Cisco ASA 5545-X, ASA Services Module, ASA 5580, ASA 5585-X, ASA 5555-X User Manual

...
0 (0)
Cisco ASA 5545-X, ASA Services Module, ASA 5580, ASA 5585-X, ASA 5555-X User Manual

Cisco ASA Series Firewall ASDM

Configuration Guide

Software Version 7.1

For the ASA 5505, ASA 5510, ASA 5520, ASA 5540, ASA 5550, ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, ASA 5580, ASA 5585-X, and the ASA Services Module

Released: December 3, 2012

Updated: March 31, 2014

Cisco Systems, Inc.

www.cisco.com

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices.

Text Part Number: N/A, Online only

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

Cisco ASA Series Firewall ASDM Configuration Guide

Copyright © 2012-2014 Cisco Systems, Inc. All rights reserved.

C O N T E N T S

About This Guide

21

 

Document Objectives

21

Related Documentation

21

Conventions

22

 

 

 

Obtaining Documentation and Submitting a Service Request

22

 

 

 

 

 

 

 

 

Configuring Service Policies

 

 

 

P A R T 1

 

 

 

 

 

Configuring a Service Policy

 

 

 

C H A P T E R 1

1-1

 

 

 

 

Information About Service Policies 1-1

 

 

 

 

Supported Features 1-1

 

 

 

 

Feature Directionality

1-2

 

 

 

 

Feature Matching Within a Service Policy

1-3

 

 

 

Order in Which Multiple Feature Actions are Applied

1-4

 

 

Incompatibility of Certain Feature Actions

1-5

 

 

 

Feature Matching for Multiple Service Policies 1-5

 

 

 

Licensing Requirements for Service Policies

1-5

 

 

 

Guidelines and Limitations

1-6

 

 

 

 

Default Settings 1-7

 

 

 

 

 

Default Configuration

1-7

 

 

 

 

Default Traffic Classes

1-8

 

 

 

Task Flows for Configuring Service Policies

1-8

 

 

Task Flow for Configuring a Service Policy Rule

1-8

 

Adding a Service Policy Rule for Through Traffic 1-8

 

 

Adding a Service Policy Rule for Management Traffic

1-13

 

Configuring a Service Policy Rule for Management Traffic 1-13

 

Managing the Order of Service Policy Rules

1-15

 

 

Feature History for Service Policies 1-17

 

 

 

Configuring Special Actions for Application Inspections (Inspection Policy Map) 2-1

C H A P T E R 2

 

Information About Inspection Policy Maps

2-1

 

 

Guidelines and Limitations 2-2

 

 

 

Default Inspection Policy Maps 2-2

 

 

Cisco ASA Series Firewall ASDM Configuration Guide

1

Contents

Defining Actions in an Inspection Policy Map

2-3

Identifying Traffic in an Inspection Class Map

2-3

Where to Go Next 2-4

 

 

 

Feature History for Inspection Policy Maps

2-4

 

 

 

 

 

 

Configuring Network Address Translation

 

P A R T 2

 

 

 

Information About NAT (ASA 8.3 and Later)

 

C H A P T E R 3

3-1

 

 

Why Use NAT? 3-1

 

 

 

NAT Terminology 3-2

 

 

 

NAT Types 3-3

 

NAT Types Overview

3-3

 

 

 

 

Static NAT

 

3-3

 

 

 

 

 

Dynamic NAT

3-8

 

 

 

 

 

Dynamic PAT

3-10

 

 

 

 

 

Identity NAT

3-12

 

 

 

 

 

NAT in Routed and Transparent Mode

3-12

 

NAT in Routed Mode

3-13

 

 

 

 

NAT in Transparent Mode

3-13

 

 

NAT and IPv6

3-15

 

 

 

 

 

How NAT is Implemented

3-15

 

 

 

 

Main Differences Between Network Object NAT and Twice NAT

3-15

Information About Network Object NAT 3-16

 

Information About Twice NAT

3-16

 

NAT Rule Order

 

3-20

 

 

 

 

 

NAT Interfaces

3-21

 

 

 

 

 

Routing NAT Packets 3-21

 

 

 

 

 

Mapped Addresses and Routing

 

3-22

 

Transparent Mode Routing Requirements for Remote Networks

3-24

Determining the Egress Interface

3-24

 

NAT for VPN

3-24

 

 

 

 

 

NAT and Remote Access VPN

3-25

 

NAT and Site-to-Site VPN

3-26

 

 

 

NAT and VPN Management Access 3-28

 

Troubleshooting NAT and VPN

 

3-30

 

DNS and NAT

3-30

 

 

 

 

 

Where to Go Next

3-35

 

 

 

 

 

Cisco ASA Series Firewall ASDM Configuration Guide

2

Contents

C H A P T E R 4

Configuring Network Object NAT (ASA 8.3 and Later) 4-1

 

Information About Network Object NAT

4-1

 

Licensing Requirements for Network Object NAT 4-2

 

Prerequisites for Network Object NAT

4-2

 

Guidelines and Limitations 4-2

 

 

Default Settings 4-3

 

 

Configuring Network Object NAT

4-4

 

 

 

Configuring Dynamic NAT or Dynamic PAT Using a PAT Pool

4-4

 

Configuring Dynamic PAT (Hide)

4-8

 

 

Configuring Static NAT or Static NAT-with-Port-Translation

4-11

 

Configuring Identity NAT

4-15

 

 

 

Configuring Per-Session PAT Rules

4-18

 

 

Monitoring Network Object NAT

4-19

 

 

 

Configuration Examples for Network Object NAT 4-20

 

 

Providing Access to an Inside Web Server (Static NAT) 4-21

 

 

NAT for Inside Hosts (Dynamic NAT) and NAT for an Outside Web Server (Static NAT) 4-23

 

Inside Load Balancer with Multiple Mapped Addresses (Static NAT, One-to-Many) 4-28

 

Single Address for FTP, HTTP, and SMTP (Static NAT-with-Port-Translation) 4-32

 

DNS Server on Mapped Interface, Web Server on Real Interface (Static NAT with DNS

 

Modification)

4-35

 

 

 

 

 

 

DNS Server and FTP Server on Mapped Interface, FTP Server is Translated (Static NAT with DNS

 

Modification)

4-38

 

 

 

 

 

 

IPv4 DNS Server and FTP Server on Mapped Interface, IPv6 Host on Real Interface (Static NAT64 with

 

DNS64 Modification)

4-40

 

 

 

 

Feature History for Network Object NAT 4-45

 

 

Configuring Twice NAT (ASA 8.3 and Later) 5-1

 

C H A P T E R 5

 

 

Information About Twice NAT

 

5-1

 

 

 

Licensing Requirements for Twice NAT

5-2

 

 

Prerequisites for Twice NAT

 

5-2

 

 

 

Guidelines and Limitations

5-2

 

 

 

 

Default Settings

5-4

 

 

 

 

 

 

Configuring Twice NAT 5-4

 

 

 

 

 

Configuring Dynamic NAT or Dynamic PAT Using a PAT Pool

5-4

 

Configuring Dynamic PAT (Hide)

5-12

 

 

Configuring Static NAT or Static NAT-with-Port-Translation

5-18

 

Configuring Identity NAT

5-24

 

 

 

Configuring Per-Session PAT Rules

5-29

 

Cisco ASA Series Firewall ASDM Configuration Guide

3

Contents

 

Monitoring Twice NAT

5-29

 

 

 

Configuration Examples for Twice NAT

5-30

 

Different Translation Depending on the Destination (Dynamic PAT) 5-30

 

Different Translation Depending on the Destination Address and Port (Dynamic PAT) 5-39

 

Feature History for Twice NAT

5-48

 

 

Configuring NAT (ASA 8.2 and Earlier)

