Cisco Systems OL-16647-01 manuel d'utilisation

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230

Aller à la page of

Un bon manuel d’utilisation

Les règles imposent au revendeur l'obligation de fournir à l'acheteur, avec des marchandises, le manuel d’utilisation Cisco Systems OL-16647-01. Le manque du manuel d’utilisation ou les informations incorrectes fournies au consommateur sont à la base d'une plainte pour non-conformité du dispositif avec le contrat. Conformément à la loi, l’inclusion du manuel d’utilisation sous une forme autre que le papier est autorisée, ce qui est souvent utilisé récemment, en incluant la forme graphique ou électronique du manuel Cisco Systems OL-16647-01 ou les vidéos d'instruction pour les utilisateurs. La condition est son caractère lisible et compréhensible.

Qu'est ce que le manuel d’utilisation?

Le mot vient du latin "Instructio", à savoir organiser. Ainsi, le manuel d’utilisation Cisco Systems OL-16647-01 décrit les étapes de la procédure. Le but du manuel d’utilisation est d’instruire, de faciliter le démarrage, l'utilisation de l'équipement ou l'exécution des actions spécifiques. Le manuel d’utilisation est une collection d'informations sur l'objet/service, une indice.

Malheureusement, peu d'utilisateurs prennent le temps de lire le manuel d’utilisation, et un bon manuel permet non seulement d’apprendre à connaître un certain nombre de fonctionnalités supplémentaires du dispositif acheté, mais aussi éviter la majorité des défaillances.

Donc, ce qui devrait contenir le manuel parfait?

Tout d'abord, le manuel d’utilisation Cisco Systems OL-16647-01 devrait contenir:
- informations sur les caractéristiques techniques du dispositif Cisco Systems OL-16647-01
- nom du fabricant et année de fabrication Cisco Systems OL-16647-01
- instructions d'utilisation, de réglage et d’entretien de l'équipement Cisco Systems OL-16647-01
- signes de sécurité et attestations confirmant la conformité avec les normes pertinentes

Pourquoi nous ne lisons pas les manuels d’utilisation?

Habituellement, cela est dû au manque de temps et de certitude quant à la fonctionnalité spécifique de l'équipement acheté. Malheureusement, la connexion et le démarrage Cisco Systems OL-16647-01 ne suffisent pas. Le manuel d’utilisation contient un certain nombre de lignes directrices concernant les fonctionnalités spécifiques, la sécurité, les méthodes d'entretien (même les moyens qui doivent être utilisés), les défauts possibles Cisco Systems OL-16647-01 et les moyens de résoudre des problèmes communs lors de l'utilisation. Enfin, le manuel contient les coordonnées du service Cisco Systems en l'absence de l'efficacité des solutions proposées. Actuellement, les manuels d’utilisation sous la forme d'animations intéressantes et de vidéos pédagogiques qui sont meilleurs que la brochure, sont très populaires. Ce type de manuel permet à l'utilisateur de voir toute la vidéo d'instruction sans sauter les spécifications et les descriptions techniques compliquées Cisco Systems OL-16647-01, comme c’est le cas pour la version papier.

Pourquoi lire le manuel d’utilisation?

Tout d'abord, il contient la réponse sur la structure, les possibilités du dispositif Cisco Systems OL-16647-01, l'utilisation de divers accessoires et une gamme d'informations pour profiter pleinement de toutes les fonctionnalités et commodités.

Après un achat réussi de l’équipement/dispositif, prenez un moment pour vous familiariser avec toutes les parties du manuel d'utilisation Cisco Systems OL-16647-01. À l'heure actuelle, ils sont soigneusement préparés et traduits pour qu'ils soient non seulement compréhensibles pour les utilisateurs, mais pour qu’ils remplissent leur fonction de base de l'information et d’aide.

Table des matières du manuel d’utilisation

  • Page 1

    Americas Headquarters Cisco Systems, In c. 170 West Tasman Drive San Jose, CA 951 34-1706 USA http://www.ci sco.com Tel: 408 526-4000 800 553-NETS (638 7) Fax: 408 527-0883 Cisco A SDM User Guide Ve r s i o n 6 . 1 Text Part Number: OL -16647-01[...]

  • Page 2

    THE SPECIFICATION S AND INFORMATION REGARDING TH E PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITH OUT NOTICE. ALL STATEMENTS , INFORMATION, AND RECOMMENDATI ONS IN THI S MANUAL ARE BE LIEVED TO BE A CCURATE BUT ARE PRESENTED WI THOUT WARRANTY OF ANY KIND, EX PRESS OR IMPLIED. USERS MUST TAKE FULL RESPO NSIBILITY FOR THEIR APPLICATION OF ANY PRO[...]

  • Page 3

    iii Cisco ASDM User Guide OL-16647-01 CONTENTS Preface xxxix Related Documentation xxxix Document Conventions xxxix Obtaining Documentation and Submitting a Serv ice Request i-xl xl PART 1 Getting Started CHAPTER 1 Welcome to ASDM 1-1 ASDM Client Operating System and Browser Requirements 1-2 VPN Specifications 1-2 Supported Platforms and SSMs 1-2 N[...]

  • Page 4

    Contents iv Cisco ASDM User Guide OL-16647-01 Enabling Extended Screen Reader Suppo rt 1-16 Organizational Folder 1-16 About the Help Window 1-16 Header Buttons 1-16 Browser Window 1-17 Home Pane 1-17 Device Dashboard Tab 1-18 Firewall Dashboard Tab 1-20 Content Security Tab 1-21 Intrusion Prevention Tab 1-23 Connecting to IPS 1-23 System Home Pane[...]

  • Page 5

    Contents v Cisco ASDM User Guide OL-16647-01 CHAPTER 3 Defining Preferen ces and Using Configuration, Diagno stic, and File Man agement Tools 3-1 Preferences 3-1 Configuration Tools 3-3 Reset Device to the Factory Default Configuration 3-3 Save Running Configu ration to TFTP Serve r 3-4 Save Internal Log Buffer to Flash 3-5 Command Line Interface 3[...]

  • Page 6

    Contents vi Cisco ASDM User Guide OL-16647-01 PIX 515/515E Default Configuration 4-4 Configuring the Security Appliance for ASDM Access 4-4 Setting Transparent or Routed Firew all Mode at the CLI 4-4 Starting ASDM 4-6 Downloading the ASDM Launcher 4-6 Starting ASDM from the ASDM Launcher 4-6 Using ASDM in Demo Mode 4-7 Starting ASDM from a We b Bro[...]

  • Page 7

    Contents vii Cisco ASDM User Guide OL-16647-01 CHAPTER 6 Configuring Basic Device Settings 6-1 Management IP Address 6-1 System Time 6-2 Clock 6-2 NTP 6-3 Add/Edit NTP Server Configuration 6-4 Configuring Advanced Device Man agement Features 6-4 Configuring HTTP Redirect 6-4 Edit HTTP/HTTPS Settings 6-5 Configuring Maximum SSL VPN Sessions 6-5 Hist[...]

  • Page 8

    Contents viii Cisco ASDM User Guide OL-16647-01 Configuring an Interface (Single Mode) 7-5 Enabling Same Security Level Communication (Single Mode) 7-8 PPPoE IP Address and Route Se ttings 7-9 CHAPTER 8 Configuring Interfac es in Multiple Mode 8-1 Configuring Interfaces in the S ystem Configuration (Multi ple Mode) 8-1 Configuring Physical Interfac[...]

  • Page 9

    Contents ix Cisco ASDM User Guide OL-16647-01 Configuring Switch Ports 9-11 Interfaces > Switch Ports 9-11 Edit Switch Port 9-12 CHAPTER 10 Configuring Security Contexts 10-1 Security Context Overview 10-1 Common Uses for Security Contexts 10-2 Unsupported Features 10-2 Context Configuration Files 10-2 How the Security Appliance Classifie s Pack[...]

  • Page 10

    Contents x Cisco ASDM User Guide OL-16647-01 Interface 11-10 Redistribution 11-14 Static Neighbor 11-17 Summary Address 11-18 Virtual Link 11-19 RIP 11-22 Setup 11-23 Interface 11-24 Filter Rules 11-25 Redistribution 11-27 EIGRP 11-28 Configuring EIGRP 11-29 Field Information for the EIGRP Panes 11-30 Static Routes 11-40 Static Route Tracking 11-41[...]

  • Page 11

    Contents xi Cisco ASDM User Guide OL-16647-01 MForwarding 12-11 PIM 12-11 Protocol 12-12 Edit PIM Protocol 12-12 Neighbor Filter 12-13 Add/Edit/Insert Neighbor Filte r Entry 12-14 Bidirectional Neighbor Filter 12-14 Add/Edit/Insert Bidirectional Neighbor F ilter Entry 12-15 Rendezvous Points 12-16 Add/Edit Rendezvous Point 12-16 Request Filter 12-1[...]

  • Page 12

    Contents xii Cisco ASDM User Guide OL-16647-01 RADIUS Server Support 14-4 Authentication Methods 14-4 Attribute Support 14-4 RADIUS Authorization Functions 14-4 TACACS+ Server Support 14-4 SDI Server Support 14-5 SDI Version Support 14-5 Two-step Authentication Proce ss 14-5 SDI Primary and Replica Servers 14-5 NT Server Support 14-5 Kerberos Serve[...]

  • Page 13

    Contents xiii Cisco ASDM User Guide OL-16647-01 Active/Standby Failover 15-2 Active/Active Failover 15-2 Stateless (Regular) Failover 15-3 Stateful Failover 15-3 Configuring Failover with the High Availability and Scalability Wizard 15-4 Accessing and Using th e High Availability and Sc alability Wizard 15-4 Configuring Active/Active Failover with [...]

  • Page 14

    Contents xiv Cisco ASDM User Guide OL-16647-01 Configuring CLI Parameters 16-2 Adding a Banner 16-2 Customizing a CLI Prompt 16-3 Changing the Co nsole Timeout Period 16-4 Configuring File Access 16-4 Configuring the FTP Client Mode 16-4 Configuring the Security Appliance as a Secure Copy Se rver 16-5 Configuring the Security Appliance as a TFTP Cl[...]

  • Page 15

    Contents xv Cisco ASDM User Guide OL-16647-01 Configure Logging Flash Usage 17-4 Syslog Setup 17-4 Edit Syslog ID Settings 17-5 Advanced Syslog Configuratio n 17-6 E-Mail Setup 17-7 Add/Edit E-Mail Recipients 17-8 Event Lists 17-8 Add/Edit Event List 17-10 Add/Edit Syslog Message ID Filter 17-10 Logging Filters 17-10 Edit Logging Filters 17-11 Add/[...]

  • Page 16

    Contents xvi Cisco ASDM User Guide OL-16647-01 MAC Address vs. Route Lookups 18-8 Using the Transparent Firewall in Your Network 18-9 Transparent Firewall Guidelines 18-9 Unsupported Features in Transparent Mo de 18-10 How Data Moves Through the Transp arent Firewall 18-11 An Inside Us er Visits a We b Server 18-12 An Inside User Visits a Web Serve[...]

  • Page 17

    Contents xvii Cisco ASDM User Guide OL-16647-01 Add TLS Proxy Instance Wizard – Server Con figuration 19-21 Add TLS Proxy Instance Wizard – Client Configuration 19-22 Add TLS Proxy Instance Wizard – Other Steps 19-24 Phone Proxy 19-24 Configuring the Phone Proxy 19-25 Creating a Phone Proxy Instance 19-25 Add/Edit TFTP Server 19-27 CTL File 1[...]

  • Page 18

    Contents xviii Cisco ASDM User Guide OL-16647-01 Log Options 20-14 Configuring Ethertype Rules (Transparent Mode Only) 20-16 Add/Edit EtherType Rule 20-17 CHAPTER 21 Configuring NAT 21-1 NAT Overview 21-1 Introduction to NAT 21-1 NAT in Routed Mode 21-2 NAT in Transparent Mode 21-3 NAT Control 21-4 NAT Types 21-6 Dynamic NAT 21-6 PAT 21-8 Static NA[...]

  • Page 19

    Contents xix Cisco ASDM User Guide OL-16647-01 CHAPTER 22 Configuring Serv ice Policy Rules 22-1 Service Policy Overview 22-1 Supported F eatures 22-1 Service Policy Elements 22-2 Default Global Policy 22-2 Feature Directionality 22-3 Feature Matching Guidelines 22-3 Order in Which Multiple Feature Ac tions within a Rule are Applied 22-4 Incompatib[...]

  • Page 20

    Contents xx Cisco ASDM User Guide OL-16647-01 Configuring TACACS+ Authorization 23-9 Configuring RADIUS Authorization 23-10 Configuring a RADIUS Server to Se nd Downloadable Acce ss Control Lists 23-11 Configuring a RADIUS Server to Downl oad Per-User Ac cess Control List Names 23 -15 Configuring Accounting for Network Access 23-15 Using MAC Addres[...]

  • Page 21

    Contents xxi Cisco ASDM User Guide OL-16647-01 Configuring MMP Inspection for a TLS Proxy 24-18 NetBIOS Inspection 24-18 PPTP Inspectio n 24-19 RADIUS Accoun ting Inspecti on 24-19 RSH Inspection 24-19 RTSP Inspection 24-19 RTSP Inspection Overv iew 24-20 Using RealPlayer 24-20 Restrictions and Limitations 24-20 SIP Inspection 24-21 SIP Inspection [...]

  • Page 22

    Contents xxii Cisco ASDM User Guide OL-16647-01 Select RTSP Map 24-36 Select SCCP (Skinn y) Map 24-37 Select SIP Map 24-37 Select SNMP Map 24-38 Class Map Field Description s 24-39 DNS Class Map 24-39 Add/Edit DNS Traffic Class Map 24-40 Add/Edit DNS Match Criterion 24-40 Manage Regular Expressions 24-42 Manage Regular Expression Class Maps 24-42 F[...]

  • Page 23

    Contents xxiii Cisco ASDM User Guide OL-16647-01 Add/Edit FTP Policy Map (Security Level) 24-80 Add/Edit FTP Policy Map (Details) 24-81 Add/Edit FTP Map 24-82 GTP Inspect Map 24-84 IMSI Prefix Filtering 24-84 Add/Edit GTP Policy Map (Security Level) 24-85 Add/Edit GTP Policy Map (Details) 24-86 Add/Edit GTP Map 24-88 H.323 Inspect Map 24-89 Phone N[...]

  • Page 24

    Contents xxiv Cisco ASDM User Guide OL-16647-01 Add/Edit SIP Policy Map (Security Level) 24-121 Add/Edit SIP Policy Map (Deta ils) 24-12 2 Add/Edit SIP Inspect 24-124 SNMP Inspect Map 24-126 Add/Edit SNMP Map 24-127 CHAPTER 25 Configuring QoS 25-1 QoS Overview 25-1 Supported QoS Features 25-2 What is a Token Bucket? 25-2 Policing Overview 25-3 Prio[...]

  • Page 25

    Contents xxv Cisco ASDM User Guide OL-16647-01 Configuring Connection Settings 27-6 Connection Limit Overview 27-6 TCP Intercept Overview 27-6 Disabling TCP Intercept for Ma nagement Packets for Clientless SSL VPN Compatibility 27-6 Dead Connection Detection Overview 27-7 TCP Sequence Randomizatio n Overview 27-7 TCP Normalization Overview 27-7 Ena[...]

  • Page 26

    Contents xxvi Cisco ASDM User Guide OL-16647-01 Getting Started with the CSC SSM 29 -4 Determining What Traffic to Scan 29-6 Rule Actions for CSC Scanning 29-8 CSC SSM Setup 29 -9 Activation/License 29-10 IP Configuratio n 29-11 Host/Notification Settings 29-11 Management Access Host/Netwo rks 29-12 Password 29-13 Restoring the Default Password 29-[...]

  • Page 27

    Contents xxvii Cisco ASDM User Guide OL-16647-01 CHAPTER 31 SSL VPN Wizard 31-1 SSL VPN Feature 31-1 SSL VPN Interface 31-2 User Authentication 31-2 Group Policy 31-3 Bookmark Li st 31-3 IP Address Pools and Client Image 31-4 Summary 31-4 CHAPTER 32 VPN 32-1 VPN Wizard 32-1 VPN Tunnel Ty pe 32-2 Remote Site Peer 32-3 IKE Policy 32-4 Hosts and Netwo[...]

  • Page 28

    Contents xxviii Cisco ASDM User Guide OL-16647-01 Add/Edit IKE Policy 34-5 Assignment Policy 34-6 Address Pools 34-7 Add/Edit IP Pool 34- 8 IPsec 34-8 Crypto Maps 34-9 Create IPsec Rule/Tunnel Policy (Crypto Map) - Basic Tab 34-11 Create IPsec Rule/Tunnel Policy (Crypto Map) - Advanced Tab 34-13 Create IPsec Rule/Traffic Selection Tab 34-13 Pre-Fra[...]

  • Page 29

    Contents xxix Cisco ASDM User Guide OL-16647-01 Browse ICMP 35-19 Add ICMP Group 35-20 Browse Other 35-21 Add Protocol Group 35-21 Add/Edit Intern al Group Policy > Servers 35-22 Add/Edit Internal Group Policy > IPSec Client 35-22 Client Access Rules 35-23 Add/Edit Client Access Rule 35-23 Add/Edit Internal Group Policy > Client Configurat[...]

  • Page 30

    Contents xxx Cisco ASDM User Guide OL-16647-01 IPSec Remote Access Connection Profiles 35-49 Add or Edit an IPSec Remote Access Connection Profile 35-50 Add or Edit IPSec Remote Access Connection Profile Bas ic 35-50 Mapping Certificates to IPSec or SSL VPN Connection Profiles 35-51 Configure Site-to-Site Tunnel Groups 35-54 Add/Edit Site-to-Site C[...]

  • Page 31

    Contents xxxi Cisco ASDM User Guide OL-16647-01 CHAPTER 36 Configuring Dynamic Access Policies 36-1 Understanding VPN Access Polic ies 36-1 DAP Support for Remote Access Connection Ty pes 36-3 DAP and AAA 36-3 DAP and Endpoint Security 36-4 DAP Connection Sequenc e 36-6 Test Dynamic Access Policies 36-6 Add/Edit Dynamic Access Policies 36-7 Add/Edi[...]

  • Page 32

    Contents xxxii Cisco ASDM User Guide OL-16647-01 Encoding 38-15 Web ACLs 38-17 Port Forwarding 38-19 Why Port Forwar ding? 38 -19 Requirements and Restrictions 38-20 Add/Edit Port Forwarding List 38-21 Add/Edit Port Forwarding Entry 38-21 Configuring the Use of External Proxy Servers 38-22 Configuring Proxy Bypass 38-23 DTLS Settings 38-25 SSL VPN [...]

  • Page 33

    Contents xxxiii Cisco ASDM User Guide OL-16647-01 Customization Example 38-48 Using the Customization Template 38-50 The Customization Template 38-50 Help Customization 38-63 Import/Export Application Help Content 38-65 Configuring Browser Access to Client-Se rver Plug-ins 38-66 About Installing Browser Plug-ins 38-67 Plug-in Requirements and Restr[...]

  • Page 34

    Contents xxxiv Cisco ASDM User Guide OL-16647-01 CHAPTER 40 Configuring SSL Settings 40-1 SSL 40-1 Edit SSL Certificate 40-2 SSL Certificates 40-3 PART 5 Monitoring the Se curity Appliance CHAPTER 41 Monitoring Interfaces 41-1 ARP Table 41-1 DHCP 41-1 DHCP Server Table 41-2 DHCP Client Lease Information 41-2 DHCP Statistics 41-3 MAC Address Table 4[...]

  • Page 35

    Contents xxxv Cisco ASDM User Guide OL-16647-01 SSO Statistics for Clientless SSL VPN Session 42-14 CHAPTER 43 Monitoring Routing 43-1 Monitoring OSPF LSAs 43-1 Type 1 43-1 Type 2 43-2 Type 3 43-3 Type 4 43-3 Type 5 43-4 Type 7 43-4 Monitoring OSPF Neighbors 43-5 Monitoring EIGRP Neighbors 43-7 Displaying Routes 43-8 CHAPTER 44 Monitoring Propertie[...]

  • Page 36

    Contents xxxvi Cisco ASDM User Guide OL-16647-01 Blocks 44-17 CPU 44-17 Memory 44-18 WCCP 44-18 Service Groups 44-19 Redirection 44-19 CHAPTER 45 Monitoring Logging 45-1 About Log Viewing 45-1 Log Buffer 45-1 Log Buffer Viewer 45-2 Real-Time Log Viewer 45-3 Real-Time Log Viewer 45-3 CHAPTER 46 Monitoring Failover 46-1 Monitoring Failover in Single [...]

  • Page 37

    Contents xxxvii Cisco ASDM User Guide OL-16647-01 ASA 5540 Feature Licenses A-4 ASA 5550 Feature Licenses A-4 ASA 5580 Feature Licenses A-5 PIX 515/515E Feature Licens es A-6 PIX 525 Feature Licenses A-7 PIX 535 Feature Licenses A-7 APPENDIX B Troubleshooting B-1 Testing Yo ur Configur ation B-1 Enabling ICMP Debug Messag es and System Log Messa ge[...]

  • Page 38

    Contents xxxviii Cisco ASDM User Guide OL-16647-01 Login DN Example for Active Directory C-5 Defining the Security Appliance LDAP Configuration C-5 Supported Cisco Attributes for LDAP Authorization C-6 Cisco-AV-Pai r Attribute Synt ax C-12 Additional Information for us ing ASDM to Configure LDA P C-14 Configuring an External RADIUS Server C-15 Revi[...]

  • Page 39

    xxxix Cisco ASDM User Guide OL-16647-01 Preface The ASDM User Guide contains th e information that is a v aila ble in the ASDM onli ne help system. This preface contai ns the follo wing topics: • Related Documentati on, page xxxi x • Document Con v entions, page xxx ix • Obtaining Documentati on and Submitting a Service Requ est, page xl Rela[...]

  • Page 40

    xl Cisco ASDM User Guide OL-16647-01 Preface Obtaining Documenta tion and Submitting a Se rvice Request • Information you need to enter in examp les is shown in boldface screen font. • V ariables for which you must supply a va lue are shown in italic screen font. Note Means reader take note . Notes contain helpful suggestions or references to m[...]

  • Page 41

    P ART 1 Get ting Started[...]

  • Page 42

    [...]

  • Page 43

    CH A P T E R 1-1 Cisco ASDM User Guide OL-16647-01 1 Welcome to ASDM Cisco Adapti ve Security Device Manager (ASDM) deli vers wo rld-class security management an d monitoring services for se curity appliances thro ugh an intuiti v e , easy-to-use, management interface. Bundled with supported security appliances, the device manage r accelerates sec [...]

  • Page 44

    1-2 Cisco ASDM User Guide OL-16647-01 Chapter 1 Welco me to ASDM ASDM Client Oper ating System and Browse r Requirements ASDM Client Operating System and Browser Requirements Ta b l e 1-1 lists the support ed and recommended client operating systems and Ja v a for ASDM. VPN Specifications See the Cisco ASA 5500 Series VPN Compatibility Refer ence a[...]

  • Page 45

    1-3 Cisco ASDM User Guide OL-16647-01 Chapter 1 Welcome to ASDM Supported Platforms and SSMs • Adva nced Inspection and Pre ven tion (AIP) SSM, software V ersion 5.0, 5.1, and 6.0 • Content Security and Cont rol (CSC) SSM, software V ersion 6.1 and 6.2 Ta b l e 1-2 sho ws the SSMs supported by each platform: Ta b l e 1 -2 SSM Support Platform S[...]

  • Page 46

    1-4 Cisco ASDM User Guide OL-16647-01 Chapter 1 Welco me to ASDM New ASDM Feat ures New ASDM Features Note For supported platform features, see the “Ne w Features by Platform Release” section on page 2-1 . Ta b l e 1-3 lists the ne w features for ASDM V ersion 6.1(5). Multiple ASDM Session Support ASDM allo ws multiple PCs or wor kstations to e[...]

  • Page 47

    1-5 Cisco ASDM User Guide OL-16647-01 Chapter 1 Welcome to ASDM Unsupported Commands Effects of Unsupported Commands • If ASDM loads an e xisting runni ng conf iguration and f inds IPv6-related commands, A SDM displays a dialog box informi ng you that it does not support IPv6. Y ou cannot configure an y IPv6 commands in ASDM, b ut all other conf [...]

  • Page 48

    1-6 Cisco ASDM User Guide OL-16647-01 Chapter 1 Welco me to ASDM Unsupported Comma nds T o exit Monitor-only mode , use the CLI tool or access the security applia nce console, and remove the alia s command. Y ou can use outside NA T instead of the alias command. See the Cisco Security Appliance Command Refer ence for more informat ion. Note Y ou mi[...]

  • Page 49

    1-7 Cisco ASDM User Guide OL-16647-01 Chapter 1 Welcome to ASDM About the ASDM Interface About the ASDM Interface The ASDM interface is designed to pr ovide easy access to the many feat ures that the adaptiv e security appliance supports. The ASDM interfac e includes the follo wing components: • Menu Bar—Provides quick access to files, tools, w[...]

  • Page 50

    1-8 Cisco ASDM User Guide OL-16647-01 Chapter 1 Welco me to ASDM About the ASDM Interface • Refresh ASDM with the Runnin g Configurati on on the De vice—Loads a copy of the run ning config uration to ASDM. Click Refresh to make sure ASDM has a current copy of the ru nning configuration. • Reset De vice to the Factory D efault Conf iguration?[...]

  • Page 51

    1-9 Cisco ASDM User Guide OL-16647-01 Chapter 1 Welcome to ASDM About the ASDM Interface • T ime Ranges—Sho ws and hides the display of the Time Ranges pane. Th e T ime Ranges pane is only av ailabl e for the Access Rules, Service Polic y Rules, AAA Rules, an d Filter Rules panes in the configuration vie w . • Global Pools—Sho ws and hid es[...]

  • Page 52

    1-10 Cisco ASDM User Guide OL-16647-01 Chapter 1 Welco me to ASDM About the ASDM Interface • Administrator’ s Alerts to Clientless SS L VPN User s—Lets an administrator send an alert message to clientless S SL VPN users. Se e the Administrator’ s Alert to Clientless SSL VPN Users dialog box for more information. • Preferences—Changes th[...]

  • Page 53

    1-11 Cisco ASDM User Guide OL-16647-01 Chapter 1 Welcome to ASDM About the ASDM Interface • About Cisco Adapti v e Security Appliance (ASA)—Di splays information about the adapti ve security appliance, including the soft ware v ersion, hardware set, conf iguration f ile loaded at startup, and software image load ed at startup. This information [...]

  • Page 54

    1-12 Cisco ASDM User Guide OL-16647-01 Chapter 1 Welco me to ASDM About the ASDM Interface How Do I? Tab Fields • Sho w tasks—Choose the type of informat ion you want from the drop-d own list. The a v ailable type s are Security Polic y , ASDM, Administration, and All. Search Tab Fields • For—Enter th e term about which y ou want more info [...]

  • Page 55

    1-13 Cisco ASDM User Guide OL-16647-01 Chapter 1 Welcome to ASDM About the ASDM Interface Connection to Device ASDM maintai ns a constant connection to t he adapti v e security appliance to maintain up-to-date monitoring and home p ane data. This dialog box sho ws the stat us of the connection. When you mak e a configuration change, ASDM opens a se[...]

  • Page 56

    1-14 Cisco ASDM User Guide OL-16647-01 Chapter 1 Welco me to ASDM About the ASDM Interface • Reset —Discards change s and re verts to the informatio n displayed before changes were made or the last time you click ed Refresh or A pply . After you click Reset , click Refr esh to make sure that information fro m the current runn ing conf iguration[...]

  • Page 57

    1-15 Cisco ASDM User Guide OL-16647-01 Chapter 1 Welcome to ASDM About the ASDM Interface Ta b l e 1-7 lists t he keyboard sh ortcuts you can use with the Log V iewer s. Ta b l e 1-8 lists the k eyboard shortcuts yo u can use to access menu items. Ta b l e 1 -6 Mov ing the Focus T o move the focus to the Press next f ield Ta b pre vious f ield Shif[...]

  • Page 58

    1-16 Cisco ASDM User Guide OL-16647-01 Chapter 1 Welco me to ASDM About the He lp Window Enabling Extended Screen Reader Support By default, labels and descriptions are not includ ed in tab order when you press the T ab ke y to na vigate a pane. Some screen readers, such as J A WS, only read screen objects th at ha ve th e focus. Y ou can include t[...]

  • Page 59

    1-17 Cisco ASDM User Guide OL-16647-01 Chapter 1 Welcome to ASDM Home Pane Browser Window When you open help and a help page i s already open, the ne w help page will appear in the same bro wser windo w . If no help page is open, then the help page w ill appear in a ne w bro wser windo w . When you open help and Netscape Communicator is the def aul[...]

  • Page 60

    1-18 Cisco ASDM User Guide OL-16647-01 Chapter 1 Welco me to ASDM Home Pane Device Dashboard Tab The De vice Dashboard tab lets you view , at a glance, important information abo ut your adapti ve secur ity appliance, such as the status of your interfaces, th e v ersion you are runn ing, licensing info rmation, and performance. Fields • Device Inf[...]

  • Page 61

    1-19 Cisco ASDM User Guide OL-16647-01 Chapter 1 Welcome to ASDM Home Pane VPN Peers— Display only . Shows the number of VPN peers allo wed. This entry is blank if no VPN peers are supported. Clientless SSL VPN Peers— Display only . Shows the number o f clientless SSL VPN peers allowed. • VPN T unn els Status—Routed, single mode onl y . Sho[...]

  • Page 62

    1-20 Cisco ASDM User Guide OL-16647-01 Chapter 1 Welco me to ASDM Home Pane Firewall Dashboard Tab The Firew all Dash board tab lets you view important information abou t the traff ic passing throug h your security applia nce, including the number of connecti ons, N A T translations, d ropped packets, attacks, and top usag e statistics . The T raff[...]

  • Page 63

    1-21 Cisco ASDM User Guide OL-16647-01 Chapter 1 Welcome to ASDM Home Pane – Hits—Sho ws the number of packet hits that occurred. – Source—Sho ws the source IP address. – Dest—Sho ws the destination IP address. – Service—Sho ws the service (proto col or port) for the conn ection. – Action—Sho ws whether the rule is a p ermit or [...]

  • Page 64

    1-22 Cisco ASDM User Guide OL-16647-01 Chapter 1 Welco me to ASDM Home Pane – Last Update— Display only . Shows the date of the last softw are update obtained from T rend Micro. – Daily Node #— Display only . Shows the numb er of network de vices for wh ich the CSC SSM provided services in the preceding 24 hour s. ASDM updates this field at[...]

  • Page 65

    1-23 Cisco ASDM User Guide OL-16647-01 Chapter 1 Welcome to ASDM Home Pane – Subject/File/URL— Display only . Sho ws the subject of e-mails that contai n a threat, the names of FTP files that contain a threat , or blocked or filtered URLs. – Receiv er/Host— Display only . Shows the recipient of e-mails th at contain a threat or the IP addre[...]

  • Page 66

    1-24 Cisco ASDM User Guide OL-16647-01 Chapter 1 Welco me to ASDM Home Pane – IPS V ersion— Disp lay only . Shows the IPS software v ersion. – IDM V ersion— Display only . Shows t he IDM software versi on. – Bypass Mode— Display onl y . Shows the bypass mode, which can be set to O n or Off . – Missed Packets Percentage— Disp lay onl[...]

  • Page 67

    1-25 Cisco ASDM User Guide OL-16647-01 Chapter 1 Welcome to ASDM System Home Pane System Home Pane The ASDM system home pane lets you vie w impo rtant status information about yo ur adapti ve security appliance. Many of th e details av ailabl e on the AS DM system home pane are av ailable elsewhere in ASDM, but th is pane shows at- a-glance how yo [...]

  • Page 68

    1-26 Cisco ASDM User Guide OL-16647-01 Chapter 1 Welco me to ASDM System Home Pane Firewall Mode Security Context Routed T ra nspar ent Single Multiple Context Sy stem • • • • •[...]

  • Page 69

    CH A P T E R 2-1 Cisco ASDM User Guide OL-16647-01 2 Introduction to the Security Appliance The security appliance combines advanced stateful f ire wall and VPN concent rator functional ity in one de vice, and for some models, an in tegrated intrusion pre venti on module called the AIP SSM or an integrated content security and c ontrol module call [...]

  • Page 70

    2-2 Cisco ASDM User Guide OL-16647-01 Chapter 2 Introduction to the Security Appliance New Features by Platform Release T able 2-1 lists the ne w features for V ersion 8.1(2). Note V ersion 8.1(x) is only suppo rted on the Cisco ASA 5580 adapti v e security appliance. T able 2-1 New F eatur e s for A SA V ersion 8.1(2) Feature Description Remote Ac[...]

  • Page 71

    2-3 Cisco ASDM User Guide OL-16647-01 Chapter 2 Introductio n to the Secur ity Appliance New Features by Platfo rm Release Sho w Activ e Directory Groups The CLI command sho w ad-groups w as added to list the active directory groups. ASD M Dynamic Access Policy uses this command to present the ad ministrator with a list of MS AD groups that can be [...]

  • Page 72

    2-4 Cisco ASDM User Guide OL-16647-01 Chapter 2 Introduction to the Security Appliance New Features by Platform Release New Features in Version 8.1(1) T able 2-2 lists the ne w features for V ersion 8.1(1). Note V ersion 8.1(x) is only suppo rted on the Cisco ASA 5580 adapti v e security appliance. TCP Normalization Enhancemen ts Y ou can no w conf[...]

  • Page 73

    2-5 Cisco ASDM User Guide OL-16647-01 Chapter 2 Introductio n to the Secur ity Appliance New Features by Platfo rm Release New Features in Version 8.0(4) Note These features are not av ailable in V ersion 8.1(1). See the “New Features in V ersion 8.1(2)” section on page 2-1 for many , but not all, of these features. For example, Unified Comm un[...]

  • Page 74

    2-6 Cisco ASDM User Guide OL-16647-01 Chapter 2 Introduction to the Security Appliance New Features by Platform Release T able 2-3 lists the ne w features for V ersion 8.0(4). T able 2- 3 New F eat ur es f or A SA and PIX V ersion 8.0(4) Feature Description Unified Communications Features 1 Phone Proxy Phone Proxy functionali ty is supported. ASA P[...]

  • Page 75

    2-7 Cisco ASDM User Guide OL-16647-01 Chapter 2 Introductio n to the Secur ity Appliance New Features by Platfo rm Release Auto Sign-On wit h Smart T unnels for IE 1 This feature lets you enable the repl acement of logon creden tials for WININET connecti ons. Most Microsoft appli cations use W ININET , in cluding Inte rnet Explorer . Mozilla Firefo[...]

  • Page 76

    2-8 Cisco ASDM User Guide OL-16647-01 Chapter 2 Introduction to the Security Appliance New Features by Platform Release Smart T unnel o ver Mac OS 1 Smart tunnels now support Mac OS. In ASDM, see Conf iguration > Remote Access VPN > Clientless SSL VPN Access > Portal > Smart T unnels. Firewall Features QoS T raf fi c Shaping If you ha v[...]

  • Page 77

    2-9 Cisco ASDM User Guide OL-16647-01 Chapter 2 Introductio n to the Secur ity Appliance New Features by Platfo rm Release New Features in Version 8.0(3) T able 2-4 lists t he new f eatures for V ersion 8.0(3). T imeout for SIP Provisional M edia Y o u can no w conf igure the timeout fo r SIP provisional m edia using the timeout sip-pr ovisional-me[...]

  • Page 78

    2-10 Cisco ASDM User Guide OL-16647-01 Chapter 2 Introduction to the Security Appliance New Features by Platform Release New Features in Version 8.0(2) T able 2-5 lists the ne w features for V ersion 8.0(2). Note There was no ASA or PIX 8.0(1) release. Fully Qu alified Domain N ame Support Enhanc ement Added option in the r edir ect-fqdn command to[...]

  • Page 79

    2-11 Cisco ASDM User Guide OL-16647-01 Chapter 2 Introductio n to the Secur ity Appliance New Features by Platfo rm Release High A v ailability Remote command ex ecution in Fa ilov er pairs Y ou can execute commands on the peer unit in a f ailov er pair witho ut havi ng to connect directly to the peer . This works for both Acti v e/Standby and Acti[...]

  • Page 80

    2-12 Cisco ASDM User Guide OL-16647-01 Chapter 2 Introduction to the Security Appliance New Features by Platform Release Cisco Secure Desktop Host Scan As a condition for the compl etion of a Cisco AnyConnect o r clientless SSL VPN connection, the remot e comput er scans for a greatly expanded collection of antivirus and antispyw ar e applic ations[...]

  • Page 81

    2-13 Cisco ASDM User Guide OL-16647-01 Chapter 2 Introductio n to the Secur ity Appliance New Features by Platfo rm Release Platform Enhancemen ts VLAN support for remote access VPN connections Provides supp ort for mapping (tagging) of client traff ic at the group o r user le vel. This feature is comp atible with clientless as well as IPsec and SS[...]

  • Page 82

    2-14 Cisco ASDM User Guide OL-16647-01 Chapter 2 Introduction to the Security Appliance New Features by Platform Release Bro wser -based SSL VPN Features (continued) Personal bookmark support Users can def ine their o wn bookmarks. These bookmark s are stored on a fil e server . T ransformation enhancements Adds support for se v eral comple x forms[...]

