
11-47 |
|
|||||||
IPv6 Inspection |
11-48 |
|
|
|
|
|
|
|
|
Information about IPv6 Inspection |
11-48 |
|
|
||||||
Default Settings for IPv6 Inspection |
11-48 |
|
|
||||||
(Optional) Configuring an IPv6 Inspection Policy Map |
11-48 |
||||||||
Configuring IPv6 Inspection 11-49 |
|
|
|
|
|||||
NetBIOS Inspection |
11-50 |
|
|
|
|
|
|
||
NetBIOS Inspection Overview |
11-50 |
|
|
|
|||||
Select NETBIOS Map |
11-50 |
|
|
|
|
|
|||
NetBIOS Inspect Map |
11-51 |
|
|
|
|
|
|||
Add/Edit NetBIOS Policy Map |
11-51 |
|
|
|
|||||
PPTP Inspection |
11-51 |
|
|
|
|
|
|
|
|
SMTP and Extended SMTP Inspection |
11-52 |
|
|
||||||
SMTP and ESMTP Inspection Overview |
11-52 |
|
|
||||||
Select ESMTP Map |
11-53 |
|
|
|
|
|
|||
ESMTP Inspect Map |
11-54 |
|
|
|
|
|
|||
MIME File Type Filtering |
11-55 |
|
|
|
|
||||
Add/Edit ESMTP Policy Map (Security Level) |
11-55 |
|
|||||||
Add/Edit ESMTP Policy Map (Details) |
11-56 |
|
|
||||||
Add/Edit ESMTP Inspect |
11-57 |
|
|
|
|
||||
TFTP Inspection |
11-60 |
|
|
|
|
|
|
|
Cisco ASA Series Firewall ASDM Configuration Guide
7
Contents
C H A P T E R 12 |
Configuring Inspection for Voice and Video Protocols 12-1 |
||||||
|
CTIQBE Inspection |
12-1 |
|
|
|
||
|
CTIQBE Inspection Overview |
12-1 |
|
||||
|
Limitations and Restrictions |
12-2 |
|
||||
|
H.323 Inspection |
12-2 |
|
|
|
|
|
|
H.323 Inspection Overview |
12-3 |
|
||||
|
How H.323 Works |
12-3 |
|
|
|
||
|
H.239 Support in H.245 Messages |
12-4 |
|||||
|
Limitations and Restrictions |
12-4 |
|
||||
|
Select H.323 Map |
12-5 |
|
|
|
||
|
H.323 Class Map |
12-5 |
|
|
|
||
|
Add/Edit H.323 Traffic Class Map |
12-6 |
|||||
|
Add/Edit H.323 Match Criterion 12-6 |
||||||
|
H.323 Inspect Map |
12-7 |
|
|
|||
|
Phone Number Filtering |
12-8 |
|
||||
|
Add/Edit H.323 Policy Map (Security Level) 12-8 |
||||||
|
Add/Edit H.323 Policy Map (Details) |
12-9 |
|||||
|
Add/Edit HSI Group |
12-11 |
|
|
|||
|
Add/Edit H.323 Map 12-11 |
|
|
||||
|
MGCP Inspection |
|
12-12 |
|
|
|
|
|
MGCP Inspection Overview |
12-12 |
|
||||
|
Select MGCP Map |
12-14 |
|
|
|||
|
MGCP Inspect Map |
12-14 |
|
|
|||
|
Gateways and Call Agents |
12-15 |
|
||||
|
Add/Edit MGCP Policy Map |
12-15 |
|
||||
|
Add/Edit MGCP Group |
12-16 |
|
||||
|
RTSP Inspection |
12-16 |
|
|
|
|
|
|
RTSP Inspection Overview |
12-17 |
|
||||
|
Using RealPlayer |
12-17 |
|
|
|
||
|
Restrictions and Limitations |
12-18 |
|
||||
|
Select RTSP Map |
12-18 |
|
|
|
||
|
RTSP Inspect Map |
12-18 |
|
|
|||
|
Add/Edit RTSP Policy Map |
12-19 |
|
||||
|
RTSP Class Map |
12-19 |
|
|
|
||
|
Add/Edit RTSP Traffic Class Map |
12-20 |
|||||
|
SIP Inspection |
12-20 |
|
|
|
|
|
|
SIP Inspection Overview |
12-21 |
|
||||
|
SIP Instant Messaging |
12-22 |
|
||||
|
Select SIP Map |
12-22 |
|
|
|
Cisco ASA Series Firewall ASDM Configuration Guide
8
Contents
|
|
SIP Class Map |
12-23 |
|
|
|
|
|
||
|
|
Add/Edit SIP Traffic Class Map |
12-24 |
|
|
|||||
|
|
Add/Edit SIP Match Criterion |
|
12-24 |
|
|
||||
|
|
SIP Inspect Map |
12-26 |
|
|
|
|
|
||
|
|
Add/Edit SIP Policy Map (Security Level) |
12-27 |
|
||||||
|
|
Add/Edit SIP Policy Map (Details) |
12-28 |
|
|
|||||
|
|
Add/Edit SIP Inspect |
12-30 |
|
|
|
|
|
||
|
|
Skinny (SCCP) Inspection |
12-32 |
|
|
|
|
|
||
|
|
SCCP Inspection Overview |
|
12-32 |
|
|
||||
|
|
Supporting Cisco IP Phones |
|
12-33 |
|
|
||||
|
|
Restrictions and Limitations |
|
12-33 |
|
|
||||
|
|
Select SCCP (Skinny) Map |
12-34 |
|
|
|
||||
|
|
SCCP (Skinny) Inspect Map |
|
12-34 |
|
|
||||
|
|
Message ID Filtering |
12-35 |
|
|
|
|
|
||
|
|
Add/Edit SCCP (Skinny) Policy Map (Security Level) 12-36 |
|
|||||||
|
|
Add/Edit SCCP (Skinny) Policy Map (Details) 12-37 |
|
|||||||
|
|
Add/Edit Message ID Filter |
|
12-38 |
|
|
||||
|
|
Configuring Inspection of Database and Directory Protocols |
|
|||||||
C H A P T E R |
13 |
13-1 |
||||||||
|
|
ILS Inspection |
13-1 |
|
|
|
|
|
|
|
|
|
SQL*Net Inspection |
13-2 |
|
|
|
|
|
||
|
|
Sun RPC Inspection |
13-3 |
|
|
|
|
|
||
|
|
Sun RPC Inspection Overview |
13-3 |
|
|
|||||
|
|
SUNRPC Server |
13-3 |
|
|
|
|
|
||
|
|
Add/Edit SUNRPC Service |
13-4 |
|
|
|
||||
|
|
Configuring Inspection for Management Application Protocols |
|
|||||||
C H A P T E R |
14 |
14-1 |
||||||||
|
|
DCERPC Inspection |
14-1 |
|
|
|
|
|
||
|
|
DCERPC Overview |
14-1 |
|
|
|
|
|
||
|
|
Select DCERPC Map |
14-2 |
|
|
|
|
|
||
|
|
DCERPC Inspect Map |
14-2 |
|
|
|
|
|
||
|
|
Add/Edit DCERPC Policy Map |
14-3 |
|
|
|||||
|
|
GTP Inspection |
14-4 |
|
|
|
|
|
|
|
|
|
GTP Inspection Overview 14-5 |
|
|
|
|||||
|
|
Select GTP Map |
14-5 |
|
|
|
|
|
||
|
|
GTP Inspect Map |
14-6 |
|
|
|
|
|
||
|
|
IMSI Prefix Filtering |
14-7 |
|
|
|
|
|
||
|
|
Add/Edit GTP Policy Map (Security Level) |
14-7 |
|
||||||
|
|
Add/Edit GTP Policy Map (Details) |
14-8 |
|
|
Cisco ASA Series Firewall ASDM Configuration Guide
9
Contents
Add/Edit GTP Map |
14-9 |
|
|