 

C H A P T E R 6

6-1

 

NAT Overview

6-1

 

 

 

 

 

Introduction to NAT

6-1

 

 

 

NAT in Routed Mode

6-2

 

 

 

NAT in Transparent Mode

6-3

 

 

NAT Control

6-4

 

 

 

 

NAT Types

6-6

 

 

 

 

 

Policy NAT

6-11

 

 

 

 

NAT and Same Security Level Interfaces 6-13

 

Order of NAT Rules Used to Match Real Addresses 6-14

 

Mapped Address Guidelines

6-14

 

 

DNS and NAT

6-14

 

 

 

 

Configuring NAT Control

6-16

 

 

 

Using Dynamic NAT

6-17

 

 

 

 

Dynamic NAT Implementation

6-17

 

 

 

 

Managing Global Pools

6-22

 

 

 

 

 

 

Configuring Dynamic NAT, PAT, or Identity NAT

6-23

 

 

Configuring Dynamic Policy NAT or PAT

6-25

 

 

 

Using Static NAT 6-27

 

 

 

 

 

 

 

 

Configuring Static NAT, PAT, or Identity NAT

6-28

 

 

Configuring Static Policy NAT, PAT, or Identity NAT 6-31

 

 

Using NAT Exemption

6-33

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Configuring Access Control

 

 

 

 

 

P A R T 3

 

 

 

 

 

 

 

Configuring Access Rules

 

 

 

 

 

C H A P T E R 7

7-1

 

 

 

 

 

 

Information About Access Rules

7-1

 

 

 

 

 

General Information About Rules

7-2

 

 

 

 

Information About Access Rules

7-5

 

 

 

 

Information About EtherType Rules

7-6

 

 

 

Licensing Requirements for Access Rules

7-7

 

 

 

Guidelines and Limitations

7-7

 

 

 

 

Cisco ASA Series Firewall ASDM Configuration Guide

4

Contents

 

 

 

Default Settings

7-7

 

 

 

 

 

 

 

 

 

 

 

 

Configuring Access Rules

7-8

 

 

 

 

 

 

 

 

 

Adding an Access Rule

 

7-8

 

 

 

 

 

 

 

 

 

Adding an EtherType Rule (Transparent Mode Only)

7-9

 

 

 

 

 

Configuring Management Access Rules

 

7-10

 

 

 

 

 

 

Advanced Access Rule Configuration

7-11

 

 

 

 

 

 

 

Configuring HTTP Redirect

 

7-12

 

 

 

 

 

 

 

 

 

Feature History for Access Rules

 

7-14

 

 

 

 

 

 

 

 

 

Configuring AAA Rules for Network Access

 

 

 

 

C H A P T E R

8

8-1

 

 

 

 

 

 

AAA Performance

8-1

 

 

 

 

 

 

 

 

 

 

 

 

Licensing Requirements for AAA Rules

8-1

 

 

 

 

 

 

 

Guidelines and Limitations

8-2

 

 

 

 

 

 

 

 

 

 

 

Configuring Authentication for Network Access

8-2

 

 

 

 

 

 

Information About Authentication

8-2

 

 

 

 

 

 

 

 

Configuring Network Access Authentication

8-6

 

 

 

 

 

 

Enabling the Redirection Method of Authentication for HTTP and HTTPS

8-7

 

 

 

Enabling Secure Authentication of Web Clients 8-8

 

 

 

 

 

 

Authenticating Directly with the ASA

8-9

 

 

 

 

 

 

 

Configuring the Authentication Proxy Limit

8-11

 

 

 

 

 

 

Configuring Authorization for Network Access

8-12

 

 

 

 

 

 

Configuring TACACS+ Authorization

8-12

 

 

 

 

 

 

 

Configuring RADIUS Authorization

8-13

 

 

 

 

 

 

 

Configuring Accounting for Network Access

8-17

 

 

 

 

 

 

Using MAC Addresses to Exempt Traffic from Authentication and Authorization

8-19

 

 

 

Feature History for AAA Rules

8-20

 

 

 

 

 

 

 

 

 

Configuring Public Servers

 

 

 

 

 

 

 

 

 

C H A P T E R

9

9-1

 

 

 

 

 

 

 

 

 

 

 

Information About Public Servers

 

9-1

 

 

 

 

 

 

 

 

 

Licensing Requirements for Public Servers

9-1

 

 

 

 

 

 

 

Guidelines and Limitations

9-1

 

 

 

 

 

 

 

 

 

 

 

Adding a Public Server that Enables Static NAT

9-2

 

 

 

 

 

 

Adding a Public Server that Enables Static NAT with PAT

9-2

 

 

 

 

 

Editing Settings for a Public Server

9-3

 

 

 

 

 

 

 

 

 

Feature History for Public Servers

9-4

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Configuring Application Inspection

 

 

 

 

 

 

 

P A R T 4

 

 

 

 

 

 

 

 

Cisco ASA Series Firewall ASDM Configuration Guide

5

Contents

C H A P T E R

10

Getting Started with Application Layer Protocol Inspection 10-1

 

 

Information about Application Layer Protocol Inspection 10-1

 

 

How Inspection Engines Work

10-1

 

 

 

 

When to Use Application Protocol Inspection

10-2

 

 

Guidelines and Limitations

10-3

 

 

 

 

 

 

 

Default Settings and NAT Limitations

10-4

 

 

 

 

Configuring Application Layer Protocol Inspection

10-7

 

 

Configuring Inspection of Basic Internet Protocols

 

C H A P T E R

11

11-1

 

 

DNS Inspection

11-1

 

 

 

 

 

 

 

 

 

Information About DNS Inspection

11-2

 

 

 

 

Default Settings for DNS Inspection

11-2

 

 

 

 

(Optional) Configuring a DNS Inspection Policy Map and Class Map 11-3

 

 

Configuring DNS Inspection

11-16

 

 

 

 

 

FTP Inspection

11-17

 

 

 

 

 

 

 

 

 

FTP Inspection Overview

11-17

 

 

 

 

 

 

Using Strict FTP

11-17

 

 

 

 

 

 

 

 

Select FTP Map

11-18

 

 

 

 

 

 

 

 

FTP Class Map 11-19

 

 

 

 

 

 

 

 

Add/Edit FTP Traffic Class Map

11-19

 

 

 

 

Add/Edit FTP Match Criterion

 

11-20

 

 

 

 

FTP Inspect Map

11-21

 

 

 

 

 

 

 

 

File Type Filtering

11-22

 

 

 

 

 

 

 

Add/Edit FTP Policy Map (Security Level)

11-22

 

 

Add/Edit FTP Policy Map (Details)

11-23

 

 

 

 

Add/Edit FTP Map

11-24

 

 

 

 

 

 

 

Verifying and Monitoring FTP Inspection

11-25

 

 

HTTP Inspection

11-26

 

 

 

 

 

 

 

 

HTTP Inspection Overview

11-26

 

 

 

 

 

Select HTTP Map

11-26

 

 

 

 

 

 

 

HTTP Class Map

11-27

 

 

 

 

 

 

 

 

Add/Edit HTTP Traffic Class Map

11-27

 

 

 

 

Add/Edit HTTP Match Criterion

11-28

 

 

 

 

HTTP Inspect Map

11-32

 

 

 

 

 

 

 

URI Filtering

11-33

 

 

 

 

 

 

 

 

Add/Edit HTTP Policy Map (Security Level)

11-33

 

 

Add/Edit HTTP Policy Map (Details)

11-34

 

 

 

 

Add/Edit HTTP Map 11-35

 

 

 

 

 

Cisco ASA Series Firewall ASDM Configuration Guide

6

Contents

ICMP Inspection

11-39

 

 

 

 

 

 

 

ICMP Error Inspection

11-39

 