  • Page 83

    2-15 Cisco ASDM User Guide OL-16647-01 Chapter 2 Introductio n to the Secur ity Appliance New Features by Platfo rm Release Firewall Features Application Inspection Modular policy framew ork inspect class map T raf fi c can match one of mul tiple matc h commands in an inspect class map; formerly , traf fi c had to match all match comman ds in a cla[...]

  • Page 84

    2-16 Cisco ASDM User Guide OL-16647-01 Chapter 2 Introduction to the Security Appliance Firewall Functional Overview Firewall Functional Overview Firew alls protect inside networks from unauthorized access by users on an outside network. A fi rew all can also protect inside networks from each other , for example, by keeping a human resources networ[...]

  • Page 85

    2-17 Cisco ASDM User Guide OL-16647-01 Chapter 2 Introductio n to the Secur ity Appliance Firewall Functional Overview • Applying Appl ication Inspection , page 2-17 • Sending T r af fic t o the Adv anced Insp ection and Pre v ention Security Services Modul e, page 2-18 • Sending T raf fic to the Content Security and Control Security Servic e[...]

  • Page 86

    2-18 Cisco ASDM User Guide OL-16647-01 Chapter 2 Introduction to the Security Appliance Firewall Functional Overview Sending Traffic to the Adv anced Inspection and Prevention Security Services Module If your model support s the AIP SSM for intrusion pre v ention, then you can send traf f ic to the AIP SSM for inspecti on. The AIP SSM is an intru s[...]

  • Page 87

    2-19 Cisco ASDM User Guide OL-16647-01 Chapter 2 Introductio n to the Secur ity Appliance Firewall Functional Overview Firewall Mode Overview The security appliance runs in tw o dif ferent fi rew all modes: • Routed • T ransparent In routed mode, the security appliance is considered to be a router hop in the netw ork. In transp arent mode, the [...]

  • Page 88

    2-20 Cisco ASDM User Guide OL-16647-01 Chapter 2 Introduction to the Security Appliance VPN Functional Overview – Session lookup – TCP sequence number check – N A T translations based on existing sessions – Layer 3 and Layer 4 header adjustments For UDP or oth er connectionless protocols, t h e security appliance cr eates connection s tate [...]

  • Page 89

    2-21 Cisco ASDM User Guide OL-16647-01 Chapter 2 Introductio n to the Secur ity Appliance Security Context Overview which, like a single mode conf igurat ion, is the startup conf iguration. The system conf iguration identif ies basic settings for the secur ity appliance. The system conf iguration d oes not include any netw ork interfaces or netw or[...]

  • Page 90

    2-22 Cisco ASDM User Guide OL-16647-01 Chapter 2 Introduction to the Security Appliance Security Context Overview[...]

  • Page 91

    CH A P T E R 3-1 Cisco ASDM User Guide OL-16647-01 3 Defining Preferences and Using Configuration, Diagnostic, and File Management Tools This chapter describes the preferences and tools av aila ble f or configu ration, problem diagnosi s, and fi le management, and includes t he follo wing sections: • Preferences, page 3-1 • Config uration T ool[...]

  • Page 92

    3-2 Cisco ASDM User Guide OL-16647-01 Chapter 3 Defining Prefer ences an d Using Configuration, Di agnostic, and File Management Tools Preferences “You are not allowed to modify the ASA configuration, because you do not have sufficient privileges.” f. Check the E na b le s c ree n rea d er s u pp o rt ( req u ire s AS D M res t a rt ) check box[...]

  • Page 93

    3-3 Cisco ASDM User Guide OL-16647-01 Chapter 3 Defining Preferen ces and Using C onfiguration, Diagnostic, a nd File Management Tools Configuration Tools Step 6 After you ha ve specif ied settings on these three tabs, click OK to sav e your settings and clo se the Preferences dialog box. Note Each time that y ou check or un check a prefer ences se[...]

  • Page 94

    3-4 Cisco ASDM User Guide OL-16647-01 Chapter 3 Defining Prefer ences an d Using Configuration, Di agnostic, and File Management Tools Configuration Tools Step 2 Enter the Management IP address of the ma nagement interface, instead of using the d efault address, 192.168.1.1. F or an adapti ve security appliance with a dedicated management interf ac[...]

  • Page 95

    3-5 Cisco ASDM User Guide OL-16647-01 Chapter 3 Defining Preferen ces and Using C onfiguration, Diagnostic, a nd File Management Tools Configuration Tools Save Internal Log Buffer to Flash This feature lets you sa ve the internal log b uf fer to flash memory . T o sav e the internal log b uf fer to flash memory , perform the follo wing steps: Step [...]

  • Page 96

    3-6 Cisco ASDM User Guide OL-16647-01 Chapter 3 Defining Prefer ences an d Using Configuration, Di agnostic, and File Management Tools Configuration Tools Step 6 After you ha v e closed the Command Line Interface di alog box , if you changed the conf iguration, click Refresh to vie w the changes in ASDM. Modes The follo wing table sho ws the modes [...]

  • Page 97

    3-7 Cisco ASDM User Guide OL-16647-01 Chapter 3 Defining Preferen ces and Using C onfiguration, Diagnostic, a nd File Management Tools Diagnostic Tools Step 1 In the main ASDM application windo w , choose T ools > Show Commands Ignor ed by ASDM on Device . Step 2 Click OK when you are done. Modes The follo wing table sho ws the modes in which th[...]

  • Page 98

    3-8 Cisco ASDM User Guide OL-16647-01 Chapter 3 Defining Prefer ences an d Using Configuration, Di agnostic, and File Management Tools Diagnostic Tools • Debug all packet drops in a pro duction network. • V erify the configurat ion is working as in tended. • Show all rules applicable to a pack et, along w ith the CLI lines that caused the rul[...]

  • Page 99

    3-9 Cisco ASDM User Guide OL-16647-01 Chapter 3 Defining Preferen ces and Using C onfiguration, Diagnostic, a nd File Management Tools Diagnostic Tools T o use the Ping tool, perform the follow ing steps: Step 1 In the main ASDM application windo w , choose To o l s > P i n g . The Ping dialog box appears. Step 2 Enter the destinatio n IP addr e[...]

  • Page 100

    3-10 Cisco ASDM User Guide OL-16647-01 Chapter 3 Defining Prefer ences an d Using Configuration, Di agnostic, and File Management Tools Diagnostic Tools • Loopback testing of tw o interfaces—A ping may be init iated from one interface to an other on the same security appliance, as an ex ternal loopback test to ve rify basic “up” status and [...]

  • Page 101

    3-11 Cisco ASDM User Guide OL-16647-01 Chapter 3 Defining Preferen ces and Using C onfiguration, Diagnostic, a nd File Management Tools Diagnostic Tools Pinging to a Security Appliance Interface When you try to ping t o an adaptiv e security appliance interface, verif y that the pinging response (ICMP echo reply ) is enabled for that interface b y [...]

  • Page 102

    3-12 Cisco ASDM User Guide OL-16647-01 Chapter 3 Defining Prefer ences an d Using Configuration, Di agnostic, and File Management Tools Diagnostic Tools Step 6 Specify the minimum and ma ximum TTL v alues for the first probes. The minimum default is one, bu t it can be set to a higher v alue to suppress the display of known hops. The maximum defaul[...]

  • Page 103

    3-13 Cisco ASDM User Guide OL-16647-01 Chapter 3 Defining Preferen ces and Using C onfiguration, Diagnostic, a nd File Management Tools Diagnostic Tools ASDM Java Console Y ou can use the ASDM Ja v a console to vi e w and copy lo gged entries in a text forma t, which can help you troubleshoot ASDM error s. T o access this tool, in the main ASDM app[...]

  • Page 104

    3-14 Cisco ASDM User Guide OL-16647-01 Chapter 3 Defining Prefer ences an d Using Configuration, Di agnostic, and File Management Tools Diagnostic Tools Step 3 Choose t he ingress interface (in side or outside) from the drop -down list . Step 4 Enter the source host IP add ress and choose th e network IP address from the drop-down list. Step 5 Choo[...]

  • Page 105

    3-15 Cisco ASDM User Guide OL-16647-01 Chapter 3 Defining Preferen ces and Using C onfiguration, Diagnostic, a nd File Management Tools Diagnostic Tools Modes The follo wing table sho ws the modes in which this featur e is av ailable: Field Information for t he Packet Capture Wizard This section includes the following topics: • Ingress T raf f ic[...]

  • Page 106

    3-16 Cisco ASDM User Guide OL-16647-01 Chapter 3 Defining Prefer ences an d Using Configuration, Di agnostic, and File Management Tools Diagnostic Tools Modes The follo wing table sho ws the modes in which this featur e is av ailable: Egress Traffic Selector The Egress T raff ic Selector dialog box lets you conf igure the egress interface, source a[...]

  • Page 107

    3-17 Cisco ASDM User Guide OL-16647-01 Chapter 3 Defining Preferen ces and Using C onfiguration, Diagnostic, a nd File Management Tools Diagnostic Tools Summary The Summary dialog box sho ws the traf fic selectors and the buf fer parameters for the packet capture. Fields • T raff ic Selectors—Show s the capture and ac cess list configuration sp[...]

  • Page 108

    3-18 Cisco ASDM User Guide OL-16647-01 Chapter 3 Defining Prefer ences an d Using Configuration, Di agnostic, and File Management Tools File Management Too ls Save Captures The Sav e Captures dialog box lets you sa ve the i ngress and e gress packet captures to ASCII or PCAP file format for fur ther packet analysis. Fields • ASCII—Sp ecifies to[...]

  • Page 109

    3-19 Cisco ASDM User Guide OL-16647-01 Chapter 3 Defining Preferen ces and Using C onfiguration, Diagnostic, a nd File Management Tools File Manageme nt Tools File Management The File Management tool lets you view , move, cop y , and delete files sto red in flash memory , transfer files, and to manage files on remote storage de vices (mount points)[...]

  • Page 110

    3-20 Cisco ASDM User Guide OL-16647-01 Chapter 3 Defining Prefer ences an d Using Configuration, Di agnostic, and File Management Tools File Management Too ls Manage Mount Points This feature lets you configure r emote storage (mount points) for network f ile systems usin g a CIFS or FTP connection. The dialog box li sts the mount-point na me, con [...]

  • Page 111

    3-21 Cisco ASDM User Guide OL-16647-01 Chapter 3 Defining Preferen ces and Using C onfiguration, Diagnostic, a nd File Management Tools File Manageme nt Tools Step 2 Mak e the changes to the remaining settings, and click OK when you are done. T o edit an FTP mount poin t, perform the follo wing steps: Step 1 Choose t he FTP mount-point you w ant to[...]

  • Page 112

    3-22 Cisco ASDM User Guide OL-16647-01 Chapter 3 Defining Prefer ences an d Using Configuration, Di agnostic, and File Management Tools File Management Too ls File Transfer The File T ransfer too l lets you transfer f iles from either a local or remo te location. Y ou can transfer a local file on your computer or a flash fi le system to and from th[...]

  • Page 113

    3-23 Cisco ASDM User Guide OL-16647-01 Chapter 3 Defining Preferen ces and Using C onfiguration, Diagnostic, a nd File Management Tools File Manageme nt Tools Step 9 T o transfer a file to a remote server , choose the Remote server op tion. a. Enter the pa th to the loca tion of th e file. b. For FTP transfers, enter the type. V alid types are the [...]

  • Page 114

    3-24 Cisco ASDM User Guide OL-16647-01 Chapter 3 Defining Prefer ences an d Using Configuration, Di agnostic, and File Management Tools File Management Too ls Step 1 In the main ASDM application windo w , choose T ools > Up grade Software from Cisco.com . The Upgrade Software from Cisco.com W izard appears. The Overvie w screen de scribes the st[...]

  • Page 115

    3-25 Cisco ASDM User Guide OL-16647-01 Chapter 3 Defining Preferen ces and Using C onfiguration, Diagnostic, a nd File Management Tools File Manageme nt Tools ASDM Assistant The ASDM Assistan t tool lets you search and view useful ASDM procedural help about certain tasks. T o access information, choose V iew > ASDM Assistant > How Do I? or en[...]

  • Page 116

    3-26 Cisco ASDM User Guide OL-16647-01 Chapter 3 Defining Prefer ences an d Using Configuration, Di agnostic, and File Management Tools File Management Too ls b. For the Relo ad Start T ime, you can select from th e follo wing options: – Click Now t o perform an immediate reload. – Click Delay by to delay the reload by a specif ied amount of ti[...]

  • Page 117

    3-27 Cisco ASDM User Guide OL-16647-01 Chapter 3 Defining Preferen ces and Using C onfiguration, Diagnostic, a nd File Management Tools File Manageme nt Tools Step 1 Create a fol der or on your computer to store backup f iles so they will be easy to f ind if you ha ve to rest ore later . Step 2 Choose T ools > Backup Configurations . ASDM opens [...]

  • Page 118

    3-28 Cisco ASDM User Guide OL-16647-01 Chapter 3 Defining Prefer ences an d Using Configuration, Di agnostic, and File Management Tools File Management Too ls ASDM displays a status windo w . When the backup completes, ASDM closes it and opens the Ba ckup Statistics windo w . T h is w i n d ow s h ow s t h e status of each backup. Note Backup “fa[...]

  • Page 119

    3-29 Cisco ASDM User Guide OL-16647-01 Chapter 3 Defining Preferen ces and Using C onfiguration, Diagnostic, a nd File Management Tools File Manageme nt Tools Restoring Configurations Y o u can specify conf igurations and images to restore fr om a zip file on your l ocal computer . Before proceeding, please not e the follo wing restrictions: • Th[...]

  • Page 120

    3-30 Cisco ASDM User Guide OL-16647-01 Chapter 3 Defining Prefer ences an d Using Configuration, Di agnostic, and File Management Tools File Management Too ls By default, all f iles are checked; ASDM restores them if they are av ailable. Step 4 Use the default options, or u ncheck them an d check the specific conf igurations and imag es you want to[...]

  • Page 121

    CH A P T E R 4-1 Cisco ASDM User Guide OL-16647-01 4 Before You Start This section descri bes the tasks you must perform before you use ASDM, and in cludes the follo wing topics: • Factory Default Configurations, pag e 4-1 • Config uring the Security Appl iance for ASDM Access, page 4-4 • Setting T ransparent o r Routed Fire wall Mo de at the[...]

  • Page 122

    4-2 Cisco ASDM User Guide OL-16647-01 Chapter 4 Before You Start Factory Defau lt Configurations Step 1 Choose File > Reset De vice to the F actory Default Configuration . Step 2 T o change the defa ult IP address, do one of the fo llowi ng: • For the ASA 5500 series, check the Use this address f or the Management 0/0 interface that will be na[...]

  • Page 123

    4-3 Cisco ASDM User Guide OL-16647-01 Chapter 4 Before You Start Factory Default Configurations interface Ethernet 0/5 switchport access vlan 1 no shutdown interface Ethernet 0/6 switchport access vlan 1 no shutdown interface Ethernet 0/7 switchport access vlan 1 no shutdown interface vlan2 nameif outside no shutdown ip address dhcp setroute interf[...]

  • Page 124

    4-4 Cisco ASDM User Guide OL-16647-01 Chapter 4 Before You Start Configuring the Security Appliance for ASDM Acce ss PIX 515/515E Default Configuration The default f actory conf iguration for th e PIX 515/515E security applian ce provides the fol lowin g: • The inside Ethernet1 interface. If you did not set the IP address in the configur e factor[...]

  • Page 125

    4-5 Cisco ASDM User Guide OL-16647-01 Chapter 4 Before You Start Setting Transparen t or Routed Firewall Mod e at the CLI For multi ple context mode, the sy stem configurat ion is erased, which remo ves any contexts. If yo u again add a context that has an e xisti ng configuration that w as created for the wrong mode, the contex t configuration wi [...]

  • Page 126

    4-6 Cisco ASDM User Guide OL-16647-01 Chapter 4 Before You Start Starting ASDM This command also appears in each context conf iguration for i nformation only; you cannot enter th is command in a conte xt. • T o set the mode to routed, enter t he follo wing command: hostname(config)# no firewall transparent Starting ASDM This section descri bes ho[...]

  • Page 127

    4-7 Cisco ASDM User Guide OL-16647-01 Chapter 4 Before You Start Starting ASDM Step 2 Enter or choose the adaptiv e security appliance IP ad dress or hostname to which you want to connect. T o clear the list of IP addresses, click the trash can icon next to the Device/IP Address/Name f ield. Step 3 Enter your username and your passw ord, and then c[...]

  • Page 128

    4-8 Cisco ASDM User Guide OL-16647-01 Chapter 4 Before You Start Starting ASDM – Configuration > Interf ace > Edit Interface > Renew DHCP Lease – Config uring a standby de vice aft er failo ver • Operations that cause a rereading of the configur ation, in which the GUI re v erts to the original configuration: – Switching conte xts [...]

  • Page 129

    4-9 Cisco ASDM User Guide OL-16647-01 Chapter 4 Before You Start Configuration Overview Configuration Overview T o configure and monitor the adapti v e securi ty applianc e, perform th e following steps: Step 1 For init ial configurat ion Using the Startup W izard , choose Wizards > Startup W izard . Step 2 T o use the IPSec VPN Wizard to conf i[...]

  • Page 130

    4-10 Cisco ASDM User Guide OL-16647-01 Chapter 4 Before You Start Configuration Overview – Filter Rules pre vent outbound access to specif ic websites or FTP servers. The security appliance works with a sep arate server runni ng either W ebs ense Enterprise or Sentian b y N2H2. Choose Confi guration > Properties > URL Filtering to con figur[...]

  • Page 131

    4-11 Cisco ASDM User Guide OL-16647-01 Chapter 4 Before You Start Configuration Overview – The CLI. – SNMP and ICMP . – Logging, including e-mail, e v ent lists, f ilters, rate limit, syslog serv ers, and SMTP . For more information, see Config uring Logging . – User and AAA authentication. – High a vailabili ty , the Scalability W izard,[...]

  • Page 132

    4-12 Cisco ASDM User Guide OL-16647-01 Chapter 4 Before You Start Configuration Overview[...]

  • Page 133

    P ART 2 De vice S etup and Management[...]

  • Page 134

    [...]

  • Page 135

    CH A P T E R 5-1 Cisco ASDM User Guide OL-16647-01 5 Using the Startup Wizard The ASDM Startup W izard guides you through the in itial conf iguratio n of the adapti ve security appliance, and helps you def ine the follo wing settings f or the adapti ve securi ty appliance: • The hostname • The domain name • A password to restrict admin istrat[...]

  • Page 136

    5-2 Cisco ASDM User Guide OL-16647-01 Chapter 5 Using the Startup Wizard Startup Wizard Screens for ASA 5500 Seri es and PIX 50 0 Series Security Appliances Startup Wizard Screens for ASA 5500 Series and PIX 500 Series Security Appliances T able 5-1 lists all of the required Startup Wizard screen s for configuring the ASA 5500 series adapti ve secu[...]

  • Page 137

    5-3 Cisco ASDM User Guide OL-16647-01 Chapter 5 Using the Startup Wizard Startup Wizard Screens for the ASA 5505 Adaptive Security Appliance Step 1 - Starting Point or Welcome T o access this feature from the main ASDM appli cation window (e xcept in multip le mode), choose File > Reset Device to the F actory Default Conf iguration . Fields • [...]

  • Page 138

    5-4 Cisco ASDM User Guide OL-16647-01 Chapter 5 Using the Startup Wizard Startup Wizard Screen s for the ASA 5505 Adaptive Se curity Appliance Note If you reset the conf iguration to factory defaults, you cannot undo these changes b y clicking Cancel or by closing th is screen. For More Information See the Cisco ASA 5500 Series Adaptive Security Ap[...]

  • Page 139

    5-5 Cisco ASDM User Guide OL-16647-01 Chapter 5 Using the Startup Wizard Startup Wizard Screens for the ASA 5505 Adaptive Security Appliance For More Information See the Cisco ASA 5500 Series Adaptive Security Appli ance Getting Started Guide and the Cisco ASA 5505 Getting Sta rted Guide . Modes The follo wing table sho ws the modes in which this f[...]

  • Page 140

    5-6 Cisco ASDM User Guide OL-16647-01 Chapter 5 Using the Startup Wizard Startup Wizard Screen s for the ASA 5505 Adaptive Se curity Appliance Step 4 - Management IP Address Configuration This screen lets you conf igure the management IP address of the h ost for this context. T o access this feature from the main ASDM appl ication windo w , choose [...]

  • Page 141

    5-7 Cisco ASDM User Guide OL-16647-01 Chapter 5 Using the Startup Wizard Startup Wizard Screens for the ASA 5505 Adaptive Security Appliance • Do not conf igure—Check this check box to disabl e confi guration of this VLAN . For More Information See the Cisco ASA 5505 Getting Started Gu ide . Modes The follo wing table sho ws the modes in which [...]

  • Page 142

    5-8 Cisco ASDM User Guide OL-16647-01 Chapter 5 Using the Startup Wizard Startup Wizard Screen s for the ASA 5505 Adaptive Se curity Appliance Step 7 - Interface IP Address Configuration This screen allo ws you to confi gur e the interface by obtaining an IP address from a PPPoE serv er or a DHCP server , or by specifying an IP address and subnet m[...]

  • Page 143

    5-9 Cisco ASDM User Guide OL-16647-01 Chapter 5 Using the Startup Wizard Startup Wizard Screens for the ASA 5505 Adaptive Security Appliance Step 8 - Internet Interface Configuration - PPPoE This screen lets you configure th e specif ied outside inte rf ace by obtaining an IP address from a PPPoE server . T o acce ss this feature from the main ASDM[...]

  • Page 144

    5-10 Cisco ASDM User Guide OL-16647-01 Chapter 5 Using the Startup Wizard Startup Wizard Screen s for the ASA 5505 Adaptive Se curity Appliance Modes The follo wing table sho ws the modes in which this featur e is av ailable: Step 9 - Business Interface Configuration - PPPoE This screen lets you conf igure the inside interface b y obtaining an IP a[...]

  • Page 145

    5-11 Cisco ASDM User Guide OL-16647-01 Chapter 5 Using the Startup Wizard Startup Wizard Screens for the ASA 5505 Adaptive Security Appliance For More Information See the Cisco ASA 5505 Getting Started Gu ide . Modes The follo wing table sho ws the modes in which this featur e is av ailable: Step 10 - Home Interface Configuration - PPPoE This scree[...]

  • Page 146

    5-12 Cisco ASDM User Guide OL-16647-01 Chapter 5 Using the Startup Wizard Startup Wizard Screen s for the ASA 5505 Adaptive Se curity Appliance • Obtain default route using PPPoE—Ch eck t his check box to set the default routing using the PPPoE server . For More Information See the Cisco ASA 5505 Getting Started G uide . Modes The follo wing ta[...]

  • Page 147

    5-13 Cisco ASDM User Guide OL-16647-01 Chapter 5 Using the Startup Wizard Startup Wizard Screens for the ASA 5505 Adaptive Security Appliance Step 12 - Static Routes This screen lets you create, edit, and remo ve static routes that will access networ ks connected to a router on any interf ace. For More Information • Static Routes, page 11-40 • [...]

  • Page 148

    5-14 Cisco ASDM User Guide OL-16647-01 Chapter 5 Using the Startup Wizard Startup Wizard Screen s for the ASA 5505 Adaptive Se curity Appliance • Enable auto-conf iguration—Check th is check box to allo w automatic conf iguration of t he DNS server , WINS serv er , lease length, and p ing timeout settings. • DNS Server 1—Specif ies the IP a[...]

  • Page 149

    5-15 Cisco ASDM User Guide OL-16647-01 Chapter 5 Using the Startup Wizard Startup Wizard Screens for the ASA 5505 Adaptive Security Appliance • A DNS server on a higher le vel security interf ace cannot use P A T . Fields • Use Network Address T ranslation (N A T)—Choose to en able NA T and a range of IP addresses to be used for translation. [...]

  • Page 150

    5-16 Cisco ASDM User Guide OL-16647-01 Chapter 5 Using the Startup Wizard Startup Wizard Screen s for the ASA 5505 Adaptive Se curity Appliance • Interface—Displays t he host or networ k name. • IP Address—Displa ys the IP address of the ho st or network. • Mask—Displays the subn et mask of the host or net work. • Enable HTTP server f[...]

  • Page 151

    5-17 Cisco ASDM User Guide OL-16647-01 Chapter 5 Using the Startup Wizard Startup Wizard Screens for the ASA 5505 Adaptive Security Appliance • Interface Name—Choose from a list of predetermined interfaces. • IP Address—Specifies an IP address for the interface. • Subnet Mask—Specif ies a subnet mask for the interf ace from a selection [...]

  • Page 152

    5-18 Cisco ASDM User Guide OL-16647-01 Chapter 5 Using the Startup Wizard Startup Wizard Screen s for the ASA 5505 Adaptive Se curity Appliance Fields • Enable Easy VPN remote—Check this check box to enable the adaptive security appliance to act as an Easy VPN remote device. If you do not enable this feature, any host that has a ccess to the ad[...]

  • Page 153

    5-19 Cisco ASDM User Guide OL-16647-01 Chapter 5 Using the Startup Wizard Startup Wizard Screens for the ASA 5505 Adaptive Security Appliance Step 17 - Startup Wizard Summary This screen summarizes all of t he settings you ha ve made for the securi ty appliance. • T o change any of the settings in pre vious screens, click Back . • If you starte[...]

  • Page 154

    5-20 Cisco ASDM User Guide OL-16647-01 Chapter 5 Using the Startup Wizard Startup Wizard Screen s for the ASA 5505 Adaptive Se curity Appliance Edit Interface T o access this feature from the main ASD M application window , choose Configuration > Interfaces . Fields • Interface — Displays the name of the selected interface to edit. • Inter[...]

  • Page 155

    5-21 Cisco ASDM User Guide OL-16647-01 Chapter 5 Using the Startup Wizard Startup Wizard Screens for the ASA 5505 Adaptive Security Appliance • Enable traf fic between t wo or more interfaces with the same secu rity lev el—Che ck this che ck box to enable traf f ic between two or more interf aces with the same security le v el. Note IP address-[...]

  • Page 156

    5-22 Cisco ASDM User Guide OL-16647-01 Chapter 5 Using the Startup Wizard Startup Wizard Screen s for the ASA 5505 Adaptive Se curity Appliance – Specify an IP address—Click to spec ify an IP add ress for an in terface: IP Address—Lets you enter an IP address for an interface. Subnet Mask—Lets you enter or choose a subnet mask for an interf[...]

  • Page 157

    5-23 Cisco ASDM User Guide OL-16647-01 Chapter 5 Using the Startup Wizard Startup Wizard Screens for the ASA 5505 Adaptive Security Appliance • Use the follo wing IP address—Choose this opt ion to specify an IP address manuall y for the interface. This f ield is not v isible in transparent mode. • IP Address—Spe cifi es an IP addr ess for a[...]

  • Page 158

    5-24 Cisco ASDM User Guide OL-16647-01 Chapter 5 Using the Startup Wizard Startup Wizard Screen s for the ASA 5505 Adaptive Se curity Appliance[...]

  • Page 159

    CH A P T E R 6-1 Cisco ASDM User Guide OL-16647-01 6 Configuring Basic Device Settings This section contains the following topics: • Management IP Ad dress, page 6-1 • System T ime, page 6-2 • Config uring Adv anced De vice Managemen t Features, page 6-4 • System Image/Conf iguration, pag e 6-6 • Dev ice Name/Password, page 6-12 • Syste[...]

  • Page 160

    6-2 Cisco ASDM User Guide OL-16647-01 Chapter 6 Configuring Basic Device Settings System Time System Time Y o u can manually set the system d ate or time or ha ve the secu rity appliance dynamically set the system date and tim e using an NTP server . See the follo wing topics for more information: • Clock, page 6-2 • NTP , page 6-3 Clock The Cl[...]

  • Page 161

    6-3 Cisco ASDM User Guide OL-16647-01 Chapter 6 Configuring Basic Device Settings System Time NTP The NTP pane lets you def ine NTP servers to dynamic ally set the time on the security appliance. Th e time displays in the status bar at the bot tom of the main ASDM pane. T ime deri ved from an NTP server o verrides an y time set manually in the Cloc[...]

  • Page 162

    6-4 Cisco ASDM User Guide OL-16647-01 Chapter 6 Configuring Basic Device Settings Configuring Advanced D evice Management Features Add/Edit NTP Server Configuration The Add/Edit NTP Serv er Conf iguration dialog box lets you add or edit an NTP server . Fields • IP Address—Sets the NTP server IP address. • Preferred—Sets this server as a pre[...]

  • Page 163

    6-5 Cisco ASDM User Guide OL-16647-01 Chapter 6 Configuring Basic Device Settings Configuring Advanc ed Device Management Feature s Note T o redirect HTTP , the interface requires an acce ss list that permits HTTP . Otherwise, the interface cannot listen to the HTTP port. T o change the HTTP redirect sett ing of an interface or th e port from which[...]

  • Page 164

    6-6 Cisco ASDM User Guide OL-16647-01 Chapter 6 Configuring Basic Device Settings System Image/Configurat ion History Metrics The History Metrics pane lets you con figure t he adaptiv e security appl iance to keep a history of va rious statistics, which ASDM can displ ay on any Graph/T abl e. If yo u do not enable history metrics, you can only moni[...]

  • Page 165

    6-7 Cisco ASDM User Guide OL-16647-01 Chapter 6 Configuring Basic Device Settings System Image/Configuration Features of temporary and permanen t licenses combine to form the ru nning license. When you activ ate a temporary license, it overrides an y pre viously-act iv ated temporary license and combines with the permanent lic ense to create a ne w[...]

  • Page 166

    6-8 Cisco ASDM User Guide OL-16647-01 Chapter 6 Configuring Basic Device Settings System Image/Configurat ion Important Notes • If the security appliance co nfigu ration is updated from an Auto Update serv er , ASDM is not notif ied. Y ou must choo se Refr esh or File > Refresh ASDM with the Run ning Conf iguration on the Device to get the lat[...]

  • Page 167

    6-9 Cisco ASDM User Guide OL-16647-01 Chapter 6 Configuring Basic Device Settings System Image/Configuration Set Polling Schedule The Set Polling Schedule d ialog box lets you conf igure specif ic days, and the time-of-day f or the security appliance to poll th e Auto Update server . Fields The Set Polling Schedule d ialog box contains the follo wi[...]

  • Page 168

    6-10 Cisco ASDM User Guide OL-16647-01 Chapter 6 Configuring Basic Device Settings System Image/Configurat ion Modes The follo wing table sho ws the modes in which this featur e is av ailable: Advanced Auto Update Settings Fields • Use Device ID to uniquely identify the ASA—Enab les authentication using a Device ID. The De vice ID is used to un[...]

  • Page 169

    6-11 Cisco ASDM User Guide OL-16647-01 Chapter 6 Configuring Basic Device Settings System Image/Configuration Fields • Boot Order—Displays th e order in which bi nary image f iles will be used to boo t. • Boot Image Location—Displays t he physical location an d path of the boot f ile. • Boot Conf iguration File P ath—Displays the locati[...]

  • Page 170

    6-12 Cisco ASDM User Guide OL-16647-01 Chapter 6 Configuring Basic Device Settings Device Name/Password Modes The follo wing table sho ws the modes in which this featur e is av ailable: Device Name/Password The De vice Name/Passwor d pane lets you set the ho stname and domain name for the securit y appliance and set the enable and telnet passwords.[...]

  • Page 171

    6-13 Cisco ASDM User Guide OL-16647-01 Chapter 6 Configuring Basic Device Settings System Software The T elnet Password area cont ains the follo wing f ields. In multip le context mode, the T elnet Password area only appears in contexts; it does no t appear in the syst em ex ecution space. • Change the password to access the platform console—Le[...]

  • Page 172

    6-14 Cisco ASDM User Guide OL-16647-01 Chapter 6 Configuring Basic Device Settings System Software – Client Re vision—Specif ies the re vision number(s) of th e software component . Double-clicking an y of the ro ws in the Client Images table opens the Edit Client Update Entry dialog box, in which you can mo dify the client parameters. These ch[...]

  • Page 173

    6-15 Cisco ASDM User Guide OL-16647-01 Chapter 6 Configuring Basic Device Settings System Software Modes The follo wing table sho ws the modes in which this featur e is av ailable: Firewall Mode Security Context Routed T ransparent Single Multiple Context Sy stem • • • ——[...]

  • Page 174

    6-16 Cisco ASDM User Guide OL-16647-01 Chapter 6 Configuring Basic Device Settings System Software[...]

  • Page 175

    CH A P T E R 7-1 Cisco ASDM User Guide OL-16647-01 7 Configuring Interfaces in Single Mode This chapter describes ho w to conf igure and enable ph ysical Ethernet interfaces, ho w to create redundant interface pairs, an d how to add subinterfaces. If you hav e both f iber and copper Ethernet po rts (for exam ple, on the 4GE SSM for the ASA 551 0 an[...]

  • Page 176

    7-2 Cisco ASDM User Guide OL-16647-01 Chapter 7 Configuring Interfaces in Single Mod e Interface Over view • Default Phy sical Interface Set tings, page 7-2 • Connector T ypes, page 7-2 • Auto-MDI/MDIX Feature, page 7-2 Default Physical Interface Settings By default, th e speed and duple x for copper (RJ-45) interf aces are set to auto-ne got[...]

  • Page 177

    7-3 Cisco ASDM User Guide OL-16647-01 Chapter 7 Configuring Interfac es in Single Mode Interface Overview • If you use a redundant interface for the f ailov er or state link, you must put a switch or hub between the two units; yo u cannot connect them directly . Withou t the switch or hub, you could ha v e the activ e port on the primary un it co[...]

  • Page 178

    7-4 Cisco ASDM User Guide OL-16647-01 Chapter 7 Configuring Interfaces in Single Mod e Interface Over view Maximum Subinterfaces T o determine ho w many subinter faces are allo wed for your platform, see Appendi x A, “Feature Licenses. ” Preventing Untagged Packets on the Physical Interface If you use subinterf aces, you typically do not also w[...]

  • Page 179

    7-5 Cisco ASDM User Guide OL-16647-01 Chapter 7 Configuring Interfac es in Single Mode Configuring an Interface (Sin gle Mode) • Filtering—HTTP(S) and FTP f iltering applies only f or outbound connections (from a higher le v el to a lo wer le vel). For same security interfaces, you can filter traf f ic in either direction. • N A T control—W[...]

  • Page 180

    7-6 Cisco ASDM User Guide OL-16647-01 Chapter 7 Configuring Interfaces in Single Mod e Configuring an Inter face (Single Mode) a. Click Add > Redundant Interface . The Add Redundant Interf ace dialog box appears with the General tab select ed. b. In the Redundant ID field, enter an inte ger between 1 and 8. c. From the Primary Interf ace drop-do[...]

  • Page 181

    7-7 Cisco ASDM User Guide OL-16647-01 Chapter 7 Configuring Interfac es in Single Mode Configuring an Interface (Sin gle Mode) Note Route tracking is only a vail able in single, routed mode. SLA ID—A unique identif ier for t he SLA monitoring process. V alid v alues are from 1 to 2147483647. Monitor Options—Click this b utton to open the Route [...]

  • Page 182

    7-8 Cisco ASDM User Guide OL-16647-01 Chapter 7 Configuring Interfaces in Single Mod e Enabling Same Secur ity Leve l Communication (Single Mode) parameters. For RJ-45 interfaces on the ASA 5500 se ries adaptiv e security appliance, the default auto-nego tiation setting also includes the Au to-MDI/MDIX feature. Auto-MDI/MDIX eliminates the need for[...]

  • Page 183

    7-9 Cisco ASDM User Guide OL-16647-01 Chapter 7 Configuring Interfac es in Single Mode PPPoE IP Address and Route Settings If you enable same security i nterface communication , you can still conf igure interf aces at dif ferent security le vels as usual. Y ou can also enable communication between hosts connected to the same interface. • T o enab[...]

  • Page 184

    7-10 Cisco ASDM User Guide OL-16647-01 Chapter 7 Configuring Interfaces in Single Mod e PPPoE IP Address and Route Settings – Monitor Options—Click this b utton to open the Route Monitoring Opti ons dialog box. In the Route Monitoring O ptions dialog box you can configure the parameter s of the tracked object monitoring process. – Secondary T[...]

  • Page 185

    CH A P T E R 8-1 Cisco ASDM User Guide OL-16647-01 8 Configuring Interfaces in Multiple Mode This chapter describes ho w to conf igure and enable ph ysical Ethernet interfaces, ho w to create redundant interface pairs, an d how to add subinterfaces in th e system conf iguration. If you ha ve both f iber and copper Ethernet ports (for exam ple, on t[...]

  • Page 186

    8-2 Cisco ASDM User Guide OL-16647-01 Chapter 8 Configuring Interfaces in Multiple Mode Configuring Interfaces in the Sy stem Configuration (Mult iple Mode) Note If you use failo ver , you need to assign a dedicated interface as th e failo ver link an d an optional interf ace for Stateful Failo ver on the Fail over : S et u p tab . (Y ou can use th[...]

  • Page 187

    8-3 Cisco ASDM User Guide OL-16647-01 Chapter 8 Configuring Interfaces in Multiple Mode Configuring Interfaces in the S yst em Configuration (Multiple Mode) Configuring and Enabling Physical Interfaces in the System Configuration (Multiple Mode) T o configure and enable a physical in terface, perform the follo wing steps: Step 1 In the Configuratio[...]

  • Page 188

    8-4 Cisco ASDM User Guide OL-16647-01 Chapter 8 Configuring Interfaces in Multiple Mode Configuring Interfaces in the Sy stem Configuration (Mult iple Mode) Redundant Interface Overview This section includes overvie w informatio n about redundant interf aces, and includes the follo wing topics: • Default State of Redu ndant Interfaces, page 8-4 ?[...]