RADIUS Accounting Inspection |
14-10 |
||
RADIUS Accounting Inspection Overview 14-11 |
|||
Select RADIUS Accounting Map 14-11 |
|||
Add RADIUS Accounting Policy Map 14-11 |
|||
RADIUS Inspect Map |
14-12 |
|
|
RADIUS Inspect Map Host |
14-12 |
||
RADIUS Inspect Map Other |
14-13 |
||
RSH Inspection |
14-13 |
|
|
SNMP Inspection |
14-13 |
|
|
SNMP Inspection Overview |
14-14 |
||
Select SNMP Map |
14-14 |
|
|
SNMP Inspect Map |
14-14 |
|
|
|
|
XDMCP Inspection 14-15 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Configuring Unified Communications |
|
|
|
|
|
P A R T 5 |
|
|
|
|
|
|
||
|
|
|
Information About Cisco Unified Communications Proxy Features |
|
|
|
||
C H A P T E R |
15 |
15-1 |
|
|||||
|
|
|
Information About the Adaptive Security Appliance in Cisco Unified Communications |
15-1 |
||||
|
|
|
TLS Proxy Applications in Cisco Unified Communications |
15-3 |
|
|
|
|
|
|
|
Licensing for Cisco Unified Communications Proxy Features |
15-4 |
|
|
|
|
|
|
|
Using the Cisco Unified Communication Wizard 16-1 |
|
|
|
|
|
C H A P T E R |
16 |
|
|
|
|
|||
|
|
|
Information about the Cisco Unified Communication Wizard |
16-1 |
|
|
|
|
|
|
|
Licensing Requirements for the Unified Communication Wizard 16-3 |
|
|
|
||
|
|
|
Guidelines and Limitations 16-4 |
|
|
|
|
|
|
|
|
Configuring the Phone Proxy by using the Unified Communication Wizard 16-4 |
|
||||
|
|
|
Configuring the Private Network for the Phone Proxy |
16-5 |
|
|
|
|
|
|
|
Configuring Servers for the Phone Proxy |
16-6 |
|
|
|
|
|
|
|
Enabling Certificate Authority Proxy Function (CAPF) for IP Phones |
16-8 |
|
|||
|
|
|
Configuring the Public IP Phone Network |
16-9 |
|
|
|
|
|
|
|
Configuring the Media Termination Address for Unified Communication Proxies |
16-10 |
||||
|
|
|
Configuring the Mobility Advantage by using the Unified Communication Wizard 16-11 |
|||||
|
|
|
Configuring the Topology for the Cisco Mobility Advantage Proxy |
16-12 |
|
|||
|
|
|
Configuring the Server-Side Certificates for the Cisco Mobility Advantage Proxy |
16-12 |
||||
|
|
|
Configuring the Client-Side Certificates for the Cisco Mobility Advantage Proxy |
16-13 |
Configuring the Presence Federation Proxy by using the Unified Communication Wizard 16-14
Configuring the Topology for the Cisco Presence Federation Proxy
Cisco ASA Series Firewall ASDM Configuration Guide
10
Contents
|
Configuring the Local-Side Certificates for the Cisco Presence Federation Proxy |
16-15 |
|
||||||||
|
Configuring the Remote-Side Certificates for the Cisco Presence Federation Proxy |
16-15 |
|
||||||||
|
Configuring the UC-IME by using the Unified Communication Wizard 16-16 |
|
|
|
|||||||
|
Configuring the Topology for the Cisco Intercompany Media Engine Proxy |
16-17 |
|
|
|||||||
|
Configuring the Private Network Settings for the Cisco Intercompany Media Engine Proxy |
16-18 |
|||||||||
|
Adding a Cisco Unified Communications Manager Server for the UC-IME Proxy |
16-20 |
|
||||||||
|
Configuring the Public Network Settings for the Cisco Intercompany Media Engine Proxy |
16-20 |
|||||||||
|
Configuring the Local-Side Certificates for the Cisco Intercompany Media Engine Proxy |
16-21 |
|||||||||
|
Configuring the Remote-Side Certificates for the Cisco Intercompany Media Engine Proxy |
16-22 |
|||||||||
|
Working with Certificates in the Unified Communication Wizard |
16-23 |
|
|
|
||||||
|
Exporting an Identity Certificate |
16-23 |
|
|
|
|
|
||||
|
Installing a Certificate |
16-23 |
|
|
|
|
|
|
|
|
|
|
Generating a Certificate Signing Request (CSR) for a Unified Communications Proxy 16-24 |
||||||||||
|
Saving the Identity Certificate Request |
16-25 |
|
|
|
|
|||||
|
Installing the ASA Identity Certificate on the Mobility Advantage Server |
16-26 |
|
|
|||||||
|
Installing the ASA Identity Certificate on the Presence Federation and Cisco Intercompany Media |
||||||||||
|
Engine Servers 16-26 |
|
|
|
|
|
|
|
|
|
|
|
Configuring the Cisco Phone Proxy |
|
|
|
|
|
|
|
|||
C H A P T E R 17 |
17-1 |
|
|
|
|
|
|
||||
|
Information About the Cisco Phone Proxy |
17-1 |
|
|
|
|
|
||||
|
Phone Proxy Functionality |
17-1 |
|
|
|
|
|
|
|
|
|
|
Supported Cisco UCM and IP Phones for the Phone Proxy |
17-3 |
|
|
|
||||||
|
Licensing Requirements for the Phone Proxy |
17-4 |
|
|
|
|
|||||
|
Prerequisites for the Phone Proxy |
17-6 |
|
|
|
|
|
|
|
||
|
Media Termination Instance Prerequisites |
17-6 |
|
|
|
|
|||||
|
Certificates from the Cisco UCM |
|
17-7 |
|
|
|
|
|
|
||
|
DNS Lookup Prerequisites |
17-7 |
|
|
|
|
|
|
|
|
|
|
Cisco Unified Communications Manager Prerequisites 17-7 |
|
|
|
|||||||
|
ACL Rules 17-7 |
|
|
|
|
|
|
|
|
|
|
|
NAT and PAT Prerequisites |
17-8 |
|
|
|
|
|
|
|
||
|
Prerequisites for IP Phones on Multiple Interfaces 17-9 |
|
|
|
|
||||||
|
7960 and 7940 IP Phones Support |
17-9 |
|
|
|
|
|
||||
|
Cisco IP Communicator Prerequisites |
17-10 |
|
|
|
|
|
||||
|