 

 

 

 

 

Instant Messaging Inspection

11-39

 

 

 

 

IM Inspection Overview

11-40

 

 

 

 

Adding a Class Map for IM Inspection

11-40

 

 

Select IM Map

11-41

 

 

 

 

 

 

IP Options Inspection

11-41

 

 

 

 

 

 

IP Options Inspection Overview

11-41

 

 

 

Configuring IP Options Inspection

11-42

 

 

Select IP Options Inspect Map

11-43

 

 

 

IP Options Inspect Map

11-44

 

 

 

 

 

Add/Edit IP Options Inspect Map

11-44

 

 

IPsec Pass Through Inspection

11-45

 

 

 

 

IPsec Pass Through Inspection Overview

11-45

 

Select IPsec-Pass-Thru Map

11-46

 

 

 

IPsec Pass Through Inspect Map

11-46

 

 

 

Add/Edit IPsec Pass Thru Policy Map (Security Level)

11-47

Add/Edit IPsec Pass Thru Policy Map (Details)

11-47

 

IPv6 Inspection

11-48

 

 

 

 

 

 

 

Information about IPv6 Inspection

11-48

 

 

Default Settings for IPv6 Inspection

11-48

 

 

(Optional) Configuring an IPv6 Inspection Policy Map

11-48

Configuring IPv6 Inspection 11-49

 

 

 

 

NetBIOS Inspection

11-50

 

 

 

 

 

 

NetBIOS Inspection Overview

11-50

 

 

 

Select NETBIOS Map

11-50

 

 

 

 

 

NetBIOS Inspect Map

11-51

 

 

 

 

 

Add/Edit NetBIOS Policy Map

11-51

 

 

 

PPTP Inspection

11-51

 

 

 

 

 

 

 

SMTP and Extended SMTP Inspection

11-52

 

 

SMTP and ESMTP Inspection Overview

11-52

 

 

Select ESMTP Map

11-53

 

 

 

 

 

ESMTP Inspect Map

11-54

 

 

 

 

 

MIME File Type Filtering

11-55

 

 

 

 

Add/Edit ESMTP Policy Map (Security Level)

11-55

 

Add/Edit ESMTP Policy Map (Details)

11-56

 

 

Add/Edit ESMTP Inspect

11-57

 

 

 

 

TFTP Inspection

11-60

 

 

 

 

 

 

 

Cisco ASA Series Firewall ASDM Configuration Guide

7

Contents

C H A P T E R 12

Configuring Inspection for Voice and Video Protocols 12-1

 

CTIQBE Inspection

12-1

 

 

 

 

CTIQBE Inspection Overview

12-1

 

 

Limitations and Restrictions

12-2

 

 

H.323 Inspection

12-2

 

 

 

 

 

H.323 Inspection Overview

12-3

 

 

How H.323 Works

12-3

 

 

 

 

H.239 Support in H.245 Messages

12-4

 

Limitations and Restrictions

12-4

 

 

Select H.323 Map

12-5

 

 

 

 

H.323 Class Map

12-5

 

 

 

 

Add/Edit H.323 Traffic Class Map

12-6

 

Add/Edit H.323 Match Criterion 12-6

 

H.323 Inspect Map

12-7

 

 

 

Phone Number Filtering

12-8

 

 

Add/Edit H.323 Policy Map (Security Level) 12-8

 

Add/Edit H.323 Policy Map (Details)

12-9

 

Add/Edit HSI Group

12-11

 

 

 

Add/Edit H.323 Map 12-11

 

 

 

MGCP Inspection

 

12-12

 

 

 

 

MGCP Inspection Overview

12-12

 

 

Select MGCP Map

12-14

 

 

 

MGCP Inspect Map

12-14

 

 

 

Gateways and Call Agents

12-15

 

 

Add/Edit MGCP Policy Map

12-15

 

 

Add/Edit MGCP Group

12-16

 

 

RTSP Inspection

12-16

 

 

 

 

 

RTSP Inspection Overview

12-17

 

 

Using RealPlayer

12-17

 

 

 

 

Restrictions and Limitations

12-18

 

 

Select RTSP Map

12-18

 

 

 

 

RTSP Inspect Map

12-18

 

 

 

Add/Edit RTSP Policy Map

12-19

 

 

RTSP Class Map

12-19

 

 

 

 

Add/Edit RTSP Traffic Class Map

12-20

 

SIP Inspection

12-20

 

 

 

 

 

SIP Inspection Overview

12-21

 

 

SIP Instant Messaging

12-22

 

 

Select SIP Map

12-22

 

 

 

Cisco ASA Series Firewall ASDM Configuration Guide

8

Contents

 

 

SIP Class Map

12-23

 

 

 

 

 

 

 

Add/Edit SIP Traffic Class Map

12-24

 

 

 

 

Add/Edit SIP Match Criterion

 

12-24

 

 

 

 

SIP Inspect Map

12-26

 

 

 

 

 

 

 

Add/Edit SIP Policy Map (Security Level)

12-27

 

 

 

Add/Edit SIP Policy Map (Details)

12-28

 

 

 

 

Add/Edit SIP Inspect

12-30

 

 

 

 

 

 

 

Skinny (SCCP) Inspection

12-32

 

 

 

 

 

 

 

SCCP Inspection Overview

 

12-32

 

 

 

 

Supporting Cisco IP Phones

 

12-33

 

 

 

 

Restrictions and Limitations

 

12-33

 

 

 

 

Select SCCP (Skinny) Map

12-34

 

 

 

 

 

SCCP (Skinny) Inspect Map

 

12-34

 

 

 

 

Message ID Filtering

12-35

 

 

 

 

 

 

 

Add/Edit SCCP (Skinny) Policy Map (Security Level) 12-36

 

 

 

Add/Edit SCCP (Skinny) Policy Map (Details) 12-37

 

 

 

Add/Edit Message ID Filter

 

12-38

 

 

 

 

Configuring Inspection of Database and Directory Protocols

 

C H A P T E R

13

13-1

 

 

ILS Inspection

13-1

 

 

 

 

 

 

 

 

 

SQL*Net Inspection

13-2

 

 

 

 

 

 

 

Sun RPC Inspection

13-3

 

 

 

 

 

 

 

Sun RPC Inspection Overview

13-3

 

 

 

 

SUNRPC Server

13-3

 

 

 

 

 

 

 

Add/Edit SUNRPC Service

13-4

 

 

 

 

 

Configuring Inspection for Management Application Protocols

 

C H A P T E R

14

14-1

 

 

DCERPC Inspection

14-1

 

 

 

 

 

 

 

DCERPC Overview

14-1

 

 

 

 

 

 

 

Select DCERPC Map

14-2

 

 

 

 

 

 

 

DCERPC Inspect Map

14-2

 

 

 

 

 

 

 

Add/Edit DCERPC Policy Map

14-3

 

 

 

 

GTP Inspection

14-4

 

 

 

 

 

 

 

 

 

GTP Inspection Overview 14-5

 

 

 

 

 

Select GTP Map

14-5

 

 

 

 

 

 

 

GTP Inspect Map

14-6

 

 

 

 

 

 

 

IMSI Prefix Filtering

14-7

 

 

 

 

 

 

 

Add/Edit GTP Policy Map (Security Level)

14-7

 

 

 

Add/Edit GTP Policy Map (Details)

14-8

 

 

Cisco ASA Series Firewall ASDM Configuration Guide

9

16-14

Contents

Add/Edit GTP Map

14-9

 

RADIUS Accounting Inspection

14-10

RADIUS Accounting Inspection Overview 14-11

Select RADIUS Accounting Map 14-11

Add RADIUS Accounting Policy Map 14-11

RADIUS Inspect Map

14-12

 