  • Page 189

    8-5 Cisco ASDM User Guide OL-16647-01 Chapter 8 Configuring Interfaces in Multiple Mode Configuring Interfaces in the S yst em Configuration (Multiple Mode) • If you shut do wn the acti v e interface, then the standby interf ace becomes activ e. Adding a Redundant Interface in the Sy stem Configuration (Multiple Mode) Y o u can conf igure up to 8[...]

  • Page 190

    8-6 Cisco ASDM User Guide OL-16647-01 Chapter 8 Configuring Interfaces in Multiple Mode Configuring Interfaces in the Sy stem Configuration (Mult iple Mode) • Maximum Subin terfaces, page 8-6 Default State of Subinterfaces When you add a subinterface, it is enabled by default. Ho we v er , the physical or redundant in terface must also be enabled[...]

  • Page 191

    8-7 Cisco ASDM User Guide OL-16647-01 Chapter 8 Configuring Interfaces in Multiple Mode Allocating Inte rfaces to Contexts Enabling Jumbo Frame Support for the ASA 5580 in the System Configuration (Multiple Mode) A jumbo frame is an Eth ernet packet lar ger than the standard maximu n of 1518 byt es (including Layer 2 header and FCS), up to 9216 byt[...]

  • Page 192

    8-8 Cisco ASDM User Guide OL-16647-01 Chapter 8 Configuring Interfaces in Multiple Mode Configuring Interface Parameters within each Context (Multiple Mode) Default State of Interfaces In multiple conte xt mode, all allocated interfaces are enabled b y default, no matter w hat the state o f the interface is in the system ex ecution space. Howe ver [...]

  • Page 193

    8-9 Cisco ASDM User Guide OL-16647-01 Chapter 8 Configuring Interfaces in Multiple Mode Configuring Interface Parameters within each Context (Multiple Mode) W ithout N A T control, or for same secu rity inte rfaces, you can choo se to use N A T between any interface, or yo u can choose not to use N A T . Keep in mind that conf iguring N A T for an [...]

  • Page 194

    8-10 Cisco ASDM User Guide OL-16647-01 Chapter 8 Configuring Interfaces in Multiple Mode Configuring Interface Parameters within each Context (Multiple Mode) The description can be up to 240 characters on a single line, with out carriage returns. T he system description is independent of t he context de scription. In the case of a fa ilov er or sta[...]

  • Page 195

    8-11 Cisco ASDM User Guide OL-16647-01 Chapter 8 Configuring Interfaces in Multiple Mode Configuring Interface Parameters within each Context (Multiple Mode) Y ou can also enable communication between hosts connected to the same interface. • T o enable interfaces on the same security le vel to communi cate with each other , from th e Configuratio[...]

  • Page 196

    8-12 Cisco ASDM User Guide OL-16647-01 Chapter 8 Configuring Interfaces in Multiple Mode Configuring Interface Parameters within each Context (Multiple Mode)[...]

  • Page 197

    CH A P T E R 9-1 Cisco ASDM User Guide OL-16647-01 9 Configuring Switch Port s and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance This chapter describes how to conf igure the switch ports and VLAN interf aces of the ASA 5505 adapti v e security appliance. Note T o configu re interfaces of other models, see Chapter 7, “Conf igu[...]

  • Page 198

    9-2 Cisco ASDM User Guide OL-16647-01 Chapter 9 Configuring Switch Ports and VLAN Inte rfaces for the Cisco ASA 5505 Adaptive Security Appliance Interface Over view Understanding ASA 5505 Ports and Interfaces The ASA 5505 adaptiv e security appliance su pports a built-in switch. Th ere are two kinds of p orts and interfaces that you need to conf ig[...]

  • Page 199

    9-3 Cisco ASDM User Guide OL-16647-01 Chapter 9 Configuring Switch Po rts and VLAN Interfac es for the Cisc o ASA 5505 Adaptive Security Ap pliance Interface Overview W ith the Base license, the th ird VLAN can only be conf igured to initiate t raf fic t o one other VLAN. See Figure 9-1 for an e xample network where the Home VL AN can communicate w[...]

  • Page 200

    9-4 Cisco ASDM User Guide OL-16647-01 Chapter 9 Configuring Switch Ports and VLAN Inte rfaces for the Cisco ASA 5505 Adaptive Security Appliance Interface Over view Default Interface Configuration If your adapti ve security appliance includes the default factory conf iguration, your interfaces are configured as follo ws: • The outside interface ([...]

  • Page 201

    9-5 Cisco ASDM User Guide OL-16647-01 Chapter 9 Configuring Switch Po rts and VLAN Interfac es for the Cisc o ASA 5505 Adaptive Security Ap pliance Configuring VLAN Interfaces Y o u can only enable SP AN monitoring using the Command Line I nterface tool b y entering the switchport monitor command. See the switchport monitor command in the Cisco Sec[...]

  • Page 202

    9-6 Cisco ASDM User Guide OL-16647-01 Chapter 9 Configuring Switch Ports and VLAN Inte rfaces for the Cisco ASA 5505 Adaptive Security Appliance Configuring VLAN Interfaces If you enabled Easy VPN, y ou cannot add or delete VLAN interfaces, no r can you edit the security le vel or interface name. W e suggest that you finalize y our interface conf i[...]

  • Page 203

    9-7 Cisco ASDM User Guide OL-16647-01 Chapter 9 Configuring Switch Po rts and VLAN Interfac es for the Cisc o ASA 5505 Adaptive Security Ap pliance Configuring VLAN Interfaces The backup interface does not pass through tra ff ic unless the default route th rough the primary interface f ails. This option is useful for Easy VP N; when the back up int[...]

  • Page 204

    9-8 Cisco ASDM User Guide OL-16647-01 Chapter 9 Configuring Switch Ports and VLAN Inte rfaces for the Cisco ASA 5505 Adaptive Security Appliance Configuring VLAN Interfaces Add/Edit Interface > General The Add/Edit I nterface > Ge neral tab le ts you add or edit a VLAN interface. If you intend to use an i nterface for fa ilov er , do not co n[...]

  • Page 205

    9-9 Cisco ASDM User Guide OL-16647-01 Chapter 9 Configuring Switch Po rts and VLAN Interfac es for the Cisc o ASA 5505 Adaptive Security Ap pliance Configuring VLAN Interfaces Retry Count—Sets the number of times between 4 and 16 t hat the security appliance resends a DHCP request if it does not recei v e a reply after the f irst attempt. The tot[...]

  • Page 206

    9-10 Cisco ASDM User Guide OL-16647-01 Chapter 9 Configuring Switch Ports and VLAN Inte rfaces for the Cisco ASA 5505 Adaptive Security Appliance Configuring VLAN Interfaces Modes The follo wing table sho ws the modes in which this featur e is av ailable: Add/Edit Interface > Advanced The Add/Edit Interf ace > Adv anced tab lets you set the M[...]

  • Page 207

    9-11 Cisco ASDM User Guide OL-16647-01 Chapter 9 Configuring Switch Po rts and VLAN Interfac es for the Cisc o ASA 5505 Adaptive Security Ap pliance Configuring Switch Ports – Block T raff ic from this Interface to—Choose a VLAN ID in the list . • Select Backup Interface—Shows the backup ISP interf ace for this interface. If this i nterface[...]

  • Page 208

    9-12 Cisco ASDM User Guide OL-16647-01 Chapter 9 Configuring Switch Ports and VLAN Inte rfaces for the Cisco ASA 5505 Adaptive Security Appliance Configuring Switch Ports • Mode—The mode, Access or T runk. Access ports can be assign ed to one VLAN. T runk ports can carry multiple VLANs using 802 .1Q tagging. T runk mode is a v ailable only with[...]

  • Page 209

    9-13 Cisco ASDM User Guide OL-16647-01 Chapter 9 Configuring Switch Po rts and VLAN Interfac es for the Cisc o ASA 5505 Adaptive Security Ap pliance Configuring Switch Ports Interfaces > Interfaces t ab and specify the switch port in t he Add/Edit Interface > General tab rather than speci fying it in this dialog b ox; in either case, you need[...]

  • Page 210

    9-14 Cisco ASDM User Guide OL-16647-01 Chapter 9 Configuring Switch Ports and VLAN Inte rfaces for the Cisco ASA 5505 Adaptive Security Appliance Configuring Switch Ports[...]

  • Page 211

    CH A P T E R 10-1 Cisco ASDM User Guide OL-16647-01 10 Configuring Security Contexts This chapter describe s how to use security contexts and enable multiple co ntext mode. Thi s chapter includes th e following sections: • Security Contex t Overvie w , page 10-1 • Enabling or Disabling Multiple Conte xt Mode, page 10-9 • Config uring Resource[...]

  • Page 212

    10-2 Cisco ASDM User Guide OL-16647-01 Chapter 10 Config uring Security Contexts Security Context Overview Common Uses for Security Contexts Y o u might wa nt to use multiple securi ty contexts in th e follo wing situations : • Y ou are a service provider and want to sell secu rity services to many custo mers. By enabling multiple security conte [...]

  • Page 213

    10-3 Cisco ASDM User Guide OL-16647-01 Chapter 10 Configuring Security Contex ts Security Context Overview • In v alid Classif ier Criteria, page 10 -4 • Classification Examples, page 10-4 Note If the destination MA C address is a multicast or br oadcast MAC address, the packet is duplicated and deliv ered to each context. Valid Classifier Crit[...]

  • Page 214

    10-4 Cisco ASDM User Guide OL-16647-01 Chapter 10 Config uring Security Contexts Security Context Overview static (inside,shared) 10.30.10.0 10.30.10.0 netmask 255.255.255.0 Note For management traf fic destined for an interf ace, the interface IP address is used for classification. Invalid Classifier Criteria The follo wing conf igurations are not[...]

  • Page 215

    10-5 Cisco ASDM User Guide OL-16647-01 Chapter 10 Configuring Security Contex ts Security Context Overview Figure 10-2 sho ws mult iple contexts sh aring an outside interf ace without MA C addresses assigned. The classifier assigns the packet to Conte xt B becaus e Context B includes the address translation that matches the destination address. Fig[...]

  • Page 216

    10-6 Cisco ASDM User Guide OL-16647-01 Chapter 10 Config uring Security Contexts Security Context Overview Figur e 1 0-3 Incoming T r af fic fr om Inside Netw or ks Host 10.1.1.13 Host 10.1.1.13 Host 10.1.1.13 Classifier Conte xt A Conte xt B GE 0/1.3 GE 0/1.2 GE 0/0.1 Admin Conte xt GE 0/1.1 Inside Customer A Inside Customer B Internet Admin Netwo[...]

  • Page 217

    10-7 Cisco ASDM User Guide OL-16647-01 Chapter 10 Configuring Security Contex ts Security Context Overview For transparent fire w alls, you must use unique i nterfaces. Figur e 10-4 sho ws a host on the Context B inside network accessing the Internet. The classifier assigns the packet to Context B because the ingress interface is Gigabi t Ethernet [...]

  • Page 218

    10-8 Cisco ASDM User Guide OL-16647-01 Chapter 10 Config uring Security Contexts Security Context Overview Figure 10-5 sho ws a gateway context with two contexts behind the gateway . Figur e 1 0-5 Cascading Cont exts Management Access to Security Contexts The security appliance provides sy stem administrator access in multip le context mode as well[...]

  • Page 219

    10-9 Cisco ASDM User Guide OL-16647-01 Chapter 10 Configuring Security Contex ts Enabling or Disabling Multiple Con text Mode log in with a username, enter th e login command. F or e xample, you log in to the admin conte xt with the username “admin. ” The admin context does not hav e any command authorization conf igurati on, but all other cont[...]

  • Page 220

    10-10 Cisco ASDM User Guide OL-16647-01 Chapter 10 Config uring Security Contexts Configuring Resource Classes original running co nfigu ration is sa ved as old_r unning.cfg (in the root di rectory of the internal Fl ash memory). The original startup conf iguration is not sa ved. The security appliance automatically adds an entry for the admin con [...]

  • Page 221

    10-11 Cisco ASDM User Guide OL-16647-01 Chapter 10 Configuring Security Contex ts Configuring Reso urce Classes Classes and Class Members Overview The security appliance manages res ources by assigning contexts to resource classes. Each context uses the resource limits set b y the class. This section includes the f ollowing topics: • Resource Lim[...]

  • Page 222

    10-12 Cisco ASDM User Guide OL-16647-01 Chapter 10 Config uring Security Contexts Configuring Resource Classes Figure 1 0-7 Unlimited Resources Default Class All contex ts belong to the default cl ass if they are not assigned to another class; you do not ha v e to activ ely assign a context to the def ault class. If a conte xt belongs to a class ot[...]

  • Page 223

    10-13 Cisco ASDM User Guide OL-16647-01 Chapter 10 Configuring Security Contex ts Configuring Reso urce Classes Figure 10-8 sho ws the relationshi p between t he default class and o ther classes. Con texts A and C belong to classes with some limits set; o ther limits are inhe rited from the defa ult class. Context B in herits no limits from defa ul[...]

  • Page 224

    10-14 Cisco ASDM User Guide OL-16647-01 Chapter 10 Config uring Security Contexts Configuring Resource Classes For resources that do not ha ve a system l imit, you cannot set the percentage; you can only set an absolute v alue. If you do not set a limit, the limit is inherited from th e default class. If the default class does not set a limit, then[...]

  • Page 225

    10-15 Cisco ASDM User Guide OL-16647-01 Chapter 10 Configuring Security Contex ts Configuring Reso urce Classes • Inspects/sec—Sets the limit f or application inspections per second. Select the check box to enable this limit. If you set t he limit to 0, it is unlimited. Step 6 Click OK . Monitoring Context Resource Usage T o monitor resource us[...]

  • Page 226

    10-16 Cisco ASDM User Guide OL-16647-01 Chapter 10 Config uring Security Contexts Configuring Security Contex ts – Peak (#)—Sho ws the peak number of xlates since the statistics we re last cleared, either using the clear r esour ce usage command or because the de vice rebooted. • NA T s— Shows the number o f N A T rules. – Context—Sho w[...]

  • Page 227

    10-17 Cisco ASDM User Guide OL-16647-01 Chapter 10 Configuring Security Contex ts Configuring Security Contexts Step 5 From the Interf aces > Physical Interface drop-down list, choose an interf ace. Y ou can assign the main interface, in which case you lea ve the subinterf ace ID blank, or you can assign a subinterface or a range of subint erfac[...]

  • Page 228

    10-18 Cisco ASDM User Guide OL-16647-01 Chapter 10 Config uring Security Contexts Configuring Security Contex ts • Enabling Automatic MA C Address Assignment, page 10-18 MAC Address Overview T o allo w conte xts to share interf aces, we suggest that yo u assign unique MA C addr esses to each conte xt interface. The MA C address is used to classif[...]

  • Page 229

    CH A P T E R 11-1 Cisco ASDM User Guide OL-16647-01 11 Configuring Dynamic And Static Routing T o conf igure static routes and dynamic routing protocols, go to Configuration > De vice Setup > Routing area of the ASDM interface. Y o u can conf igure up to two OSPF , one EIGRP , and one RIP routing process on the security ap pliance at the same[...]

  • Page 230

    11-2 Cisco ASDM User Guide OL-16647-01 Chapter 11 Config uring Dynamic A nd Static Routi ng Dynamic Routing If N A T is used, if OSPF is operating on public and pr iv ate areas, and if address filteri ng is required, then you need to run tw o OSPF processes—one process for th e public areas and one for the p riv ate areas. A router that has inter[...]

  • Page 231

    11-3 Cisco ASDM User Guide OL-16647-01 Chapter 11 Configuring Dynamic And Static Routing Dynamic Routin g Setup > Process Instances Tab Y o u can enable up to two OSPF pro cess instances. Each OSPF process has its own associ ated areas and networks. Fields • OSPF Process 1 and 2 areas—Each area contains the settings for a speci fic OSPF proc[...]

  • Page 232

    11-4 Cisco ASDM User Guide OL-16647-01 Chapter 11 Config uring Dynamic A nd Static Routi ng Dynamic Routing • RFC 1583 Compatible—Check this check box to calculate summary route co sts per RFC 1583. Uncheck this check box to calculate summary rout e costs per RFC 2328. T o minimize the chance of routing loops, all OSPF de vices in an OSPF rou t[...]

  • Page 233

    11-5 Cisco ASDM User Guide OL-16647-01 Chapter 11 Configuring Dynamic And Static Routing Dynamic Routin g Setup > Area/Networks Tab The Area/Networks tab displays the areas, and the networks the y contai n, for each OSPF process on the security appliance. Fields • Area/Networks—Displays i nformation about the area s and the area networks con[...]

  • Page 234

    11-6 Cisco ASDM User Guide OL-16647-01 Chapter 11 Config uring Dynamic A nd Static Routi ng Dynamic Routing Fields • OSPF Process—When adding a ne w area, choose the OSPF process ID for the OSPF process for which the area is being. If there is only one OSPF process enabled on the s ecurity appliance, then that process is selected by def ault. W[...]

  • Page 235

    11-7 Cisco ASDM User Guide OL-16647-01 Chapter 11 Configuring Dynamic And Static Routing Dynamic Routin g – None—Choose this option to di sable OSPF area authentication. This is the def ault setting. – Passw ord—Choose this option to use a cl ear text passw ord for area authentication. This optio n is not recommended where security is a con[...]

  • Page 236

    11-8 Cisco ASDM User Guide OL-16647-01 Chapter 11 Config uring Dynamic A nd Static Routi ng Dynamic Routing Add/Edit Route Summarization Use the Add Route Summari zation dialog box to add a ne w entry to the Route Summarizat ion table. Use the Edit Rout e Summariza tion dialog box to change a n existing entry . Fields • OSPF Process—Choose the [...]

  • Page 237

    11-9 Cisco ASDM User Guide OL-16647-01 Chapter 11 Configuring Dynamic And Static Routing Dynamic Routin g Fields The Filtering table display s the follow ing information. Double-clicking a table entry opens the Add /Edit Filtering Entry dialog box for the selected entry . • OSPF Process—Displays the OSPF process associated with the f ilter entr[...]

  • Page 238

    11-10 Cisco ASDM User Guide OL-16647-01 Chapter 11 Config uring Dynamic A nd Static Routi ng Dynamic Routing • Sequence #—Enter a sequence number for the filter . V alid values range from 1 to 4294967294. When multiple f ilters apply to an LSA, the fil ter with the lo west sequence number is used. • Action—Choose “Permit” to allow the L[...]

  • Page 239

    11-11 Cisco ASDM User Guide OL-16647-01 Chapter 11 Configuring Dynamic And Static Routing Dynamic Routin g – Interface—Displays t he interface name. – Authentication T ype—Displ ays the type of OSPF authentication enabled on t he interface. The authentication type can be one of the following v alues: None—OSPF authentication i s disabled.[...]

  • Page 240

    11-12 Cisco ASDM User Guide OL-16647-01 Chapter 11 Config uring Dynamic A nd Static Routi ng Dynamic Routing • MD5 IDs and K eys—Contain s the settings for ente ring the MD5 k eys and param eters when MD5 authentication is enabled. Al l devices on t he in terface using OSPF authenti cation must use the same MD5 key and ID. – Enter MD5 ID and [...]

  • Page 241

    11-13 Cisco ASDM User Guide OL-16647-01 Chapter 11 Configuring Dynamic And Static Routing Dynamic Routin g Edit OSPF Interface Properties Fields • Interface—Displays the name of the interface for which you are configuring OSPF properties. Y ou cannot edit this f ield. • Broadcast—Check this check box to specify that th e interface is a broa[...]

  • Page 242

    11-14 Cisco ASDM User Guide OL-16647-01 Chapter 11 Config uring Dynamic A nd Static Routi ng Dynamic Routing Edit OSPF Interface Advanced Prope rties The Edit OSPF Interface Adva nced Properties dialog box lets you change the values for the OSPF hello interv al, retransmit i nterv al, transmit delay , and dead interv al. T ypically , you only need [...]

  • Page 243

    11-15 Cisco ASDM User Guide OL-16647-01 Chapter 11 Configuring Dynamic And Static Routing Dynamic Routin g Fields The Redistrib ution table displays the follo wing i nformation. Double-clicki ng a table entry opens the Add/Edit OSPF Redistrib ution Entry dial og box for the sel ected entry . • OSPF Process—Displays the OSPF process associated w[...]

  • Page 244

    11-16 Cisco ASDM User Guide OL-16647-01 Chapter 11 Config uring Dynamic A nd Static Routi ng Dynamic Routing Add/Edit OSPF Redistribution Entry The Add/Edit OSPF Redistrib ution Entry dialog box lets you add a new redistrib ution rule to or edit an existi ng redistribu tion rule in the Redistrib ution tabl e. Some of th e redistributi on rule infor[...]

  • Page 245

    11-17 Cisco ASDM User Guide OL-16647-01 Chapter 11 Configuring Dynamic And Static Routing Dynamic Routin g Modes The follo wing table sho ws the modes in which this featur e is av ailable: Static Neighbor The Static Neighbor pa ne displays ma nually defined neighbo rs; it does not displa y discovered neighbors. Y o u need to def ine a static neig h[...]

  • Page 246

    11-18 Cisco ASDM User Guide OL-16647-01 Chapter 11 Config uring Dynamic A nd Static Routi ng Dynamic Routing Fields • OSPF Process—Choose the OSPF process associated wi th the static neighbor . If you are editing an existi ng static neighbor , you cannot change this v alue. • Neighbor—Enter the I P address of the static neighbor . • Inter[...]

  • Page 247

    11-19 Cisco ASDM User Guide OL-16647-01 Chapter 11 Configuring Dynamic And Static Routing Dynamic Routin g Add/Edit OSPF Summary Address Entry The Add/Edit OSPF Summary Ad dress Entry dialog box lets you add new entr ies to or modify existing entries in the Summary Address table. So me of th e summary address informa tion cannot be changed when edi[...]

  • Page 248

    11-20 Cisco ASDM User Guide OL-16647-01 Chapter 11 Config uring Dynamic A nd Static Routi ng Dynamic Routing • Authentication—Displ ays the type of authen tication used by the virtual link: – None—No authentication i s used. – Passwo rd—Clear text passwor d authentication is used. – MD5—MD5 authenti cation is used. Y o u can perform[...]

  • Page 249

    11-21 Cisco ASDM User Guide OL-16647-01 Chapter 11 Configuring Dynamic And Static Routing Dynamic Routin g Advanced OSPF Virtual Link Properties The Advanced OSPF V irtual Link Properties dial og box lets you configure OSPF authentication and packet interv als. Fields • Authentication—Contains t he OSPF authentication options. – None—Choose[...]

  • Page 250

    11-22 Cisco ASDM User Guide OL-16647-01 Chapter 11 Config uring Dynamic A nd Static Routi ng Dynamic Routing – Dead Interval—Specif ies the interv al, in sec onds, in which no hello packets are receiv ed, causing neighbors to declare a ro uter do wn. V alid v alues range from 1 t o 65535. The default v alue of this field is four times the inter[...]

  • Page 251

    11-23 Cisco ASDM User Guide OL-16647-01 Chapter 11 Configuring Dynamic And Static Routing Dynamic Routin g Setup Use the Setup pane to enab le RIP on the security appl iance and to conf igure global RIP protocol parameters. Y ou can only enable a single RIP process on the security appliance. Fields • Enable RIP Routi ng—Check this ch eck box to[...]

  • Page 252

    11-24 Cisco ASDM User Guide OL-16647-01 Chapter 11 Config uring Dynamic A nd Static Routi ng Dynamic Routing Interface The Interface pane allows you to c onf igure interface-specif ic RIP settings , such as the version of RIP the interface sends and recei ves and the authentication metho d, if any , used for the RIP broad casts. Fields • Interfac[...]

  • Page 253

    11-25 Cisco ASDM User Guide OL-16647-01 Chapter 11 Configuring Dynamic And Static Routing Dynamic Routin g • Enable Authenticati on—Check this check box to en able RIP authentication . Uncheck this check box to disable RIP broadcast authentication. – K ey—The ke y used b y the authentication method. Can con tain up to 16 characters. – K e[...]

  • Page 254

    11-26 Cisco ASDM User Guide OL-16647-01 Chapter 11 Config uring Dynamic A nd Static Routi ng Dynamic Routing – In—Filters netwo rks on incoming RIP upd ates. – Out—Filters network s from outgoing RIP updates. • Interface—Y ou can select a specific interface for the f ilter rule, or you can select the All In terfaces option to apply the [...]

  • Page 255

    11-27 Cisco ASDM User Guide OL-16647-01 Chapter 11 Configuring Dynamic And Static Routing Dynamic Routin g Redistribution The Redistrib ution pane displays the routes that are being redistrib uted from other routin g processes into the RIP routing proc ess. Fields • Protocol—( Display only ) Displays the routing protocol being r edistribu ted i[...]

  • Page 256

    11-28 Cisco ASDM User Guide OL-16647-01 Chapter 11 Config uring Dynamic A nd Static Routi ng Dynamic Routing – OSPF and OSPF ID—Routes discov ered by the O SPF routing process. If you choose OSPF , you must also enter the OSPF pro cess ID. Additiona lly , you can select the specific types of OSPF routes to redistribute from the Match area. – [...]

  • Page 257

    11-29 Cisco ASDM User Guide OL-16647-01 Chapter 11 Configuring Dynamic And Static Routing Dynamic Routin g Configuring EIGRP T o conf igure EIGRP routing on the Secur ity Applianc e, perform the f ollowing steps: Step 1 Go to the Conf iguration > De vice Setup > Routing > EIGRP area of the ASDM interface. Step 2 Enable the EIG RP routing p[...]

  • Page 258

    11-30 Cisco ASDM User Guide OL-16647-01 Chapter 11 Config uring Dynamic A nd Static Routi ng Dynamic Routing Step 10 (Optional) Cont rol the sending and recei ving of def ault route information i n EIGRP updates on the Default Inf ormation pane. By default, def ault routes are sent and accepted. See Def ault Information, page 11-39 for more informa[...]

  • Page 259

    11-31 Cisco ASDM User Guide OL-16647-01 Chapter 11 Configuring Dynamic And Static Routing Dynamic Routin g • Adva nced—Click this b utton to conf igure the EI GRP process settings, such as the router ID, def ault metrics, stub rout ing settings, neighbor change an d warning loggin g, and the administrati ve distances for the EIGRP routes. Modes[...]

  • Page 260

    11-32 Cisco ASDM User Guide OL-16647-01 Chapter 11 Config uring Dynamic A nd Static Routi ng Dynamic Routing – Stub Connected—Adv ertises connected r outes. – Stub Static—Adv ertises static routes. – Stub Redistrib uted—Adve rtises redistrib uted routes. – Stub Summary—Adv ertises summary routes. • Adjacency Chang es—Lets you co[...]

  • Page 261

    11-33 Cisco ASDM User Guide OL-16647-01 Chapter 11 Configuring Dynamic And Static Routing Dynamic Routin g • EIGRP AS—Displays the autonomous system number of the EIGRP routing proce ss. • IP Address—Enter the IP address of t he networks to participate in the EIGRP routing process. • Network Mask—Select or en ter a network mask to apply[...]

  • Page 262

    11-34 Cisco ASDM User Guide OL-16647-01 Chapter 11 Config uring Dynamic A nd Static Routi ng Dynamic Routing For More Information • Config uring EIGRP , page 11-29 Filter Rules The Filter Rules pane displays the route f iltering rule s conf igured for the EIG RP routing process. Filter rules let you control which r outes are accepted or adv ertis[...]

  • Page 263

    11-35 Cisco ASDM User Guide OL-16647-01 Chapter 11 Configuring Dynamic And Static Routing Dynamic Routin g Modes The follo wing table sho ws the modes in which this featur e is av ailable: For More Information • Config uring EIGRP , page 11-29 Interface The Interface pane displays the EIGRP interf ace conf igurations. The Interf ace Pa rameters t[...]

  • Page 264

    11-36 Cisco ASDM User Guide OL-16647-01 Chapter 11 Config uring Dynamic A nd Static Routi ng Dynamic Routing For More Information • Config uring EIGRP , page 11-29 Redistribution The Redistribution pane displays the rules fo r redist ributin g routes from other routin g protocols into the EIGRP routing process. Each ro w of the Redistrib ution pa[...]

  • Page 265

    11-37 Cisco ASDM User Guide OL-16647-01 Chapter 11 Configuring Dynamic And Static Routing Dynamic Routin g • Optional OSPF Redistrib ution—these opt ions let you further specify which OSPF routes are redistrib uted into the EIGRP routing process. – Match Internal—Match routes intern al to the specified OSPF process. – Match External 1—M[...]

  • Page 266

    11-38 Cisco ASDM User Guide OL-16647-01 Chapter 11 Config uring Dynamic A nd Static Routi ng Dynamic Routing For More Information • Config uring EIGRP , page 11-29 Summary Address The Summary Address pane displays a table of the statically-def ined EIGRP summary addresses. By default, EIGRP summari zes subnet routes to the netw ork lev el. Y ou c[...]

  • Page 267

    11-39 Cisco ASDM User Guide OL-16647-01 Chapter 11 Configuring Dynamic And Static Routing Dynamic Routin g Default Information The Default Informati on pane displays a table of rules f or controlling the sending and receivin g of default ro ute information in EIGRP updates. Y ou can hav e one “in” and one “out” rule for each EIGRP routing p[...]

  • Page 268

    11-40 Cisco ASDM User Guide OL-16647-01 Chapter 11 Config uring Dynamic A nd Static Routi ng Static Routes • IP Address—T ype IP address of the network being p ermitted or denied. T o permit or deny all addresses, use the IP address 0.0.0. 0 with a network mask of 0.0.0 .0. • Netmask—Specify the netwo rk mask applied to the netw ork IP addr[...]

  • Page 269

    11-41 Cisco ASDM User Guide OL-16647-01 Chapter 11 Configuring Dynamic And Static Routing Static Routes The default route identifies the gate way IP address to which the security appliance sends all IP pack ets for which it does not ha v e a learned or static route. A def ault route is simply a static route with 0.0 .0.0/0 as the destination IP add[...]

  • Page 270

    11-42 Cisco ASDM User Guide OL-16647-01 Chapter 11 Config uring Dynamic A nd Static Routi ng Static Routes Configuring Static Route Tracking This procedure pr ovides an o vervie w of conf iguring static route tracking. F or specif ic information about the various f ields used to configure this feature, se e Field Information for Stat ic Routes, pag[...]

  • Page 271

    11-43 Cisco ASDM User Guide OL-16647-01 Chapter 11 Configuring Dynamic And Static Routing Static Routes • Interface—( Display only ) Lists the internal or e xternal network interface name enabled in Interfaces. • IP Address—( Display only ) List s the internal or extern al network IP address. Use 0.0.0.0 to specify a default route. The 0.0.[...]

  • Page 272

    11-44 Cisco ASDM User Guide OL-16647-01 Chapter 11 Config uring Dynamic A nd Static Routi ng Static Routes • None—No options are specif ied for the static ro ute. • T unnel ed—Used only for def ault route. Onl y one defaul t tunneled ga tew ay is allo wed per securit y appliance. T unneled opt ion is not supported under transparent mode. ?[...]

  • Page 273

    11-45 Cisco ASDM User Guide OL-16647-01 Chapter 11 Configuring Dynamic And Static Routing ASR Group Modes The follo wing table sho ws the modes in which this featur e is av ailable: ASR Group Use the ASR Group screen to assign asynch ronous routing group ID nu mbers to interfaces. In some situations, return tr af fic f or a session may be routed th[...]

  • Page 274

    11-46 Cisco ASDM User Guide OL-16647-01 Chapter 11 Config uring Dynamic A nd Static Routi ng Proxy ARPs Modes The follo wing table sho ws the modes in which this featur e is av ailable: Proxy ARPs In rare circumstances, you might w ant to disable proxy A RP for global addresses. When a host sends IP traf f ic to another de vice on the same Et herne[...]

  • Page 275

    CH A P T E R 12-1 Cisco ASDM User Guide OL-16647-01 12 Configuring Multicast Routing Multicast routing i s supported in single, r outed mode only . This section contains the follo wing topi cs: • Multicast, page 12-1 —enable or disable multi cast routing on the security appl iance. • IGMP , page 12-2 —configure IGMP on the securit y applian[...]

  • Page 276

    12-2 Cisco ASDM User Guide OL-16647-01 Chapter 12 Configur ing Multicast Ro uting IGMP For More Information Config uring Multicast Routing, page 12-1 IGMP , page 12-2 Multicast Rou te, page 12-7 MBoundary , page 12-9 MForw arding, page 12-11 PIM, page 12-11 IGMP IP hosts use IGMP to report their group memb erships to directly connected multic ast r[...]

  • Page 277

    12-3 Cisco ASDM User Guide OL-16647-01 Chapter 12 Con figuring Multicast Routing IGMP • Add—Opens the Add/Edit Acce ss Group dialog box. Use thi s butto n to add a ne w access group en try at the bottom of the table. • Edit—Opens the Add/Edit Acce ss Group dialog box. Use this b utton to change the infor mation for the selected access group[...]

  • Page 278

    12-4 Cisco ASDM User Guide OL-16647-01 Chapter 12 Configur ing Multicast Ro uting IGMP Note If you simply want to forw ard multicast packet s for a specific group to an inte rface without the security appliance accepting those packet s as part of the group, see Static Group . Fields • Join Group—Displays the mul ticast gr oup membership for eac[...]

  • Page 279

    12-5 Cisco ASDM User Guide OL-16647-01 Chapter 12 Con figuring Multicast Routing IGMP Protocol The Protocol pan e displays the IGM P parameters for each interface on the security appliance . Fields • Protocol—D isplays the IGMP paramete rs set on eac h interface. Doub le-clicking a ro w in the table opens the Configure IGMP Paramet ers dialog b[...]

  • Page 280

    12-6 Cisco ASDM User Guide OL-16647-01 Chapter 12 Configur ing Multicast Ro uting IGMP • Query Interv al—Enter the interv al, in seconds, at which the designated rout er sends IGMP host-query messages. V alid values range fro m 1 to 3600 seconds. The default v alue is 125 seconds. • Query T imeout—Enter the peri od of time, in second s, bef[...]

  • Page 281

    12-7 Cisco ASDM User Guide OL-16647-01 Chapter 12 Con figuring Multicast Routing Multicast Route Modes The follo wing table sho ws the modes in which this featur e is av ailable: Add/Edit IGMP Static Group Use the Add IGMP Static Group dialog box to static ally assign a mu lticast grou p to an inter face. Use the Edit IGMP Static Group dial og box [...]

  • Page 282

    12-8 Cisco ASDM User Guide OL-16647-01 Chapter 12 Configur ing Multicast Ro uting Multicast Route • Edit—Opens the Add/Edit Multicast Route dialog box. Use this b utton to change the selected static multicast route. • Delete— Use this button to remove the select ed static rout e. Modes The follo wing table sho ws the modes in which this fea[...]

  • Page 283

    12-9 Cisco ASDM User Guide OL-16647-01 Chapter 12 Con figuring Multicast Routing MBoundary MBoundary The MBoundary pane let s you conf igure a multicast bou ndary for administrati v ely-scoped multicast addresses. A multicast boundary restricts multicast data packet flo ws a nd enables reus e of the same multicast group address i n dif ferent admin[...]

  • Page 284

    12-10 Cisco ASDM User Guide OL-16647-01 Chapter 12 Configur ing Multicast Ro uting MBoundary • Action—The action for the f ilter entry . Permit allows the specif ied traf fic to pass. Deny pre vents the specified traf f ic from passing throug h the interf ace. When a multicast boundary filter is con figured on an interface, multi cast traf fic [...]

  • Page 285

    12-11 Cisco ASDM User Guide OL-16647-01 Chapter 12 Con figuring Multicast Routing MForwarding MForwarding The MForw arding pane lets you disable an d reenable multicast forwarding on a p er interface basis. By default, mul ticast forwarding is en abled on all interfaces. When multicast forwarding is disabl ed on an interface, the interface does not[...]

  • Page 286

    12-12 Cisco ASDM User Guide OL-16647-01 Chapter 12 Configur ing Multicast Ro uting PIM Protocol The Protocol pan e displays th e interface-specif ic PIM properties. Fields • Protocol—Displays the PIM setti ngs for each interface. Doub le-clicking an entry in th e table opens the Edit PIM Protocol dialog box for that entry . – Interface—Disp[...]

  • Page 287

    12-13 Cisco ASDM User Guide OL-16647-01 Chapter 12 Con figuring Multicast Routing PIM Neighbor Filter The Neighbor Filter pane disp lays the PIM neighbor f ilters, if an y , that are configured on th e security appliance. A PIM neighbor f ilter is an A CL that def ine s the neighbor de vices that can parti cipate in PIM. If a neighbor f ilter is no[...]

  • Page 288

    12-14 Cisco ASDM User Guide OL-16647-01 Chapter 12 Configur ing Multicast Ro uting PIM Add/Edit/Insert Ne ighbor Filter Entry The Add/Edit/Inser t Neighbor Filter Entr y lets you create A C L entries for the PIM neighbor f ilter A CL. Fields • Interface—Select the na me of the interface the PIM neigh bor filter ent ry applies to from the list. [...]

  • Page 289

    12-15 Cisco ASDM User Guide OL-16647-01 Chapter 12 Con figuring Multicast Routing PIM Fields The PIM Bidirectional Neighbo r Filter table contains the follo wi ng entries. Double-click an en try to open the Edit Bidirectional Nei ghbor Filter Entry dialog box for that entry . • Interface—Displays t he interface the bidi rectional neighbor f ilt[...]