Prerequisites for Rate Limiting TFTP Requests 17-10 |
|
|
|
|
||||||
|
End-User Phone Provisioning |
17-11 |
|
|
|
|
|
|
|||
|
Phone Proxy Guidelines and Limitations |
17-12 |
|
|
|
|
|
||||
|
Configuring the Phone Proxy |
17-14 |
|
|
|
|
|
|
|
|
|
|
Task Flow for Configuring the Phone Proxy |
17-14 |
|
|
|
|
|||||
|
Creating the CTL File |
17-15 |
|
|
|
|
|
|
|
|
|
Cisco ASA Series Firewall ASDM Configuration Guide
11
Contents
Adding or Editing a Record Entry in a CTL File 17-16
Creating the Media Termination Instance 17-17
Creating the Phone Proxy Instance 17-18
|
Adding or Editing the TFTP Server for a Phone Proxy |
17-20 |
|
|
|
Configuring Linksys Routers with UDP Port Forwarding for the Phone Proxy |
17-21 |
||
|
Feature History for the Phone Proxy 17-22 |
|
|
|
|
Configuring the TLS Proxy for Encrypted Voice Inspection |
|
|
|
C H A P T E R 18 |
18-1 |
|
||
|
Information about the TLS Proxy for Encrypted Voice Inspection 18-1 |
|
||
|
Decryption and Inspection of Unified Communications Encrypted Signaling |
18-2 |
||
|
Supported Cisco UCM and IP Phones for the TLS Proxy |
|
18-3 |
|
|
Licensing for the TLS Proxy 18-4 |
|
|
|
|
Prerequisites for the TLS Proxy for Encrypted Voice Inspection |
18-6 |
|
|
|
Configuring the TLS Proxy for Encrypted Voice Inspection |
18-6 |
|
|
|
CTL Provider 18-6 |
|
|
|
|
|
Add/Edit CTL Provider 18-7 |
|
|
|
|
|
|
|
Configure TLS Proxy Pane |
18-8 |
|
|
|
|
|
|
Adding a TLS Proxy Instance |
18-9 |
|
|
|
|
|
|
Add TLS Proxy Instance Wizard – Server Configuration |
18-9 |
||||
|
|
Add TLS Proxy Instance Wizard – Client Configuration |
18-10 |
||||
|
|
Add TLS Proxy Instance Wizard – Other Steps |
18-12 |
|
|
||
|
|
Edit TLS Proxy Instance – Server Configuration |
18-13 |
|
|
||
|
|
Edit TLS Proxy Instance – Client Configuration |
18-14 |
|
|
||
|
|
TLS Proxy 18-16 |
|
|
|
|
|
|
|
Feature History for the TLS Proxy for Encrypted Voice Inspection |
18-17 |
||||
|
|
Configuring Cisco Mobility Advantage |
|
|
|
|
|
C H A P T E R |
19 |
19-1 |
|
|
|
||
|
|
Information about the Cisco Mobility Advantage Proxy Feature |
19-1 |
||||
|
|
Cisco Mobility Advantage Proxy Functionality |
19-1 |
|
|
||
|
|
Mobility Advantage Proxy Deployment Scenarios 19-2 |
|
||||
|
|
Trust Relationships for Cisco UMA Deployments |
19-4 |
|
|||
|
|
Licensing for the Cisco Mobility Advantage Proxy Feature |
19-6 |
|
|||
|
|
Configuring Cisco Mobility Advantage |
19-6 |
|
|
|
|
|
|
Task Flow for Configuring Cisco Mobility Advantage |
19-7 |
|
|||
|
|
Feature History for Cisco Mobility Advantage 19-7 |
|
|
|
||
|
|
Configuring Cisco Unified Presence |
|
|
|
|
|
C H A P T E R |
20 |
20-1 |
|
|
|
||
|
|
Information About Cisco Unified Presence 20-1 |
|
|
|
Cisco ASA Series Firewall ASDM Configuration Guide
12
Contents
|
Architecture for Cisco Unified Presence for SIP Federation Deployments 20-1 |
|
|||||
|
Trust Relationship in the Presence Federation |
20-4 |
|
|
|||
|
Security Certificate Exchange Between Cisco UP and the Security Appliance |
20-5 |
|||||
|
XMPP Federation Deployments |
20-5 |
|
|
|
|
|
|
Configuration Requirements for XMPP Federation |
20-6 |
|
|
|||
|
Licensing for Cisco Unified Presence |
20-7 |
|
|
|
|
|
|
Configuring Cisco Unified Presence Proxy for SIP Federation |
20-8 |
|
||||
|
Task Flow for Configuring Cisco Unified Presence Federation Proxy for SIP Federation 20-9 |
||||||
|
Feature History for Cisco Unified Presence 20-9 |
|
|
|
|
||
|
Configuring Cisco Intercompany Media Engine Proxy |
|
|
|
|||
C H A P T E R 21 |
21-1 |
|
|
||||
|
Information About Cisco Intercompany Media Engine Proxy |
21-1 |
|
||||
|
Features of Cisco Intercompany Media Engine Proxy |
21-1 |
|
||||
|
How the UC-IME Works with the PSTN and the Internet |
21-2 |
|
||||
|
Tickets and Passwords |
21-3 |
|
|
|
|
|
|
Call Fallback to the PSTN 21-5 |
|
|
|
|
|
|
|
Architecture and Deployment Scenarios for Cisco Intercompany Media Engine |
21-5 |
|||||
|
Licensing for Cisco Intercompany Media Engine |
21-8 |
|
|
|
||
|
Guidelines and Limitations |
21-9 |
|
|
|
|
|
Configuring Cisco Intercompany Media Engine Proxy |
21-11 |
|
|
|
Task Flow for Configuring Cisco Intercompany Media Engine |
21-11 |
|||
Configuring NAT for Cisco Intercompany Media Engine Proxy |
21-12 |
|||
Configuring PAT for the Cisco UCM Server |
21-14 |
|
|
|
Creating ACLs for Cisco Intercompany Media Engine Proxy |
21-16 |
|||
Creating the Media Termination Instance |
21-17 |
|
|
|
Creating the Cisco Intercompany Media Engine Proxy |
21-18 |
|
||
Creating Trustpoints and Generating Certificates |
21-21 |
|
||
Creating the TLS Proxy 21-24 |
|
|
|
|
Enabling SIP Inspection for the Cisco Intercompany Media Engine Proxy 21-25 |
||||
(Optional) Configuring TLS within the Local Enterprise |
21-27 |
|||
(Optional) Configuring Off Path Signaling |
21-30 |
|
|
|
|
|
Configuring the Cisco UC-IMC Proxy by using the UC-IME Proxy Pane 21-31 |
|
|
|