RADIUS Inspect Map Host

14-12

RADIUS Inspect Map Other

14-13

RSH Inspection

14-13

 

 

SNMP Inspection

14-13

 

 

SNMP Inspection Overview

14-14

Select SNMP Map

14-14

 

SNMP Inspect Map

14-14

 

 

 

 

XDMCP Inspection 14-15

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Configuring Unified Communications

 

 

 

 

 

P A R T 5

 

 

 

 

 

 

 

 

 

Information About Cisco Unified Communications Proxy Features

 

 

 

C H A P T E R

15

15-1

 

 

 

 

Information About the Adaptive Security Appliance in Cisco Unified Communications

15-1

 

 

 

TLS Proxy Applications in Cisco Unified Communications

15-3

 

 

 

 

 

 

Licensing for Cisco Unified Communications Proxy Features

15-4

 

 

 

 

 

 

Using the Cisco Unified Communication Wizard 16-1

 

 

 

 

C H A P T E R

16

 

 

 

 

 

 

 

Information about the Cisco Unified Communication Wizard

16-1

 

 

 

 

 

 

Licensing Requirements for the Unified Communication Wizard 16-3

 

 

 

 

 

 

Guidelines and Limitations 16-4

 

 

 

 

 

 

 

 

Configuring the Phone Proxy by using the Unified Communication Wizard 16-4

 

 

 

 

Configuring the Private Network for the Phone Proxy

16-5

 

 

 

 

 

 

Configuring Servers for the Phone Proxy

16-6

 

 

 

 

 

 

 

Enabling Certificate Authority Proxy Function (CAPF) for IP Phones

16-8

 

 

 

 

Configuring the Public IP Phone Network

16-9

 

 

 

 

 

 

 

Configuring the Media Termination Address for Unified Communication Proxies

16-10

 

 

 

Configuring the Mobility Advantage by using the Unified Communication Wizard 16-11

 

 

 

Configuring the Topology for the Cisco Mobility Advantage Proxy

16-12

 

 

 

 

Configuring the Server-Side Certificates for the Cisco Mobility Advantage Proxy

16-12

 

 

 

Configuring the Client-Side Certificates for the Cisco Mobility Advantage Proxy

16-13

Configuring the Presence Federation Proxy by using the Unified Communication Wizard 16-14

Configuring the Topology for the Cisco Presence Federation Proxy

Cisco ASA Series Firewall ASDM Configuration Guide

10

Contents

 

Configuring the Local-Side Certificates for the Cisco Presence Federation Proxy

16-15

 

 

Configuring the Remote-Side Certificates for the Cisco Presence Federation Proxy

16-15

 

 

Configuring the UC-IME by using the Unified Communication Wizard 16-16

 

 

 

 

Configuring the Topology for the Cisco Intercompany Media Engine Proxy

16-17

 

 

 

Configuring the Private Network Settings for the Cisco Intercompany Media Engine Proxy

16-18

 

Adding a Cisco Unified Communications Manager Server for the UC-IME Proxy

16-20

 

 

Configuring the Public Network Settings for the Cisco Intercompany Media Engine Proxy

16-20

 

Configuring the Local-Side Certificates for the Cisco Intercompany Media Engine Proxy

16-21

 

Configuring the Remote-Side Certificates for the Cisco Intercompany Media Engine Proxy

16-22

 

Working with Certificates in the Unified Communication Wizard

16-23

 

 

 

 

Exporting an Identity Certificate

16-23

 

 

 

 

 

 

Installing a Certificate

16-23

 

 

 

 

 

 

 

 

 

Generating a Certificate Signing Request (CSR) for a Unified Communications Proxy 16-24

 

Saving the Identity Certificate Request

16-25

 

 

 

 

 

Installing the ASA Identity Certificate on the Mobility Advantage Server

16-26

 

 

 

Installing the ASA Identity Certificate on the Presence Federation and Cisco Intercompany Media

 

Engine Servers 16-26

 

 

 

 

 

 

 

 

 

 

 

Configuring the Cisco Phone Proxy

 

 

 

 

 

 

 

C H A P T E R 17

17-1

 

 

 

 

 

 

 

Information About the Cisco Phone Proxy

17-1

 

 

 

 

 

 

Phone Proxy Functionality

17-1

 

 

 

 

 

 

 

 

 

Supported Cisco UCM and IP Phones for the Phone Proxy

17-3

 

 

 

 

Licensing Requirements for the Phone Proxy

17-4

 

 

 

 

 

Prerequisites for the Phone Proxy

17-6

 

 

 

 

 

 

 

 

Media Termination Instance Prerequisites

17-6

 

 

 

 

 

Certificates from the Cisco UCM

 

17-7

 

 

 

 

 

 

 

DNS Lookup Prerequisites

17-7

 

 

 

 

 

 

 

 

 

Cisco Unified Communications Manager Prerequisites 17-7

 

 

 

 

ACL Rules 17-7

 

 

 

 

 

 

 

 

 

 

 

NAT and PAT Prerequisites

17-8

 

 

 

 

 

 

 

 

Prerequisites for IP Phones on Multiple Interfaces 17-9

 

 

 

 

 

7960 and 7940 IP Phones Support

17-9

 

 

 

 

 

 

Cisco IP Communicator Prerequisites

17-10

 

 

 

 

 

 

Prerequisites for Rate Limiting TFTP Requests 17-10

 

 

 

 

 

End-User Phone Provisioning

17-11

 

 

 

 

 

 

 

Phone Proxy Guidelines and Limitations

17-12

 

 

 

 

 

 

Configuring the Phone Proxy

17-14

 

 

 

 

 

 

 

 

 

Task Flow for Configuring the Phone Proxy

17-14

 

 

 

 

 

Creating the CTL File

17-15

 

 

 

 

 

 

 

 

 

Cisco ASA Series Firewall ASDM Configuration Guide

11

Contents

Adding or Editing a Record Entry in a CTL File 17-16

Creating the Media Termination Instance 17-17

Creating the Phone Proxy Instance 17-18

 

Adding or Editing the TFTP Server for a Phone Proxy

17-20

 

 

Configuring Linksys Routers with UDP Port Forwarding for the Phone Proxy

17-21

 

Feature History for the Phone Proxy 17-22

 

 

 

 

Configuring the TLS Proxy for Encrypted Voice Inspection

 

 

C H A P T E R 18

18-1

 

 

Information about the TLS Proxy for Encrypted Voice Inspection 18-1

 

 

Decryption and Inspection of Unified Communications Encrypted Signaling

18-2

 

Supported Cisco UCM and IP Phones for the TLS Proxy

 

18-3

 

 

Licensing for the TLS Proxy 18-4

 

 

 

 

Prerequisites for the TLS Proxy for Encrypted Voice Inspection

18-6

 

 

Configuring the TLS Proxy for Encrypted Voice Inspection

18-6

 

 

CTL Provider 18-6

 

 

 

 

 

Add/Edit CTL Provider 18-7

 

 

 

 

 

 

Configure TLS Proxy Pane

18-8

 

 

 

 

 

 

Adding a TLS Proxy Instance

18-9

 

 

 

 

 

Add TLS Proxy Instance Wizard – Server Configuration

18-9

 

 

Add TLS Proxy Instance Wizard – Client Configuration

18-10

 

 

Add TLS Proxy Instance Wizard – Other Steps

18-12

 

 

 

 

Edit TLS Proxy Instance – Server Configuration

18-13

 

 

 

 

Edit TLS Proxy Instance – Client Configuration

18-14

 

 

 

 

TLS Proxy 18-16

 

 

 

 

 

 

 

Feature History for the TLS Proxy for Encrypted Voice Inspection

18-17

 

 

Configuring Cisco Mobility Advantage

 

 

 

 

C H A P T E R

19

19-1

 

 

 

 