  • Page 290

    12-16 Cisco ASDM User Guide OL-16647-01 Chapter 12 Configur ing Multicast Ro uting PIM Rendezvous Points When you confi gure PIM, you must choose one or more routers to operate as th e RP . An RP is a single, common root of a shared distribution tree and is statically configured on each router . First hop routers use the RP to sen d register packet[...]

  • Page 291

    12-17 Cisco ASDM User Guide OL-16647-01 Chapter 12 Con figuring Multicast Routing PIM Restrictions • Y o u cannot use the same RP address twice. • Y ou cannot specify All Groups for more th an one RP . Fields • Rendezvous Point IP Address—Enter the IP address of the RP . This is a unicast address. When editing an ex isting RP entry , you ca[...]

  • Page 292

    12-18 Cisco ASDM User Guide OL-16647-01 Chapter 12 Configur ing Multicast Ro uting PIM Multicast Group Multicast groups are lists of access ru les that define which mul ticast addresses are part of the group. A multicast group can cont ain a single multicast addres s or a range of multicast addresses. Use the Add Multicast G roup dialog bo x to cre[...]

  • Page 293

    12-19 Cisco ASDM User Guide OL-16647-01 Chapter 12 Con figuring Multicast Routing PIM – Destination—Displays th e multicast destination address. • Insert Before—Opens the Request Filt er Entry dialog box. Use this b utton to add a ne w multicast group entry before t he selected entry in the table. • Insert After—Opens the Request Filter[...]

  • Page 294

    12-20 Cisco ASDM User Guide OL-16647-01 Chapter 12 Configur ing Multicast Ro uting PIM Route Tree By default, PIM leaf routers join th e shortest-path tree immediately after the f irst packet arri v es from a new sour ce. This reduces delay , but requires more memory t han shared tree. Y ou can configure wheth er the security appliance shoul d join[...]

  • Page 295

    CH A P T E R 13-1 Cisco ASDM User Guide OL-16647-01 13 DHCP, DNS and WCCP Services A DHCP server provides netwo rk conf iguration parameters, such as IP addresses, to DHCP clients. The security appliance can provide DHCP server or DHC P relay services to DHCP clients attached to security appliance interfaces. The DHCP server pro vid es network conf[...]

  • Page 296

    13-2 Cisco ASDM User Guide OL-16647-01 Chapter 13 DHCP, DNS and WCCP Services DHCP Relay Prerequisites Before you can enable a DHCP relay agent on an inte rf ace, you must ha ve at least one DHCP relay gl obal server in the conf iguration or DHCP relay interface server . Fields • DHCP Relay Agent— Display only . Contains the fields for configu [...]

  • Page 297

    13-3 Cisco ASDM User Guide OL-16647-01 Chapter 13 DH CP, DNS and WCCP Services DHCP Relay Edit DHCP Relay Agent Settings Y ou can enable the DH CP relay agen t and configure the relay a gent para meters for the selected interface in the Edit DHCP Relay Agent Setti ngs dialog box. Restrictions • Y o u cannot enab le a DHCP relay agent on an in ter[...]

  • Page 298

    13-4 Cisco ASDM User Guide OL-16647-01 Chapter 13 DHCP, DNS and WCCP Services DHCP Server Modes The follo wing table sho ws the modes in which this featur e is av ailable: DHCP Server The DHCP Server pane lets you configure the securi ty appliance interfaces as DHCP servers. Y ou can configure one DHCP serv er per interf ace on the security applian[...]

  • Page 299

    13-5 Cisco ASDM User Guide OL-16647-01 Chapter 13 DH CP, DNS and WCCP Services DHCP Server – Enable Auto-configuration from interface—Chec k this check box to enable DHCP auto config uration and select the interf ace from the menu. DHCP auto configuratio n causes the DH CP serv er to pro vide DHCP clients with DNS server , domain name, and WINS[...]

  • Page 300

    13-6 Cisco ASDM User Guide OL-16647-01 Chapter 13 DHCP, DNS and WCCP Services DHCP Server Edit DHCP Server Y ou can enable DHCP and specify the D HCP address p ool for the selected interf ace in the Edit DHCP Server dial og box. Fields • Enable DHCP Server—Check this check box to enable the DHCP server on the selected interface. Uncheck this ch[...]

  • Page 301

    13-7 Cisco ASDM User Guide OL-16647-01 Chapter 13 DH CP, DNS and WCCP Services DHCP Server Advanced DHCP Options The Adva nced DHCP Options dialog box lets yo u configure D HCP option parameters. Y ou use DHCP options to pro vide addition al information to DHCP clients. For e xample, DHCP opt ion 150 and DHCP option 66 provide TFTP server informati[...]

  • Page 302

    13-8 Cisco ASDM User Guide OL-16647-01 Chapter 13 DHCP, DNS and WCCP Services DHCP Server Note The name of the associated IP Address fiel ds can change based on the D HCP option you chose. For e xample, if you choose DHCP Option 3 (Router), the fields change name to Router 1 and Router 2. – IP Address 1—An IP address in dotted-decimal notation.[...]

  • Page 303

    13-9 Cisco ASDM User Guide OL-16647-01 Chapter 13 DH CP, DNS and WCCP Services DNS Client DNS Client The DNS Client pane sho ws the DNS server gro ups and DNS lookup in formation for the securit y appliance, so it can resolve server names to IP ad dresses in your Clientless SSL VPN con figur ation or certificate conf iguration. Other features that [...]

  • Page 304

    13-10 Cisco ASDM User Guide OL-16647-01 Chapter 13 DHCP, DNS and WCCP Services Dynamic DNS Fields • Name—Specifies th e server name. Fo r the Edit function, thi s field is D isplay only . • DNS Servers—Manages the DNS serv er list. Y ou can specify up to six addresses to which DNS requests can be forwarded. The security appliance tries each[...]

  • Page 305

    13-11 Cisco ASDM User Guide OL-16647-01 Chapter 13 DH CP, DNS and WCCP Services Dynamic DNS Fields • Update Methods—Lists the DDNS up date methods that are configured on the security appliance. This table inclu des: – Method Name— Display only . Sho ws the user-def ined name for the DDNS update meth od. – Interv al— Display only . Shows[...]

  • Page 306

    13-12 Cisco ASDM User Guide OL-16647-01 Chapter 13 DHCP, DNS and WCCP Services Dynamic DNS Add/Edit Dynamic DNS Update Methods The Add/Edit Dy namic DNS Update Met hods dialog b ox lets you add a ne w method or edit a prev iously added method. Y ou can specify the method name (if adding a method), specify the interv al between DDNS update attempts,[...]

  • Page 307

    13-13 Cisco ASDM User Guide OL-16647-01 Chapter 13 DH CP, DNS and WCCP Services WCCP • DHCP Client—Th is area allo ws you to specify that the DHCP client updates bot h the A and PTR DNS records or neither . This interface setting o ve rrides the global settin g at Config uration > Properties > DNS > Dynamic DNS • DCHP Client Updates [...]

  • Page 308

    13-14 Cisco ASDM User Guide OL-16647-01 Chapter 13 DHCP, DNS and WCCP Services WCCP Add or Edit WCCP Service Group The Add or Edit Service Grou p dialog box lets you ch an ge the service group parameters for a conf igured service group. Fields • Service—Speci fies the service gr oup. Y ou can specify the web c ache service, o r the identif icat[...]

  • Page 309

    13-15 Cisco ASDM User Guide OL-16647-01 Chapter 13 DH CP, DNS and WCCP Services WCCP Add or Edit WCCP Redirection The Redirection pane lets you add o r change packet redirection on the ingress of an interf ace using WCCP . Fields • Interface—Choose t he interface on which to enable WCCP redirection. • Service Group—Choose t he service group[...]

  • Page 310

    13-16 Cisco ASDM User Guide OL-16647-01 Chapter 13 DHCP, DNS and WCCP Services WCCP[...]

  • Page 311

    CH A P T E R 14-1 Cisco ASDM User Guide OL-16647-01 14 Configuring AAA Servers and the Local Database This chapter de scri bes support for AAA ( pronounced “triple A”) and ho w to conf igure AAA serv ers and the local database. This chapte r includes the fol lo wing sections: • AAA Ov ervie w , page 14-1 • AAA Server and Local Database Supp[...]

  • Page 312

    14-2 Cisco ASDM User Guide OL-16647-01 Chapter 14 Configuring AAA Servers a nd the Local Database AAA Overview About Authentication Authentication controls access by re quiring v al id user cred entials, whi ch are typ ically a usern ame and password. Y ou can configur e the security appl iance to authenti cate the fo llowing items: • All adminis[...]

  • Page 313

    14-3 Cisco ASDM User Guide OL-16647-01 Chapter 14 Configuring AAA Servers and the Lo cal Database AAA Server and Local Da tabase Suppo rt AAA Server and Local Database Support The security appliance supports a variety of AAA serv er type s and a loca l databa se that is store d on the security appliance. This section describes support for each AA A[...]

  • Page 314

    14-4 Cisco ASDM User Guide OL-16647-01 Chapter 14 Configuring AAA Servers a nd the Local Database AAA Server and Lo cal Database Supp ort RADIUS Server Support The security appliance supports RADIUS servers. This section contains the following topics: • Authentication Methods, page 14-4 • Attribute Support, page 14-4 • RADIUS Authorization Fu[...]

  • Page 315

    14-5 Cisco ASDM User Guide OL-16647-01 Chapter 14 Configuring AAA Servers and the Lo cal Database AAA Server and Local Da tabase Suppo rt SDI Server Support The RSA SecurID servers are also known as SDI servers. This section contains the following topics: • SDI V ersion Support, page 14-5 • T wo-step Authenticati on Process, page 14- 5 • SDI [...]

  • Page 316

    14-6 Cisco ASDM User Guide OL-16647-01 Chapter 14 Configuring AAA Servers a nd the Local Database AAA Server and Lo cal Database Supp ort Note The security appliance does not support chang ing user passwords during tu nnel negotiat ion. T o av oid this situation happening i nadvertently , disable password e xpiration on the K erberos/Acti ve Direct[...]

  • Page 317

    14-7 Cisco ASDM User Guide OL-16647-01 Chapter 14 Configuring AAA Servers and the Lo cal Database AAA Server and Local Da tabase Suppo rt LDAP Server Types The security appliance supports LD AP version 3 and is compatible with the Su n Microsystems J A V A System Directory Serv er (formerly named the Sun O NE Directory Serv er), the Microsoft Acti [...]

  • Page 318

    14-8 Cisco ASDM User Guide OL-16647-01 Chapter 14 Configuring AAA Servers a nd the Local Database AAA Server and Lo cal Database Supp ort Local Database Support The security appliance maintain s a local data base that you can populate with user profiles. This section contains the following topics: • User Profi les, page 14-8 • Fallback Suppo rt[...]

  • Page 319

    14-9 Cisco ASDM User Guide OL-16647-01 Chapter 14 Configuring AAA Servers and the Lo cal Database Configuring AAA Server Groups Configuring AAA Server Groups If you want to use an e xternal AAA serv er for authentication , authorization, or accounting, y ou must first create at least on e AAA server grou p per AAA protocol and ad d one or more serv[...]

  • Page 320

    14-10 Cisco ASDM User Guide OL-16647-01 Chapter 14 Configuring AAA Servers a nd the Local Database Configuring AAA Server Groups In T imed mode, fai led servers are reacti v ated after 30 seconds o f down time. Note This option is not a v ailable for the HTTP F orm protocol. Step 6 If you chose Depletion reacti v ation mode, add a time in terval in[...]

  • Page 321

    14-11 Cisco ASDM User Guide OL-16647-01 Chapter 14 Configuring AAA Servers and the Lo cal Database Configuring AAA Server Groups • K erberos Server Fields, page 14-14 • LD AP Server Fields, page 14-15 • HTTP Form Server Fields, page 14-17 Step 7 Click OK . The dialog box closes and the AA A server is added t o the AAA server grou p. Step 8 In[...]

  • Page 322

    14-12 Cisco ASDM User Guide OL-16647-01 Chapter 14 Configuring AAA Servers a nd the Local Database Configuring AAA Server Groups Common Passw ord A case-sensitiv e password th at is common among users who access this RADIUS authorization serv er through this secu rity appliance. Be sure to prov ide this information to yo ur RADIUS server administra[...]

  • Page 323

    14-13 Cisco ASDM User Guide OL-16647-01 Chapter 14 Configuring AAA Servers and the Lo cal Database Configuring AAA Server Groups TACACS+ Server Fields The follo wing table describes the uniqu e fields for configur ing T ACA CS+ servers, for use with the “ Adding a Serv er to a Group” section on pa ge 14-10 . SDI Server Fields The following tabl[...]

  • Page 324

    14-14 Cisco ASDM User Guide OL-16647-01 Chapter 14 Configuring AAA Servers a nd the Local Database Configuring AAA Server Groups Kerberos Server Fields The follo wing table describes the uniqu e fields for con figur ing Kerb eros servers, for use wi th the “ Adding a Serv er to a Group” section on pa ge 14-10 . Field Description Server Port Ser[...]

  • Page 325

    14-15 Cisco ASDM User Guide OL-16647-01 Chapter 14 Configuring AAA Servers and the Lo cal Database Configuring AAA Server Groups LDAP Server Fields The follo wing table describes the unique f ields for conf iguring LD AP servers, for use with the “ Adding a Server to a Group” section on page 14-10 . Field Description Enable LD AP ov er SSL chec[...]

  • Page 326

    14-16 Cisco ASDM User Guide OL-16647-01 Chapter 14 Configuring AAA Servers a nd the Local Database Configuring AAA Server Groups Login DN The secu rity appliance uses the Login Di stinguished Name (DN) and Login Passw ord to establish trust (b ind) with an LD AP serv er . The Login DN represents a user record in the LD AP serv er that the administr[...]

  • Page 327

    14-17 Cisco ASDM User Guide OL-16647-01 Chapter 14 Configuring AAA Servers and the Lo cal Database Configuring AAA Server Groups HTTP Form Server Fields This area appears only when the selected server grou p uses HTTP Form, and only the server group name and the protocol are visi ble. Other f ields are not a v ailable when using HTTP F orm. If you [...]

  • Page 328

    14-18 Cisco ASDM User Guide OL-16647-01 Chapter 14 Configuring AAA Servers a nd the Local Database Testing Server Auth en tication and Authorization Testing Server Authentication and Authorization T o determine whether the security appliance can cont act an AA A server and authenticate or authorize a user , perform the follo wing steps: Step 1 From[...]

  • Page 329

    14-19 Cisco ASDM User Guide OL-16647-01 Chapter 14 Configuring AAA Servers and the Lo cal Database Adding a User Accoun t Note Although you can conf igure HTTP auth entication using the local dat abase, that functional ity is always enabl ed by def ault. Y ou should only conf igure HTTP authent ication if you w ant to use a RADIUS or T A CA CS+ ser[...]

  • Page 330

    14-20 Cisco ASDM User Guide OL-16647-01 Chapter 14 Configuring AAA Servers a nd the Local Database Adding a User Account • Full Access (ASDM, T elnet, SSH and console) —If you conf igure au thentication for management access using the local database, then this op tion lets the user use ASDM, SSH, T elnet, and the console port. If you also conf [...]

  • Page 331

    14-21 Cisco ASDM User Guide OL-16647-01 Chapter 14 Configuring AAA Servers and the Lo cal Database Adding a User Accoun t – IPSec—IP Security Protocol. IPSec provides the most complete architecture for VPN tunnel s, and it is perceiv ed as the most secure protoc ol. Both LAN-to-LAN (peer-to-peer) connections and client-to-LAN connections can us[...]

  • Page 332

    14-22 Cisco ASDM User Guide OL-16647-01 Chapter 14 Configuring AAA Servers a nd the Local Database Configuring LDAP Attribute Maps • Maximum Connect T ime—If the Inherit check box is not selected, this parameter specif ies the maximum user connection time in minu tes. At the end of this ti me, the system terminates the connection. The minimum i[...]

  • Page 333

    14-23 Cisco ASDM User Guide OL-16647-01 Chapter 14 Configuring AAA Servers and the Lo cal Database Adding an Authenticatio n Prompt Step 2 In the Name f ield, add a name for the map. Step 3 In the Custo mer Name field, add the name of your org anization’ s corresponding attrib ute. Step 4 From th e Cisco Name drop-do wn list, choose an attrib ute[...]

  • Page 334

    14-24 Cisco ASDM User Guide OL-16647-01 Chapter 14 Configuring AAA Servers a nd the Local Database Adding an Authentic ation Prompt Step 2 In the Messages area, add messages in the User accepted message and U ser rejected message fields. If the user authentication occurs from T elnet, you can use the U ser accepted message and User rejected message[...]

  • Page 335

    CH A P T E R 15-1 Cisco ASDM User Guide OL-16647-01 15 High Availability This section contains the following topics: • Understanding F ailov er , page 15-1 • Config uring Failo v er with the High A vailability and Scalab ility W izard, page 15-4 • Field Information for the F ailov er Panes, page 15-14 Understanding Failover The Failo v er pan[...]

  • Page 336

    15-2 Cisco ASDM User Guide OL-16647-01 Chapter 15 High Availability Understanding Failover • Activ e/Activ e Failov er , page 15-2 • Stateless (Re gular) Failo ver , page 15-3 • Stateful F ailo ver , page 15-3 Active/Standby Failover In an Acti ve/Stand by conf iguration, the acti v e se curity appliance h andles all netwo rk traf fi c passin[...]

  • Page 337

    15-3 Cisco ASDM User Guide OL-16647-01 Chapter 15 High Availability Understanding Failover • Commands entered in the system ex ecution space are replicated fro m the unit on which fai lov er group 1 is in the active state to the unit on which failov er group 1 is in the standb y state. • Commands entered in the ad min context are replicated fro[...]

  • Page 338

    15-4 Cisco ASDM User Guide OL-16647-01 Chapter 15 High Availability Configuring Failover with the High Availab ility and Scalability Wizard • The ISAKMP and IPSec SA table. The follo wing information i s not copied to t he standby unit when St ateful F ailov er is enabled: • HTTP connection table (unless H TTP replication is enabled). • The u[...]

  • Page 339

    15-5 Cisco ASDM User Guide OL-16647-01 Chapter 15 High Availability Configuring Failover with the High Availability and Scalability Wizard See Choose the T ype of Failo ver Conf iguration, page 15-7 for more information about this screen. Step 2 Enter the IP address of the failo ver peer on t he Ch eck Failo ver Peer Connecti vi ty and Compatibilit[...]

  • Page 340

    15-6 Cisco ASDM User Guide OL-16647-01 Chapter 15 High Availability Configuring Failover with the High Availab ility and Scalability Wizard Step 2 Enter the IP address of the failo ver peer on t he Ch eck Failo ver Peer Connecti vi ty and Compatibility screen. Click T est Compatibil ity . Y ou will not be able t o mov e to the ne xt screen until al[...]

  • Page 341

    15-7 Cisco ASDM User Guide OL-16647-01 Chapter 15 High Availability Configuring Failover with the High Availability and Scalability Wizard Field Information for the High Availability and Scalability Wizard The follo wing dialogs are a v ailable in the High A vailability and Scalability W izard. Y ou will not see e very dialog bo x when you run thro[...]

  • Page 342

    15-8 Cisco ASDM User Guide OL-16647-01 Chapter 15 High Availability Configuring Failover with the High Availab ility and Scalability Wizard Check Failover Peer Connect ivity and Compatibility The Check Fai lov er Peer Connecti vity and Compatibility screen lets you verify that the selected failov er peer is reachable and comp atible with th e curre[...]

  • Page 343

    15-9 Cisco ASDM User Guide OL-16647-01 Chapter 15 High Availability Configuring Failover with the High Availability and Scalability Wizard Y o u need to con vert both the current secur ity appliance and the pe er security appliance to multip le context mod e before you can proceed. Fields • Change device T o Multiple Contex t—Causes the securit[...]

  • Page 344

    15-10 Cisco ASDM User Guide OL-16647-01 Chapter 15 High Availability Configuring Failover with the High Availab ility and Scalability Wizard Although you can create security conte xts on this sc reen, you cannot assi gn interfaces to those contexts or conf igure any other properties for them. T o configure con text properties an d assign interfaces[...]

  • Page 345

    15-11 Cisco ASDM User Guide OL-16647-01 Chapter 15 High Availability Configuring Failover with the High Availability and Scalability Wizard State Link Configuration The State Link Configuration scre en does not appear in the wizar d for ASDM running on the ASA 5505 platform. The State Link Conf igurat ion lets you enable Stateful F ailov er and con[...]

  • Page 346

    15-12 Cisco ASDM User Guide OL-16647-01 Chapter 15 High Availability Configuring Failover with the High Availab ility and Scalability Wizard • Acti ve IP—Double-click this f ield to edit o r add an activ e IP address. Changes to this field also appear in the St andby IP field for the corresponding interface on t he peer unit. • Standb y IP—[...]

  • Page 347

    15-13 Cisco ASDM User Guide OL-16647-01 Chapter 15 High Availability Configuring Failover with the High Availability and Scalability Wizard Note Load balancing is ef fecti ve on ly on remote sessions in itiated with the Cisco VPN Client ( Release 3.0 and later), the Cisco VPN 3002 H ardware Client (Release 3.5 and later), or the ASA 5 505 operating[...]

  • Page 348

    15-14 Cisco ASDM User Guide OL-16647-01 Chapter 15 High Availability Field Information for the Failo ver Panes • Pri vate Interface Of This De vice—Specifies the name or IP address of the pr iv ate interface for this device. • Send FQDN to client—Check t his check box to cause the VPN cluster master to send a fully qualif ied domain name us[...]

  • Page 349

    15-15 Cisco ASDM User Guide OL-16647-01 Chapter 15 High Availability Field Information for the Failo ver Panes Failover - Single Mode The Failo ver pane cont ains the tabs where you can conf igure Acti v e/Standby f ailo ver in single conte xt mode. For mor e information about fail over , see Understanding Failo ver . F or more information about co[...]

  • Page 350

    15-16 Cisco ASDM User Guide OL-16647-01 Chapter 15 High Availability Field Information for the Failo ver Panes – Interface—Specif ies the interface used for fa ilov er communication. F ailov er requires a dedicated interface, howe ver you can share the interf ace with Stateful Failov er . Only unconf igured interf aces or subinterfaces are d is[...]

  • Page 351

    15-17 Cisco ASDM User Guide OL-16647-01 Chapter 15 High Availability Field Information for the Failo ver Panes – Logical Name—Specifies the logi cal interface used for failov er communication. If you selected the Use Named option in th e Interface drop-do wn list, t his field disp lays a list of named interfaces. This f ield is dimmed if the LA[...]

  • Page 352

    15-18 Cisco ASDM User Guide OL-16647-01 Chapter 15 High Availability Field Information for the Failo ver Panes For More Information For more information about failo ver in general, see Understandin g Failo ver . Edit Failover Interface Configuration (Routed Firewall Mode) Use the Edit Fail ov er Interface Conf iguration dialog bo x to define t he s[...]

  • Page 353

    15-19 Cisco ASDM User Guide OL-16647-01 Chapter 15 High Availability Field Information for the Failo ver Panes Failover: Interfaces (Transparent Firewall Mode) Use this tab t o define the standby managem ent IP address and to specify wh ether the status of the interfaces on the securit y appliance should be monitored. Fields • Interface—Lists t[...]

  • Page 354

    15-20 Cisco ASDM User Guide OL-16647-01 Chapter 15 High Availability Field Information for the Failo ver Panes – No Link—The physical link f or the interface is do wn. – Failed—No traf fic is recei ved on the interface, yet traf fi c is heard on the peer interface. Modes The follo wing table sho ws the modes in which this featur e is av ail[...]

  • Page 355

    15-21 Cisco ASDM User Guide OL-16647-01 Chapter 15 High Availability Field Information for the Failo ver Panes Modes The follo wing table sho ws the modes in which this featur e is av ailable: For More Information For more information about failo ver in general, see Understandin g Failo ver . Failover: MAC Addresses The MA C Addresses tab lets you [...]

  • Page 356

    15-22 Cisco ASDM User Guide OL-16647-01 Chapter 15 High Availability Field Information for the Failo ver Panes • Delete—Removes the currently selected interface from the MA C addresses table. There is no confir mation or undo. Modes The follo wing table sho ws the modes in which this featur e is av ailable: For More Information For more informa[...]

  • Page 357

    15-23 Cisco ASDM User Guide OL-16647-01 Chapter 15 High Availability Field Information for the Failo ver Panes Failover-Multiple Mode, Security Context The field s displayed on the F ailov er pane in multipl e context mode change d epending upon whether the context is i n transparent or routed f ire wall mode. This section contains the following to[...]

  • Page 358

    15-24 Cisco ASDM User Guide OL-16647-01 Chapter 15 High Availability Field Information for the Failo ver Panes • Subnet Mask—Identif ies the mask for this interf ace. Th is fi eld does not appear if an I P address has not been assigned to the interf ace. • Standby IP Address—Specif ies the IP address of th e corresponding interface on the s[...]

  • Page 359

    15-25 Cisco ASDM User Guide OL-16647-01 Chapter 15 High Availability Field Information for the Failo ver Panes Modes The follo wing table sho ws the modes in which this featur e is av ailable: For More Information For more information about failo ver in general, see Understandin g Failo ver . Edit Failover Interface Configuration Use the Edit Failo[...]

  • Page 360

    15-26 Cisco ASDM User Guide OL-16647-01 Chapter 15 High Availability Field Information for the Failo ver Panes Failover-Multiple Mode, System This pane includes tabs for conf iguring the syst em-le vel f ailov er settings in the system co ntext of a security appliance in multipl e context mo de. In multiple mode, you can conf igure Acti v e/Standby[...]

  • Page 361

    15-27 Cisco ASDM User Guide OL-16647-01 Chapter 15 High Availability Field Information for the Failo ver Panes Only unconf igured interf aces or subinterfaces that hav e not been assigned to a con text are displayed in this list an d can be select ed as the LAN Failo v er interface. Once you sp ecify an interface as the LAN Failov er interface, you[...]

  • Page 362

    15-28 Cisco ASDM User Guide OL-16647-01 Chapter 15 High Availability Field Information for the Failo ver Panes Failover > Criteria Tab Use this tab to def ine criteria for failo ver , such as how many interfaces must fa il and ho w long to wait between polls. The ho ld time specif ies the interv al to w ait without recei ving a respon se to a po[...]

  • Page 363

    15-29 Cisco ASDM User Guide OL-16647-01 Chapter 15 High Availability Field Information for the Failo ver Panes Failover > Active/Active Tab Use this tab to enable Acti ve /Activ e failo ver on the security appliance by d efining f ailov er groups. In an Acti ve/Acti v e failo ver conf iguration, b oth security appliances p ass network traf f ic.[...]

  • Page 364

    15-30 Cisco ASDM User Guide OL-16647-01 Chapter 15 High Availability Field Information for the Failo ver Panes For More Information For more information about failo ver in general, see Understandin g Failo ver . Add/Edit Failover Group Use the Add/Edit F ailov er Group dialog box to def ine failo v er groups for an Acti ve/Acti v e failo ver config[...]

  • Page 365

    15-31 Cisco ASDM User Guide OL-16647-01 Chapter 15 High Availability Field Information for the Failo ver Panes – Acti ve MA C Ad dress—Displays the MA C address for the interf ace and failov er group on the unit where the failov er group is activ e. – Standb y MA C Address—Displays the MA C address for the interface and fai lov er group on [...]

  • Page 366

    15-32 Cisco ASDM User Guide OL-16647-01 Chapter 15 High Availability Field Information for the Failo ver Panes – Activ e Interface—Specifies the MA C address fo r the interface and failover group on the unit where the failover group is acti v e. Each interface may ha v e up to two MA C addresses, one for each failo ver group, w hich ov erride t[...]

  • Page 367

    15-33 Cisco ASDM User Guide OL-16647-01 Chapter 15 High Availability Field Information for the Failo ver Panes – Standby MA C Address—Identif ies the MA C address on the standb y security appliance (usually secondary ). • Add—Displays the Add/Edit Interface MA C Address dialog box. • Edit—Displays the Ad d/Edit Interface MA C Address di[...]

  • Page 368

    15-34 Cisco ASDM User Guide OL-16647-01 Chapter 15 High Availability Field Information for the Failo ver Panes For More Information For more information about failo ver in general, see Understandin g Failo ver .[...]

  • Page 369

    CH A P T E R 16-1 Cisco ASDM User Guide OL-16647-01 16 Configuring Management Access This chapter contains the following topics: • Config uring De vice Access for ASDM, T elnet, or SSH, page 16-1 • Config uring CLI Parameters, page 16-2 • Config uring File Access, page 16-4 • Config uring Conf iguring ICMP Access, page 16- 7 • Config urin[...]

  • Page 370

    16-2 Cisco ASDM User Guide OL-16647-01 Chapter 16 Co n figuring Management Access Configuring CLI Parameters Step 10 For SSH sessions, the def ault timeout v alue is 60 minutes. T o change this v alue, type a ne w one in the SSH T imeout f ield. Step 11 Click A pply . The changes are sav ed to the running configuration. Configuring CLI Parameters T[...]

  • Page 371

    16-3 Cisco ASDM User Guide OL-16647-01 Chapter 16 Configuring Manage ment Access Configuring CLI Parameters • Login Banner—T his banner appears w hen a user logs in to the CLI. • Message-of-the-day (motd) Bann er—This banner appears when a user first connect s to the CLI. • ASDM Banner—This banner appears wh en a user connects to ASD M,[...]

  • Page 372

    16-4 Cisco ASDM User Guide OL-16647-01 Chapter 16 Co n figuring Management Access Configuring File Access The prompt is chan ged and displa ys in the CLI Prompt Pre view f ield. Step 2 Click A pply . The ne w prompt is sa ved to the runni ng configu ration. Changing the Console Timeout Period T o change the co nsole timeout peri od, o r the duratio[...]

  • Page 373

    16-5 Cisco ASDM User Guide OL-16647-01 Chapter 16 Configuring Manage ment Access Configuring File Access Configuring the Security Appliance as a Secure Copy Server Y ou can enable the secure copy server on the security appliance. Only clients that are allo wed to access the security appliance using SSH can establish a secure copy connection. This i[...]

  • Page 374

    16-6 Cisco ASDM User Guide OL-16647-01 Chapter 16 Co n figuring Management Access Configuring File Access The changes are sav ed to the running conf iguration. This TFTP server will be used to save the secu rity appliance conf iguration f iles. For more information, see Sav e Running Conf iguration to TFTP Server , page 3-4 . Adding Mount Points Co[...]

  • Page 375

    16-7 Cisco ASDM User Guide OL-16647-01 Chapter 16 Configuring Manage ment Access Configuring Conf ig uring ICMP Access T o defi ne an FTP mount point, perform the follo wi ng steps: Step 1 From the Conf iguration > Device Management > Ma nagement Access > File A ccess > Mount-Points pane, clic k Add > FTP Mount P oint . The Add FTP M[...]

  • Page 376

    16-8 Cisco ASDM User Guide OL-16647-01 Chapter 16 Co n figuring Management Access Configuring Configuring ICMP Access T o conf igure ICMP access rules, perform the follo wi ng steps: Step 1 From the Configuration > Device Managem ent > Management Access > ICMP pane, click Add . If you want t o insert a rule in the ICMP tabl e, click the ru[...]

  • Page 377

    16-9 Cisco ASDM User Guide OL-16647-01 Chapter 16 Configuring Manage ment Access Configuring a Management Inte rface Step 7 (Option al) T o set ICMP unreachable message limit s, set the follo wing opt ions. Increasing the rate limit, along with enabling th e “Decrement time to li ve for a conn ection” option on the Con figurati on > Fire wal[...]

  • Page 378

    16-10 Cisco ASDM User Guide OL-16647-01 Chapter 16 Co n figuring Management Access Configuring SNMP Y o u can conf igure the security appl iance to send tr aps (e vent not ificatio ns) to a networ k management station (NMS), or you can use the NMS to bro wse th e MIBs on the security ap plia nce. Use Cisc oW orks for W indo ws or any other SNMP V1,[...]

  • Page 379

    16-11 Cisco ASDM User Guide OL-16647-01 Chapter 16 Configuring Manage ment Access Configuring SNMP Down load Cisco MIBs from the fo llowi ng location: http://www .cisco.com/public/sw-center/netmgmt/ cmtk/mibs.shtml . Download Cisco OIDs from the f ollowing location: ftp://ftp.cisco.com/pub /mibs/oid/oid.tar .gz. The follo wing table describes the S[...]

  • Page 380

    16-12 Cisco ASDM User Guide OL-16647-01 Chapter 16 Co n figuring Management Access Configuring SNMP RFC1213-MIB Bro wsing of the follo wing tabl e: • ip.ipAddr T able • ifT able The follo wing objects are supported: RFC1213-MIB::ifNumber.0 = 1 RFC1213-MIB::ifIndex.1 = 1 RFC1213-MIB::ifDescr.1 = "Adaptive Security Appliance 'mgmt'[...]

  • Page 381

    16-13 Cisco ASDM User Guide OL-16647-01 Chapter 16 Configuring Manage ment Access Configuring SNMP ENTITY -MIB Bro wsing of the follo wing groups and tabl es: • entPhy sicalT able • entLogicalT able The follo wing objects are supported: ENTITY-MIB::entPhysicalDescr.1 = ASA 5580 Series SPE40 or SPE20 ENTITY-MIB::entPhysicalDescr.2 = ASA 5580 Ser[...]

  • Page 382

    16-14 Cisco ASDM User Guide OL-16647-01 Chapter 16 Co n figuring Management Access Configuring SNMP ENTITY -MIB (continued) ENTITY-MIB::entPhysicalName.5 = 3 ENTITY-MIB::entPhysicalName.6 = slot 4 ENTITY-MIB::entPhysicalName.7 = slot 5 ENTITY-MIB::entPhysicalName.8 = slot 7 ENTITY-MIB::entPhysicalHardwareRev.1 = V01 ENTITY-MIB::entPhysicalHardwareR[...]

  • Page 383

    16-15 Cisco ASDM User Guide OL-16647-01 Chapter 16 Configuring Manage ment Access Configuring SNMP ENTITY -MIB (continued) ENTITY-MIB::entPhysicalAlias.8 = ENTITY-MIB::entPhysicalAssetID.1 = ENTITY-MIB::entPhysicalAssetID.2 = ENTITY-MIB::entPhysicalAssetID.3 = ENTITY-MIB::entPhysicalAssetID.8 = ENTITY-MIB::entPhysicalIsFRU.1 = false(2) ENTITY-MIB::[...]

  • Page 384

    16-16 Cisco ASDM User Guide OL-16647-01 Chapter 16 Co n figuring Management Access Configuring SNMP CISCO-MEMOR Y -POOL-MIB Browsing o f the follo wing table: • ciscoMemoryPo olT able—The memory usage described in this tab le applies only to the security appliance general-purpose processor , and not to the network processors. The follo wing obj[...]

  • Page 385

    16-17 Cisco ASDM User Guide OL-16647-01 Chapter 16 Configuring Manage ment Access Configuring SNMP Configuring an SNMP Ag ent and Management Station This section includes the following topics: • Config uring the SNMP Agent, page 1 6-18 CISCO-PR OCESS- MIB Bro wsing of the follo wing table: • cpmCPUT otalT able The follo wing objects are support[...]

  • Page 386

    16-18 Cisco ASDM User Guide OL-16647-01 Chapter 16 Co n figuring Management Access Configuring SNMP • Adding an SNMP Management Station, p age 16-18 Configuring the SNMP Agent T o configure an SNMP agent, perform the follo wing steps: Step 1 From the Configuration > Device Management > Manageme nt Access > SNM P pane, in the Community St[...]

  • Page 387

    16-19 Cisco ASDM User Guide OL-16647-01 Chapter 16 Configuring Manage ment Access Configuring Management Access Rules Step 9 Click A pply . The management station is conf igured an d changes are sav ed to the running configu ration. Configuring SNMP Traps T o designate which traps the SNMP agent generates and ho w they are collected and sent to net[...]

  • Page 388

    16-20 Cisco ASDM User Guide OL-16647-01 Chapter 16 Co n figuring Management Access Configuring AAA for System Administrators Step 8 (Opti onal) T o conf igure adv anced options, click Mo re Options . Y ou can confi gure the follo wing settings: • If you want to turn o ff t his Management Access Rule, uncheck Enable Rule . • T o add a source ser[...]

  • Page 389

    16-21 Cisco ASDM User Guide OL-16647-01 Chapter 16 Configuring Manage ment Access Configuri ng AAA for System Administrators If you conf igure enable authentication, the security appl iance prompts you for your username and password. If you do not configure enable authentication, enter the syst em enable password when you enter the enable command ([...]

  • Page 390

    16-22 Cisco ASDM User Guide OL-16647-01 Chapter 16 Co n figuring Management Access Configuring AAA for System Administrators Limiting User CLI and ASDM Access with Management Authorization If you conf igure CLI or enable authenticatio n, you can limit a local u ser , RADIUS, T A CA CS+, or LD AP user (if you map LD AP attrib utes to RADIUS attribut[...]

  • Page 391

    16-23 Cisco ASDM User Guide OL-16647-01 Chapter 16 Configuring Manage ment Access Configuri ng AAA for System Administrators • Local users—Conf igure the Access Restriction optio n. See “ Add/Edit User Accoun t > Identity” . By default, the access restriction is Full Access, whic h allo ws full access to any services specified by the Aut[...]

  • Page 392

    16-24 Cisco ASDM User Guide OL-16647-01 Chapter 16 Co n figuring Management Access Configuring AAA for System Administrators About Preserving User Credentials When a user logs into the security applian ce, they are require d to provide a username and password for authentica tion. The securit y appliance retain s these se ssion credentials in case f[...]