Configuring the Cisco UC-IMC Proxy by using the Unified Communications Wizard 21-33 |
|
|
|
Feature History for Cisco Intercompany Media Engine Proxy 21-37 |
|
|
|
|
|
|
|
Configuring Connection Settings and QoS |
|
P A R T 6 |
Cisco ASA Series Firewall ASDM Configuration Guide
13
Contents
C H A P T E R 22 |
Configuring Connection Settings |
22-1 |
|
|
|
Information About Connection Settings |
22-1 |
||
|
TCP Intercept and Limiting Embryonic Connections 22-2 |
|||
|
Disabling TCP Intercept for Management Packets for Clientless SSL Compatibility 22-2 |
|||
|
Dead Connection Detection (DCD) |
22-2 |
||
|
TCP Sequence Randomization |
22-3 |
|
|
|
TCP Normalization |
22-3 |
|
|
|
TCP State Bypass |
22-3 |
|
|
|
Licensing Requirements for Connection Settings 22-4 |
|||
|
Guidelines and Limitations 22-5 |
|
|
|
|
Default Settings 22-5 |
|
|
|
|
Configuring Connection Settings |
22-6 |
|
|
||
|
Task Flow For Configuring Connection Settings |
22-6 |
||||
|
Customizing the TCP Normalizer with a TCP Map |
22-6 |
||||
|
Configuring Connection Settings |
22-8 |
|
|||
|
Configuring Global Timeouts |
22-9 |
|
|||
|
Feature History for Connection Settings 22-11 |
|
||||
|
Configuring QoS |
|
|
|
|
|
C H A P T E R 23 |
23-1 |
|
|
|
|
|
|
Information About QoS 23-1 |
|
|
|
||
|
Supported QoS Features |
23-2 |
|
|
||
|
What is a Token Bucket? |
23-2 |
|
|
||
|
Information About Policing |
23-3 |
|
|
||
|
Information About Priority Queuing |
23-3 |
|
|||
|
Information About Traffic Shaping |
23-4 |
|
|||
|
How QoS Features Interact |
23-4 |
|
|
||
|
DSCP and DiffServ Preservation |
23-5 |
|
|||
|
Licensing Requirements for QoS |
23-5 |
|
|
||
|
Guidelines and Limitations |
23-5 |
|
|
|
|
|
Configuring QoS |
23-6 |
|
|
|
|
|
Determining the Queue and TX Ring Limits for a Standard Priority Queue 23-7 |
|||||
|
Configuring the Standard Priority Queue for an Interface 23-8 |
|||||
|
Configuring a Service Rule for Standard Priority Queuing and Policing 23-9 |
|||||
|
Configuring a Service Rule for Traffic Shaping and Hierarchical Priority Queuing 23-10 |
|||||
|
Monitoring QoS |
23-11 |
|
|
|
|
|
Viewing QoS Police Statistics |
23-12 |
|
|||
|
Viewing QoS Standard Priority Statistics 23-12 |
|
||||
|
Viewing QoS Shaping Statistics |
23-13 |
|
Cisco ASA Series Firewall ASDM Configuration Guide
14
Contents
|
|
|
Viewing QoS Standard Priority Queue Statistics |
23-13 |
|
||||||||
|
|
|
Feature History for QoS |
23-14 |
|
|
|
|
|
|
|||
|
|
|
Troubleshooting Connections and Resources |
|
|
|
|||||||
C H A P T E R |
24 |
24-1 |
|
|
|||||||||
|
|
|
Testing Your Configuration |
24-1 |
|
|
|
|
|
|
|||
|
|
|
Pinging ASA Interfaces |
24-1 |
|
|
|
|
|
|
|||
|
|
|
Verifying ASA Configuration and Operation, and Testing Interfaces Using Ping 24-3 |
||||||||||
|
|
|
Determining Packet Routing with Traceroute |
24-6 |
|
|
|||||||
|
|
|
Tracing Packets with Packet Tracer |
24-7 |
|
|
|
|
|||||
|
|
|
Monitoring Performance |
|
24-8 |
|
|
|
|
|
|
||
|
|
|
Monitoring System Resources |
24-9 |
|
|
|
|
|
||||
|
|
|
Blocks |
24-9 |
|
|
|
|
|
|
|
|
|
|
|
|
CPU 24-10 |
|
|
|
|
|
|
|
|
|
|
|
|
|
Memory |
24-10 |
|
|
|
|
|
|
|
|
|
|
|
|
Monitoring Connections |
|
24-11 |
|
|
|
|
|
|
||
|
|
|
Monitoring Per-Process CPU Usage |
24-12 |
|
|
|
|
|||||
|
|
|
|
|
|
|
|
||||||
|
|
|
Configuring Advanced Network Protection |
|
|
|
|
||||||
P A R T 7 |
|
|
|
|
|
||||||||
|
|
|
Configuring the ASA for Cisco Cloud Web Security |
|
|
||||||||
C H A P T E R |
25 |
25-1 |
|
||||||||||
|
|
|
Information About Cisco Cloud Web Security |
25-2 |
|
|
|
||||||
|
|
|
Redirection of Web Traffic to Cloud Web Security |
25-2 |
|
||||||||
|
|
|
User Authentication and Cloud Web Security |
25-2 |
|
|
|||||||
|
|
|
Authentication Keys |
|
25-3 |
|
|
|
|
|
|
||
|
|
|
ScanCenter Policy |
25-4 |
|
|
|
|
|
|
|
||
|
|
|
Cloud Web Security Actions |
25-5 |
|
|
|
|
|
||||
|
|
|
Bypassing Scanning with Whitelists 25-6 |
|
|
|
|
||||||
|
|
|
IPv4 and IPv6 Support |
25-6 |
|
|
|
|
|
|
|||
|
|
|
Failover from Primary to Backup Proxy Server |
25-6 |
|
|
|||||||
|
|
|
Licensing Requirements for Cisco Cloud Web Security |
25-6 |
|
||||||||
|
|
|
Prerequisites for Cloud Web Security |
25-7 |
|
|
|
|
|||||
|
|
|
Guidelines and Limitations |
25-7 |
|
|
|
|
|
|
|||
|
|
|
Default Settings 25-8 |
|
|
|
|
|
|
|
|
|
|
|
|
|
Configuring Cisco Cloud Web Security |
25-8 |
|
|
|
|
Configuring Communication with the Cloud Web Security Proxy Server 25-8
(Multiple Context Mode) Allowing Cloud Web Security Per Security Context 25-10
Configuring a Service Policy to Send Traffic to Cloud Web Security (Optional) Configuring Whitelisted Traffic
Cisco ASA Series Firewall ASDM Configuration Guide
15
Contents
(Optional) Configuring the User Identity Monitor 25-25 |
|
Configuring the Cloud Web Security Policy |
25-26 |
Monitoring Cloud Web Security 25-26 |
|
Related Documents 25-27 |
|
Feature History for Cisco Cloud Web Security |