 

Information about the Cisco Mobility Advantage Proxy Feature

19-1

 

 

Cisco Mobility Advantage Proxy Functionality

19-1

 

 

 

 

Mobility Advantage Proxy Deployment Scenarios 19-2

 

 

 

Trust Relationships for Cisco UMA Deployments

19-4

 

 

 

Licensing for the Cisco Mobility Advantage Proxy Feature

19-6

 

 

 

Configuring Cisco Mobility Advantage

19-6

 

 

 

 

 

Task Flow for Configuring Cisco Mobility Advantage

19-7

 

 

 

Feature History for Cisco Mobility Advantage 19-7

 

 

 

 

 

Configuring Cisco Unified Presence

 

 

 

 

C H A P T E R

20

20-1

 

 

 

 

 

Information About Cisco Unified Presence 20-1

 

 

 

Cisco ASA Series Firewall ASDM Configuration Guide

12

Contents

 

Architecture for Cisco Unified Presence for SIP Federation Deployments 20-1

 

 

Trust Relationship in the Presence Federation

20-4

 

 

 

Security Certificate Exchange Between Cisco UP and the Security Appliance

20-5

 

XMPP Federation Deployments

20-5

 

 

 

 

 

Configuration Requirements for XMPP Federation

20-6

 

 

 

Licensing for Cisco Unified Presence

20-7

 

 

 

 

 

Configuring Cisco Unified Presence Proxy for SIP Federation

20-8

 

 

Task Flow for Configuring Cisco Unified Presence Federation Proxy for SIP Federation 20-9

 

Feature History for Cisco Unified Presence 20-9

 

 

 

 

 

Configuring Cisco Intercompany Media Engine Proxy

 

 

 

C H A P T E R 21

21-1

 

 

 

Information About Cisco Intercompany Media Engine Proxy

21-1

 

 

Features of Cisco Intercompany Media Engine Proxy

21-1

 

 

How the UC-IME Works with the PSTN and the Internet

21-2

 

 

Tickets and Passwords

21-3

 

 

 

 

 

 

Call Fallback to the PSTN 21-5

 

 

 

 

 

 

Architecture and Deployment Scenarios for Cisco Intercompany Media Engine

21-5

 

Licensing for Cisco Intercompany Media Engine

21-8

 

 

 

 

Guidelines and Limitations

21-9

 

 

 

 

 

Configuring Cisco Intercompany Media Engine Proxy

21-11

 

 

Task Flow for Configuring Cisco Intercompany Media Engine

21-11

Configuring NAT for Cisco Intercompany Media Engine Proxy

21-12

Configuring PAT for the Cisco UCM Server

21-14

 

 

 

Creating ACLs for Cisco Intercompany Media Engine Proxy

21-16

Creating the Media Termination Instance

21-17

 

 

 

Creating the Cisco Intercompany Media Engine Proxy

21-18

 

Creating Trustpoints and Generating Certificates

21-21

 

Creating the TLS Proxy 21-24

 

 

 

 

Enabling SIP Inspection for the Cisco Intercompany Media Engine Proxy 21-25

(Optional) Configuring TLS within the Local Enterprise

21-27

(Optional) Configuring Off Path Signaling

21-30

 

 

 

 

 

Configuring the Cisco UC-IMC Proxy by using the UC-IME Proxy Pane 21-31

 

 

Configuring the Cisco UC-IMC Proxy by using the Unified Communications Wizard 21-33

 

 

Feature History for Cisco Intercompany Media Engine Proxy 21-37

 

 

 

 

 

Configuring Connection Settings and QoS

 

P A R T 6

Cisco ASA Series Firewall ASDM Configuration Guide

13

Contents

C H A P T E R 22

Configuring Connection Settings

22-1

 

 

Information About Connection Settings

22-1

 

TCP Intercept and Limiting Embryonic Connections 22-2

 

Disabling TCP Intercept for Management Packets for Clientless SSL Compatibility 22-2

 

Dead Connection Detection (DCD)

22-2

 

TCP Sequence Randomization

22-3

 

 

TCP Normalization

22-3

 

 

 

TCP State Bypass

22-3

 

 

 

Licensing Requirements for Connection Settings 22-4

 

Guidelines and Limitations 22-5

 

 

 

Default Settings 22-5

 

 

 

 

Configuring Connection Settings

22-6

 

 

 

Task Flow For Configuring Connection Settings

22-6

 

Customizing the TCP Normalizer with a TCP Map

22-6

 

Configuring Connection Settings

22-8

 

 

Configuring Global Timeouts

22-9

 

 

Feature History for Connection Settings 22-11

 

 

Configuring QoS

 

 

 

 

 

C H A P T E R 23

23-1

 

 

 

 

 

Information About QoS 23-1

 

 

 

 

Supported QoS Features

23-2

 

 

 

What is a Token Bucket?

23-2

 

 

 

Information About Policing

23-3

 

 

 

Information About Priority Queuing

23-3

 

 

Information About Traffic Shaping

23-4

 

 

How QoS Features Interact

23-4

 

 

 

DSCP and DiffServ Preservation

23-5

 

 

Licensing Requirements for QoS

23-5

 

 

 

Guidelines and Limitations

23-5

 

 

 

 

Configuring QoS

23-6

 

 

 

 

 

Determining the Queue and TX Ring Limits for a Standard Priority Queue 23-7

 

Configuring the Standard Priority Queue for an Interface 23-8

 

Configuring a Service Rule for Standard Priority Queuing and Policing 23-9

 

Configuring a Service Rule for Traffic Shaping and Hierarchical Priority Queuing 23-10

 

Monitoring QoS

23-11

 

 

 

 

 

Viewing QoS Police Statistics

23-12

 

 

Viewing QoS Standard Priority Statistics 23-12

 

 

Viewing QoS Shaping Statistics

23-13

 

Cisco ASA Series Firewall ASDM Configuration Guide

14

25-23
25-10

Contents

 

 

 

Viewing QoS Standard Priority Queue Statistics

23-13

 

 

 

 

Feature History for QoS

23-14

 

 

 

 

 

 

 

 

 

Troubleshooting Connections and Resources

 

 

 

C H A P T E R

24

24-1

 

 

 

 

 

Testing Your Configuration

24-1

 

 

 

 

 

 

 

 

 

Pinging ASA Interfaces

24-1

 

 

 

 

 

 

 

 

 

Verifying ASA Configuration and Operation, and Testing Interfaces Using Ping 24-3

 

 

 

Determining Packet Routing with Traceroute

24-6

 

 

 

 

 

Tracing Packets with Packet Tracer

24-7

 

 

 

 

 

 

 

Monitoring Performance

 

24-8

 

 

 

 

 

 

 

 

 

Monitoring System Resources

24-9

 

 

 

 

 

 

 

 

Blocks

24-9

 

 

 

 

 

 

 

 

 

 

 

 

CPU 24-10

 

 

 

 

 

 

 

 

 

 

 

 

Memory

24-10

 

 

 

 

 

 

 

 

 

 

 

 

Monitoring Connections

 

24-11

 

 

 

 

 

 

 

 

 

Monitoring Per-Process CPU Usage

24-12

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Configuring Advanced Network Protection

 

 

 

 

P A R T 7

 

 

 

 

 

 

 

 

Configuring the ASA for Cisco Cloud Web Security

 

 

C H A P T E R

25

25-1

 

 

 

 

Information About Cisco Cloud Web Security

25-2

 

 

 

 

 

 

Redirection of Web Traffic to Cloud Web Security

25-2

 

 

 

 

User Authentication and Cloud Web Security

25-2

 

 

 

 

 

Authentication Keys

 

25-3

 

 

 

 

 

 

 

 

 

ScanCenter Policy

25-4

 

 

 

 

 

 

 