  • Page 393

    16-25 Cisco ASDM User Guide OL-16647-01 Chapter 16 Configuring Manage ment Access Configuri ng AAA for System Administrators command accounting records may not readily id enti fy who was lo gged in as the enable_15 username. If you use dif ferent accounting serv ers for each conte xt, tracking who was usi ng the enable_15 username requires correl a[...]

  • Page 394

    16-26 Cisco ASDM User Guide OL-16647-01 Chapter 16 Co n figuring Management Access Configuring AAA for System Administrators – LD AP users—Conf igure the user with a p ri vilege le ve l between 0 and 15, and then map th e LD AP attri bute to Cisco V A S CVPN3000-Pri vile ge-Le vel according t o the “Conf iguring LD AP Attrib ute Maps” secti[...]

  • Page 395

    16-27 Cisco ASDM User Guide OL-16647-01 Chapter 16 Configuring Manage ment Access Configuri ng AAA for System Administrators The V ariant column displays show , clear , or cmd. Y ou can set the privile ge only for the show , clear, or conf igure form of t he command. The con figu re form of the comman d is typicall y the form that causes a configur[...]

  • Page 396

    16-28 Cisco ASDM User Guide OL-16647-01 Chapter 16 Co n figuring Management Access Configuring AAA for System Administrators Configuring Commands on the T ACACS+ Server Y ou can configure commands on a Cisco Secure Access Control Server (A CS) T ACA CS+ serv er as a shared prof ile component, for a gro up, or for indi vidual users. F or third-party[...]

  • Page 397

    16-29 Cisco ASDM User Guide OL-16647-01 Chapter 16 Configuring Manage ment Access Configuri ng AAA for System Administrators Figur e 16-2 Per mit ting Single W ord Commands • T o disallo w some ar guments, enter the ar guments preceded b y deny . For e xample, to allo w enable , but not enable passw ord , enter enable in the commands box, and den[...]

  • Page 398

    16-30 Cisco ASDM User Guide OL-16647-01 Chapter 16 Co n figuring Management Access Configuring AAA for System Administrators Figur e 16-4 Specifying Abbreviations • W e recommend that you allo w the follo wing b asic commands for all users: – show checksum – show cur priv – enable – help – show history – login – logout – pager –[...]

  • Page 399

    16-31 Cisco ASDM User Guide OL-16647-01 Chapter 16 Configuring Manage ment Access Configuri ng AAA for System Administrators Step 4 Click A pply . Configuring Management Access Accounting T o enable ac counting for m anagement access, perform the following steps: Step 1 Y ou can only accoun t for users that first authenti cate w ith the security ap[...]

  • Page 400

    16-32 Cisco ASDM User Guide OL-16647-01 Chapter 16 Co n figuring Management Access Configuring AAA for System Administrators Recovering from a Lockout In some circumstances, when you tu rn on command authorization or CLI authentication, you can be locked out of the security appliance CLI. Y ou can usually recover access by restarting the security a[...]

  • Page 401

    16-33 Cisco ASDM User Guide OL-16647-01 Chapter 16 Configuring Manage ment Access Configuri ng AAA for System Administrators[...]

  • Page 402

    16-34 Cisco ASDM User Guide OL-16647-01 Chapter 16 Co n figuring Management Access Configuring AAA for System Administrators[...]

  • Page 403

    CH A P T E R 17-1 Cisco ASDM User Guide OL-16647-01 17 Configuring Logging The logging feature lets you enable logging and specify how lo g information is handled. Th e Log vie wing feature lets you vie w syslog messages in real-time. F or a description of the log vie wing feat ure, see Chapter 45, “Monitoring Log ging. ” About Logging The secu[...]

  • Page 404

    17-2 Cisco ASDM User Guide OL-16647-01 Chapter 17 Configuring Logg ing Using Logging Using Logging After you ha ve def ined the securit y context, choose Conf iguration > De vice Management > Logging . Under Logging, you can d o the follow ing: • In the Logging Setup pane, enab le logging an d conf igure the logging parameters. F or more in[...]

  • Page 405

    17-3 Cisco ASDM User Guide OL-16647-01 Chapter 17 Configuring Logging Logging Setup Step 4 Check the Send sysl ogs in EMBLEM f orma t check box to enable EMBLEM format so that it is used for all log destinat ions, except syslog serv ers. Step 5 In the Buf fer Size field, specify th e size of the internal log buffer to which syslog messages are sav [...]

  • Page 406

    17-4 Cisco ASDM User Guide OL-16647-01 Chapter 17 Configuring Logg ing Syslog Setup Step 4 In the Username field, specify the u se r na me to l o g in to t h e F TP s er v e r . Step 5 In t he Pa ss wo r d fi el d , s pe c if y th e password associated with the username to log in to the FTP server . Step 6 In the Con firm P assword f ield, reenter [...]

  • Page 407

    17-5 Cisco ASDM User Guide OL-16647-01 Chapter 17 Configuring Logging Syslog Setup Step 1 From th e Facilit y code to include in syslogs d rop-do wn list, choose a system log f acility for syslog servers to use as a basis to f ile messages. The defa ult is LOCAL(4)20, which is what mo st UNIX systems expect. Ho we ver , because your networ k device[...]

  • Page 408

    17-6 Cisco ASDM User Guide OL-16647-01 Chapter 17 Configuring Logg ing Syslog Setup Step 1 Check the Disable Message(s) check box to disable messages for the syslog message ID(s) displayed in the Syslog ID(s) list. Step 2 From th e Logging Le vel dr op-dow n list, choose the se verity le v el of messages to be sent for the syslog message ID(s) di s[...]

  • Page 409

    17-7 Cisco ASDM User Guide OL-16647-01 Chapter 17 Configuring Logging E-Mail Setup In the User-Def ined ID field, specify an alphanumeric, us er-def ined string. Step 3 Click OK to cl ose this dialog box. Modes The follo wing table sho ws the modes in which this featur e is av ailable: E-Mail Setup The E-Mail Setup pane lets you set up a source e-m[...]

  • Page 410

    17-8 Cisco ASDM User Guide OL-16647-01 Chapter 17 Configuring Logg ing Event Lists Add/Edit E-Mail Recipients The Add/Edit E-Mail Recipient dialog box lets you set up a destin ation e-mail address for a specif ied se verity of syslog messages to be sent as e-mail messages. The se verity le v el used to filter messages for th e destination e-mail ad[...]

  • Page 411

    17-9 Cisco ASDM User Guide OL-16647-01 Chapter 17 Configuring Logging Event Lists • All—All e vent classes • auth—User Authenticati on • bridge—Transparent fire wall • ca—PKI Certificatio n Authority • config —Command Interface • ha —Fa il over • ips—Intrusion Protectio n Service • ip—IP Stack • np—Network Proces[...]

  • Page 412

    17-10 Cisco ASDM User Guide OL-16647-01 Chapter 17 Configuring Logg ing Logging Filters Add/Edit Event List The Add/Edit Event List dialog box lets you create or edit an e v ent list that you can use to specify which messages shou ld be sent to a log de stination. Y ou ca n create event lists that fi lter messag es according to message class and se[...]

  • Page 413

    17-11 Cisco ASDM User Guide OL-16647-01 Chapter 17 Configuring Logging Logging Filters T o apply message f ilters to a log destinati on, perform the follo wing steps: Step 1 Choose t he name of the logging dest ination to which you w ant to apply a f ilter . A vailable logging destinations are as follows: • Console • Security appliance • Sysl[...]

  • Page 414

    17-12 Cisco ASDM User Guide OL-16647-01 Chapter 17 Configuring Logg ing Logging Filters Step 5 Choose t he ev ent class from the drop- down l ist . A vailable e vent classes include the follo wing: • All—All e vent classes • auth—User Authenticati on • bridge—Transparent fire wall • ca—PKI Certification Authority • config —Comma[...]

  • Page 415

    17-13 Cisco ASDM User Guide OL-16647-01 Chapter 17 Configuring Logging Logging Filters Add/Edit Class and Severity Filter The Add/Edit Class and Severity Filter dialo g box lets you specify a message class and se verity le v el to be used to filter messages. T o add or edit a message class and severity le vel for f iltering messages, perform the fo[...]

  • Page 416

    17-14 Cisco ASDM User Guide OL-16647-01 Chapter 17 Configuring Logg ing Rate Limit Add/Edit Syslog Message ID Filter The Add/Edit Syslog Message ID Filt er dialog box lets you speci fy indi vidual syslog message ID s or ranges of IDs to include in the ev ent list filter . T o add or edit a syslog message ID filter , see Event Li sts, page 17-8 . Mo[...]

  • Page 417

    17-15 Cisco ASDM User Guide OL-16647-01 Chapter 17 Configuring Logging Rate Limit Step 2 The No of Messages field displays the numbe r of me ssages sent. The Interval (Seconds) field displays the interv al, in seconds, that is used to l imit ho w many messages at this logging le vel can be sent. Ch oose a logging le v el from the table and click Ed[...]

  • Page 418

    17-16 Cisco ASDM User Guide OL-16647-01 Chapter 17 Configuring Logg ing Syslog Servers Add/Edit Rate Limit for Syslog Message The Add/Edit Rate Limit for Syslo g Message dialog box lets you assign rate limi ts to a specif ic syslog message. T o add or change the rate limi t for a specif ic syslog message, perform the f ollowing steps: Step 1 T o ad[...]

  • Page 419

    17-17 Cisco ASDM User Guide OL-16647-01 Chapter 17 Configuring Logging Syslog Servers Note Y ou can set up a maximum of four syslog serv ers per secur ity conte xt (up to a total of 16). Modes The follo wing table sho ws the modes in which this featur e is av ailable: Add/Edit Syslog Server The Add/Edit Syslog Serv er dialog box lets yo u add or ed[...]

  • Page 420

    17-18 Cisco ASDM User Guide OL-16647-01 Chapter 17 Configuring Logg ing SMTP SMTP The SMTP pane allows you to configure the remote SM TP server IP address to which e-mail alerts and notif ications are sent in respon se to spec if ic e vents. T o access this pane, choose Conf iguration > Device Setup > Logging > SMTP . T o conf igure the re[...]

  • Page 421

    17-19 Cisco ASDM User Guide OL-16647-01 Chapter 17 Configuring Logging Using NetFlow Step 6 When NetFlo w is en abled, certain syslog messages be com e redundant. T o maintain system performance, we recommend that you d isable all redundant syslog messages, because the same informati on is exported through NetFlo w . T o disable all redundant syslo[...]

  • Page 422

    17-20 Cisco ASDM User Guide OL-16647-01 Chapter 17 Configuring Logg ing Using NetFlow Step 10 Click OK to close the Manage NetFlo w Collectors dialog box an d return to the Add Flo w Ev ent dial og box. Click OK again to close the Add Flo w Event dialog box and return to the NetFlow tab . Step 11 T o change flo w e ven t entries, choose an entry fr[...]

  • Page 423

    P ART 3 Conf iguring the Fire w all[...]

  • Page 424

    [...]

  • Page 425

    CH A P T E R 18-1 Cisco ASDM User Guide OL-16647-01 18 Firewall Mode Overview This chapter describes how the f ire wa ll works in each f irew all mode. T o set the mode at the CLI, see the “Setting T ransparen t or Routed Fire wall Mo de at the CLI” section on page 4-4 . Note In multiple conte xt mode, you cannot set the f ire wall mode sepa ra[...]

  • Page 426

    18-2 Cisco ASDM User Guide OL-16647-01 Chapter 18 Firewall Mode Overview Routed Mode Over view • An Inside User V isits a W eb Server , page 18-2 • An Outside User V isits a W eb Server on the DMZ, page 18-3 • An Inside User V isits a W eb Server on the DMZ, page 18-4 • An Outside User Attempts to Access an In side Host, page 18-5 • A DMZ[...]

  • Page 427

    18-3 Cisco ASDM User Guide OL-16647-01 Chapter 18 Firewall Mode Ov erview Routed Mode Overview 3. The security appliance translat es the local so urce address (10 . 1.2.27) to the global address 209.165.201.10, which is on the outside interface subnet. The global address could be o n any subnet, b ut routing is simpli fied when it i s on the outsid[...]

  • Page 428

    18-4 Cisco ASDM User Guide OL-16647-01 Chapter 18 Firewall Mode Overview Routed Mode Over view 2. The security appliance receiv es the packet and b ecause it is a new session, the security appliance verif ies that the packet is allowed according to th e terms of the security policy (access lists, f ilters, AAA). For multi ple context mo de, the sec[...]

  • Page 429

    18-5 Cisco ASDM User Guide OL-16647-01 Chapter 18 Firewall Mode Ov erview Routed Mode Overview The follo wing steps descr ibe ho w data mov es through the security appl iance (see Figure 18-3 ): 1. A user on the inside netw ork requests a web page from the DMZ web serv er using the destinat ion address of 10.1.1.3. 2. The security appliance receiv [...]

  • Page 430

    18-6 Cisco ASDM User Guide OL-16647-01 Chapter 18 Firewall Mode Overview Routed Mode Over view The follo wing steps descr ibe ho w data mov es through the security appl iance (see Figure 18-4 ): 1. A user on the outside netw ork attempts to reach an inside host ( assuming the host has a routable IP address). If the inside network uses pri vate addr[...]

  • Page 431

    18-7 Cisco ASDM User Guide OL-16647-01 Chapter 18 Firewall Mode Ov erview Transparent Mode Overview Transparent Mode Ove rview T raditionally , a fire wall is a routed hop and acts as a default gateway for hosts that connect to one of its screened subnets. A transparen t fire wa ll, on the other hand , is a Layer 2 fire w all that acts lik e a “b[...]

  • Page 432

    18-8 Cisco ASDM User Guide OL-16647-01 Chapter 18 Firewall Mode Overview Transparen t Mode Overview Passing Traffic Not Allowed in Routed Mode In routed mode, some types of traf fic cannot pass through the security appli ance ev en if you allo w it in an access list. The transparent fire wall, ho we ver , can allo w almost any traf f ic through usi[...]

  • Page 433

    18-9 Cisco ASDM User Guide OL-16647-01 Chapter 18 Firewall Mode Ov erview Transparent Mode Overview Using the Transparent Firewall in Your Network Figure 18-6 sh ows a t ypical transparent f ire wall netw ork where the outside devices are on the same subnet as the inside devices. The in side router and hosts appe ar to be directly connected to the [...]

  • Page 434

    18-10 Cisco ASDM User Guide OL-16647-01 Chapter 18 Firewall Mode Overview Transparen t Mode Overview In single mode, you can only use tw o data interfaces (and the dedi cated management interface, if av ailable) e ven if your security applia nce includes more than two interfaces. • Each directly connected network must be on th e same subnet. • [...]

  • Page 435

    18-11 Cisco ASDM User Guide OL-16647-01 Chapter 18 Firewall Mode Ov erview Transparent Mode Overview How Data Moves Through the Transparent Firewall Figure 18-7 sho ws a typi cal transparent f ire wall implemen tation with an inside netwo rk that contains a public web server . The security appliance has an acces s list so that the inside users can [...]

  • Page 436

    18-12 Cisco ASDM User Guide OL-16647-01 Chapter 18 Firewall Mode Overview Transparen t Mode Overview An Inside User Visits a Web Server Figure 18-8 sh ows an inside user accessing an outsid e web server . Figur e 18 -8 Inside t o Outside The follo wing steps descr ibe ho w data mov es through the security appl iance (see Figure 18-8 ): 1. The user [...]

  • Page 437

    18-13 Cisco ASDM User Guide OL-16647-01 Chapter 18 Firewall Mode Ov erview Transparent Mode Overview An Inside User Visits a Web Server Using NAT Figure 18-8 sh ows an inside user accessing an outsid e web server . Figur e 18-9 Inside t o Outside with NA T The follo wing steps descr ibe ho w data mov es through the security appl iance (see Figure 1[...]

  • Page 438

    18-14 Cisco ASDM User Guide OL-16647-01 Chapter 18 Firewall Mode Overview Transparen t Mode Overview 7. The security appliance performs N A T by transla ting the mapped address to the real address, 10.1.2.27. An Outside User Visits a Web Server on the Inside Network Figure 18-10 sho ws an outside user accessing the inside web server . Figure 1 8-1 [...]

  • Page 439

    18-15 Cisco ASDM User Guide OL-16647-01 Chapter 18 Firewall Mode Ov erview Transparent Mode Overview If the destinat ion MA C address i s not in the security ap pliance table, the security applia nce attempts to disco ver the MA C address by sending an ARP request and a pin g. The first pack et is dropped. 5. The web server responds t o the request[...]

  • Page 440

    18-16 Cisco ASDM User Guide OL-16647-01 Chapter 18 Firewall Mode Overview Transparen t Mode Overview[...]

  • Page 441

    CH A P T E R 19-1 Cisco ASDM User Guide OL-16647-01 19 Adding Global Objects The Objects pane provides a single location where you can configure, vie w , and modify the reusable components that you need to implement your polic y on the security appliance. For example, once you def ine the hosts and networks that are co vered b y your securit y poli[...]

  • Page 442

    19-2 Cisco ASDM User Guide OL-16647-01 Chapter 19 Add ing Global Objects Using Network Obje cts and Groups Network Object Overview Network obj ects let you predef ine host and network IP addresses so t hat you can streamline subsequent confi guration. When you conf igure the security policy , such as an access rule or a AAA rule, you can choose the[...]

  • Page 443

    19-3 Cisco ASDM User Guide OL-16647-01 Chapter 19 Adding Global O bjects Using Network Objec ts and Groups Modes The follo wing table sho ws the modes in which this featur e is av ailable: Configuring a Network Object Group T o conf igure a network object gro up, perform the follo wing steps: Step 1 In t he Configurati on > Fire wall > Object[...]

  • Page 444

    19-4 Cisco ASDM User Guide OL-16647-01 Chapter 19 Add ing Global Objects Using Network Obje cts and Groups Modes The follo wing table sho ws the modes in which this featur e is av ailable: Using Network Objects and Groups in a Rule When you create a rule, you can enter an IP address manuall y , or you can browse for a network object or group to use[...]

  • Page 445

    19-5 Cisco ASDM User Guide OL-16647-01 Chapter 19 Adding Global O bjects Configuring Service Groups The Usages dialog box appears list ing all the rules currently using t he network object or group. This dialog box also lists an y network object groups that cont ain the object. Modes The follo wing table sho ws the modes in which this featur e is a[...]

  • Page 446

    19-6 Cisco ASDM User Guide OL-16647-01 Chapter 19 Add ing Global Objects Configuring Ser vice Groups – Filter f ield—Enter the name of the service g rou p. The wildcard ch aracters asteris k (*) and question mark (?) are allowed. – Filter—Runs the f ilter . – Clear—Clea rs the Filter f iel d. • Name—Lists the service group names. Cl[...]

  • Page 447

    19-7 Cisco ASDM User Guide OL-16647-01 Chapter 19 Adding Global O bjects Configuring Service Groups – Source Port/Range—Lets you en ter the source port or range for th e new TCP , UDP , or TCP-UDP service group member . – ICMP T ype—Lets you enter the ICMP typ e for the ne w ICMP service group member . – Protocol—Lets y ou enter the pro[...]

  • Page 448

    19-8 Cisco ASDM User Guide OL-16647-01 Chapter 19 Add ing Global Objects Configuring Class Maps Configuring Class Maps For information about class maps, see the “Class Map Field Descripti ons” section on page 24-39 . Configuring Inspect Maps For information about inspect maps, see the “Inspect Map Field Descript ions” section on page 24-59 [...]

  • Page 449

    19-9 Cisco ASDM User Guide OL-16647-01 Chapter 19 Adding Global O bjects Configuring Regular Expressions – Name—Shows the regular expression class map nam e. – Match Conditions—Sh ows the match t ype and regular e xpressions in the class map. Match T ype—Shows the match type, which for reg ular expressio ns is always a positi v e match ty[...]

  • Page 450

    19-10 Cisco ASDM User Guide OL-16647-01 Chapter 19 Add ing Global Objects Configuring Regular Expressions T able 1 9-1 re gex Me tach ara cters Character Description Notes . Dot Matches an y single ch aracter . For ex ample, d.g matches dog, dag, dtg, and an y word that cont ains those characters, s uch as doggonn it. ( exp ) Subexpression A subexp[...]

  • Page 451

    19-11 Cisco ASDM User Guide OL-16647-01 Chapter 19 Adding Global O bjects Configuring Regular Expressions • Build—Helps you b uild a re gular e xpression using the Build Re gular Expression dialog box. • T est—T ests a regular expression against some samp le text. Modes The follo wing table sho ws the modes in which this featur e is av aila[...]

  • Page 452

    19-12 Cisco ASDM User Guide OL-16647-01 Chapter 19 Add ing Global Objects Configuring Regular Expressions – Character String—Enter a te xt string. – Escape Special Characters—If you entered any meta characters in you r text string th at you want to be used literally , check this box to add th e backslash () escape char acter befo re them. [...]

  • Page 453

    19-13 Cisco ASDM User Guide OL-16647-01 Chapter 19 Adding Global O bjects Configuring Regular Expressions – One or more times (+)—A quantif ier that indicates that there is at least 1 of t he previous expression. F or ex ample, lo+se matches lose and loose, b ut not lse. – Any number of times (*)—A quantif ier that indicates that th ere are[...]

  • Page 454

    19-14 Cisco ASDM User Guide OL-16647-01 Chapter 19 Add ing Global Objects Configuring TCP Maps Add/Edit Regular Expression Class Map The Add/Edit Re gular Expression Class Map dial og box groups reg ular expressions together . A regular expression class map can be used by i nspec tion class maps and inspect ion polic y maps. Fields • Name—Enter[...]

  • Page 455

    19-15 Cisco ASDM User Guide OL-16647-01 Chapter 19 Adding Global O bjects Configuring Time Ra nges Configuring Time Ranges Use the T ime Ranges option to create a reusable component that defi nes starting and ending times that can be applied to various security features. Once you have def ined a time rang e, you can select the time range and apply [...]

  • Page 456

    19-16 Cisco ASDM User Guide OL-16647-01 Chapter 19 Add ing Global Objects Configuring Time Range s • Start at—Specifies when the time range begins. – Month—Specif ies the month, in the ran ge of January through December . – Day—Specifies the day , in the range o f 01 through 3 1. – Y ear—Specifies the year , in t he range of 1993 th[...]

  • Page 457

    19-17 Cisco ASDM User Guide OL-16647-01 Chapter 19 Adding Global O bjects Encrypted T raffic Inspection – On these days of the week—Lets y ou choose specif ic days of the week. – Daily Start T ime—Specif ies the hour and th e minute that the time ran ge begins. – Daily End T ime (inclusi ve) area—Specif ies the ho ur and the minut e tha[...]

  • Page 458

    19-18 Cisco ASDM User Guide OL-16647-01 Chapter 19 Add ing Global Objects TLS Proxy Wizard Use the TLS Proxy to enable inspection of SSL en crypted V oIP signaling, na mely Skinny and SIP , interacting with Cisco Call Manager . Additionally , c onfig ure the TLS Proxy on the security ap pliance to use the follo wing Cisco Unif ied Communications fe[...]

  • Page 459

    19-19 Cisco ASDM User Guide OL-16647-01 Chapter 19 Adding Global O bjects TLS Proxy Wizard Configure TLS Proxy Pane Note This feature is not su pported for ASDM v ersion 6.1.5 o r the Adapti ve Security Appliance v ersion 8.1.2. Y ou can configure the TLS Pro xy from the Configuratio n > Firew all > Advanced > Encrypte d T raff ic Inspecti[...]

  • Page 460

    19-20 Cisco ASDM User Guide OL-16647-01 Chapter 19 Add ing Global Objects TLS Proxy Wizard Adding a TLS Proxy Instance Note This feature is not su pported for ASDM v ersion 6.1.5 or t he Adapti ve Security Appliance v ersion 8.1.2. Use the Add TLS Proxy Inst ance Wizard to add a TLS Proxy to enable inspection of SSL encrypted V oIP signaling, namel[...]

  • Page 461

    19-21 Cisco ASDM User Guide OL-16647-01 Chapter 19 Adding Global O bjects TLS Proxy Wizard Add TLS Proxy Instance Wizard – Server Configuration Note This feature is not su pported for ASDM v ersion 6.1.5 o r the Adapti ve Security Appliance v ersion 8.1.2. Use the Add TLS Proxy Inst ance Wizard to add a TLS Proxy to enable inspection of SSL encry[...]

  • Page 462

    19-22 Cisco ASDM User Guide OL-16647-01 Chapter 19 Add ing Global Objects TLS Proxy Wizard See TLS Proxy W izard, pag e 19-17 to determine which TLS clients used b y the Cisco Unif ied Communication features are capable of client authentication. Step 5 Click Ne xt . The Add TLS Proxy Instance W izard – Client Conf igurati on dialog box opens. In [...]

  • Page 463

    19-23 Cisco ASDM User Guide OL-16647-01 Chapter 19 Adding Global O bjects TLS Proxy Wizard Step 3 T o specify an LDC Is suer to use for the TLS Pr oxy , perform the follo wing. When you select and configure the LDC Issuer option, th e security appliance acts as the certificate autho rity and issues certificates to TLS clients. a. Click the Specify [...]

  • Page 464

    19-24 Cisco ASDM User Guide OL-16647-01 Chapter 19 Add ing Global Objects Phone Proxy Add TLS Proxy Instance Wizard – Other Steps Note This feature is not su pported for ASDM v ersion 6.1.5 or t he Adapti ve Security Appliance v ersion 8.1.2. The last dialog box of the A dd TLS Proxy Instance W izard specif ies the addition al steps required to m[...]

  • Page 465

    19-25 Cisco ASDM User Guide OL-16647-01 Chapter 19 Adding Global O bjects Phone Proxy Configuring the Phone Proxy Note This feature is not su pported for ASDM v ersion 6.1.5 o r the Adapti ve Security Appliance v ersion 8.1.2. Config uring the Phone Proxy requires the f ollow ing steps: Step 1: Create the CTL file. See Creating a CTL File, page 19-[...]

  • Page 466

    19-26 Cisco ASDM User Guide OL-16647-01 Chapter 19 Add ing Global Objects Phone Proxy Step 5 In the TFTP Serv er Settings list, do one of t he following: • T o add a new TFTP ser ver for the Phone Proxy , click Add . The Add TFTP Serv er dialog box opens. See Add/Edit TFTP Server , page 19-27 . • T o select an existi ng TFTP server , select one[...]

  • Page 467

    19-27 Cisco ASDM User Guide OL-16647-01 Chapter 19 Adding Global O bjects Phone Proxy The IP address you enter should be the g lobal IP address based on where the IP phone and HTTP proxy server is located. Y o u can enter a hostname in the IP Address field when that hostname can be resolved to an IP address by t he security appliance (for e xample,[...]

  • Page 468

    19-28 Cisco ASDM User Guide OL-16647-01 Chapter 19 Add ing Global Objects CTL File Interface—Specif ies the interface on which the TFTP server resides. The TFTP server must r eside on the same interface as the Cisco Unif ied Call Manage r (CUCM). Modes The follo wing table sho ws the modes in which this featur e is av ailable: CTL File Note This [...]

  • Page 469

    19-29 Cisco ASDM User Guide OL-16647-01 Chapter 19 Adding Global O bjects CTL File The Create a Certificate T rust List (CTL) File pane is used to config ure the attributes for generati ng the CTL file. The name of the CTL f ile instance is generated b y the ASDM. When the user tries to edit the CTL file instance con figuration, the ASDM automatic [...]

  • Page 470

    19-30 Cisco ASDM User Guide OL-16647-01 Chapter 19 Add ing Global Objects TLS Proxy • capf: Specif ies the role of this trustpoint to be CAPF . Only one CAPF trustpoint can be conf igured. Address—Specifies the IP address of the trustpo int. The IP address you specify must be the gl obal address of the TFTP serv er or CUCM if N A T is configure[...]

  • Page 471

    19-31 Cisco ASDM User Guide OL-16647-01 Chapter 19 Adding Global O bjects TLS Proxy • Add—Adds a TLS Proxy . • Edit—Edits a TLS Proxy . • Delete—Deletes a TLS Proxy . • Maximum Sessions—Lets you specify th e maximum number of TLS Proxy sessions to su pport. – Specify the maximum number of TLS Proxy sessions th at the ASA needs to [...]

  • Page 472

    19-32 Cisco ASDM User Guide OL-16647-01 Chapter 19 Add ing Global Objects CTL Provider – A vailable Al gorithms—Lists the a vailable algo rithms to be announced or matched during t he TLS handshake: des-sha1, 3des-sha1, aes128-sha1, aes256-sha1, and nu ll-sha1. Add—Adds the sele cted algorithm to the activ e list. Remov e—Removes the select[...]

  • Page 473

    19-33 Cisco ASDM User Guide OL-16647-01 Chapter 19 Adding Global O bjects CTL Provider Add/Edit CTL Provider The Add/Edit CTL Pro vider dialog box lets you def ine the parameters for the CTL Pr ovider . Fields • CTL Provid er Name—Specif ies the CTL Prov ider name. • Certif icate to be Exported—Specif ies the certif icate to be e xported to[...]

  • Page 474

    19-34 Cisco ASDM User Guide OL-16647-01 Chapter 19 Add ing Global Objects CTL Provider Firewall Mode Security Context Routed T ransparent Single Multiple Context Sy stem • • • • —[...]

  • Page 475

    CH A P T E R 20-1 Cisco ASDM User Guide OL-16647-01 20 Configuring Access Rule s and EtherType Rules This chapter describes how to conf igure access rules a nd EtherT ype rules, and includes the following topics: • Information Ab out Access Rules and EtherT ype Rules, page 20-1 • Config uring Access Rules, page 20 -7 • Config uring Ethertype [...]

  • Page 476

    20-2 Cisco ASDM User Guide OL-16647-01 Chapter 20 Configurin g Access Rules and EtherType Rules Information About Access Rules and EtherType Rules Information About Both Access Rules and EtherType Rules This section descri bes information f or both access rules an d EtherT ype rules, and includes the fo llo wing topics: • Using Access Rules and E[...]

  • Page 477

    20-3 Cisco ASDM User Guide OL-16647-01 Chapter 20 Configuring Access Ru les and EtherType Rules Information About Access Rules and EtherType Rules Note “Inbound” and “outbound” refer to the application of an access list on an interface, either to traf fic entering the security appliance on an interface or traf f ic exit ing the s ecurity ap[...]

  • Page 478

    20-4 Cisco ASDM User Guide OL-16647-01 Chapter 20 Configurin g Access Rules and EtherType Rules Information About Access Rules and EtherType Rules IP Addresses Used for Acces s Rules When You Use NAT When you use N A T , the IP addresses you specify for an access rule depend on the interface to which the access rule is attached; you need to use add[...]

  • Page 479

    20-5 Cisco ASDM User Guide OL-16647-01 Chapter 20 Configuring Access Ru les and EtherType Rules Information About Access Rules and EtherType Rules If you want to allo w an outside host to access an inside host, you c an apply an inbound access rule on the outside interface. Y ou nee d to specify the transl ated address of the inside host in the acc[...]

  • Page 480

    20-6 Cisco ASDM User Guide OL-16647-01 Chapter 20 Configurin g Access Rules and EtherType Rules Information About Access Rules and EtherType Rules Access Rules for Returning Traffic For TCP and UDP connect ions for both routed an d transparent mode, yo u do not need an access list to allow returning traf f ic, because th e sec urity appliance allo [...]

  • Page 481

    20-7 Cisco ASDM User Guide OL-16647-01 Chapter 20 Configuring Access Ru les and EtherType Rules Configuring Access Rule s 802.3-forma tted frames are not handle d by the rule because they use a length field as opposed to a type fie l d . BPDUs, which are handled b y the rule, are the only e xception: the y are SN AP-encapsulated, and the security a[...]

  • Page 482

    20-8 Cisco ASDM User Guide OL-16647-01 Chapter 20 Configurin g Access Rules and EtherType Rules Configuring Access Rules For more informati on about access rules, see the “Information About Access Rules and EtherT ype Rules” sectio n on page 20-1 . Fields Note: Y o u can adjust the table column widths b y movi ng your cursor o ver a column line[...]

  • Page 483

    20-9 Cisco ASDM User Guide OL-16647-01 Chapter 20 Configuring Access Ru les and EtherType Rules Configuring Access Rule s • Packet T race—Provides detailed in formation about packet pr ocessing with the adapti v e security appliance, as well as information for pa cket snif f ing and network f ault isolation. The follo wing description summari z[...]

  • Page 484

    20-10 Cisco ASDM User Guide OL-16647-01 Chapter 20 Configurin g Access Rules and EtherType Rules Configuring Access Rules Modes The follo wing table sho ws the modes in which this featur e is av ailable: Rule Queries The Rule Queries dialog box lets yo u manage named rule queries that you can u se in the Filter field when searching for Rules. Field[...]

  • Page 485

    20-11 Cisco ASDM User Guide OL-16647-01 Chapter 20 Configuring Access Ru les and EtherType Rules Configuring Access Rule s – Remov e—Remov es the selected criteria. • Defin e New Cr iteria—This area lets you def ine ne w criteria to add t o the match criteria. – Field—Choose a type of cri teria, including Interf ace, Source, Destination[...]

  • Page 486

    20-12 Cisco ASDM User Guide OL-16647-01 Chapter 20 Configurin g Access Rules and EtherType Rules Configuring Access Rules • Description—(Optional) Enter a description of the access rule. • Enable Logging—Enables lo gging for the access rule. – Logging Le vel—Specif ies default , emergencies, alerts, criti cal, errors, warnings, notif ic[...]

  • Page 487

    20-13 Cisco ASDM User Guide OL-16647-01 Chapter 20 Configuring Access Ru les and EtherType Rules Configuring Access Rule s Fields • TCP—Select this opt ion to add TCP services or port numbers to an object group. • UDP—Select this option to add UDP servic es or port numbers to an object gro up. • TCP-UDP—Select this option to add serv ic[...]

  • Page 488

    20-14 Cisco ASDM User Guide OL-16647-01 Chapter 20 Configurin g Access Rules and EtherType Rules Configuring Access Rules total number of hits during th e interv al. At the end of each interv al, the security ap pliance resets the hit count to 0. If no packets match the access rule during an interv al, the security a ppliance delet es the flow entr[...]

  • Page 489

    20-15 Cisco ASDM User Guide OL-16647-01 Chapter 20 Configuring Access Ru les and EtherType Rules Configuring Access Rule s The Log option consumes a certain amount of memory when enabled. T o help control the risk of a potential Denial of Service attack, you can conf igure th e Maximum Deny- flo w setting by choo sing Advanced in the Access Rules w[...]

  • Page 490

    20-16 Cisco ASDM User Guide OL-16647-01 Chapter 20 Configurin g Access Rules and EtherType Rules Configuring Ether type Rules (Trans parent Mode Only) Configuring Ethertype Rules (Transparent Mode Only) The EtherT ype Rules windo w sho ws access rules based on packet Eth erT ypes. EtherT ype rules are used to conf igure non-IP related traf f ic pol[...]

  • Page 491

    20-17 Cisco ASDM User Guide OL-16647-01 Chapter 20 Configuring Access Ru les and EtherType Rules Configuring Ethertype Rules (Tra nsparent Mode Only) Modes The follo wing table sho ws the modes in which this featur e is av ailable: Add/Edit EtherType Rule The Add/Edit EtherT ype Rules dialog box lets you add or edit an EtherT ype rule. For more inf[...]

  • Page 492

    20-18 Cisco ASDM User Guide OL-16647-01 Chapter 20 Configurin g Access Rules and EtherType Rules Configuring Ether type Rules (Trans parent Mode Only)[...]

  • Page 493

    CH A P T E R 21-1 Cisco ASDM User Guide OL-16647-01 21 Configuring NAT This chapter describes Network Address Tr ansl ation, and includes the following sections: • N A T Overvie w , page 21-1 • Config uring N A T Control, page 21-15 • Using Dynamic N A T , page 21-16 • Using Static N A T , page 21-26 • Using N A T Exemption, page 21-32 NA[...]

  • Page 494

    21-2 Cisco ASDM User Guide OL-16647-01 Chapter 21 Configuring N AT NAT Overvie w Note In this document, all types of translation are ref erred to as N A T . When describing N A T , the terms inside and outside represent the security relationship between an y tw o interfaces. The higher security l ev el is inside and the lo wer security le vel is ou[...]

  • Page 495

    21-3 Cisco ASDM User Guide OL-16647-01 Chapter 21 Configuring NAT NAT Overview NAT in Transparent Mode Using N A T in transparent mode eliminates the need fo r the upstream or downstream routers to perform N A T for their networks. F or example, a tran sparent fire wa ll security appliance i s useful between two VRFs so you can establish BGP neighb[...]

  • Page 496

    21-4 Cisco ASDM User Guide OL-16647-01 Chapter 21 Configuring N AT NAT Overvie w Figure 21 -2 NA T Exampl e: T ransparent Mode NAT Control N A T control requires that packets trav ersing from an inside interf ace to an outside interf ace match a N A T rule; for an y host on the inside netw ork to access a host on the outside n etwork, you must co n[...]

  • Page 497

    21-5 Cisco ASDM User Guide OL-16647-01 Chapter 21 Configuring NAT NAT Overview Interfaces at the same secur ity lev el are not required to use N A T to communicate. Ho we ver , if you confi gure dynamic N A T or P A T on a same security interf ace, then all traff ic from the interface to a same security interface o r an outside interface mu st matc[...]