25-27 |
C H A P T E R 26 |
Configuring the Botnet Traffic Filter |
26-1 |
|
|
Information About the Botnet Traffic Filter |
26-1 |
|
|
Botnet Traffic Filter Address Types |
26-2 |
|
|
Botnet Traffic Filter Actions for Known Addresses 26-2 |
||
|
Botnet Traffic Filter Databases |
26-2 |
|
How the Botnet Traffic Filter Works 26-5
Licensing Requirements for the Botnet Traffic Filter 26-6
Prerequisites for the Botnet Traffic Filter
Guidelines and Limitations
Default Settings 26-6
|
Configuring the Botnet Traffic Filter |
26-7 |
|
|
|
||
|
Task Flow for Configuring the Botnet Traffic Filter |
26-7 |
|||||
|
Configuring the Dynamic Database |
26-8 |
|
||||
|
Adding Entries to the Static Database |
|
26-9 |
|
|||
|
Enabling DNS Snooping |
26-9 |
|
|
|
|
|
|
Enabling Traffic Classification and Actions for the Botnet Traffic Filter 26-10 |
||||||
|
Blocking Botnet Traffic Manually |
26-12 |
|
|
|||
|
Searching the Dynamic Database |
26-13 |
|
||||
|
Monitoring the Botnet Traffic Filter |
26-14 |
|
|
|||
|
Botnet Traffic Filter Syslog Messaging |
26-14 |
|
||||
|
Botnet Traffic Filter Monitor Panes |
26-15 |
|
||||
|
Where to Go Next |
26-16 |
|
|
|
|
|
|
Feature History for the Botnet Traffic Filter |
26-16 |
|
||||
|
Configuring Threat Detection |
|
|
|
|
|
|
C H A P T E R 27 |
27-1 |
|
|
|
|
||
|
Information About Threat Detection |
27-1 |
|
|
|
||
|
Licensing Requirements for Threat Detection |
27-1 |
|
||||
|
Configuring Basic Threat Detection Statistics |
27-2 |
|
||||
|
Information About Basic Threat Detection Statistics |
27-2 |
|||||
|
Guidelines and Limitations 27-3 |
|
|
|
|
||
|
Default Settings |
27-3 |
|
|
|
|
|
|
Configuring Basic Threat Detection Statistics 27-4 |
|
Cisco ASA Series Firewall ASDM Configuration Guide
16
Contents
|
|
Monitoring Basic Threat Detection Statistics |
27-4 |
|
|
|||||||
|
|
Feature History for Basic Threat Detection Statistics |
27-5 |
|
||||||||
|
|
Configuring Advanced Threat Detection Statistics |
27-5 |
|
|
|||||||
|
|
Information About Advanced Threat Detection Statistics |
27-5 |
|||||||||
|
|
Guidelines and Limitations |
27-5 |
|
|
|
|
|
||||
|
|
Default Settings |
|
27-6 |
|
|
|
|
|
|
|
|
|
|
Configuring Advanced Threat Detection Statistics |
27-6 |
|
||||||||
|
|
Monitoring Advanced Threat Detection Statistics |
27-7 |
|
||||||||
|
|
Feature History for Advanced Threat Detection Statistics |
27-8 |
|||||||||
|
|
Configuring Scanning Threat Detection |
27-8 |
|
|
|
||||||
|
|
Information About Scanning Threat Detection |
27-9 |
|
||||||||
|
|
Guidelines and Limitations |
27-9 |
|
|
|
|
|
||||
|
|
Default Settings |
|
27-10 |
|
|
|
|
|
|
|
|
|
|
Configuring Scanning Threat Detection |
27-10 |
|
|
|||||||
|
|
Feature History for Scanning Threat Detection |
27-11 |
|
||||||||
|
|
Using Protection Tools |
|
|
|
|
|
|
|
|
|
|
C H A P T E R |
28 |
|
28-1 |
|
|
|
|
|
|
|
|
|
|
|
Preventing IP Spoofing |
28-1 |
|
|
|
|
|
|
|
|
|
|
|
Configuring the Fragment Size |
28-2 |
|
|
|
|
|
|
|||
|
|
Show Fragment |
28-2 |
|
|
|
|
|
|
|
|
|
|
|
Configuring TCP Options 28-3 |
|
|
|
|
|
|
|
|||
|
|
TCP Reset Settings |
28-4 |
|
|
|
|
|
|
|
||
|
|
Configuring IP Audit for Basic IPS Support |
|
28-5 |
|
|
|
|||||
|
|
IP Audit Policy |
28-5 |
|
|
|
|
|
|
|
|
|
|
|
Add/Edit IP Audit Policy Configuration |
28-5 |
|
|
|
||||||
|
|
IP Audit Signatures |
28-6 |
|
|
|
|
|
|
|
||
|
|
IP Audit Signature List |
28-6 |
|
|
|
|
|
|
|||
|
|
Configuring Filtering Services |
|
|
|
|
|
|
|
|
||
C H A P T E R |
29 |
|
29-1 |
|
|
|
|
|
|
|||
|
|
Information About Web Traffic Filtering |
29-1 |
|
|
|
||||||
|
|
Filtering URLs and FTP Requests with an External Server |
29-2 |
|
||||||||
|
|
Information About URL Filtering |
29-2 |
|
|
|
|
|||||
|
|
Licensing Requirements for URL Filtering 29-3 |
|
|
||||||||
|
|
Guidelines and Limitations for URL Filtering |
29-3 |
|
|
|||||||
|
|
Identifying the Filtering Server |
29-3 |
|
|
|
|
|
||||
|
|
Configuring Additional URL Filtering Settings |
29-4 |
|
|
|||||||
|
|
Configuring Filtering Rules |
29-6 |
|
|
|
|
|
|
|||
|
|
Filtering the Rule Table |
29-11 |
|
|
|
|
|
|
|||
|
|
Defining Queries |
|
29-12 |
|
|
|
|
|
|
|
|
Cisco ASA Series Firewall ASDM Configuration Guide
17
Contents
|
|
Feature History for URL Filtering |
29-12 |
|
|
|
|
|
|
|
|
|
|
|
|
Configuring Modules |
|
|
|
|
P A R T 8 |
|
|
|
|
||
|
|
Configuring the ASA CX Module 30-1 |
|
|
|
|
C H A P T E R 30 |
|
|
|
|||
|
|
Information About the ASA CX Module |
30-1 |
|
|
|
|
|
How the ASA CX Module Works with the ASA |
30-2 |
|||
|
|
Monitor-Only Mode |
30-3 |
|
|
|
|
|
Information About ASA CX Management |
30-4 |
|
||
|
|
Information About Authentication Proxy |
30-5 |
|
||
|
|
Information About VPN and the ASA CX Module |
30-5 |
|||
|
|
Compatibility with ASA Features |
30-5 |
|
|
|
|
|
Licensing Requirements for the ASA CX Module 30-6 |
||||
|
|
Prerequisites 30-6 |