 

 

 

Cloud Web Security Actions

25-5

 

 

 

 

 

 

 

 

Bypassing Scanning with Whitelists 25-6

 

 

 

 

 

 

 

IPv4 and IPv6 Support

25-6

 

 

 

 

 

 

 

 

 

Failover from Primary to Backup Proxy Server

25-6

 

 

 

 

 

Licensing Requirements for Cisco Cloud Web Security

25-6

 

 

 

 

Prerequisites for Cloud Web Security

25-7

 

 

 

 

 

 

 

Guidelines and Limitations

25-7

 

 

 

 

 

 

 

 

 

Default Settings 25-8

 

 

 

 

 

 

 

 

 

 

 

 

Configuring Cisco Cloud Web Security

25-8

 

 

 

 

Configuring Communication with the Cloud Web Security Proxy Server 25-8

(Multiple Context Mode) Allowing Cloud Web Security Per Security Context 25-10

Configuring a Service Policy to Send Traffic to Cloud Web Security (Optional) Configuring Whitelisted Traffic

Cisco ASA Series Firewall ASDM Configuration Guide

15

26-6
26-6

Contents

(Optional) Configuring the User Identity Monitor 25-25

Configuring the Cloud Web Security Policy

25-26

Monitoring Cloud Web Security 25-26

 

Related Documents 25-27

 

Feature History for Cisco Cloud Web Security

25-27

C H A P T E R 26

Configuring the Botnet Traffic Filter

26-1

 

 

Information About the Botnet Traffic Filter

26-1

 

Botnet Traffic Filter Address Types

26-2

 

Botnet Traffic Filter Actions for Known Addresses 26-2

 

Botnet Traffic Filter Databases

26-2

 

How the Botnet Traffic Filter Works 26-5

Licensing Requirements for the Botnet Traffic Filter 26-6

Prerequisites for the Botnet Traffic Filter

Guidelines and Limitations

Default Settings 26-6

 

Configuring the Botnet Traffic Filter

26-7

 

 

 

 

Task Flow for Configuring the Botnet Traffic Filter

26-7

 

Configuring the Dynamic Database

26-8

 

 

Adding Entries to the Static Database

 

26-9

 

 

Enabling DNS Snooping

26-9

 

 

 

 

 

Enabling Traffic Classification and Actions for the Botnet Traffic Filter 26-10

 

Blocking Botnet Traffic Manually

26-12

 

 

 

Searching the Dynamic Database

26-13

 

 

Monitoring the Botnet Traffic Filter

26-14

 

 

 

Botnet Traffic Filter Syslog Messaging

26-14

 

 

Botnet Traffic Filter Monitor Panes

26-15

 

 

Where to Go Next

26-16

 

 

 

 

 

 

Feature History for the Botnet Traffic Filter

26-16

 

 

Configuring Threat Detection

 

 

 

 

 

C H A P T E R 27

27-1

 

 

 

 

 

Information About Threat Detection

27-1

 

 

 

 

Licensing Requirements for Threat Detection

27-1

 

 

Configuring Basic Threat Detection Statistics

27-2

 

 

Information About Basic Threat Detection Statistics

27-2

 

Guidelines and Limitations 27-3

 

 

 

 

 

Default Settings

27-3

 

 

 

 

 

 

Configuring Basic Threat Detection Statistics 27-4

 

Cisco ASA Series Firewall ASDM Configuration Guide

16

Contents

 

 

Monitoring Basic Threat Detection Statistics

27-4

 

 

 

 

Feature History for Basic Threat Detection Statistics

27-5

 

 

 

Configuring Advanced Threat Detection Statistics

27-5

 

 

 

 

Information About Advanced Threat Detection Statistics

27-5

 

 

Guidelines and Limitations

27-5

 

 

 

 

 

 

 

Default Settings

 

27-6

 

 

 

 

 

 

 

 

 

 

Configuring Advanced Threat Detection Statistics

27-6

 

 

 

Monitoring Advanced Threat Detection Statistics

27-7

 

 

 

Feature History for Advanced Threat Detection Statistics

27-8

 

 

Configuring Scanning Threat Detection

27-8

 

 

 

 

 

Information About Scanning Threat Detection

27-9

 

 

 

Guidelines and Limitations

27-9

 

 

 

 

 

 

 

Default Settings

 

27-10

 

 

 

 

 

 

 

 

 

 

Configuring Scanning Threat Detection

27-10

 

 

 

 

Feature History for Scanning Threat Detection

27-11

 

 

 

Using Protection Tools

 

 

 

 

 

 

 

 

 

 

C H A P T E R

28

 

28-1

 

 

 

 

 

 

 

 

 

 

Preventing IP Spoofing

28-1

 

 

 

 

 

 

 

 

 

 

Configuring the Fragment Size

28-2

 

 

 

 

 

 

 

 

Show Fragment

28-2

 

 

 

 

 

 

 

 

 

 

Configuring TCP Options 28-3

 

 

 

 

 

 

 

 

 

TCP Reset Settings

28-4

 

 

 

 

 

 

 

 

 

Configuring IP Audit for Basic IPS Support

 

28-5

 

 

 

 

 

IP Audit Policy

28-5

 

 

 

 

 

 

 

 

 

 

Add/Edit IP Audit Policy Configuration

28-5

 

 

 

 

 

IP Audit Signatures

28-6

 

 

 

 

 

 

 

 

 

IP Audit Signature List

28-6

 

 

 

 

 

 

 

 

Configuring Filtering Services

 

 

 

 

 

 

 

 

C H A P T E R

29

 

29-1

 

 

 

 

 

 

 

 

Information About Web Traffic Filtering

29-1

 

 

 

 

 

Filtering URLs and FTP Requests with an External Server

29-2

 

 

 

Information About URL Filtering

29-2

 

 

 

 

 

 

Licensing Requirements for URL Filtering 29-3

 

 

 

 

Guidelines and Limitations for URL Filtering

29-3

 

 

 

 

Identifying the Filtering Server

29-3

 

 

 

 

 

 

 

Configuring Additional URL Filtering Settings

29-4

 

 

 

 

Configuring Filtering Rules

29-6

 

 

 

 

 

 

 

 

Filtering the Rule Table

29-11

 

 

 

 

 

 

 

 

Defining Queries

 

29-12

 

 

 

 

 

 

 

 

Cisco ASA Series Firewall ASDM Configuration Guide

17

Contents

 

 

Feature History for URL Filtering

29-12

 

 

 

 

 

 

 

 

 

 

 

Configuring Modules

 

 

 

 

P A R T 8

 

 

 

 

 

 

Configuring the ASA CX Module 30-1

 

 

 

C H A P T E R 30

 

 

 

 

 

Information About the ASA CX Module

30-1

 

 

 

 

How the ASA CX Module Works with the ASA

30-2

 

 

Monitor-Only Mode

30-3

 

 

 

 

 

Information About ASA CX Management

30-4

 

 

 

Information About Authentication Proxy

30-5

 

 

 

Information About VPN and the ASA CX Module

30-5

 

 

Compatibility with ASA Features

30-5

 

 

 

 

Licensing Requirements for the ASA CX Module 30-6

 

 

Prerequisites 30-6

 

 

 

 

 

 

Guidelines and Limitations

30-6

 

 

 

 

 

Default Settings 30-8

 

 

 

 

Configuring the ASA CX Module 30-8

Task Flow for the ASA CX Module 30-8

Connecting the ASA CX Management Interface 30-9

(ASA 5512-X through ASA 5555-X; May Be Required) Installing the Software Module 30-12

(ASA 5585-X) Changing the ASA CX Management IP Address 30-14

 

Configuring Basic ASA CX Settings at the ASA CX CLI

30-16

 

Configuring the Security Policy on the ASA CX Module Using PRSM 30-17

 