  • Page 498

    21-6 Cisco ASDM User Guide OL-16647-01 Chapter 21 Configuring N AT NAT Overvie w NAT Types This section descri bes the av ailable N A T types, and includes the follo wing t opics: • Dynamic N A T , page 21-6 • P A T , page 21-8 • Static NA T , page 21 -8 • Static P A T , page 21-9 • Bypassing N A T When NA T Control is Enabled, page 21-10[...]

  • Page 499

    21-7 Cisco ASDM User Guide OL-16647-01 Chapter 21 Configuring NAT NAT Overview Figur e 21 -6 Remote Host At t empts to Connect t o the Real A ddr ess Figure 21-7 sh ows a r emote host attempting to ini tiate a connection to a mapped address. This address is not curr ently in the translation table; ther efore, the se curity appl iance drops the pack[...]

  • Page 500

    21-8 Cisco ASDM User Guide OL-16647-01 Chapter 21 Configuring N AT NAT Overvie w Dynamic N A T has these disadvantages: • If the mapped pool has fe wer ad dresses than the real group, you could run out of addresses if the amount of traf f ic is more than expected. Use P A T if this ev ent occurs often, because P A T provides o ver 64,000 transl a[...]

  • Page 501

    21-9 Cisco ASDM User Guide OL-16647-01 Chapter 21 Configuring NAT NAT Overview The main dif ference between dynamic NA T and a range of addresses for static N A T is that static NA T allo ws a remote host to initiate a conn ection to a transl ated host (if an access list exists that al lows it), while dynamic N A T does not. Y ou also nee d an equa[...]

  • Page 502

    21-10 Cisco ASDM User Guide OL-16647-01 Chapter 21 Configuring N AT NAT Overvie w Bypassing NAT When NAT Control is Enabled If you enable N A T control, then inside hosts must match a N A T rule when accessing out side hosts. If you do not want to perform N A T for some hosts, then you can byp ass N A T for those hosts or you can disable N A T cont[...]

  • Page 503

    21-11 Cisco ASDM User Guide OL-16647-01 Chapter 21 Configuring NAT NAT Overview Figur e 21 -9 P olicy NA T with Diff er ent Destination Addr esses Figure 21-10 sho ws the use of so urce and destination ports. The host on the 10.1.2.0/24 network accesses a single host for both web ser vices and T elnet se rvices. When the host accesses the server fo[...]

  • Page 504

    21-12 Cisco ASDM User Guide OL-16647-01 Chapter 21 Configuring N AT NAT Overvie w For pol icy stati c N A T , both translated and remote ho sts can originate tr af fic. For traf f ic origin ated on the translated network, the N A T rule sp ecifies the real addresses and the destination addresses, b ut for traff ic originated on the remote netw ork,[...]

  • Page 505

    21-13 Cisco ASDM User Guide OL-16647-01 Chapter 21 Configuring NAT NAT Overview Order of NAT Rules Used to Match Real Addresses The security appliance matches real addresses to N A T rules in the follo wing order: 1. N A T exemption—In ord er , until the f irst match. 2. Static N A T and Static P A T (regular an d policy)—In order , unt il the [...]

  • Page 506

    21-14 Cisco ASDM User Guide OL-16647-01 Chapter 21 Configuring N AT NAT Overvie w When an inside host sends a DNS request for the add r ess of ftp.cisco.com, the DNS server replies with the mapped address (209 .165.201.10). The security applia nce refers to the static statement for the inside server and translates the address inside the DNS reply t[...]

  • Page 507

    21-15 Cisco ASDM User Guide OL-16647-01 Chapter 21 Configuring NAT Configuring NAT Contro l Figure 21-13 sho ws a web serv er and DNS server on the ou tside. The security appliance has a static translation for the outsid e server . In this case, when an inside user requests the address for ftp.cisco.com from the DNS serv er , the DNS serv er respon[...]

  • Page 508

    21-16 Cisco ASDM User Guide OL-16647-01 Chapter 21 Configuring N AT Using Dynamic NAT Using Dynamic NAT This section describes how t o confi gure dynamic N A T , including dy namic N A T and P A T , dynamic policy N A T and P A T , and identity N A T . Policy N A T lets you identify real addresses for address tran slation by specifyin g the source [...]

  • Page 509

    21-17 Cisco ASDM User Guide OL-16647-01 Chapter 21 Configuring NAT Using Dynamic NAT Real Addresses and Global Pools Paired Using a Pool ID In a dynamic N A T rule, you sp ecify real addresses and then pair them with a global pool of add resses to which the real addresses are mapped when the y e xit an other interface (in the case of P A T , this i[...]

  • Page 510

    21-18 Cisco ASDM User Guide OL-16647-01 Chapter 21 Configuring N AT Using Dynamic NAT Global Pools on Different Interf aces with the Same Pool ID Y ou can create a global pool for each interface using the same pool ID. If you create a global pool for the Outside and DMZ inte rfaces on ID 1, then a single N A T rule associat ed with ID 1 identif ies[...]

  • Page 511

    21-19 Cisco ASDM User Guide OL-16647-01 Chapter 21 Configuring NAT Using Dynamic NAT Figur e 21 -16 Dif f er ent NA T IDs Multiple Addresses in the Same Global Pool Y o u can ha ve multiple add resses in the same global pool; the security applia nce uses the dynamic NA T ranges of addresses f irst, in the order the y are in the conf iguration, and [...]

  • Page 512

    21-20 Cisco ASDM User Guide OL-16647-01 Chapter 21 Configuring N AT Using Dynamic NAT Figur e 21 -1 7 NA T and P A T T ogether Outside NAT If a N A T rule translates addresses from an outside in terface to an inside interf ace, then the rule is an outside N A T rule, and you need to sp ecify that it translates inbound tra f fic. If you also w ant t[...]

  • Page 513

    21-21 Cisco ASDM User Guide OL-16647-01 Chapter 21 Configuring NAT Using Dynamic NAT Figur e 21 -1 8 Outside NA T and Inside NA T Combined Real Addresses in a NAT Rule Must be Transla ted on All Lower or Sa me Security Interfaces When you create a N A T rule for a group of IP addresses, then you must perfor m N A T on that group of addresses when t[...]

  • Page 514

    21-22 Cisco ASDM User Guide OL-16647-01 Chapter 21 Configuring N AT Using Dynamic NAT Step 2 For a new pool, from the Interf ace drop-down list, choose the interface where you want to use the mapped IP addresses. Step 3 For a ne w pool, in the Pool ID f ield, enter a number between 1 and 2147483647. Do n ot enter a pool ID that is already i n use, [...]

  • Page 515

    21-23 Cisco ASDM User Guide OL-16647-01 Chapter 21 Configuring NAT Using Dynamic NAT T o conf igure a dynamic N A T , P A T , or identity N A T rule, perform the follow ing steps. Step 1 From t he Configuration > Firewall > N A T Rul es pane, choose Add > Add Dynamic NA T Rule . The Add Dynamic N A T Rule dialog box appears. Step 2 In the [...]

  • Page 516

    21-24 Cisco ASDM User Guide OL-16647-01 Chapter 21 Configuring N AT Using Dynamic NAT Randomizing the I SN of the protected host pre vents an attacker from predecti ng the next I SN for a ne w connection and po tentially hijacking th e ne w session. TCP initial sequ ence number rand omization can be d isabled if require d. For e xample: – If anot[...]

  • Page 517

    21-25 Cisco ASDM User Guide OL-16647-01 Chapter 21 Configuring NAT Using Dynamic NAT T o conf igure dynamic polic y N A T or P A T , perform the followin g steps: Step 1 From t he Configuration > Firewall > N A T Ru les pane, choos e Add > Advanced > Add Dynamic P olicy NA T Ru l e . The Add Dynamic Polic y N A T Rule dialog box appears[...]

  • Page 518

    21-26 Cisco ASDM User Guide OL-16647-01 Chapter 21 Configuring N AT Using Static NAT Note Y ou can also set these values usin g a security policy rule (see the “Configu ring Connection Settings” section on page 27-6 ). If you set them in bot h places, then the security app liance uses the lo wer limit. For TCP sequence randomization, if it is d[...]

  • Page 519

    21-27 Cisco ASDM User Guide OL-16647-01 Chapter 21 Configuring NAT Using Static NAT Policy N A T lets you identify real addresses for address tran slation by specifyin g the source and destination addresses. Y ou can also optionall y specify the source an d destination ports. Re gular N A T can only consider the sour ce addresses, and not th e dest[...]

  • Page 520

    21-28 Cisco ASDM User Guide OL-16647-01 Chapter 21 Configuring N AT Using Static NAT Step 1 From t he Configuration > Firewall > N A T Rul es pane, choose Add > Add Static NA T Rule . The Add Static N A T Rule dialog box ap pears. Step 2 In the Original area, from the Interf ace drop-do wn list, choose the interf ace that is connected to t[...]

  • Page 521

    21-29 Cisco ASDM User Guide OL-16647-01 Chapter 21 Configuring NAT Using Static NAT Randomizing the I SN of the protected host pre vents an attacker from predectin g the next I SN for a ne w connection and po tentially hijacking th e ne w session. TCP initial sequ ence number rand omization can b e disabled if requ ired. For example: – If another[...]

  • Page 522

    21-30 Cisco ASDM User Guide OL-16647-01 Chapter 21 Configuring N AT Using Static NAT Configuring Static Policy NAT, PAT, or Identity NAT Figure 21-22 sho ws typi cal static policy N A T , static policy P A T , and static p olicy identity N A T scenarios. The translation is always acti ve so both transl ated and remo te hosts can originat e connecti[...]

  • Page 523

    21-31 Cisco ASDM User Guide OL-16647-01 Chapter 21 Configuring NAT Using Static NAT Step 6 Specify the mapped IP address by clicking one of the follo wing: • Use IP Address Enter the IP address or click the ... b utton to choose an IP address that you already defined in ASDM. Specify the address and subnet mask using pref ix/l ength n otation, su[...]

  • Page 524

    21-32 Cisco ASDM User Guide OL-16647-01 Chapter 21 Configuring N AT Using NAT Exemptio n • Maximum Embry onic Connections —Specif ies the maximum number of embryonic connecti ons per host up to 65,536. An em bryonic connection is a connection request that has not f inished the necessary handshake between source and destinatio n. This limit enab[...]

  • Page 525

    21-33 Cisco ASDM User Guide OL-16647-01 Chapter 21 Configuring NAT Using NAT Exemption Note Y ou can later specify addresses that you do not want to exemp t. For e xample, you can specify a subnet to ex empt such as 10.1.1.0/24, but if you w ant to tran slate 10.1.1.50, then you can create a separate rule for th at address that remo ves the ex empt[...]

  • Page 526

    21-34 Cisco ASDM User Guide OL-16647-01 Chapter 21 Configuring N AT Using NAT Exemptio n[...]

  • Page 527

    CH A P T E R 22-1 Cisco ASDM User Guide OL-16647-01 22 Configuring Service Policy Rules This chapter describes ho w to enable service polic y rules. Service policies p rovide a co nsistent and flexi ble way to conf igure security appliance features. For e xample, you can use a service policy to create a timeout conf iguration th at is specifi c to [...]

  • Page 528

    22-2 Cisco ASDM User Guide OL-16647-01 Chapter 22 Co nfiguring Service Policy Rules Service Policy Ov erview • Application in spection • IPS • QoS output pol icing • QoS priority queue • QoS traf f ic shaping, hier archical priority queue • NetFlo w Secure Ev ent Logging f iltering Service Policy Elements Config uring a service polic y [...]

  • Page 529

    22-3 Cisco ASDM User Guide OL-16647-01 Chapter 22 Config uring Service Policy Rules Service Policy Overview Feature Directionality Actions are applied to t raff ic bidirectionall y or unidirectionally d epending on the feature. F or features that are applied bidirectionally , all traf fic that enters or exits the inter face to which yo u apply th e[...]

  • Page 530

    22-4 Cisco ASDM User Guide OL-16647-01 Chapter 22 Co nfiguring Service Policy Rules Service Policy Ov erview Note Application inspec tion includes multiple inspect ion types, and each inspection type is a separate feature when you consider the ma tching guidelines above. Order in Which Multiple Feature Ac tions within a Rule are Applied The order i[...]

  • Page 531

    22-5 Cisco ASDM User Guide OL-16647-01 Chapter 22 Config uring Service Policy Rules Service Policy Overview p. SIP q. Skinny r. SMTP s. SNMP t. SQL*Net u. TFTP v. XDMCP w. DCERPC x. Instant Messaging Note RADIUS accounting is not listed because it is the onl y inspection allo wed on management traf fi c. W AAS is not listed because it can be config[...]

  • Page 532

    22-6 Cisco ASDM User Guide OL-16647-01 Chapter 22 Co nfiguring Service Policy Rules Adding a Service Polic y Rule for Through Traffic For e xample, if HTTP traf f ic matches a policy on the in side interface to inspect HTTP traf f ic, and you hav e a separate polic y on the outside interf ace for HTTP inspecti on, then that traf f ic is not also in[...]

  • Page 533

    22-7 Cisco ASDM User Guide OL-16647-01 Chapter 22 Config uring Service Policy Rules Adding a Service Polic y Rule for Throug h Traffic – Default Inspection T raffic —The class matches the defa ult TCP and UDP ports used b y all applications that the secu rity appliance can inspect. This option, which is used in the def ault global poli cy , is [...]

  • Page 534

    22-8 Cisco ASDM User Guide OL-16647-01 Chapter 22 Co nfiguring Service Policy Rules Adding a Service Polic y Rule for Through Traffic multiple A CEs to the same tr af fic class b y repeating this entire procedure. See the “Managing the Order of Service Polic y Rules” section on page 22-13 for information about changing the order of AC E s . •[...]

  • Page 535

    22-9 Cisco ASDM User Guide OL-16647-01 Chapter 22 Config uring Service Policy Rules Adding a Service Polic y Rule for Throug h Traffic If you want to specify a TCP or UDP port number , or an ICMP service number, enter pr otocol / port . For e xample, enter TCP/8080. By default, the service is IP . Separate multiple services by a co mma. e. (Optiona[...]

  • Page 536

    22-10 Cisco ASDM User Guide OL-16647-01 Chapter 22 Co nfiguring Service Policy Rules Adding a Service Policy Rule for Management Traffic Step 9 Click Finish . Adding a Service Policy Rule for Management Traffic Y ou can create a service policy for traff ic directed to the security appli ance for management purposes. This type of securit y policy ca[...]

  • Page 537

    22-11 Cisco ASDM User Guide OL-16647-01 Chapter 22 Config uring Service Policy Rules Adding a Service Policy Rule for Management Traffic both RADIUS accounting and connect ion limits are applied to the interf ace. Ho wev er , if you ha ve a global polic y with RADIUS accounting , and an interface po licy with RADIUS accounting, t hen only the inter[...]

  • Page 538

    22-12 Cisco ASDM User Guide OL-16647-01 Chapter 22 Co nfiguring Service Policy Rules Adding a Service Policy Rule for Management Traffic Step 6 Click Next . Step 7 The next di alog box depe nds on the traffic match criteria you c hose. • Source and Destination Address—Th is dialog box lets you set the source and desti nation addresses: a. Click[...]

  • Page 539

    22-13 Cisco ASDM User Guide OL-16647-01 Chapter 22 Config uring Service Policy Rules Managing the Order of Service Policy Ru les In the Service field, enter a port number or name, or c lick ... to choose one already def ined in ASDM. Step 8 Click Next . The Add Management Service Polic y Ru le - Rule Actions dialog b ox appears. Step 9 T o configur[...]

  • Page 540

    22-14 Cisco ASDM User Guide OL-16647-01 Chapter 22 Co nfiguring Service Policy Rules RADIUS Accounting Field Descriptions Step 2 Click the Move Up or Mov e Down cursor (see Figure 22-1 ). Figur e 22-1 Moving an A CE Note If you rearrange A CEs in an access list that is us ed in multiple service pol icies, then the change is inherited in all service[...]

  • Page 541

    22-15 Cisco ASDM User Guide OL-16647-01 Chapter 22 Config uring Service Policy Rules RADIUS Accounting Field Descriptions Add RADIUS Accounting Policy Map The Add RADIUS Accounting Pol icy Map dialog box lets you add the basic sett ings for the RADIUS accounting map. Fields • Name—Enter the name of the pre viously co nfigu red RADIUS accounting[...]

  • Page 542

    22-16 Cisco ASDM User Guide OL-16647-01 Chapter 22 Co nfiguring Service Policy Rules RADIUS Accounting Field Descriptions RADIUS Inspect Map The RADIUS pane lets you vi ew pre viou sly confi gured RADIUS applicatio n inspection maps. A RADIUS map lets you change th e default conf iguratio n values used for RADI US applic ation inspe ction. Y ou can[...]

  • Page 543

    22-17 Cisco ASDM User Guide OL-16647-01 Chapter 22 Config uring Service Policy Rules RADIUS Accounting Field Descriptions • Add—Adds the host entr y to the Host table. • Delete—Deletes the host entry from the Host table. Modes The follo wing table sho ws the modes in which this featur e is av ailable: RADIUS Inspect Map Other The RADIUS Ins[...]

  • Page 544

    22-18 Cisco ASDM User Guide OL-16647-01 Chapter 22 Co nfiguring Service Policy Rules RADIUS Accounting Field Descriptions[...]

  • Page 545

    CH A P T E R 23-1 Cisco ASDM User Guide OL-16647-01 23 Applying AAA for Network Access This chapter describes ho w to enable AAA (pronoun ced “triple A”) for netw ork access. For information about AAA for management access, see the “Configuring AAA for Sys tem Administrators” secti on on page 16-20 . This chapte r includes the fol lo wing s[...]

  • Page 546

    23-2 Cisco ASDM User Guide OL-16647-01 Chapter 23 Applying AAA for Network Access Configuring Authentic ation for Ne twork Access Information About Authentication The security appliance l ets you conf igure netw ork access authentication using AAA serv ers. This section includes the following topic s: • One-T ime Authentication, page 23-2 • App[...]

  • Page 547

    23-3 Cisco ASDM User Guide OL-16647-01 Chapter 23 Applying AAA for Network Access Configuring Authentication fo r Network Access Redirection is an imp rov ement ov er the basic met hod because it pro vides an impro ved user experience when authenticating, and an iden tical user e xperience for HTTP and HTTPS in both Easy VPN and fire w all modes. I[...]

  • Page 548

    23-4 Cisco ASDM User Guide OL-16647-01 Chapter 23 Applying AAA for Network Access Configuring Authentic ation for Ne twork Access Configuring Network Access Authentication T o enable network access authentication, perform th e follo wing steps. Fo r more information about authentication, see the “Informa tion About A uthenticati on” section on [...]

  • Page 549

    23-5 Cisco ASDM User Guide OL-16647-01 Chapter 23 Applying AAA for Network Access Configuring Authentication fo r Network Access Enabling the Redirection Method of Authentication for HTTP and HTTPS This method of authenti cation enables HTTP(S) listenin g ports to authenticate netwo rk users. When you enable a listening port, the security appliance[...]

  • Page 550

    23-6 Cisco ASDM User Guide OL-16647-01 Chapter 23 Applying AAA for Network Access Configuring Authentic ation for Ne twork Access • Enabling V irtual HTTP—V ir tual HTTP lets you authenticate sepa rately with the security applian ce and with the HTTP server . Even if the HTTP server does not need a second authen tication, this feature achiev es[...]

  • Page 551

    23-7 Cisco ASDM User Guide OL-16647-01 Chapter 23 Applying AAA for Network Access Configuring Authentication fo r Network Access Authenticating Telnet Connecti ons with a Virtual Server Although you can configure network access authenti cation for an y protocol or servi ce (see the “Conf iguring Authentication f or Network Access” section on pa[...]

  • Page 552

    23-8 Cisco ASDM User Guide OL-16647-01 Chapter 23 Applying AAA for Network Access Configuring Authentic ation for Ne twork Access If the destinatio n HTTP server requires aut hentication in addition to the secur ity applianc e, then virtu al HTTP lets you authenticate separately with the secu rity appliance ( via a AAA server) and with the HTTP ser[...]

  • Page 553

    23-9 Cisco ASDM User Guide OL-16647-01 Chapter 23 Applying AAA for Network Access Configuring Auth orization for Network Access Configuring the Authentication Proxy Limit Y o u can manually conf igure the u auth session limit b y setting the maxim um number of concurrent proxy connections allo wed p er user . T o set the proxy limit, p erform the f[...]

  • Page 554

    23-10 Cisco ASDM User Guide OL-16647-01 Chapter 23 Applying AAA for Network Access Configuring Authoriz ation for Network Access T o conf igure T ACA CS+ authorization, perform the foll owing steps: Step 1 Enable authentication. For more information, see the “Conf iguring Networ k Access Authenti cation” section on page 23-4 . If you hav e alre[...]

  • Page 555

    23-11 Cisco ASDM User Guide OL-16647-01 Chapter 23 Applying AAA for Network Access Configuring Auth orization for Network Access When you configure the security appliance to authenticate users for network access, you are also implicitly enabling RADIUS authorizations; t herefore, this section contains no inform ation about confi guring RADIUS aut h[...]

  • Page 556

    23-12 Cisco ASDM User Guide OL-16647-01 Chapter 23 Applying AAA for Network Access Configuring Authoriz ation for Network Access 2. If Cisco Secure A CS successfully authenticates the user, Cisco Secure A C S returns a RADIUS access-accept message that contains the interna l name of the applicable downloadable access list. The Cisco IOS cisco-a v-p[...]

  • Page 557

    23-13 Cisco ASDM User Guide OL-16647-01 Chapter 23 Applying AAA for Network Access Configuring Auth orization for Network Access 6. If the access list required is mo re than approxima tely 4 KB in length, Cisco Secure A CS responds with an access-challenge message that contains a portion of the access list , formatte d as described abov e, and an S[...]

  • Page 558

    23-14 Cisco ASDM User Guide OL-16647-01 Chapter 23 Applying AAA for Network Access Configuring Authoriz ation for Network Access access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit udp any host 10.0.0.253 access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit icmp any host 10.0.0.253 access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit tcp [...]

  • Page 559

    23-15 Cisco ASDM User Guide OL-16647-01 Chapter 23 Applying AAA for Network Access Configuring Accounting fo r Network Access Converting Wildcard Netma sk Expressions in Downloadable Access Lists If a RADIUS server provides do wnloadable access lists to Cisco VPN 3000 series concentrators as well as to the security appliance, you may need the secur[...]

  • Page 560

    23-16 Cisco ASDM User Guide OL-16647-01 Chapter 23 Applying AAA for Network Access Using MAC Addresses to Exempt Traffic from Authenticatio n and Authorization Step 3 From the Interface drop-down list, choose the interface for applying the rule. Step 4 In the Action field, cli ck one of the follo wing, depending on the implementation: • Account ?[...]

  • Page 561

    23-17 Cisco ASDM User Guide OL-16647-01 Chapter 23 Applying AAA for Network Access Using MAC Addresses to Ex empt Traffi c from Authentication and Authorization The order of entries ma tters, because the packet uses the first en try it matches, as opposed to a best match scenario. If you ha ve a permit entry , and you want to de n y an address that[...]

  • Page 562

    23-18 Cisco ASDM User Guide OL-16647-01 Chapter 23 Applying AAA for Network Access Using MAC Addresses to Exempt Traffic from Authenticatio n and Authorization[...]

  • Page 563

    CH A P T E R 24-1 Cisco ASDM User Guide OL-16647-01 24 Configuring A pplication Layer Protocol Inspection This chapter descri bes how to configure application layer p rotocol inspec tion. Inspecti on engines are required for services that embed IP addressing information in the user data packet or that open secondary channels on dynamically assigned[...]

  • Page 564

    24-2 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Inspection Engine Overview • RADIUS Accounting Inspection, p age 24-19 • RSH Inspection, page 24-19 • R TSP Inspection, page 24-19 • SIP Inspection, pa ge 24-21 • Skinny (SCCP) Inspection, page 24-22 • SMTP and Extended SMTP Inspect io[...]

  • Page 565

    24-3 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Inspection Engine Overview Inspection Limitations See the follo wing limitations fo r application protocol in spection: • State information for multimedia sessions that require inspection are not passed o ver the state link for stateful failov er .[...]

  • Page 566

    24-4 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Configuring App lication Inspection Configu ring Application Inspection This feature uses Security Policy Rules. Service policies pro vide a consistent and fle xible way to confi gure security appliance features. F or example, you can use a serv i[...]

  • Page 567

    24-5 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection CTIQBE Inspection T o conf igure application in spection, perform the f ollow ing steps: Step 1 Click Configuration > Fi rewall > Ser vice Policy Rul es . Step 2 Add or edit a service policy r ule according to the “ Adding a Service Policy Ru[...]

  • Page 568

    24-6 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection DCERPC Inspection • Entering the debug ctiqbe command may delay message transmission, which may ha ve a performance impact in a real-ti me en vironment. When y ou enable this deb ugging or logging and Cisco IP SoftPhone seems unable to complete [...]

  • Page 569

    24-7 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection DNS Inspection • T ranslates the DNS record based on the configuration completed using N A T rules. Translatio n only applies to the A-record in the DNS r eply; therefore, DNS Re write does not af fect rev erse lookups, which request the PTR record[...]

  • Page 570

    24-8 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection ESMTP Inspection Figur e 24-1 T ranslating th e Addr ess in a DN S Reply (DNS Rewr it e) DNS re write also works if the cl ient making the DN S request is on a DMZ netw ork and the DNS server is on an insi de interface. ESMTP Inspection ESMTP insp[...]

  • Page 571

    24-9 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection FTP Inspection Note If you disable FTP inspection engines, outbou nd users can start connections only in passi ve mode, and all inbound FTP is disabl ed. Using Strict FTP Using strict FTP increases th e security of p rotected netw orks by pre v entin[...]

  • Page 572

    24-10 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection GTP Inspection • The security appliance replaces th e FTP server response to the SYST command with a series of Xs. to pre vent the serv er from rev ealing its system type to FTP clients. T o override this default beha vior , use the Lo w settin[...]

  • Page 573

    24-11 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection H.323 Inspection Figure 24-2 GPRS T unneling Protocol The UMTS is the commercial con v ergence of f ix ed-line telephon y , mobile, Internet and computer technology . UTRAN is the netw orking proto col used for impl ementing wireless network s in th[...]

  • Page 574

    24-12 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection H.323 Inspection H.323 Inspection Overview H.323 inspection provides support for H.323 complia nt applicat ions such as Cisco Call Manager and V ocalT e c Gatekeeper . H.323 is a suite of protocol s def ined by the International T elecommunicatio[...]

  • Page 575

    24-13 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection HTTP Inspection The H.323 ITU standard requires that a TPKT head er, def ining the lengt h of the message, precede the H.225 and H.245, bef ore being passed on to the re liable connection. Because the TPKT header does not necessarily need to be sent[...]

  • Page 576

    24-14 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Instant Messaging In spection Instant Messaging Inspection The IM inspect engine lets you apply fine grained co ntrols on the IM appl ication to contr ol the netw ork usage and stop leakage of confidential data, pr opagation of wo rms, and other [...]

  • Page 577

    24-15 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection MGCP Inspection For search responses, when the LD AP serv er is lo cated outside, N A T should be considered to allo w internal peers t o communicate locally while re gister ed to external LD AP serv ers. For such search responses, xlates are search[...]

  • Page 578

    24-16 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection MGCP Inspection the Internet or o ver other packet n etworks. Using N A T and P A T with MGCP lets you support a large number of de vices on an internal network wi th a limited set of external (glob al) addresses. Examples of media gat ew ays are[...]

  • Page 579

    24-17 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection MMP Inspection • DeleteCo nnection • Notifi cationRequest • Notify • AuditEndpoint • AuditConnection • RestartInProgr ess The first four commands are sent b y the call agent to the gatew ay . The Notify command is sent by the gate way to[...]

  • Page 580

    24-18 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection NetBIOS Inspection • V erifies that client to serv er MMP content lengths are n ot exceeded. If an ent ity content length is exceeded (4096), the TCP session is terminated. Note 4096 is the v alue currently used i n MMP implementations. Since M[...]

  • Page 581

    24-19 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection PPTP Inspection PPTP Inspection PPTP is a protocol for tunneling PPP traf f ic. A PPTP session is composed of one TCP channel and usually two PP TP GRE tunnels. The TCP channel is the contr ol channel used for ne gotiating and managing the PPTP GRE [...]

  • Page 582

    24-20 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection RTSP Inspection RTSP Inspection Overview The R T SP inspection engine lets th e security applia nce pass R TSP pack ets. R TSP is used by RealAudio, RealNetworks, Ap ple QuickT ime 4, Real Player , and Cisco IP/TV connections. Note For Cisco IP/T[...]

  • Page 583

    24-21 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection SIP Inspection • W ith Cisco IP/TV , the number of translates the security appliance pe rforms on the SD P part of the message is proportio nal to the number of progr am listings in the Content Manager (each program listing can ha ve at least six [...]

  • Page 584

    24-22 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Skinny (SCCP) Inspection • Session Initiation Protocol ( SIP)-Specific Ev ent Notif ication, RFC 3265 • Session Initiation Protocol ( SIP) Extension for Instant Messagin g, RFC 3428 MESSA GE/INFO requests can co me in at any time after re gis[...]

  • Page 585

    24-23 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Skinny (SCCP) Inspection Note For specif ic information abo ut setting up the Phone Prox y on the security appliance, which is part o f the Cisco Unif ied Communications architecture and supports IP P hone deploymen t, see Phone Pr oxy , page 19-24 [...]

  • Page 586

    24-24 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection SMTP and Extende d SMTP Inspection When the Cisco IP Phones are on a higher security interface compared to the TFTP server and Cisco CallMana ger , no access list or static entry is re quired to allo w the Cisco IP Phones to initiate the connecti[...]

  • Page 587

    24-25 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection SNMP Inspection W ith SMTP inspection enabled, a T elnet session us ed for interacti ve SMTP may hang if th e follo wing rules are not observ ed: SMTP commands must be at l east four characters in length; must be terminated with carriage return and [...]

  • Page 588

    24-26 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Sun RPC Inspection The packets that need fix-up contain embedded host/port addr esses in the follo wing format: (ADDRESS=(PROTOCOL=tcp)(DEV=6)( HOST=a.b.c. d)( PORT= a)) SQL*Net V ersion 2 TNSFrame types (Connect, A ccep t, Refuse, Resend, and Ma[...]

  • Page 589

    24-27 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Sun RPC Inspection • IP address— Displays the IP address of the SunRPC server . • Mask —Displays the subnet mask of t he IP Address of the SunRPC serv er . • Service ID— Displays the Su nRPC program number , or service ID, al lowed to tr[...]

  • Page 590

    24-28 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection TFTP Inspec tion TFTP Inspection TFTP inspection is enabled by default. TFTP , described in RFC 1350, is a simple protocol to read and wr ite files between a TFTP serv er and client. The security appliance inspects TFTP traff ic and dy namically [...]

  • Page 591

    24-29 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Service Poli cy Field Descri ptions • Select H.323 M ap, page 24 -33 • Select HTTP Map, page 24-34 • Select IM Map, page 24-34 • Select IPSec-Pass-Thru Map, page 24-35 • Select MGCP Map, page 24-35 • Select NETBIOS Map, pa ge 24-36 • S[...]

  • Page 592

    24-30 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Service Policy Field De scriptions – Config ure—Displays the Select HTTP Map dialo g box, which lets you select a map name to use for this prot ocol. • ICMP— Enables application inspection for th e ICMP protocol. • ICMP Error— Enables[...]

  • Page 593

    24-31 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Service Poli cy Field Descri ptions For More Information Inspect Map Field Descripti ons, page 24-59 Inspect command pages for each protocol in the Cisco Security Appliance Command Refer e nce . Select DCERPC Map The Select DCERPC Map dial og box le[...]

  • Page 594

    24-32 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Service Policy Field De scriptions Modes The follo wing table sho ws the modes in which this featur e is av ailable: Select ESMTP Map The Select ESMTP Map dialog box lets you select or create a ne w ESMTP map. An ESMTP map lets you change the con[...]

  • Page 595

    24-33 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Service Poli cy Field Descri ptions Modes The follo wing table sho ws the modes in which this featur e is av ailable: Select GTP Map The Select GTP Map dialog box lets you sel ect or create a new GTP map. A GTP map let s you change the conf iguratio[...]

  • Page 596

    24-34 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Service Policy Field De scriptions Modes The follo wing table sho ws the modes in which this featur e is av ailable: Select HTTP Map The Select HTTP Map dialog box lets you select or create a new H TTP map. An HTTP map lets you change the configu[...]

  • Page 597

    24-35 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Service Poli cy Field Descri ptions Select IPSec-Pass-Thru Map The Select IPSec-Pa ss-Thru dialog box lets you select or create a n ew IP Sec map. An IPSec map lets you change t he confi guration v alues used for IPSec application inspectio n. The S[...]

  • Page 598

    24-36 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Service Policy Field De scriptions Select NETBIOS Map The Select NETBIOS Map dialog box lets you select or create a ne w NetBIOS map. A NetB IOS map lets you change the conf iguration v alues used for NetBIOS application inspection. The Select Ne[...]

  • Page 599

    24-37 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Service Poli cy Field Descri ptions Select SCCP (Skinny) Map The Select SCCP (Skinny) Map dialog box lets you select or create a ne w SCCP (Skinny) map. An SCCP (Skinny) map lets you change the co nfiguratio n val ues used for SCCP (Skinny) applicat[...]

  • Page 600

    24-38 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Service Policy Field De scriptions Fields • Use the default SIP inspection map —Specifies to use the def ault SIP map. • Select a SIP map f or fine contr ol over inspection— Lets you select a defined application inspection map or add a ne[...]

  • Page 601

    24-39 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Class Map Fiel d Descriptio ns Class Map Field Descriptions An inspection class map matche s appl ication traff ic with criteria specific to the applica tion, such as a URL string. Y ou then identify the class map in th e inspect map and enable acti[...]

  • Page 602

    24-40 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Class Map Field Descriptions Add/Edit DNS Traffic Class Map The Add/Edit DNS T raff ic Class Map dialog box lets you def ine a DNS class map. Fields • Name—Enter the name of the DNS class map, up to 40 charac ters in leng th. • Description?[...]

  • Page 603

    24-41 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Class Map Fiel d Descriptio ns Header Flag V alue—Lets you enter an ar bitrary 16-bit v alue in hex t o match. • T ype Criterion V alues—Specifies the v alue d etails for the DNS type match. – DNS T ype Field Name—Lists the DNS types to se[...]

  • Page 604

    24-42 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Class Map Field Descriptions Manage Regular Expressions The Manage Regular Expression s dialog box lets you configure Re gular Expressions for use in pattern matching. Re gular expressions th at start with “_defa ult” are default re gular ex [...]

  • Page 605

    24-43 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Class Map Fiel d Descriptio ns • Add—Adds a re gular e xpression class map. • Edit—Edits a regular e xpression class map. • Delete—Deletes a regular expression class map. Modes The follo wing table sho ws the modes in which this featur e[...]

  • Page 606

    24-44 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Class Map Field Descriptions Add/Edit FTP Traffic Class Map The Add/Edit FTP T raf f ic Class Map dialog bo x lets you define a FTP class map. Fields • Name—Enter the name of the FTP class map, up to 40 ch aracters in length. • Description?[...]

  • Page 607

    24-45 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Class Map Fiel d Descriptio ns GET—FTP client command for the retr (retri ev e a fi le) command. HELP—Help informatio n from the serv er . MKD—Create a directory . PUT—FTP client comman d for the stor (store a f ile) command. RM D— R em ov[...]

  • Page 608

    24-46 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Class Map Field Descriptions H.323 Class Map The H.323 Class Map panel l ets you conf ig ure H.323 class maps for H.323 inspection. An inspectio n class map ma tches applic ation traff ic with cr iteria specific to the a pplication. Y ou then ide[...]

  • Page 609

    24-47 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Class Map Fiel d Descriptio ns • Add—Adds an H.323 class map . • Edit—Edits an H.323 cl ass map. • Delete—Deletes an H.323 class map. Modes The follo wing table sho ws the modes in which this featur e is av ailable: Add/Edit H.323 Match [...]

  • Page 610

    24-48 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Class Map Field Descriptions – Audio—Match audi o type. – V ideo—Match video type. – Data—Mat ch data typ e. Modes The follo wing table sho ws the modes in which this featur e is av ailable: HTTP Class Map The HTTP Class Map panel let[...]

  • Page 611

    24-49 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Class Map Fiel d Descriptio ns Add/Edit HTTP Traffic Class Map The Add/Edit HTTP T raf f ic Class Map dialog box lets you def ine a HTTP class map. Fields • Name—Enter the name of the HTTP class map, up to 40 characters in length. • Descriptio[...]

  • Page 612

    24-50 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Class Map Field Descriptions – Request Body—Applies the re gular expressi on match t o the body of the request. Regular Expressi on—Lists the def ined regu lar expressions to match. Manage—Opens the Manage Regu lar Expressions di alog box[...]

  • Page 613

    24-51 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Class Map Fiel d Descriptio ns – Request Header Count—App lies the regular expressio n match to the header of the request with a maximum number of header s. Greater Than Count—Ent er the maximum number of headers. – Request Header Length—A[...]

  • Page 614

    24-52 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Class Map Field Descriptions Greater Than Lengt h—Enter a f ield length v alue in b ytes that response f ield lengt hs will be matched against. – Response Header Field Count—Appl ies the regular e xpression match to the header of t he respo[...]

  • Page 615

    24-53 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Class Map Fiel d Descriptio ns – Response Status Line—Applies the re gular expr ession match to the status line. Regular Expressi on—Lists the def ined regu lar expressions to match . Manage—Op ens the Manage Regular Expressions di alog box,[...]