|
|
|
|
|
|
Guidelines and Limitations |
30-6 |
|
|
|
|
|
Default Settings 30-8 |
|
|
|
|
Configuring the ASA CX Module 30-8
Task Flow for the ASA CX Module 30-8
Connecting the ASA CX Management Interface 30-9
(ASA 5512-X through ASA 5555-X; May Be Required) Installing the Software Module 30-12
(ASA 5585-X) Changing the ASA CX Management IP Address 30-14 |
|
||||
Configuring Basic ASA CX Settings at the ASA CX CLI |
30-16 |
|
|||
Configuring the Security Policy on the ASA CX Module Using PRSM 30-17 |
|
||||
(Optional) Configuring the Authentication Proxy Port |
30-18 |
|
|||
Redirecting Traffic to the ASA CX Module |
30-19 |
|
|
||
Managing the ASA CX Module |
30-23 |
|
|
|
|
Resetting the Password 30-23 |
|
|
|
|
|
Reloading or Resetting the Module |
30-24 |
|
|
||
Shutting Down the Module |
30-25 |
|
|
|
|
(ASA 5512-X through ASA 5555-X) Uninstalling a Software Module Image |
30-26 |
||||
(ASA 5512-X through ASA 5555-X) Sessioning to the Module From the ASA |
30-26 |
||||
Monitoring the ASA CX Module |
30-27 |
|
|
|
|
Showing Module Status |
30-28 |
|
|
|
|
Showing Module Statistics |
30-28 |
|
|
|
|
Monitoring Module Connections |
30-28 |
|
|
|
|
Capturing Module Traffic |
30-32 |
|
|
|
|
Troubleshooting the ASA CX Module |
30-32 |
|
|
|
|
Problems with the Authentication Proxy |
30-32 |
|
|
Cisco ASA Series Firewall ASDM Configuration Guide
18
Contents
|
Feature History for the ASA CX Module |
30-33 |
|
|
Configuring the ASA IPS Module 31-1 |
|
|
C H A P T E R 31 |
|
|
|
|
Information About the ASA IPS Module |
31-1 |
|
|
How the ASA IPS Module Works with the ASA |
31-2 |
|
|
Operating Modes 31-3 |
|
|
|
Using Virtual Sensors (ASA 5510 and Higher) |
31-3 |
|
|
Information About Management Access 31-4 |
|
|
|
Licensing Requirements for the ASA IPS module 31-5 |
||
|
Guidelines and Limitations 31-5 |
|
|
|
Default Settings 31-6 |
|
|
|
Configuring the ASA IPS module |
31-7 |
|
|
|
|
|
Task Flow for the ASA IPS Module |
31-7 |
|
|||
|
Connecting the ASA IPS Management Interface |
31-8 |
||||
|
Sessioning to the Module from the ASA (May Be Required) 31-11 |
|||||
|
(ASA 5512-X through ASA 5555-X) Booting the Software Module 31-12 |
|||||
|
Configuring Basic IPS Module Network Settings |
31-12 |
||||
|
Configuring the Security Policy on the ASA IPS Module 31-15 |
|||||
|
Assigning Virtual Sensors to a Security Context (ASA 5510 and Higher) 31-17 |
|||||
|
Diverting Traffic to the ASA IPS module |
31-18 |
|
|||
|
Managing the ASA IPS module |
31-19 |
|
|
|
|
|
Installing and Booting an Image on the Module |
31-20 |
||||
|
Shutting Down the Module |
31-22 |
|
|
|
|
|
Uninstalling a Software Module Image |
31-22 |
|
|||
|
Resetting the Password |
31-23 |
|
|
|
|
|
Reloading or Resetting the Module |
31-24 |
|
|||
|
Monitoring the ASA IPS module |
31-24 |
|
|
|
|
|
Feature History for the ASA IPS module |
31-25 |
|
|||
|
Configuring the ASA CSC Module |
|
|
|
|
|
C H A P T E R 32 |
32-1 |
|
|
|
||
|
Information About the CSC SSM |
32-1 |
|
|
|
|
|
Determining What Traffic to Scan |
32-3 |
|
|||
|
Licensing Requirements for the CSC SSM |
32-5 |
|
|||
|
Prerequisites for the CSC SSM |
32-5 |
|
|
|
|
|
Guidelines and Limitations |
32-6 |
|
|
|
|
|
Default Settings 32-6 |
|
|
|
|
|
|
Configuring the CSC SSM |
32-7 |
|
|
|
|
|
Before Configuring the CSC SSM |
32-7 |
|
|
Cisco ASA Series Firewall ASDM Configuration Guide
19
Contents
Connecting to the CSC SSM |
32-8 |
|||||
Determining Service Policy Rule Actions for CSC Scanning 32-9 |
||||||
CSC SSM Setup Wizard |
32-10 |
|
||||
Activation/License |
|
32-11 |
|
|||
IP Configuration |
32-11 |
|
||||
Host/Notification Settings |
32-12 |
|||||
Management Access Host/Networks 32-13 |
||||||
Password |
32-13 |
|
|
|
||
Restoring the Default Password 32-14 |
||||||
Wizard Setup |
32-15 |
|
||||
Using the CSC SSM GUI |
32-20 |
|
||||
Web |
32-20 |
|
|
|
|
|
32-21 |
|
|
|
|
||
SMTP Tab |
32-21 |
|
|
|
||
POP3 Tab |
32-22 |
|
|
|
||
File Transfer |
32-22 |
|
|
|||
Updates |
32-23 |
|
|
|
||
Monitoring the CSC SSM |
32-24 |
|
||||
Threats |
|
32-24 |
|
|
|
|
Live Security Events |
32-25 |
|
||||
Live Security Events Log 32-25 |
||||||
Software Updates |
|
32-26 |
|
|||
Resource Graphs |
32-27 |
|
||||
Troubleshooting the CSC Module |
32-27 |
|||||
Additional References |
|
32-31 |
|
|||
Feature History for the CSC SSM |
32-31 |
I N D E X
Cisco ASA Series Firewall ASDM Configuration Guide
20
This preface introduces Cisco ASA Series Firewall ASDM Configuration Guide and includes the following sections:
•Document Objectives, page 3
•Related Documentation, page 3
•Conventions, page 4
•Obtaining Documentation and Submitting a Service Request, page 4
Document Objectives
The purpose of this guide is to help you configure the firewall features for ASA using ASDM. This guide does not cover every feature, but describes only the most common configuration scenarios.