(Optional) Configuring the Authentication Proxy Port

30-18

 

Redirecting Traffic to the ASA CX Module

30-19

 

 

Managing the ASA CX Module

30-23

 

 

 

 

Resetting the Password 30-23

 

 

 

 

Reloading or Resetting the Module

30-24

 

 

Shutting Down the Module

30-25

 

 

 

 

(ASA 5512-X through ASA 5555-X) Uninstalling a Software Module Image

30-26

(ASA 5512-X through ASA 5555-X) Sessioning to the Module From the ASA

30-26

Monitoring the ASA CX Module

30-27

 

 

 

 

Showing Module Status

30-28

 

 

 

 

Showing Module Statistics

30-28

 

 

 

 

Monitoring Module Connections

30-28

 

 

 

Capturing Module Traffic

30-32

 

 

 

 

Troubleshooting the ASA CX Module

30-32

 

 

 

Problems with the Authentication Proxy

30-32

 

 

Cisco ASA Series Firewall ASDM Configuration Guide

18

Contents

 

Feature History for the ASA CX Module

30-33

 

 

Configuring the ASA IPS Module 31-1

 

 

C H A P T E R 31

 

 

 

Information About the ASA IPS Module

31-1

 

 

How the ASA IPS Module Works with the ASA

31-2

 

Operating Modes 31-3

 

 

 

Using Virtual Sensors (ASA 5510 and Higher)

31-3

 

Information About Management Access 31-4

 

 

Licensing Requirements for the ASA IPS module 31-5

 

Guidelines and Limitations 31-5

 

 

 

Default Settings 31-6

 

 

 

Configuring the ASA IPS module

31-7

 

 

 

 

Task Flow for the ASA IPS Module

31-7

 

 

Connecting the ASA IPS Management Interface

31-8

 

Sessioning to the Module from the ASA (May Be Required) 31-11

 

(ASA 5512-X through ASA 5555-X) Booting the Software Module 31-12

 

Configuring Basic IPS Module Network Settings

31-12

 

Configuring the Security Policy on the ASA IPS Module 31-15

 

Assigning Virtual Sensors to a Security Context (ASA 5510 and Higher) 31-17

 

Diverting Traffic to the ASA IPS module

31-18

 

 

Managing the ASA IPS module

31-19

 

 

 

 

Installing and Booting an Image on the Module

31-20

 

Shutting Down the Module

31-22

 

 

 

 

Uninstalling a Software Module Image

31-22

 

 

Resetting the Password

31-23

 

 

 

 

Reloading or Resetting the Module

31-24

 

 

Monitoring the ASA IPS module

31-24

 

 

 

 

Feature History for the ASA IPS module

31-25

 

 

Configuring the ASA CSC Module

 

 

 

 

C H A P T E R 32

32-1

 

 

 

 

Information About the CSC SSM

32-1

 

 

 

 

Determining What Traffic to Scan

32-3

 

 

Licensing Requirements for the CSC SSM

32-5

 

 

Prerequisites for the CSC SSM

32-5

 

 

 

 

Guidelines and Limitations

32-6

 

 

 

 

 

Default Settings 32-6

 

 

 

 

 

 

Configuring the CSC SSM

32-7

 

 

 

 

 

Before Configuring the CSC SSM

32-7

 

 

Cisco ASA Series Firewall ASDM Configuration Guide

19

Contents

Connecting to the CSC SSM

32-8

Determining Service Policy Rule Actions for CSC Scanning 32-9

CSC SSM Setup Wizard

32-10

 

Activation/License

 

32-11

 

IP Configuration

32-11

 

Host/Notification Settings

32-12

Management Access Host/Networks 32-13

Password

32-13

 

 

 

Restoring the Default Password 32-14

Wizard Setup

32-15

 

Using the CSC SSM GUI

32-20

 

Web

32-20

 

 

 

 

Mail

32-21

 

 

 

 

SMTP Tab

32-21

 

 

 

POP3 Tab

32-22

 

 

 

File Transfer

32-22

 

 

Updates

32-23

 

 

 

Monitoring the CSC SSM

32-24

 

Threats

 

32-24

 

 

 

 

Live Security Events

32-25

 

Live Security Events Log 32-25

Software Updates

 

32-26

 

Resource Graphs

32-27

 

Troubleshooting the CSC Module

32-27

Additional References

 

32-31

 

Feature History for the CSC SSM

32-31

I N D E X

Cisco ASA Series Firewall ASDM Configuration Guide

20

About This Guide

This preface introduces Cisco ASA Series Firewall ASDM Configuration Guide and includes the following sections:

Document Objectives, page 3

Related Documentation, page 3

Conventions, page 4

Obtaining Documentation and Submitting a Service Request, page 4

Document Objectives

The purpose of this guide is to help you configure the firewall features for ASA using ASDM. This guide does not cover every feature, but describes only the most common configuration scenarios.

This guide applies to the Cisco ASA series. Throughout this guide, the term “ASA” applies generically to supported models, unless specified otherwise.

Note ASDM supports many ASA versions. The ASDM documentation and online help includes all of the latest features supported by the ASA. If you are running an older version of ASA software, the documentation might include features that are not supported in your version. Similarly, if a feature was added into a maintenance release for an older major or minor version, then the ASDM documentation includes the new feature even though that feature might not be available in all later ASA releases. Please refer to the feature history table for each chapter to determine when features were added. For the minimum supported version of ASDM for each ASA version, see Cisco ASA Series Compatibility.

Related Documentation

For more information, see Navigating the Cisco ASA Series Documentation at

http://www.cisco.com/go/asadocs.

Cisco ASA Series Firewall ASDM Configuration Guide

3

Conventions

This document uses the following conventions:

Convention

Indication

 

 

bold font

Commands and keywords and user-entered text appear in bold font.

 

 

italic font

Document titles, new or emphasized terms, and arguments for which you supply

 

 

values are in italic font.

 

 

 

[

]

Elements in square brackets are optional.

 

 

{x | y | z }

Required alternative keywords are grouped in braces and separated by

 

 

vertical bars.

 

 

[ x | y | z ]

Optional alternative keywords are grouped in brackets and separated by

 

 

vertical bars.

 

 

string

A nonquoted set of characters. Do not use quotation marks around the string or

 

 

the string will include the quotation marks.

 

 

courier font

Terminal sessions and information the system displays appear in courier font.

 

 

courier bold font

Commands and keywords and user-entered text appear in bold courier font.

 

 

courier italic font

Arguments for which you supply values are in courier italic font.

 

 

 

<

>

Nonprinting characters such as passwords are in angle brackets.

 

 

 

[

]

Default responses to system prompts are in square brackets.

 

 

!, #

An exclamation point (!) or a pound sign (#) at the beginning of a line of code

 

 

indicates a comment line.

 

 

 

Note Means reader take note.

Tip Means the following information will help you solve a problem.

Caution Means reader be careful. In this situation, you might perform an action that could result in equipment damage or loss of data.

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What’s New in Cisco Product Documentation at: http://www.cisco.com/c/en/us/td/docs/general/whatsnew/whatsnew.html.

Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised

Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service.

Cisco ASA Series Firewall ASDM Configuration Guide

4

P A R T 1

Configuring Service Policies

C H A P T E R 1

Configuring a Service Policy

Service policies provide a consistent and flexible way to configure ASA features. For example, you can use a service policy to create a timeout configuration that is specific to a particular TCP application, as opposed to one that applies to all TCP applications. A service policy consists of multiple service policy rules applied to an interface or applied globally.