  • Page 616

    24-54 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Class Map Field Descriptions Add/Edit IM Traffic Class Map The Add/Edit IM T raff ic Class Map dialog box lets you define a IM class ma p. Fields • Name—Enter the name of the IM class map, up to 40 characte rs in leng th. • Description—En[...]

  • Page 617

    24-55 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Class Map Fiel d Descriptio ns – Source IP Address—Match source IP address. – Destination IP Address—Match d estination IP address. – Filename—Match f ilename form IM file transfer serv ice. • Protocol Criterion V alues—Specif ies wh[...]

  • Page 618

    24-56 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Class Map Field Descriptions • Destination IP Address Criterion V alues—Specifies to match the de stination IP address of the IM service. – IP Address—Enter the destination IP address of the IM service. – IP Mask—Mask of the destinati[...]

  • Page 619

    24-57 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Class Map Fiel d Descriptio ns Modes The follo wing table sho ws the modes in which this featur e is av ailable: Add/Edit SIP Traffic Class Map The Add/Edit SIP T raf f ic Class Map dialog box lets you def ine a SIP class map. Fields • Name—Ente[...]

  • Page 620

    24-58 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Class Map Field Descriptions – Content T ype—Match the Con tent T ype header . – IM Subscriber—Match the SIP IM subscriber . – Message Path—Match the SIP V ia header . – Request Method—Match the SIP request method. – Third-P art[...]

  • Page 621

    24-59 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Inspect Map Fi eld Descri ptions – Manage—Opens the Manage Re gular Expression Class di alog box, which lets you con figu re regul ar expression class maps. • Message Path Cri terion V alues—Specifies t o match a SIP V ia header . Applies th[...]

  • Page 622

    24-60 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Inspect Map Field Descriptions • DNS Inspect M ap, page 24 -64 • ESMTP Inspect Map, page 24-71 • FTP Inspect Map, page 24-79 • GTP Inspect Map, page 24-84 • H.323 Inspect Map, page 24-89 • HTTP Inspect Map, page 24-95 • Instant Mess[...]

  • Page 623

    24-61 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Inspect Map Fi eld Descri ptions Use the Service Polic y Rules tab on the Security Pol icy pane to appl y the inspect map to traf fic matc hing the criteria specif ied in the servi ce policy . A service polic y can apply to a specific interface or t[...]

  • Page 624

    24-62 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Inspect Map Field Descriptions DCERPC Inspect Map The DCERPC pane lets you vie w pre viously co nfigured DCERPC application inspection maps. A DCERPC map lets you change the def ault confi gur ation v alues us ed for DCERPC ap plication inspectio[...]

  • Page 625

    24-63 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Inspect Map Fi eld Descri ptions Endpoint mapper service lo okup: enabled Endpoint mapper service look up timeout: 00:05:00 – Medium—D efault. Pinhole timeout: 00:01:00 Endpoint mapp er service: not enfo rced Endpoint mapper service look up: dis[...]

  • Page 626

    24-64 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Inspect Map Field Descriptions – High Pinhole timeout: 00:01:00 Endpoint mapp er service: enforced Endpoint mapper service look up: disabled – Default Lev el—Se ts the security lev el back to th e default lev el of Med ium. • Details—Sh[...]

  • Page 627

    24-65 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Inspect Map Fi eld Descri ptions • Add—Conf igures a ne w DNS inspect map. T o edit a DNS inspect map, select the DNS entry in the DNS Inspec t Maps tabl e and click C ustomize. • Delete—Deletes the inspect map selec t ed in the DNS Inspect [...]

  • Page 628

    24-66 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Inspect Map Field Descriptions Add/Edit DNS Policy Map (Security Level) The Add/Edit DNS Polic y Map pane lets yo u configure th e security le vel and add itional settings fo r DNS application inspection maps. Fields • Name—When adding a DNS [...]

  • Page 629

    24-67 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Inspect Map Fi eld Descri ptions Message length check: enabled Message length maximum: 512 Mismatch rate logging: enabled TSIG resource record: enforced – Default Le v el—Sets the security le ve l back to the default le v el of Lo w . • Detail[...]

  • Page 630

    24-68 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Inspect Map Field Descriptions Drop packets that e xceed specified maximum length (global)—Drop s packets that exceed maximum length in b ytes. Maximum Pack et Length—Enter maximum packet le ngth in bytes. – Server Settings—A pplies setti[...]

  • Page 631

    24-69 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Inspect Map Fi eld Descri ptions Add/Edit DNS Inspect The Add/Edit DNS Inspect d ialog box lets you def ine the mat ch criterion and v alue for the DNS inspect map. Fields • Single Match—Specif ies that the DNS in spect has only one match statem[...]

  • Page 632

    24-70 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Inspect Map Field Descriptions – DNS Class Field V alue—Specifies to match eith er a DNS class field v alue or a DNS class field range. V alue—Lets you enter an arbitrary v alue between 0 and 6 5535 to match. Range—Lets you enter a range [...]

  • Page 633

    24-71 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Inspect Map Fi eld Descri ptions An inspectio n class map ma tches applic ation traff ic with cr iteria specific to the a pplication. Y ou then identify th e class map in the in spect map and enable actions. The dif ference between creating a class [...]

  • Page 634

    24-72 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Inspect Map Field Descriptions Log if body line length i s greater than 1000 Log if sender address length i s greater than 320 Log if MIME fi le name length is greater than 255 – Medium Obfuscate Server Banner Drop Connections if comman d line [...]

  • Page 635

    24-73 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Inspect Map Fi eld Descri ptions • Add—Opens the Add MIME Fil e T ype Filter dial og box to add a MIME f ile type f ilter . • Edit—Opens the Edit MIME File T ype Filter dialog box to edit a MIME f ile type f ilter . • Delete—Del etes a M[...]

  • Page 636

    24-74 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Inspect Map Field Descriptions Drop Connections if comman d recipi ent count is greater than 100 Drop Connections if body line length is greater than 1000 Drop Connections and log if send er address length is greater than 320 Drop Connections and[...]

  • Page 637

    24-75 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Inspect Map Fi eld Descri ptions – Edit—Opens the Edit ESMTP Inspect d ialog box to edit an ESMTP inspection. – Delete—Deletes an ESMTP inspection. – Move Up—Moves an inspection up in the list. – Move Down—Mov es an inspection do wn [...]

  • Page 638

    24-76 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Inspect Map Field Descriptions – Log—Enable or d isable. • Body Line Length Criterion V alues—Specifies the val ue details for body line length match. – Greater Than Lengt h—Body line length in b ytes. – Action—Reset, drop connect[...]

  • Page 639

    24-77 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Inspect Map Fi eld Descri ptions – A vailable P arameters T able: 8bitmime auth binarymime checkpoint dsn ecode etrn others pipelining size vrfy – Add—Adds the sele cted parameter from the A vai lable P arameters table to the Selected Paramete[...]

  • Page 640

    24-78 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Inspect Map Field Descriptions – Log—Enable or d isable. • MIME Filename Length Criteri on V alues—Specif ies the v alue details for MI ME filename length match. – Greater Than Length—MIME f ilename length in b ytes. – Action—Rese[...]

  • Page 641

    24-79 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Inspect Map Fi eld Descri ptions FTP Inspect Map The FTP pane lets you vie w pre viously con figured FTP application inspection maps. An FTP map lets you change the defa ult config uration v alues used for FTP application inspection. FTP command fi [...]

  • Page 642

    24-80 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Inspect Map Field Descriptions File Type Filtering The File T ype Filtering dialog bo x lets you conf igure the settings for a file type f ilter . Fields • Match T y pe—Shows the match ty pe, which ca n be a positive or negati ve match. • C[...]

  • Page 643

    24-81 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Inspect Map Fi eld Descri ptions – Default Le v el—Sets the security le ve l back to the default le v el of Medium. • Details—S hows the Parameters and Inspec tion s tabs to config ure additional settings. Modes The follo wing table sho ws t[...]

  • Page 644

    24-82 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Inspect Map Field Descriptions Add/Edit FTP Map The Add/Edit FTP Inspect dialog box lets yo u define the match criterion and v alue for the FTP i nspect map. Fields • Single Match—Specif ies that the FTP in spect has only one match statement.[...]

  • Page 645

    24-83 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Inspect Map Fi eld Descri ptions – Manage—Op ens the Manage Regular Expressions di alog box, which lets you confi gure regu lar expressions. – Regular Expression Class—Lists the def ined regular e xpression classes to match. – Manage—Ope[...]

  • Page 646

    24-84 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Inspect Map Field Descriptions GTP Inspect Map The GTP pane lets you vie w pre viously conf igured GTP appli cation inspection maps. A GTP map lets you change the defa ult config uration v alues used for GTP application inspection. GTP is a relat[...]

  • Page 647

    24-85 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Inspect Map Fi eld Descri ptions Fields • Mobile Country Code—Def ines the non-zero, three-dig it va lue identifying the mobil e country code. One or two-digit ent ries will be prepended by 0 to create a three-digit v alue. • Mobile Network Co[...]

  • Page 648

    24-86 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Inspect Map Field Descriptions Add/Edit GTP Policy Map (Details) The Add/Edit GTP Poli cy Map pane lets you conf igure the security l ev el and addition al settings for GTP application inspection maps. Fields • Name—When adding a GTP map, ent[...]

  • Page 649

    24-87 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Inspect Map Fi eld Descri ptions Request Queue—Lets you ch ange the default fo r the maximum period of inacti vity before recei ving the GTP message during a GTP session. The d efault is 1 minute. T imeout is in the format hh : mm : ss , where hh [...]

  • Page 650

    24-88 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Inspect Map Field Descriptions Add/Edit GTP Map The Add/Edit GTP Insp ect dialog box lets you define the mat ch criterion and v alue for t he GTP inspect map. Fields • Match T y pe—Specifies whethe r traff ic should ma tch or not ma tch the v[...]

  • Page 651

    24-89 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Inspect Map Fi eld Descri ptions – V alue—Specifies whether v alue is an e xact match or a range. Equals—Enter a value. Range—Enter a range of values. – Action—Drop pack et. – Log—Enable or d isable. Modes The follo wing table sho ws[...]

  • Page 652

    24-90 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Inspect Map Field Descriptions Limit payload to audio or video, based on the signaling exchange: no – High State Checking h225 Enabled State Checking ras Enabled Call P arty Number Enabled Call duration Limit 1 :00:00 R TP conformance enforced [...]

  • Page 653

    24-91 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Inspect Map Fi eld Descri ptions Add/Edit H.323 Policy Map (Security Level) The Add/Edit H.323 Polic y Map pane lets you con figur e the security le ve l and additional settin gs for H.323 application inspection map s. Fields • Name—When adding [...]

  • Page 654

    24-92 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Inspect Map Field Descriptions • Details—Shows the State Checking , Call Attrib utes, T unneling and Protocol Conformance, HSI Group Parameters, and Inspections tab s to confi gure additional settings. Modes The follo wing table sho ws the mo[...]

  • Page 655

    24-93 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Inspect Map Fi eld Descri ptions – Add—Opens the Add HSI Grou p dialog box to add an HSI gro up. – Edit—Opens the Edit HSI Gr oup dialog box to edit an HSI group. – Delete—Deletes an HSI group. • Inspections—T ab that shows you t he [...]

  • Page 656

    24-94 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Inspect Map Field Descriptions Add/Edit H.323 Map The Add/Edit H.323 Inspect dialog box lets you def ine the match criteri on and v alue for the H.323 inspect map. Fields • Single Match—Specif ies that the H.323 inspect has only one match sta[...]

  • Page 657

    24-95 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Inspect Map Fi eld Descri ptions – Manage—Op ens the Mana ge H323 Clas s Maps dialog bo x to add, edit, or delete H.323 Class Maps. • Action—Drop packet, dr op connection, or reset. Modes The follo wing table sho ws the modes in which this f[...]

  • Page 658

    24-96 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Inspect Map Field Descriptions – High Protocol violation acti on: Drop connection and log Drop connections fo r unsafe methods: Allo w only GET an d HEAD. Drop connections for requ ests with non-ASCII head ers: Enabled URI filtering: Not config[...]

  • Page 659

    24-97 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Inspect Map Fi eld Descri ptions Add/Edit HTTP Policy Map (Security Level) The Add/Edit HTTP Polic y Map pane lets you conf ig ure the securi ty le vel and additi onal settings for HTTP application inspection maps. Fields • Name—When adding an H[...]

  • Page 660

    24-98 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Inspect Map Field Descriptions Modes The follo wing table sho ws the modes in which this featur e is av ailable: Add/Edit HTTP Policy Map (Details) The Add/Edit HTTP Polic y Map pane lets you conf ig ure the securi ty le vel and additi onal setti[...]

  • Page 661

    24-99 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Inspect Map Fi eld Descri ptions Add/Edit HTTP Map The Add/Edit HTTP Inspect dialog box lets you def ine the match criterion and value f or the HTTP inspect map. Fields • Single Match—Specif ies that the HTTP inspect has only one match st atemen[...]

  • Page 662

    24-100 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Inspect Map Field Descriptions cookie, date, expect, e xpires, from, host, if-mat ch, if-modif ied-since, i f-none-match, if-range, if-unmodif ied-since, last-modif ied, max-forw ards , pragma, proxy-authorizatio n, range, referer , te, trailer [...]

  • Page 663

    24-101 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Inspect Map Fi eld Descri ptions Method—Specif ies to match on a request method: bc opy , bdelete, bmove , bpropfin d, bproppatch, connect, copy , delete, edit, get, getattrib ute, getattribu tenames, getproperties, head, index, lock, mkcol, mkdi[...]

  • Page 664

    24-102 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Inspect Map Field Descriptions Regular Expressi on—Lists the def ined regu lar expressions to match. Manage—Opens the Manage Regu lar Expressions di alog box, which let s you configu re regular expressions. Greater Than Count —Enter the ma[...]

  • Page 665

    24-103 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Inspect Map Fi eld Descri ptions – H323 T raf fic Class—Specif ies the HTTP traff ic class match. – Manage—Opens the Manage HTTP Class Maps dial og box t o add, edit, or delete HTTP Class Maps. • Action—Drop connectio n, reset, or log. [...]

  • Page 666

    24-104 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Inspect Map Field Descriptions Add/Edit Instant Messaging (IM) Policy Map The Add/Edit Instant Messaging (I M) Policy Map pane lets y ou configu re the security le vel and additional settin gs for IM application inspection map s. Fields • Name[...]

  • Page 667

    24-105 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Inspect Map Fi eld Descri ptions – Destination IP Address—Match d estination IP address. – V ersion—Match IM fil e transfer service version. – Client Login Name—Match client login name from I M service. – Client Peer Login Name—M at[...]

  • Page 668

    24-106 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Inspect Map Field Descriptions – Regular Expressi on—Lists the def ined regu lar expressions to match. – Manage—Opens the Manage Regu lar Expressions di alog box, which let s you configu re regular expressions. – Regular Expression Cla[...]

  • Page 669

    24-107 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Inspect Map Fi eld Descri ptions – Lo w—Default . Maximum ESP flo ws per client: Unlimi ted. ESP idle timeout: 00:10 :00. Maximum AH flo ws per client: Unlimit ed. AH idle timeout: 00 :10:00. – High Maximum ESP flo ws per client:10. ESP idle [...]

  • Page 670

    24-108 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Inspect Map Field Descriptions AH idle timeout: 00 :00:30. – Default Lev el—Sets t he security level back to the de fault lev el of Low . • Details—Sho ws additional paramet er settings to conf igure. Mode The follo wing table sho ws the[...]

  • Page 671

    24-109 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Inspect Map Fi eld Descri ptions MGCP Inspect Map The MGCP pane lets you vie w pre viously conf igur ed MGCP application inspection maps. An MGCP map lets you change the def ault confi guration v alu es used for MGCP application inspection. Y ou ca[...]

  • Page 672

    24-110 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Inspect Map Field Descriptions Add/Edit MGCP Policy Map The Add/Ed it MGCP Po licy Map pane l ets you con f igure the command queue, gate way , and call agent settings for MGCP applicat ion inspection maps. Fields • Name—When adding an MGCP [...]

  • Page 673

    24-111 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Inspect Map Fi eld Descri ptions Add/Edit MGCP Group The Add/Edit MGCP Group dialog box lets yo u defin e the config uration of an MGCP grou p that will be used when MGCP application inspection is enabled. Fields • Group ID—Specif ies the ID of[...]

  • Page 674

    24-112 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Inspect Map Field Descriptions NetBIOS Inspect Map The NetBIOS pane lets you vie w pre viously config ured NetBIOS application inspection maps. A NetBIOS map lets you change the defau lt configurat io n values used for NetBIOS application inspec[...]

  • Page 675

    24-113 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Inspect Map Fi eld Descri ptions RTSP Inspect Map The R TSP pane lets you vie w pre viously confi gur ed R TSP application inspection maps. An R TSP map lets you c hange the de fault configuration values us ed for R TSP application in spection. Y o[...]

  • Page 676

    24-114 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Inspect Map Field Descriptions – Edit—Opens the Edit R TSP Inspect dialog box t o edit a R TSP inspection. – Delete—Deletes a R TSP inspection. – Move Up—Moves an inspection up in the list. – Move Down—Mov es an inspection do wn [...]

  • Page 677

    24-115 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Inspect Map Fi eld Descri ptions Modes The follo wing table sho ws the modes in which this featur e is av ailable: SCCP (Skinny) Inspect Map The SCCP (Skinn y) pane lets you vie w pre viously conf igured SCCP (Sk inny) applicatio n inspection maps.[...]

  • Page 678

    24-116 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Inspect Map Field Descriptions Maximum message ID: 0x141. Minimum pref ix length: 4. Maximum pref ix length: 65536. Media timeout: 00 :01:00. Signaling timeout: 00:05: 00. R TP conformance: Enforced . Limit payload to audio or vi deo, based on t[...]

  • Page 679

    24-117 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Inspect Map Fi eld Descri ptions Add/Edit SCCP (Skinny) Policy Map (Security Level) The Add/Edit SCCP (Skinn y) Polic y Map pane lets you conf igure the security le v el and additional settings for SCCP (Skin ny) application i nspection maps. Field[...]

  • Page 680

    24-118 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Inspect Map Field Descriptions Limit payload to audio or vi deo, based on the signaling exchange: Y es. – Message ID Filtering—Open s the Messaging ID Filtering dial og box for conf iguring messag e ID filters. – Default Lev el—Se ts the[...]

  • Page 681

    24-119 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Inspect Map Fi eld Descri ptions – Criterion—Sho ws the criterion of the inspection. – V alue—Shows the v alue to match in t he inspection. – Action—Sho ws the action if the match condition is met . – Log—Sho ws the log state. – A[...]

  • Page 682

    24-120 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Inspect Map Field Descriptions SIP Inspect Map The SIP pane lets you vie w pre viously conf igured SIP applicat ion inspection maps. A SIP map lets yo u change the default conf iguration values used for SIP application inspection. SIP is a widel[...]

  • Page 683

    24-121 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Inspect Map Fi eld Descri ptions – High SIP instant m essaging (I M) extensions: Enab led. Non-SIP traf f ic on SIP port: Denied. Hide server ’ s and end point’ s IP addresses: Disabled. Mask software version a nd n on-SIP URIs: Enabled. Ensu[...]

  • Page 684

    24-122 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Inspect Map Field Descriptions Non-SIP traf fic on SIP port: Permit ted. Hide server ’ s and endpoi nt’ s IP addresses: Disabled. Mask software version a nd n on-SIP URIs: Disabled. Ensure that the number of hops to d e stination is greater [...]

  • Page 685

    24-123 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Inspect Map Fi eld Descri ptions – Enable SIP instant messaging (IM) ext ensions—E nables Instant Messagi ng extensions. Def ault is enabled. – Permit non-SIP traf f ic on SIP port—Permits non-SIP traf f ic on SIP port. Permitted b y defaul[...]

  • Page 686

    24-124 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Inspect Map Field Descriptions – Move Up—Moves an inspection up in the list. – Move Down—Mov es an inspection do wn in the list. Modes The follo wing table sho ws the modes in which this featur e is av ailable: Add/Edit SIP Inspect The A[...]

  • Page 687

    24-125 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Inspect Map Fi eld Descri ptions – Regular Expressi on—Lists the def ined regu lar expressions to match . – Manage—Op ens the Manage Regular Expressions di alog box, which lets you confi gure regu lar expressions. – Regular Expression Cla[...]

  • Page 688

    24-126 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Inspect Map Field Descriptions – Regular Expression Class—Lists the def ine d regular expression classes to match. – Manage—Op ens the Manage Regular Expression Class dialog box, which lets y ou confi gure regul ar expression class maps.[...]

  • Page 689

    24-127 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Inspect Map Fi eld Descri ptions Add/Edit SNMP Map The Add/Edit SNMP Map dialog box lets you create a new SNMP map for controlling SNMP application inspection. Fields • SNMP Map Name—Defines th e name of the application inspectio n map. • SNM[...]

  • Page 690

    24-128 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Inspect Map Field Descriptions[...]

  • Page 691

    CH A P T E R 25-1 Cisco ASDM User Guide OL-16647-01 25 Configuring QoS Hav e you e ver part icipated in a long-distan ce phon e call that in v olv ed a satellite connection? The con versatio n might be interrupted with brief , but per ceptible, gaps at odd interv als. Those gaps are the time, called the latency , between the arri v al of pack ets b[...]

  • Page 692

    25-2 Cisco ASDM User Guide OL-16647-01 Chapter 25 Configuring QoS QoS Overview Supported QoS Features The security appliance suppor ts the following QoS features: • Policing—T o prev ent indi vidual flo ws from hogg ing the network bandw idth, you can limit th e maximum bandwidth used p er flo w . See the “Policing Overvie w” section on pag[...]

  • Page 693

    25-3 Cisco ASDM User Guide OL-16647-01 Chapter 25 Configuring QoS QoS Overview For traf f ic shaping, a tok en b ucket permits burstiness b ut bound s it. It guarantees that the burstiness i s bounded so that the flo w will ne v er send faster than the token b ucket capacity , di vided by the ti me interv al, plus the established r ate at which tok[...]

  • Page 694

    25-4 Cisco ASDM User Guide OL-16647-01 Chapter 25 Configuring QoS QoS Overview Traffic Shaping Overview T raf fic shap ing is used to match de vice an d link speed s, thereby cont rolling packet loss, v ariable delay , and link saturation , which can cause jitter an d delay . • T raf fic shaping mu st be applied to all outgoing traff ic on a ph y[...]

  • Page 695

    25-5 Cisco ASDM User Guide OL-16647-01 Chapter 25 Configuring QoS Creating the Standard Pr iority Queue for an Interface Y o u cannot conf igure traf f ic shaping and standard priori ty queueing for the same interf ace; only hierarchical priori ty queueing is allo wed. F or example, if you configu re standard priority queueing for the global po lic[...]

  • Page 696

    25-6 Cisco ASDM User Guide OL-16647-01 Chapter 25 Configuring QoS Creating a Po licy for Standard Priority Queu eing and/or Policing This setting guaran tees that the hardware-based t ransmit ring imposes no more than 10-ms of e xtra latency fo r a high-priority packet. This option sets the maximum number of lo w-latenc y or normal priority pack et[...]

  • Page 697

    25-7 Cisco ASDM User Guide OL-16647-01 Chapter 25 Configuring QoS Creating a Policy for Traffic Shaping and Hierarchical Priority Queueing • Conform Action—The action to tak e when the rate is less than the co nform-burst value. V alues are transmit or dr op. • Exceed Action—T ake this action when the rate is between the conform-rate value [...]

  • Page 698

    25-8 Cisco ASDM User Guide OL-16647-01 Chapter 25 Configuring QoS Creating a Policy for Tr affic Shaping and Hierarchical Priority Queueing Step 4 (Optional) T o confi gure priority queueing for a subset of shaped traf f ic: a. Click Enfor ce priority to selected shape traffic . b. Click Conf igure to identify the traf f ic that you want to priorit[...]

  • Page 699

    CH A P T E R 26-1 Cisco ASDM User Guide OL-16647-01 26 Configuring Filter Rules This chapte r includes the fol lo wing sections: • URL Filtering, pa ge 26-1 • Filter Rules, page 26-5 URL Filtering Y o u can apply f iltering to connection requests origin ating from a more secure network to a less secure network. Al though you can use A C Ls to p[...]

  • Page 700

    26-2 Cisco ASDM User Guide OL-16647-01 Chapter 26 Configuring Filter Rules URL Filtering Configuring URL Filtering T o enable f iltering with an e xternal f iltering serv er , perform the follo wing st eps. Step 1 Go to Configuration > Firewall > URL Filter Servers to specify an external f iltering server . Se e URL Filtering Serv ers, page 2[...]

  • Page 701

    26-3 Cisco ASDM User Guide OL-16647-01 Chapter 26 Configuring Filter Rules URL Filtering – Add/Edit Pa rameters for W ebsense URL Filtering, page 26-3 – Add/Edit Parameters for Secure Computin g SmartFilter URL Filterin g, page 26-4 • Insert Before—Adds a ne w f iltering server in a hi gher priority position t han the currently selected ser[...]

  • Page 702

    26-4 Cisco ASDM User Guide OL-16647-01 Chapter 26 Configuring Filter Rules URL Filtering Add/Edit Parameters for Secure Co mputing SmartFilter URL Filtering • Interface—Specif ies the interface on whic h the URL filtering serv er is connected. • IP Address—Specifies the IP address of the URL f iltering server . • T imeout—Specif ies the[...]

  • Page 703

    26-5 Cisco ASDM User Guide OL-16647-01 Chapter 26 Configuring Filter Rules Filter Rules – Source/Destination Address—Caches entr ies based on both the source address initi ating the URL request as well as the UR L destination ad dre ss. Choose this mode if users do not share the same URL fil tering polic y on the server . – Cache size—Speci[...]

  • Page 704

    26-6 Cisco ASDM User Guide OL-16647-01 Chapter 26 Configuring Filter Rules Filter Rules Benefits The Filter Rules pane pro vides information about the f ilter rules that are currently conf igured on the security appliance. It also provid es b uttons that you can use to add or modify the f ilter rules and to increase or decrease the amount of detail[...]

  • Page 705

    26-7 Cisco ASDM User Guide OL-16647-01 Chapter 26 Configuring Filter Rules Filter Rules – Add—Lets you add a f ilter rule. – Edit—Lets you edit a f ilter rule. – Delete— Lets you delete a filter rule. – Find—Lets you f ind a filter ru le. • Use the Services tab to choose a pred efin ed filter ru le. – T ype—Lets you choose a s[...]

  • Page 706

    26-8 Cisco ASDM User Guide OL-16647-01 Chapter 26 Configuring Filter Rules Filter Rules – Filter HTTP (URL) – Do not f ilter HTTP (URL) – Filter HTTPS – Do not f ilter HTTPS – Filter FTP – Do not f ilter FTP • Source—Enter the source of the traff ic to which the f iltering action applies. Y ou can enter the source in one of the f ol[...]

  • Page 707

    26-9 Cisco ASDM User Guide OL-16647-01 Chapter 26 Configuring Filter Rules Filter Rules – Block users from connect ing to an HTTP proxy server—Pre v ent HTTP requests made throu gh a proxy server . – T runcate CGI parameters from URL sent to URL server —The security appliance forwards only the CGI script locatio n and the script name, witho[...]

  • Page 708

    26-10 Cisco ASDM User Guide OL-16647-01 Chapter 26 Configuring Filter Rules Filter Rules Step 3 For Source, Destination, Source or Destination, and Service filters, p erform the follo wing steps: a. Choose the match criteria from the drop-do wn list. Choose “is” (w ithout the quotes) for e xact string matches or choose “contains” for partia[...]

  • Page 709

    26-11 Cisco ASDM User Guide OL-16647-01 Chapter 26 Configuring Filter Rules Filter Rules For More Information Filtering the R ule T able, page 26-9 Browse Source/Destination/Service The Brow se Source/Destination/Service dialog box lets you choose from e xisting IP address, name, or service objects. Fields • Add—Click to add a ne w I P address,[...]

  • Page 710

    26-12 Cisco ASDM User Guide OL-16647-01 Chapter 26 Configuring Filter Rules Filter Rules For More Information Filter Rules, page 26-5 URL Filtering, pa ge 26-1[...]

  • Page 711

    CH A P T E R 27-1 Cisco ASDM User Guide OL-16647-01 27 Configuring Advanced Firewall Protection This chapter describes ho w to pre ven t network attacks by configuring protection features, and includes the following sections: • Config uring Threat Detection, page 27-1 • Config uring Connection Settings, page 27-6 • Config uring IP Audit, page[...]

  • Page 712

    27-2 Cisco ASDM User Guide OL-16647-01 Chapter 27 Configuring Advance d Firewall Protection Configuring Th reat Dete ction • Basic Threat Detection Ov ervie w , page 27-2 • Config uring Basic Threat Detection, page 27-2 Basic Threat Detection Overview Using basic threat detection, the security appliance monitors the rat e of dropped packet s an[...]

  • Page 713

    27-3 Cisco ASDM User Guide OL-16647-01 Chapter 27 Configuring Adva nced Firewall Protection Configuring Threa t Detection Configuring Scanning Threat D etection A typical scanning attack consists of a host that tests the accessibility of every IP addres s in a subnet (by scanning through man y hosts in the sub net or sweeping through man y ports in[...]

  • Page 714

    27-4 Cisco ASDM User Guide OL-16647-01 Chapter 27 Configuring Advance d Firewall Protection Configuring Th reat Dete ction Caution The scanning threat detection feature can affect the security appliance performance and memory significantly while it creates and gathers host- and subnet-ba sed data structure and information. T o conf igure scanning t[...]

  • Page 715

    27-5 Cisco ASDM User Guide OL-16647-01 Chapter 27 Configuring Adva nced Firewall Protection Configuring Threa t Detection Caution Enabling statistics can af fect the secu rity applian ce performance, depending on the type of statistics enabled. Enabling statistics fo r hosts affect s performance in a significant w ay; if you ha ve a high traf f ic [...]

  • Page 716

    27-6 Cisco ASDM User Guide OL-16647-01 Chapter 27 Configuring Advance d Firewall Protection Configuring Co nnection Settings Configuring Connection Settings This section descri bes how to set maximum TCP and UDP co nnections, maximum embryonic connections, maximum per -client connecti ons, connec tion ti meouts, dead connection detection, and ho w [...]

  • Page 717

    27-7 Cisco ASDM User Guide OL-16647-01 Chapter 27 Configuring Adva nced Firewall Protection Configuring Connec tion Settings VPN requires the ability t o process the 3-way h and shake packets to pro vide selectiv e A CK and other TCP options for Clientless SS L VPN connections. T o di sable TCP Intercept for management traf fic, you can set the emb[...]

  • Page 718

    27-8 Cisco ASDM User Guide OL-16647-01 Chapter 27 Configuring Advance d Firewall Protection Configuring Co nnection Settings Step 1 Configure a service polic y on the Conf iguration > Fire wall > Servi ce Policy Rules pane accordin g to Chapter 22, “Conf iguring Service Polic y Rules. ” Y o u can conf igure connection l imits as part of a[...]

  • Page 719

    27-9 Cisco ASDM User Guide OL-16647-01 Chapter 27 Configuring Adva nced Firewall Protection Configuring Connec tion Settings Randomizing the ISN of the protected host pre vents an attacker from predecting the next ISN for a ne w connection and potentiall y hijacking the ne w session. Step 6 T o c onfigure TCP normalization, che ck Use TCP Map . Cho[...]

  • Page 720

    27-10 Cisco ASDM User Guide OL-16647-01 Chapter 27 Configuring Advance d Firewall Protection Configuring IP Audit • Drop SYN P ackets with data—D r op s S Y N p ac k e ts wi t h d at a . • Drop SYN A CK P ackets with data—Drops TCP SYN ACK packets t hat contain data. • Drop packets w ith in v alid A CK—Dro ps packets with an in valid A [...]

  • Page 721

    27-11 Cisco ASDM User Guide OL-16647-01 Chapter 27 Configuring Adva nced Firewall Protection Configuring IP Audit IP Audit Policy The IP Audit Polic y pane lets you add audit p olicies and assign them to interfaces. Y ou can assign an attack policy an d an informational polic y to each interf ace. The attack polic y determines the action to take wi[...]

  • Page 722

    27-12 Cisco ASDM User Guide OL-16647-01 Chapter 27 Configuring Advance d Firewall Protection Configuring IP Audit – Attack—Sets the policy type as attack. – Information—Sets the p olicy type as informati onal. • Action—Sets one or more actions to take when a pa ck et matches a signat ure. If you do not choo se an action, then the defa u[...]

  • Page 723

    27-13 Cisco ASDM User Guide OL-16647-01 Chapter 27 Configuring Adva nced Firewall Protection Configuring IP Audit IP Audit Signature List T able 27-3 li sts supported signatures and sy stem message numbers. T able 27 -3 Signat ur e IDs and S ystem Message Nu mbers Signature ID Message Number Signature T itle Signature T ype Description 1000 400000 [...]

  • Page 724

    27-14 Cisco ASDM User Guide OL-16647-01 Chapter 27 Configuring Advance d Firewall Protection Configuring IP Audit 1103 400009 IP Overlapping Fragments (T eardrop) At tack T riggers wh en two fragments contained within the same IP datagram ha ve of fsets th at indicat e that they sha re positio ning with in the datagram. This could mean that fragmen[...]

  • Page 725

    27-15 Cisco ASDM User Guide OL-16647-01 Chapter 27 Configuring Adva nced Firewall Protection Configuring IP Audit 2008 400018 ICMP T imestamp Reply Informational Triggers when a IP d atagram is recei ved with the protocol f ield of the IP he ader set to 1 (ICMP) and the type field in the ICMP header set to 14 (T imestamp Reply). 2009 400019 ICMP In[...]

  • Page 726

    27-16 Cisco ASDM User Guide OL-16647-01 Chapter 27 Configuring Advance d Firewall Protection Configuring IP Audit 3042 400028 TCP FIN only flags Attack Triggers when a single orphaned TCP FIN packet is sent to a pri vile ged port (ha ving port number less than 1024) on a specific host. 3153 400029 FTP Improper Address Speci fied Informational Trigg[...]

  • Page 727

    27-17 Cisco ASDM User Guide OL-16647-01 Chapter 27 Configuring Adva nced Firewall Protection Configuring th e Fragment Size Configuring the Fragment Size By default, th e security appliance allo ws up to 24 fragments per IP pack et, and up to 200 fragments await ing reassembly . Y ou might need to let fragments on your network if you ha v e an appl[...]

  • Page 728

    27-18 Cisco ASDM User Guide OL-16647-01 Chapter 27 Configuring Advance d Firewall Protection Configuring the Fr agment Size – T imeout—Specif ies the maximum numb er of seconds to w ait for an entire fr agmented packet to arri ve. The timer starts after the f irst fragmen t of a packet arri ves. If all f ragments of the packet do not arri ve b [...]

  • Page 729

    27-19 Cisco ASDM User Guide OL-16647-01 Chapter 27 Configuring Adva nced Firewall Protection Configuring th e Fragment Size • Fai l— Display only . Displays the number of failed reassembly attempts. • Ov er f l ow— Display only . Displays the number of IP packets in the ov erflo w queue. Modes The follo wing table sho ws the modes in which [...]

  • Page 730

    27-20 Cisco ASDM User Guide OL-16647-01 Chapter 27 Configuring Advance d Firewall Protection Configuring Anti-Spoofing Configuring Anti-Spoofing The Anti-Spoof ing windo w lets you en able Unicast Re verse P ath F orwardin g on an interface. Unicast RPF guards against IP spoof ing (a pack et uses an in correct source IP address to obscure its true [...]

  • Page 731

    27-21 Cisco ASDM User Guide OL-16647-01 Chapter 27 Configuring Adva nced Firewall Protection Configuring TCP Options Fields • Inbound and Outb ound Reset—Sets whether to reset denied TCP co nnections for inbound an d outbound t raf fi c. – Interface—Sho ws the interface name. – Inbound Reset—Sho ws the interf ace reset setting for inbou[...]

  • Page 732

    27-22 Cisco ASDM User Guide OL-16647-01 Chapter 27 Configuring Advance d Firewall Protection Configuring TCP Options CLOSING state. Having man y sockets in the CLOSING state can degrade the performance of an end host. F or exam ple, some W inSock mainframe cli ents are know n to exhibi t this beha vior and degrade the performance of the mainframe s[...]

  • Page 733

    27-23 Cisco ASDM User Guide OL-16647-01 Chapter 27 Configuring Adva nced Firewall Protection Configuring Global Timeo uts Configuring Global Timeouts The T imeouts pane lets you set the timeo ut durations for u s e with the security appliance. All durations are displayed in the format hh: mm:ss. It sets the idle time for the connection and translat[...]

  • Page 734

    27-24 Cisco ASDM User Guide OL-16647-01 Chapter 27 Configuring Advance d Firewall Protection Configuring Global T imeouts • SIP Disconnect—Modif ies the idle time af ter whic h SIP session is d eleted if the 200 OK is not receiv ed for a CANCEL or a BYE message. The min imum value is 0:0: 1, the maximum v alue is 0:10:0. The def ault v alue is [...]

  • Page 735

    CH A P T E R 28-1 Cisco ASDM User Guide OL-16647-01 28 Configuring IPS This chapter descri bes how to configure the adaptiv e security appliance to sup port an AIP SSM that is installed in the security appliance. Note The Cisco PIX 500 series security appli ances do not support SSMs. This chapte r includes the fol lo wing sections: • AIP SSM Ov e[...]