This guide applies to the Cisco ASA series. Throughout this guide, the term “ASA” applies generically to supported models, unless specified otherwise.
Note ASDM supports many ASA versions. The ASDM documentation and online help includes all of the latest features supported by the ASA. If you are running an older version of ASA software, the documentation might include features that are not supported in your version. Similarly, if a feature was added into a maintenance release for an older major or minor version, then the ASDM documentation includes the new feature even though that feature might not be available in all later ASA releases. Please refer to the feature history table for each chapter to determine when features were added. For the minimum supported version of ASDM for each ASA version, see Cisco ASA Series Compatibility.
Related Documentation
For more information, see Navigating the Cisco ASA Series Documentation at
http://www.cisco.com/go/asadocs.
Cisco ASA Series Firewall ASDM Configuration Guide
3
Conventions
This document uses the following conventions:
Convention |
Indication |
|
|
|
|
bold font |
Commands and keywords and user-entered text appear in bold font. |
|
|
|
|
italic font |
Document titles, new or emphasized terms, and arguments for which you supply |
|
|
|
values are in italic font. |
|
|
|
[ |
] |
Elements in square brackets are optional. |
|
|
|
{x | y | z } |
Required alternative keywords are grouped in braces and separated by |
|
|
|
vertical bars. |
|
|
|
[ x | y | z ] |
Optional alternative keywords are grouped in brackets and separated by |
|
|
|
vertical bars. |
|
|
|
string |
A nonquoted set of characters. Do not use quotation marks around the string or |
|
|
|
the string will include the quotation marks. |
|
|
|
courier font |
Terminal sessions and information the system displays appear in courier font. |
|
|
|
|
courier bold font |
Commands and keywords and user-entered text appear in bold courier font. |
|
|
|
|
courier italic font |
Arguments for which you supply values are in courier italic font. |
|
|
|
|
< |
> |
Nonprinting characters such as passwords are in angle brackets. |
|
|
|
[ |
] |
Default responses to system prompts are in square brackets. |
|
|
|
!, # |
An exclamation point (!) or a pound sign (#) at the beginning of a line of code |
|
|
|
indicates a comment line. |
|
|
|
Note Means reader take note.
Tip Means the following information will help you solve a problem.
Caution Means reader be careful. In this situation, you might perform an action that could result in equipment damage or loss of data.
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What’s New in Cisco Product Documentation at: http://www.cisco.com/c/en/us/td/docs/general/whatsnew/whatsnew.html.
Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised
Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service.
Cisco ASA Series Firewall ASDM Configuration Guide
4
P A R T 1
C H A P T E R 1
Service policies provide a consistent and flexible way to configure ASA features. For example, you can use a service policy to create a timeout configuration that is specific to a particular TCP application, as opposed to one that applies to all TCP applications. A service policy consists of multiple service policy rules applied to an interface or applied globally.
This chapter includes the following sections:
•Information About Service Policies, page 1-1
•Licensing Requirements for Service Policies, page 1-5
•Guidelines and Limitations, page 1-6
•Default Settings, page 1-7
•Task Flows for Configuring Service Policies, page 1-8
•Adding a Service Policy Rule for Through Traffic, page 1-8
•Adding a Service Policy Rule for Management Traffic, page 1-13
•Managing the Order of Service Policy Rules, page 1-15
•Feature History for Service Policies, page 1-17
This section describes how service policies work and includes the following topics:
•Supported Features, page 1-1
•Feature Directionality, page 1-2
•Feature Matching Within a Service Policy, page 1-3
•Order in Which Multiple Feature Actions are Applied, page 1-4
•Incompatibility of Certain Feature Actions, page 1-5
•Feature Matching for Multiple Service Policies, page 1-5
Table 1-1 lists the features supported by service policy rules.