This chapter includes the following sections:

Information About Service Policies, page 1-1

Licensing Requirements for Service Policies, page 1-5

Guidelines and Limitations, page 1-6

Default Settings, page 1-7

Task Flows for Configuring Service Policies, page 1-8

Adding a Service Policy Rule for Through Traffic, page 1-8

Adding a Service Policy Rule for Management Traffic, page 1-13

Managing the Order of Service Policy Rules, page 1-15

Feature History for Service Policies, page 1-17

Information About Service Policies

This section describes how service policies work and includes the following topics:

Supported Features, page 1-1

Feature Directionality, page 1-2

Feature Matching Within a Service Policy, page 1-3

Order in Which Multiple Feature Actions are Applied, page 1-4

Incompatibility of Certain Feature Actions, page 1-5

Feature Matching for Multiple Service Policies, page 1-5

Supported Features

Table 1-1 lists the features supported by service policy rules.

Cisco ASA Series Firewall ASDM Configuration Guide

1-1

Chapter 1 Configuring a Service Policy

Information About Service Policies

Table 1-1

Service Policy Rule Features

 

 

 

 

 

 

 

 

 

For Through

For Management

 

Feature

 

Traffic?

Traffic?

See:

 

 

 

 

Application inspection (multiple

All except

RADIUS

Chapter 10, “Getting Started with Application

types)

 

RADIUS

accounting only

Layer Protocol Inspection.”

 

 

accounting

 

Chapter 11, “Configuring Inspection of Basic

 

 

 

 

 

 

 

 

Internet Protocols.”

 

 

 

 

Chapter 12, “Configuring Inspection for Voice

 

 

 

 

and Video Protocols.”

 

 

 

 

Chapter 13, “Configuring Inspection of Database

 

 

 

 

and Directory Protocols.”

 

 

 

 

Chapter 14, “Configuring Inspection for

 

 

 

 

Management Application Protocols.”

 

 

 

 

Chapter 25, “Configuring the ASA for Cisco

 

 

 

 

Cloud Web Security.”

 

 

 

 

 

ASA CSC

 

Yes

No

Chapter 32, “Configuring the ASA CSC Module.”

 

 

 

 

 

ASA IPS

 

Yes

No

Chapter 31, “Configuring the ASA IPS Module.”

 

 

 

 

 

ASA CX

 

Yes

No

Chapter 30, “Configuring the ASA CX Module.”

 

 

 

 

NetFlow Secure Event Logging

Yes

Yes

Chapter 43, “Configuring NetFlow Secure Event

filtering

 

 

 

Logging (NSEL),” in the general operations

 

 

 

 

configuration guide.

 

 

 

 

QoS input and output policing

Yes

No

Chapter 23, “Configuring QoS.”

 

 

 

 

QoS standard priority queue

Yes

No

Chapter 23, “Configuring QoS.”

 

 

 

 

QoS traffic shaping, hierarchical

Yes

Yes

Chapter 23, “Configuring QoS.”

priority queue

 

 

 

 

 

 

 

 

TCP and UDP connection limits

Yes

Yes

Chapter 22, “Configuring Connection Settings.”

and timeouts, and TCP sequence

 

 

 

number randomization

 

 

 

 

 

 

 

TCP normalization

Yes

No

Chapter 22, “Configuring Connection Settings.”

 

 

 

 

 

TCP state bypass

 

Yes

No

Chapter 22, “Configuring Connection Settings.”

 

 

 

 

User statistics for Identity

Yes

Yes

See the user-statistics command in the command

Firewall

 

 

 

reference.

 

 

 

 

 

Feature Directionality

Actions are applied to traffic bidirectionally or unidirectionally depending on the feature. For features that are applied bidirectionally, all traffic that enters or exits the interface to which you apply the policy map is affected if the traffic matches the class map for both directions.

Cisco ASA Series Firewall ASDM Configuration Guide

1-2

Chapter 1 Configuring a Service Policy

Information About Service Policies

Note When you use a global policy, all features are unidirectional; features that are normally bidirectional when applied to a single interface only apply to the ingress of each interface when applied globally. Because the policy is applied to all interfaces, the policy will be applied in both directions so bidirectionality in this case is redundant.

For features that are applied unidirectionally, for example QoS priority queue, only traffic that enters (or exits, depending on the feature) the interface to which you apply the policy map is affected. See

Table 1-2 for the directionality of each feature.

Table 1-2

Feature Directionality

 

 

 

 

 

 

Feature

 

Single Interface Direction

Global Direction

 

 

 

Application inspection (multiple types)

Bidirectional

Ingress

 

 

 

 

ASA CSC

 

Bidirectional

Ingress

 

 

 

 

ASA CX

 

Bidirectional

Ingress

 

 

 

ASA CX authentication proxy

Ingress

Ingress

 

 

 

 

ASA IPS

 

Bidirectional

Ingress

 

 

 

NetFlow Secure Event Logging filtering

N/A

Ingress

 

 

 

QoS input policing

Ingress

Ingress

 

 

 

QoS output policing

Egress

Egress

 

 

 

QoS standard priority queue

Egress

Egress

 

 

 

QoS traffic shaping, hierarchical priority

Egress

Egress

queue

 

 

 

 

 

 

TCP and UDP connection limits and timeouts,

Bidirectional

Ingress

and TCP sequence number randomization

 

 

 

 

 

TCP normalization

Bidirectional

Ingress

 

 

 

TCP state bypass

Bidirectional

Ingress

 

 

 

User statistics for Identity Firewall

Bidirectional

Ingress

 

 

 

 

Feature Matching Within a Service Policy

See the following information for how a packet matches rules in a policy for a given interface:

1.A packet can match only one rule for an interface for each feature type.

2.When the packet matches a rule for a feature type, the ASA does not attempt to match it to any subsequent rules for that feature type.

3.If the packet matches a subsequent rule for a different feature type, however, then the ASA also applies the actions for the subsequent rule, if supported. See the “Incompatibility of Certain Feature Actions” section on page 1-5 for more information about unsupported combinations.

Note Application inspection includes multiple inspection types, and most are mutually exclusive. For inspections that can be combined, each inspection is considered to be a separate feature.

Cisco ASA Series Firewall ASDM Configuration Guide

1-3

Chapter 1 Configuring a Service Policy

Information About Service Policies

For example, if a packet matches a rule for connection limits, and also matches a rule for an application inspection, then both actions are applied.

If a packet matches a rulefor HTTP inspection, but also matches another rule that includes HTTP inspection, then the second rule actions are not applied.

If a packet matches a rulefor HTTP inspection, but also matches another rule that includes FTP inspection, then the second rule actions are not applied because HTTP and FTP inspections cannpt be combined.

If a packet matches a rule for HTTP inspection, but also matches another rule that includes IPv6 inspection, then both actions are applied because the IPv6 inspection can be combined with any other type of inspection.

Order in Which Multiple Feature Actions are Applied

The order in which different types of actions in a service policy are performed is independent of the order in which the actions appear in the table.

Note NetFlow Secure Event Logging filtering and User statistics for Identity Firewall are order-independent.

Actions are performed in the following order:

1.QoS input policing

2.TCP normalization, TCP and UDP connection limits and timeouts, TCP sequence number randomization, and TCP state bypass.

Note When a the ASA performs a proxy service (such as AAA or CSC) or it modifies the TCP payload (such as FTP inspection), the TCP normalizer acts in dual mode, where it is applied before and after the proxy or payload modifying service.

3.ASA CSC

4.Application inspections that can be combined with other inspections:

a.IPv6

b.IP options

c.WAAS

5.Application inspections that cannot be combined with other inspections. See the “Incompatibility of Certain Feature Actions” section on page 1-5 for more information.

6.ASA IPS

7.ASA CX

8.QoS output policing

9.QoS standard priority queue

10. QoS traffic shaping, hierarchical priority queue

Cisco ASA Series Firewall ASDM Configuration Guide

1-4

Loading...
+ 724 hidden pages