Cisco ASA Series Firewall ASDM Configuration Guide
1-1
Chapter 1 Configuring a Service Policy
Information About Service Policies
Table 1-1 |
Service Policy Rule Features |
|
|
|
|
|
|
|
|
|
|
For Through |
For Management |
|
Feature |
|
Traffic? |
Traffic? |
See: |
|
|
|
|
|
Application inspection (multiple |
All except |
RADIUS |
• Chapter 10, “Getting Started with Application |
|
types) |
|
RADIUS |
accounting only |
Layer Protocol Inspection.” |
|
|
accounting |
|
• Chapter 11, “Configuring Inspection of Basic |
|
|
|
|
|
|
|
|
|
Internet Protocols.” |
|
|
|
|
• Chapter 12, “Configuring Inspection for Voice |
|
|
|
|
and Video Protocols.” |
|
|
|
|
• Chapter 13, “Configuring Inspection of Database |
|
|
|
|
and Directory Protocols.” |
|
|
|
|
• Chapter 14, “Configuring Inspection for |
|
|
|
|
Management Application Protocols.” |
|
|
|
|
• Chapter 25, “Configuring the ASA for Cisco |
|
|
|
|
Cloud Web Security.” |
|
|
|
|
|
ASA CSC |
|
Yes |
No |
Chapter 32, “Configuring the ASA CSC Module.” |
|
|
|
|
|
ASA IPS |
|
Yes |
No |
Chapter 31, “Configuring the ASA IPS Module.” |
|
|
|
|
|
ASA CX |
|
Yes |
No |
Chapter 30, “Configuring the ASA CX Module.” |
|
|
|
|
|
NetFlow Secure Event Logging |
Yes |
Yes |
Chapter 43, “Configuring NetFlow Secure Event |
|
filtering |
|
|
|
Logging (NSEL),” in the general operations |
|
|
|
|
configuration guide. |
|
|
|
|
|
QoS input and output policing |
Yes |
No |
Chapter 23, “Configuring QoS.” |
|
|
|
|
|
|
QoS standard priority queue |
Yes |
No |
Chapter 23, “Configuring QoS.” |
|
|
|
|
|
|
QoS traffic shaping, hierarchical |
Yes |
Yes |
Chapter 23, “Configuring QoS.” |
|
priority queue |
|
|
|
|
|
|
|
|
|
TCP and UDP connection limits |
Yes |
Yes |
Chapter 22, “Configuring Connection Settings.” |
|
and timeouts, and TCP sequence |
|
|
|
|
number randomization |
|
|
|
|
|
|
|
|
|
TCP normalization |
Yes |
No |
Chapter 22, “Configuring Connection Settings.” |
|
|
|
|
|
|
TCP state bypass |
|
Yes |
No |
Chapter 22, “Configuring Connection Settings.” |
|
|
|
|
|
User statistics for Identity |
Yes |
Yes |
See the user-statistics command in the command |
|
Firewall |
|
|
|
reference. |
|
|
|
|
|
Actions are applied to traffic bidirectionally or unidirectionally depending on the feature. For features that are applied bidirectionally, all traffic that enters or exits the interface to which you apply the policy map is affected if the traffic matches the class map for both directions.
Cisco ASA Series Firewall ASDM Configuration Guide
1-2
Chapter 1 Configuring a Service Policy
Information About Service Policies
Note When you use a global policy, all features are unidirectional; features that are normally bidirectional when applied to a single interface only apply to the ingress of each interface when applied globally. Because the policy is applied to all interfaces, the policy will be applied in both directions so bidirectionality in this case is redundant.
For features that are applied unidirectionally, for example QoS priority queue, only traffic that enters (or exits, depending on the feature) the interface to which you apply the policy map is affected. See
Table 1-2 for the directionality of each feature.
Table 1-2 |
Feature Directionality |
|
|
|
|
|
|
Feature |
|
Single Interface Direction |
Global Direction |
|
|
|
|
Application inspection (multiple types) |
Bidirectional |
Ingress |
|
|
|
|
|
ASA CSC |
|
Bidirectional |
Ingress |
|
|
|
|
ASA CX |
|
Bidirectional |
Ingress |
|
|
|
|
ASA CX authentication proxy |
Ingress |
Ingress |
|
|
|
|
|
ASA IPS |
|
Bidirectional |
Ingress |
|
|
|
|
NetFlow Secure Event Logging filtering |
N/A |
Ingress |
|
|
|
|
|
QoS input policing |
Ingress |
Ingress |
|
|
|
|
|
QoS output policing |
Egress |
Egress |
|
|
|
|
|
QoS standard priority queue |
Egress |
Egress |
|
|
|
|
|
QoS traffic shaping, hierarchical priority |
Egress |
Egress |
|
queue |
|
|
|
|
|
|
|
TCP and UDP connection limits and timeouts, |
Bidirectional |
Ingress |
|
and TCP sequence number randomization |
|
|
|
|
|
|
|
TCP normalization |
Bidirectional |
Ingress |
|
|
|
|
|
TCP state bypass |
Bidirectional |
Ingress |
|
|
|
|
|
User statistics for Identity Firewall |
Bidirectional |
Ingress |
|
|
|
|
|
See the following information for how a packet matches rules in a policy for a given interface:
1.A packet can match only one rule for an interface for each feature type.
2.When the packet matches a rule for a feature type, the ASA does not attempt to match it to any subsequent rules for that feature type.
3.If the packet matches a subsequent rule for a different feature type, however, then the ASA also applies the actions for the subsequent rule, if supported. See the “Incompatibility of Certain Feature Actions” section on page 1-5 for more information about unsupported combinations.
Note Application inspection includes multiple inspection types, and most are mutually exclusive. For inspections that can be combined, each inspection is considered to be a separate feature.
Cisco ASA Series Firewall ASDM Configuration Guide
1-3
Chapter 1 Configuring a Service Policy
Information About Service Policies
For example, if a packet matches a rule for connection limits, and also matches a rule for an application inspection, then both actions are applied.
If a packet matches a rulefor HTTP inspection, but also matches another rule that includes HTTP inspection, then the second rule actions are not applied.
If a packet matches a rulefor HTTP inspection, but also matches another rule that includes FTP inspection, then the second rule actions are not applied because HTTP and FTP inspections cannpt be combined.
If a packet matches a rule for HTTP inspection, but also matches another rule that includes IPv6 inspection, then both actions are applied because the IPv6 inspection can be combined with any other type of inspection.
The order in which different types of actions in a service policy are performed is independent of the order in which the actions appear in the table.
Note NetFlow Secure Event Logging filtering and User statistics for Identity Firewall are order-independent.
Actions are performed in the following order:
1.QoS input policing
2.TCP normalization, TCP and UDP connection limits and timeouts, TCP sequence number randomization, and TCP state bypass.
Note When a the ASA performs a proxy service (such as AAA or CSC) or it modifies the TCP payload (such as FTP inspection), the TCP normalizer acts in dual mode, where it is applied before and after the proxy or payload modifying service.
3.ASA CSC
4.Application inspections that can be combined with other inspections:
a.IPv6
b.IP options
c.WAAS
5.Application inspections that cannot be combined with other inspections. See the “Incompatibility of Certain Feature Actions” section on page 1-5 for more information.
6.ASA IPS
7.ASA CX
8.QoS output policing
9.QoS standard priority queue
10. QoS traffic shaping, hierarchical priority queue
Cisco ASA Series Firewall ASDM Configuration Guide
1-4