  • Page 736

    28-2 Cisco ASDM User Guide OL-16647-01 Chapter 28 Configuring IPS AIP SSM Overview How the AIP SSM Works with the Adaptive Security Appliance The AIP SSM runs a separate application from the adapti v e security ap pliance. It is , ho wever , integrated into the adaptiv e security appliance traffic flo w . The AIP SSM does not contain any external i[...]

  • Page 737

    28-3 Cisco ASDM User Guide OL-16647-01 Chapter 28 Configuring IPS AIP SSM Overview • Promiscuous mode —This mode sends a duplicate str eam of traf fic to the AIP SSM. This mode is less secure, but h as little impact on traf f ic throughput. Unlik e the inline mode, in pro miscuous mode the AIP SSM can only block tr af fic b y instructing t h e [...]

  • Page 738

    28-4 Cisco ASDM User Guide OL-16647-01 Chapter 28 Configuring IPS AIP SSM Overview Figur e 28-3 Security Cont exts and Vir tual Sensors Figure 28-4 sh ows a si ngle mode security appliance paired w ith multiple virtual sen sors (in inline mode); each def ined traf fic f low goes t o a different senso r . Figure 28-4 Single Mod e Secur ity Appli anc[...]

  • Page 739

    28-5 Cisco ASDM User Guide OL-16647-01 Chapter 28 Configuring IPS Accessing IDM from ASDM 4. Using ASDM on the ASA 5500 seri es adaptiv e security appliance, iden tify traff ic to di v ert to the AIP SSM. See the “Di verting T raff ic to the AIP SSM” section on page 28-6 . Accessing IDM from ASDM ASDM uses IDM to conf igure the AIP SSM. If the [...]

  • Page 740

    28-6 Cisco ASDM User Guide OL-16647-01 Chapter 28 Configuring IPS Diverting Traffic to the AIP SSM Step 1 In the ASDM Device List pane, double-click Syst em under the acti ve de vi ce IP address. Step 2 On the Context Management > Security Conte xts pane, choo se a context that you w ant to conf igure, and click Edit . The Edit Conte xt dialog b[...]

  • Page 741

    28-7 Cisco ASDM User Guide OL-16647-01 Chapter 28 Configuring IPS Diverting Traffic to the AIP SSM The Add Service Polic y Rule W iza rd - Service Polic y dialog box appear s. Complete the Service Policy and T raff ic Classificati on Criteria dialog box es. See the “ Adding a Service Policy Rule for Through T raf f ic” section on page 22-6 for [...]

  • Page 742

    28-8 Cisco ASDM User Guide OL-16647-01 Chapter 28 Configuring IPS Resetting the AIP SSM Password V irt ual Sensors to Security Contexts” section on page 28-5 ). If you do not speci fy a sensor name, then the traf f ic uses the default sensor . In mul tiple context mode, you can specify a default sen sor for the contex t. In single mode or if you [...]

  • Page 743

    CH A P T E R 29-1 Cisco ASDM User Guide OL-16647-01 29 Configuring Trend Micro Content Security Note The ASA 5580 does not support th e CSC SSM feature. This chapter descri bes how to configure the CSC SSM, and includes the follo wing sections: • Connecting to the CSC SSM, page 29-1 • Managing the CSC SSM , page 29-2 • CSC SSM Setup, page 29-[...]

  • Page 744

    29-2 Cisco ASDM User Guide OL-16647-01 Chapter 29 Config uring Trend Micro Conte nt Security Managing the CSC SSM • Other IP Address or Hostn ame—Connect s to an alternate IP address or hostname on the SSM. Step 3 En ter the port nu mber in th e Port field, and then click Contin ue . Step 4 In the CSC Password dialo g box, type your CSC passwor[...]

  • Page 745

    29-3 Cisco ASDM User Guide OL-16647-01 Chapter 29 Configuring Trend Mic ro Content Security Managing the CSC SSM • A service polic y that determines which traf f ic is di verted to the SSM for scans. In this e xample, the client co uld be a netwo rk user who is accessing a website, d ownl oading fil es from an FTP server , or retriev ing e-mail f[...]

  • Page 746

    29-4 Cisco ASDM User Guide OL-16647-01 Chapter 29 Config uring Trend Micro Conte nt Security Managing the CSC SSM • The management port of the adapti v e security appl iance is connected to th e management network. T o allo w management of the adapti v e security appliance and the CSC SSM, hosts running ASDM must be connected to t he management n[...]

  • Page 747

    29-5 Cisco ASDM User Guide OL-16647-01 Chapter 29 Configuring Trend Mic ro Content Security Managing the CSC SSM • Acti vat ion keys, r eceiv ed after completing Step 2 . • The SSM management port IP address, netmask, and gate way IP address. The SSM ma nagement port IP address must be accessible by the hosts used to run ASDM. The IP addresses [...]

  • Page 748

    29-6 Cisco ASDM User Guide OL-16647-01 Chapter 29 Config uring Trend Micro Conte nt Security Managing the CSC SSM The new service polic y appears in the Service Policy Rules pane. g. Click Apply . The adapti ve security appliance beg ins di verting tr af fic t o the CSC SSM, which performs the cont ent security s cans that ha v e been enable d acc [...]

  • Page 749

    29-7 Cisco ASDM User Guide OL-16647-01 Chapter 29 Configuring Trend Mic ro Content Security Managing the CSC SSM Y ou enable traff ic scanning with th e CSC SSM on th e CSC Scan t ab in the Add Service Polic y Rule W izard Rule Actions screen . Y ou can apply service po licies t hat include CSC scanning globall y or to specific interf aces; therefo[...]

  • Page 750

    29-8 Cisco ASDM User Guide OL-16647-01 Chapter 29 Config uring Trend Micro Conte nt Security Managing the CSC SSM Figure 29-4 sho ws service policy rules that select only th e traf fic that the adapti ve security appliance should scan. Figur e 29-4 Optimized T r affic Selection f or CSC Scans In the inside-polic y , the first class, inside-class1, [...]

  • Page 751

    29-9 Cisco ASDM User Guide OL-16647-01 Chapter 29 Configuring Trend Mic ro Content Security CSC SSM Setup • If CSC card fails—Conf igures the action to take if the CSC SSM becomes inoperable. – Permit traf fic—Allo ws traf f ic if th e CSC SSM fails. – Close traff ic—Blocks traff ic if the CSC SSM fails. Modes The follo wing table sho w[...]

  • Page 752

    29-10 Cisco ASDM User Guide OL-16647-01 Chapter 29 Config uring Trend Micro Conte nt Security CSC SSM Setup For More Information See Managing the CSC SSM, page 29-2 Activation/License The Acti vat ion/License pane lets you conf igure ac ti v ation codes for the fol lowin g two components of the CSC SSM: • Base License • Plus License Y ou can us[...]

  • Page 753

    29-11 Cisco ASDM User Guide OL-16647-01 Chapter 29 Configuring Trend Mic ro Content Security CSC SSM Setup For More Information See Managing the CSC SSM, page 29-2 IP Configuration The IP Conf iguration pane lets yo u confi gure IP ad dresses and other rele v ant details for th e CSC SSM, the DNS servers it shou ld use, and a proxy serv er for retr[...]

  • Page 754

    29-12 Cisco ASDM User Guide OL-16647-01 Chapter 29 Config uring Trend Micro Conte nt Security CSC SSM Setup Fields • Host and Domain Names—Contains in formation about the hostname and domai n name of the CSC SSM. – HostName—Sets the hostname of the CSC SSM. – Domain Name—Sets the domain name th at contains the CSC SSM. • Incoming E-ma[...]

  • Page 755

    29-13 Cisco ASDM User Guide OL-16647-01 Chapter 29 Configuring Trend Mic ro Content Security CSC SSM Setup Fields • IP Address—Sets the address of a host or netw ork you want to add to the Selected Hosts/Netwo rk list. • Mask—Sets the netmask for the ho st or network you specif ied in the I P Address f ield. T o allo w all hosts and netw or[...]

  • Page 756

    29-14 Cisco ASDM User Guide OL-16647-01 Chapter 29 Config uring Trend Micro Conte nt Security CSC SSM Setup Note The default passw ord is “cisco. ” Fields • Old Passw ord—Requires the current passw ord for management access to t he CSC SSM. • New P assword—Sets the ne w passw ord for management access to the CSC SSM. • Confir m Ne w P[...]

  • Page 757

    29-15 Cisco ASDM User Guide OL-16647-01 Chapter 29 Configuring Trend Mic ro Content Security CSC SSM Setup Note This feature is a v ailable only in mult iple-conte xt mode in the system co ntext. For More Information See Password , page 29-13 Wizard Setup The W izard Setup screen lets y ou start the CSC Set up W izard. Before you can directly acces[...]

  • Page 758

    29-16 Cisco ASDM User Guide OL-16647-01 Chapter 29 Config uring Trend Micro Conte nt Security CSC SSM Setup Fields • Activ ation Code — Display only . Displays the acti v ation code settin gs you ha ve made on t his screen. – Base License—Sho ws the acti vation code. The Ba se License includes anti-virus, anti-spyware, and file blocking. ?[...]

  • Page 759

    29-17 Cisco ASDM User Guide OL-16647-01 Chapter 29 Configuring Trend Mic ro Content Security CSC SSM Setup For More Information See Managing the CSC SSM, page 29-2 CSC Setup Wizard Ho st Configuration The CSC Setup W izard H ost Conf iguration screen di sp lays the host and domain names, incoming e-mail domain name, administrator e-mail add ress, e[...]

  • Page 760

    29-18 Cisco ASDM User Guide OL-16647-01 Chapter 29 Config uring Trend Micro Conte nt Security CSC SSM Setup Modes The follo wing table sho ws the modes in which this featur e is av ailable: For More Information See Managing the CSC SSM, page 29-2 CSC Setup Wizard Password Configuration The CSC Setup W izard P assword Conf iguratio n ascreen display[...]

  • Page 761

    29-19 Cisco ASDM User Guide OL-16647-01 Chapter 29 Configuring Trend Mic ro Content Security CSC SSM Setup • Add—Click to sp ecify additional traf f ic details for CSC scanning . For more informat ion, see Specify traf fic for CSC Scan, page 29-19 . • Edit—Click to modify additi onal traf fic detail s for CSC scanning. For more informat ion[...]

  • Page 762

    29-20 Cisco ASDM User Guide OL-16647-01 Chapter 29 Config uring Trend Micro Conte nt Security CSC SSM Setup For More Information See CSC Setup W izard T raf f ic Selection for CSC Scan, page 29-18 CSC Setup Wizard Summary The CSC Setup W izard Summary screen d isplays the settings that you ha ve made wi th the CSC Setup W izard. Y ou can revie w yo[...]

  • Page 763

    29-21 Cisco ASDM User Guide OL-16647-01 Chapter 29 Configuring Trend Mic ro Content Security Web • Password— Display only . Indicates whether or not you ha ve changed the password in the P assword Config uration screen. • Back—Click to return to precedin g screens of the CSC Se tup W izard. • Next—Dimmed; ho we v er , if you click Ba ck[...]

  • Page 764

    29-22 Cisco ASDM User Guide OL-16647-01 Chapter 29 Config uring Trend Micro Conte nt Security Mail • Scanning—Includes a field and a link ab out HTTP scanning on th e CSC SSM. – HTTP Scanning— Display only . Shows whether or not HTTP sc anning is enable d on the CSC SSM. – Config ure W eb Scanning—Opens a screen for conf iguring HTTP sc[...]

  • Page 765

    29-23 Cisco ASDM User Guide OL-16647-01 Chapter 29 Configuring Trend Mic ro Content Security Mail Fields • Scanning—Includes f ields and links ab out SMTP scanning. – Incoming Scan — Display only . Shows whet her or not the incoming SMTP scanning feature is enabled on the CSC SSM. – Config ure Incoming Scan—Opens a screen for co nf igur[...]

  • Page 766

    29-24 Cisco ASDM User Guide OL-16647-01 Chapter 29 Config uring Trend Micro Conte nt Security File Transfer Note T o access the CSC SSM, you must re enter the CSC SSM password. Sessions in the CSC SSM browser time out after ten minutes of inact ivity . If you cl ose the CSC SSM browser and click another li nk in ASDM, you are not pro mpted for the [...]

  • Page 767

    29-25 Cisco ASDM User Guide OL-16647-01 Chapter 29 Configuring Trend Mic ro Content Security Updates • Config ure File Blocking—Ope ns a screen for config uring FTP f ile blocking settings on th e CSC SSM. Modes The follo wing table sho ws the modes in which this featur e is av ailable: For More Information See Managing the CSC SSM, page 29-2 U[...]

  • Page 768

    29-26 Cisco ASDM User Guide OL-16647-01 Chapter 29 Config uring Trend Micro Conte nt Security Updates For More Information See Managing the CSC SSM, page 29-2[...]

  • Page 769

    CH A P T E R 30-1 Cisco ASDM User Guide OL-16647-01 30 Configuring ARP Inspection and Bridging Parameters This chapter describes how to enable ARP inspection and ho w to customize bridging operations for the security appliance in tr ansparent f ire wall mode. In multiple conte xt mode, the commands i n this chapter can be entered in a security cont[...]

  • Page 770

    30-2 Cisco ASDM User Guide OL-16647-01 Chapter 30 Config uring ARP Inspection and Bridging Parameters Configuring ARP Inspection Note The dedicated management interface, if present, neve r floods packets e ven i f this parameter is set to flood. ARP inspection pre vents malicious users from imper sonati ng other hosts or routers (kno wn as ARP spoo[...]

  • Page 771

    30-3 Cisco ASDM User Guide OL-16647-01 Chapter 30 Configuring ARP Inspec tion and Bridgin g Parameters Configuring ARP Inspection Modes The follo wing table sho ws the modes in which this featur e is av ailable: ARP Static Table Although hosts identi fy a packet destination b y an IP address, the actual deliv ery of the packet on Ethernet reli es o[...]

  • Page 772

    30-4 Cisco ASDM User Guide OL-16647-01 Chapter 30 Config uring ARP Inspection and Bridging Parameters Customizing the MAC Address Table Add/Edit ARP Static Configuration The Add/Edit ARP Static Conf iguration dialog b ox lets you add or edit a st atic ARP entry . Fields • Interface—Sets the interface attach ed to the host netw ork. • IP Addre[...]

  • Page 773

    30-5 Cisco ASDM User Guide OL-16647-01 Chapter 30 Configuring ARP Inspec tion and Bridgin g Parameters Customizin g the MAC Address Table drops the traf fic and generates a system message . When you add a static ARP entry (see the “A R P S t a t i c T able” section on page 30-3 ) , a static MA C address entr y is automatically added to the MA C[...]

  • Page 774

    30-6 Cisco ASDM User Guide OL-16647-01 Chapter 30 Config uring ARP Inspection and Bridging Parameters Customizing the MAC Address Table Add/Edit MAC Address Entry The Add/Edit MA C Ad dress Entry dialog box lets you add o r edit a static MA C address ent ry . Normally , MA C addresses are added to the MA C address tabl e dynamically as traff ic fro[...]

  • Page 775

    P ART 4 Conf iguring VPN[...]

  • Page 776

    [...]

  • Page 777

    CH A P T E R 31-1 Cisco ASDM User Guide OL-16647-01 31 SSL VPN Wizard SSL VPN Feature Clientless, bro wser-based SSL VPN lets users establish a s ecure, remote-access VPN tunnel to the security appli ance using a web browser . After auth entic ation, users access a portal page and can access specific, supported internal resour ces. The network admi[...]

  • Page 778

    31-2 Cisco ASDM User Guide OL-16647-01 Chapter 31 SSL VPN Wizard SSL VPN Interface SSL VPN Interface Provide a Co nnection name (pre viously called t unnel gr oup ), enable an interface for SSL VPN connections, and pro vide digital certif icate information in this windo w . Fields • Connection Name—Pro vide a connection name for this group of c[...]

  • Page 779

    31-3 Cisco ASDM User Guide OL-16647-01 Chapter 31 SSL VPN Wizard Group Policy Modes The follo wing table sho ws the modes in which this featur e is av ailable: Group Policy Group policies conf igure co mmon attrib utes for group s of users. Create a ne w group polic y or select an existing o ne to modify . Fields • Create ne w group polic y—Ena[...]

  • Page 780

    31-4 Cisco ASDM User Guide OL-16647-01 Chapter 31 SSL VPN Wizard IP Address Pools an d Client Image IP Address Pools and Client Image Provide a range of IP addresses to remote SSL VPN users and id entify SSL V PN client ima ges to the security appliance in this win dow . Fields • IP Address Pool—SSL VPN clients receive ne w IP addresses when th[...]

  • Page 781

    31-5 Cisco ASDM User Guide OL-16647-01 Chapter 31 SSL VPN Wizard Summary Firewall Mode Security Context Routed T ransparent Single Multiple Context Sy stem • — • ——[...]

  • Page 782

    31-6 Cisco ASDM User Guide OL-16647-01 Chapter 31 SSL VPN Wizard Summary[...]

  • Page 783

    CH A P T E R 32-1 Cisco ASDM User Guide OL-16647-01 32 VPN The security appliance creates a virtual priv ate networ k b y creating a secure connection across a TCP/IP network (such as the Internet) that users see as a pr iv ate connection. It can create single-user-to-LAN connections and LAN-to -LAN connections. The secure connection is called a tu[...]

  • Page 784

    32-2 Cisco ASDM User Guide OL-16647-01 Chapter 32 VPN VPN Wizard Note The VPN wizard lets you assign either preshared keys or dig ital certifi cates for authentication. H o wev er , to use certif icates, you must enrol l with a certif ication authorit y and configur e a trustpoint prior to usin g the wizard. Use the ASDM Device Administration > [...]

  • Page 785

    32-3 Cisco ASDM User Guide OL-16647-01 Chapter 32 VPN VPN Wizard • Enable inbound IPsec sessions to bypass interface access lists—Enab le IPsec authenticated inbound sessions to alw ays be permitted through the secu rity appliance (that is, without a check of the interface access-list statements). Be aw are that th e inbound sessions bypass onl[...]

  • Page 786

    32-4 Cisco ASDM User Guide OL-16647-01 Chapter 32 VPN VPN Wizard When two peers want to communicat e, the y exchange certif icates and digi tally sign data to authenticate each other . When you add a ne w peer to the netw ork, it enrolls with a CA, and none of the other peers require additional co nfigurat ion. – Certif icate Signing Algorithm—[...]

  • Page 787

    32-5 Cisco ASDM User Guide OL-16647-01 Chapter 32 VPN VPN Wizard Fields • Encryption —Select the s ymmetric en cryption al gorithm the securi ty appliance uses to establ ish the Phase 1 SA that protects Phase 2 negotiat ions. The security appliance su pports the follo wing encryption algorithms: The default, 3DES, is mor e secure than DES b ut [...]

  • Page 788

    32-6 Cisco ASDM User Guide OL-16647-01 Chapter 32 VPN VPN Wizard For IPsec to succeed, both peers in the LAN-to-LAN connection must have compatible entries for hosts and networks. The host s and networks you con figure as Local Hosts and Net works in this pane l must be confi gured as Remote Hosts and Network s on the device at the remote site for [...]

  • Page 789

    32-7 Cisco ASDM User Guide OL-16647-01 Chapter 32 VPN VPN Wizard Fields • Cisco VPN Client Release 3.x or higher , or ot her Easy VPN Remote pr oduct—Click for IPsec connections, includi ng compatible software and hardware clients other than those named here. • Microsoft W indo ws client using L2 TP over I Psec—Click to enable connections f[...]

  • Page 790

    32-8 Cisco ASDM User Guide OL-16647-01 Chapter 32 VPN VPN Wizard – Pre-shared Ke y—T ype the preshared key . – Certif icate—Click to use certif icates for authen tication between the local security appliance and the remote IPsec peer . T o complete this section, you must ha ve pre viously enr olled with a CA and do wnloaded one or more cert[...]

  • Page 791

    32-9 Cisco ASDM User Guide OL-16647-01 Chapter 32 VPN VPN Wizard • Authenticate using an AAA serv er group—Click to use an e xternal server gr oup for remote user authentication. • AAA Server Group Name—Select a AAA serv er group conf igured pre viously . • New ...—Click to conf igure a ne w AAA server group. Modes The follo wing table [...]

  • Page 792

    32-10 Cisco ASDM User Guide OL-16647-01 Chapter 32 VPN VPN Wizard User Accounts Use the User Accounts panel to add new users to th e security appliance internal user datab ase for authentication pur poses. Fields Provide th e follow ing information: • User to Be Added—Use the fields in this section to add a user . – Username—E nter the user[...]

  • Page 793

    32-11 Cisco ASDM User Guide OL-16647-01 Chapter 32 VPN VPN Wizard Attributes Pushed to Client Use the Attributes Pushed to Client (Optional) panel to have the security app liance pass in formation about DNS and WINS servers an d the default domain name to remot e access clients. Fields Provide in formation for remote access client s to use. • T u[...]

  • Page 794

    32-12 Cisco ASDM User Guide OL-16647-01 Chapter 32 VPN VPN Wizard Fields • Host/Network to Be Ad ded—Complete these fi elds to ex empt a particular host or network from NA T . – Interface—Select the name of the interface that connects to the hosts or networks you hav e selected. – IP address—Select the IP address of the host or network.[...]

  • Page 795

    32-13 Cisco ASDM User Guide OL-16647-01 Chapter 32 VPN VPN Wizard[...]

  • Page 796

    32-14 Cisco ASDM User Guide OL-16647-01 Chapter 32 VPN VPN Wizard[...]

  • Page 797

    CH A P T E R 33-1 Cisco ASDM User Guide OL-16647-01 33 Configuring Certificates Digital certif icates provide digit al identif ication for authenticati on. A digital certif icate contains informa tion that iden tifies a device or user , such as the name, serial number , company , department, or IP address. CAs issue digital certificates in the cont[...]

  • Page 798

    33-2 Cisco ASDM User Guide OL-16647-01 Chapter 33 Configuring Certificates CA Certificate Authentication CA Certificates Fields • Certificates —Displays a list of the certif icates av ailable id entified by issued to and by , the date the certificate e xpires, and the certificate’ s usage or pur pose. Y ou can click a certi ficate in the list[...]

  • Page 799

    33-3 Cisco ASDM User Guide OL-16647-01 Chapter 33 Configuring Certific ates CA Certificate Authentication Add/Install a CA Certificate The CA Certif icate panel lets you add a ne w certif icate conf igurat ion from an exi sting f ile, by manually pasting a certif icate, or b y automatic enrollment. Cl ick the appro priate option to acti vate o ne o[...]

  • Page 800

    33-4 Cisco ASDM User Guide OL-16647-01 Chapter 33 Configuring Certificates CA Certificate Authentication – Retry Period: Specify the maximum number of minutes to retry installi ng a certificate.The default is one minute. – Retry Count: Specify the number of retries for installing a certificate. The def ault is 0, which indicates unlimited r etr[...]

  • Page 801

    33-5 Cisco ASDM User Guide OL-16647-01 Chapter 33 Configuring Certific ates CA Certificate Authentication Request CRL The Request CRL button updates the cur rent version of the Certificate Re v ocation List (CRL). CRL update pro vides the current status of certif icate us ers. If the request f ails, an error message displays. The CRL is generated a[...]

  • Page 802

    33-6 Cisco ASDM User Guide OL-16647-01 Chapter 33 Configuring Certificates CA Certificate Authentication The follo wing panels are the tab -selectable displays th at address CA certif icate conf igurati on specif ics. Each tabbed display i s summarized in the follo wing list: Revocation Check —The Re vocation Check panel lets you chose or reject [...]

  • Page 803

    33-7 Cisco ASDM User Guide OL-16647-01 Chapter 33 Configuring Certific ates CA Certificate Authentication The methods you select are implemente d in the order in which you add them. If a method detects an error , subsequent re vocati on checking methods acti v ate. Re vocation Checking Ov erride - Click the Consider certif icate valid if r evocatio[...]

  • Page 804

    33-8 Cisco ASDM User Guide OL-16647-01 Chapter 33 Configuring Certificates CA Certificate Authentication • Click the Enable Lightweight Dir ectory Access Protocol (LD AP) b utton to specify LD AP CRL retrie va l. W ith LD AP , CRL retriev al star ts an LD AP session by connecti ng to a named LD AP server , accessed by passw ord. The connection is[...]

  • Page 805

    33-9 Cisco ASDM User Guide OL-16647-01 Chapter 33 Configuring Certific ates CA Certificate Authentication OCSP Rules Fields • Certif icat e Map —Displays the name of the certif icate map to mat ch to this OCSP rule. Certif icate maps match user permissions to specif ic f ields in a certif icate. Y ou must conf igure the certifi cate map before [...]

  • Page 806

    33-10 Cisco ASDM User Guide OL-16647-01 Chapter 33 Configuring Certificates CA Certificate Authentication The security appliance supports tw o methods of checking re v ocation status: CRL and OCSP . Fields • CRL Options – Cache Refresh Time —Specify the number of minutes between cache refreshes. The default number of minutes is 60. The range [...]

  • Page 807

    33-11 Cisco ASDM User Guide OL-16647-01 Chapter 33 Configuring Certific ates Identity Certificates Authentication – Disable nonce extension —By default the OCSP request incl udes the n once extension, wh ich cryptographically binds requests w ith responses to a void replay attacks. It works b y matching the extension in th e request to that in [...]

  • Page 808

    33-12 Cisco ASDM User Guide OL-16647-01 Chapter 33 Configuring Certificates Identity Certific ates Authentication Add/Install an Identity Certificate The Identity Certif icate panel lets you imp ort an exis ting identity certif icate from a f ile or add a ne w certificate conf iguration from an e xisting file.[...]

  • Page 809

    33-13 Cisco ASDM User Guide OL-16647-01 Chapter 33 Configuring Certific ates Identity Certificates Authentication Click the appropriate optio n to acti vat e one of the follo wing: Add Identity Certificate Fields Assign values to the f ields in the Add Identity Certif icat e dialog box as follo ws: • T o import an identit y certificate from an ex[...]

  • Page 810

    33-14 Cisco ASDM User Guide OL-16647-01 Chapter 33 Configuring Certificates Identity Certific ates Authentication – Name (in K ey P air > Ne w window )—Selects a default ke y pair name, such as <Default-RSA-K e y>, or you can enter a ne w ke y pair name. – Size (in K ey P air > Ne w windo w)—Specif ies th e defa ult ke y pair si[...]

  • Page 811

    33-15 Cisco ASDM User Guide OL-16647-01 Chapter 33 Configuring Certific ates Identity Certificates Authentication – Va l u e : ( in Certificate Sub ject DN > Selec t wind ow)— Enter the v alue for each of the DN attrib utes that you select in the At tribut e list. W ith a v alue assigned to an attribute, use the now-activ e Add b utton to ad[...]

  • Page 812

    33-16 Cisco ASDM User Guide OL-16647-01 Chapter 33 Configuring Certificates Identity Certific ates Authentication Export Identity Certificate Fields • Export to a file —Specify th e name of the PKCS12-format f ile to use in e xporting the certif icate configuration; • Certif icate F orma t—Click PKCS12 format, the pub lic ke y cryptography [...]

  • Page 813

    33-17 Cisco ASDM User Guide OL-16647-01 Chapter 33 Configuring Certific ates Identity Certificates Authentication – New —Click to add a ne w ke y pair , pro viding a name, modulus size, and usage. When yo u generate the ke y pair , you ha v e the option of sending it to the security appliance or sa ving it to a file. • Certif icate Subject DN[...]

  • Page 814

    33-18 Cisco ASDM User Guide OL-16647-01 Chapter 33 Configuring Certificates Code-Signer Certificates Step 7 In the Advanced Options panel, verify that the FQDN: f ield is the correct FQDN of the security appliance and click OK to close the windo w . Step 8 In the Add Identity Certif icate panel, click the Add Certif icate at th e bottom. Step 9 Whe[...]

  • Page 815

    33-19 Cisco ASDM User Guide OL-16647-01 Chapter 33 Configuring Certific ates Code-Signer Certificates Show Code-Signer Certificate Details The Show Details b utton displays the Code Si gner Details dialog box, which sho ws the fol lowing information about the selected certificate: • General —Displays the v alues for type, serial n umber , statu[...]

  • Page 816

    33-20 Cisco ASDM User Guide OL-16647-01 Chapter 33 Configuring Certificates Local Certificate Authority Import or Export a C ode-Signer Certificate Assign v alues to the f ields in the Import Certif icate windo w as follo ws: • Decryption Passphrase: Specify the passphrase used to decrypt th e PKCS12 file • Files to Import From: Y ou can type t[...]

  • Page 817

    33-21 Cisco ASDM User Guide OL-16647-01 Chapter 33 Configuring Certific ates Local Certificate Authority Note The local CA provides a certificat e authority on the adaptiv e secur ity appliance for use with SSL VPN connections, both brow ser - and client-based. User enrollment is by bro wser webpage login. The Loca l C A integrates basic certificat[...]

  • Page 818

    33-22 Cisco ASDM User Guide OL-16647-01 Chapter 33 Configuring Certificates Local Certificate Authority Configuring the Local CA Sever The CA Serv er window lets you cust omize, modify , and control Local CA server operation. This section describes the parameters that can be specified. Additional paramete rs ar e av aila ble when you c lick Mor e O[...]

  • Page 819

    33-23 Cisco ASDM User Guide OL-16647-01 Chapter 33 Configuring Certific ates Local Certificate Authority Note Click A pply to be sure you sav e the Local CA certif icate and k ey pair so the conf iguration is not lost if you reboot t he security appliance. When you select the Disable button to halt the Local CA serv er , you sh utdo wn its operatio[...]

  • Page 820

    33-24 Cisco ASDM User Guide OL-16647-01 Chapter 33 Configuring Certificates Local Certificate Authority SMTP Server & Email Settings T o set up e-mail access for the Local CA se rver , yo u configure The Simple Mail Transfer Protocol (SMTP) e-mail server , the e-mail address from which to send e-mails to Local CA users, and you specify a standa[...]

  • Page 821

    33-25 Cisco ASDM User Guide OL-16647-01 Chapter 33 Configuring Certific ates Local Certificate Authority That Local CA database resides can be configured to be on an of f-box f ile system that is mounted and accessible to the security appl iance. T o specify an ext ernal file or share, enter the pathname to the external f ile or click Br owse and s[...]

  • Page 822

    33-26 Cisco ASDM User Guide OL-16647-01 Chapter 33 Configuring Certificates Manage User Certificates Reset Button The Rese t button remo ves an y changes or edits and returns th e display to the original content s. Deleting the Local CA Server The Delete Certif icate A uthority Serve r b utton at the bo ttom of the More Options section of the CA Se[...]

  • Page 823

    33-27 Cisco ASDM User Guide OL-16647-01 Chapter 33 Configuring Certific ates Manage User Certifica tes Whene ver you change any certif icate status, be sure to update th e CRL to reflec t the latest c hanges. • T o change certificate status, see Re v oking a Local C A Certif icate and Unre voking a Local CA Certif icate . Revoking a Local CA Cert[...]

  • Page 824

    33-28 Cisco ASDM User Guide OL-16647-01 Chapter 33 Configuring Certificates Manage User Database Manage User Database The Local CA user database contains use r identif ication in formation and the status of each user in the system (enrolled, allo wed, re v oked, etc.). W ith the Manage User Databa se window , you can add new users, select specific [...]

  • Page 825

    33-29 Cisco ASDM User Guide OL-16647-01 Chapter 33 Configuring Certific ates Manage User Data base Add a Local CA User The Add b utton allo ws you to enter a ne w user into the Local CA database. Each ne w user to be entered into the database must have a predefined us er name, e-mail address, and subject name. Local CA Add User Fields • Username:[...]

  • Page 826

    33-30 Cisco ASDM User Guide OL-16647-01 Chapter 33 Configuring Certificates Manage User Database Delete a Local CA User The Delete b utton remo ves the selected user from the database an d remov es an y certif icates iss ued to that user from the Local CA Database. A deleted user cannot be restored; to recreate the delete d user record, you must us[...]

  • Page 827

    CH A P T E R 34-1 Cisco ASDM User Guide OL-16647-01 34 IKE IKE, also called ISAKM P , is the negotiation pr otocol that lets two hosts agr ee on how to b uild an I Psec security associat ion. T o configure the securi ty appliance for virtual pri vat e networks, you set global IKE parameters that apply system wi de, and you also create IKE policies [...]

  • Page 828

    34-2 Cisco ASDM User Guide OL-16647-01 Chapter 34 IKE IKE Parameters • Select the second or thi rd option for the Fragmentation Policy paramet er in the Configuration > VPN > IPsec > Pre-Fragmentation pa nel. These options let traff ic tra vel across N A T devices that do not support IP fr agmentation; the y do not impede the operation o[...]

  • Page 829

    34-3 Cisco ASDM User Guide OL-16647-01 Chapter 34 IKE IKE Parameters Alerting Peers Before Disconnecting Client or LAN-to-LAN sessions may be dro pped fo r sev eral reasons, such as: a security appliance shutdo wn or reboot, sessi on idle timeout, maximu m co nnection time exceeded, or administrato r cut-of f. The security appliance can notify qual[...]

  • Page 830

    34-4 Cisco ASDM User Guide OL-16647-01 Chapter 34 IKE IKE Policies – Ke y Id String —T ype the alpha-numeric string the peer s use to look up the preshared key . • Disable inbound aggr essive mode connections —Select to disable aggres si ve mode connections. • Alert peers bef ore disconnecting —Select to h av e the securi ty appliance n[...]

  • Page 831

    34-5 Cisco ASDM User Guide OL-16647-01 Chapter 34 IKE IKE Policies – Priority # —Sho ws the priority of the policy . – Encryption —Shows the encry ption method. – Hash —Sho ws the has al gorithm. – D-H Group —Sh ows the Di ff ie-Hellman gro up. – A uthentication —Sho ws the authentication method. – Lifetime (secs)—Sho ws the[...]

  • Page 832

    34-6 Cisco ASDM User Guide OL-16647-01 Chapter 34 IKE IKE Policies D-H Group —Select th e Diff ie-Hellman group identi fier , which the two IPsec peers use to deri ve a shared secret without transm itting it to each other . Lifetime (secs)—Either select Unlimited or type an integer fo r the SA lifetime. The default is 86 ,400 seconds or 24 ho u[...]

  • Page 833

    34-7 Cisco ASDM User Guide OL-16647-01 Chapter 34 IKE IKE Policies only with the priv ate IP addresses that get assigned to cl ients. Th e IP addresses assigned to other resources on your pri v ate network are part of your n etwork administr ation responsibilities, not part of security appliance management. Therefore, when we discuss IP addresses h[...]

  • Page 834

    34-8 Cisco ASDM User Guide OL-16647-01 Chapter 34 IKE IPsec • Ending Address —Sho ws the last IP address a vai lable in each configured pool. • Subnet Mask —Sho ws the subnet mask for addresses i n each conf igured pool. • Add —Click to add a ne w address pool. • Edit/Delete —Click to edit or delete an al ready conf igured address p[...]

  • Page 835

    34-9 Cisco ASDM User Guide OL-16647-01 Chapter 34 IKE IPsec Note The ASA supports LAN-to-LAN I Psec connections with Cisco peers, and with third-party peers that comply with all rele v ant stan dards. During tunnel establishment, the tw o peers nego tiate security associations that gov ern authenticatio n, encryption, encapsulation, and k ey manage[...]

  • Page 836

    34-10 Cisco ASDM User Guide OL-16647-01 Chapter 34 IKE IPsec Fields Note Y ou cannot edit, delete, or cop y an implicit rule. The securi ty appliance implici tly accepts the traf fic selection proposal from remote client s when configur ed with a dynamic tunn el policy . Y ou can override it by gi ving a specific tr af fic selection. • Add — Cl[...]

  • Page 837

    34-11 Cisco ASDM User Guide OL-16647-01 Chapter 34 IKE IPsec • SA Lifetime —Displays the S A lifetime for the rule. • CA Certificate —Displays the CA certif icate for the pol icy . This applies to static connection s only . • IKE Negotiation Mode —Displays w hether IKE negot iations use main or aggressi v e mode. • Description —(Opt[...]

  • Page 838

    34-12 Cisco ASDM User Guide OL-16647-01 Chapter 34 IKE IPsec central-site device. A dynamic tunnel policy is useful when the remo te access clients ha ve dynamically assigned IP addresses o r when you do no t want to configure separate pol icies for a large number of remote access clients. Fields • Interface —Select the interface name to which [...]

  • Page 839

    34-13 Cisco ASDM User Guide OL-16647-01 Chapter 34 IKE IPsec Create IPsec Rule/Tunnel Policy (Crypto Map) - Advanced Tab Fields • Security Association Lifetime parameters—Conf igures the duration of a Security Association (SA). This parameter specif ies how to measure the lifetime of th e IPsec SA ke ys, which is ho w long the IPsec SA lasts un[...]

  • Page 840

    34-14 Cisco ASDM User Guide OL-16647-01 Chapter 34 IKE IPsec – Add/Edit—Choose IP Address or Netw ork Object Group to add more sour ce addr esses or groups. – Delete—Click to delete an entry . – Filter—Enter an IP Address to f ilter the results displ ayed. – Name —Indicates that the parameters that f ollow specify the name of the so[...]

  • Page 841

    34-15 Cisco ASDM User Guide OL-16647-01 Chapter 34 IKE IPsec – Destinatio n —Specify the IP address, network object group or interface IP address for the source or dest ination host or netw ork. A rule cannot use the same address as both the source and destination. Click ... for either of these fields to launch the Bro wse dialogs that contain [...]

  • Page 842

    34-16 Cisco ASDM User Guide OL-16647-01 Chapter 34 IKE IPsec – Tim e R an g e —Specify the name of an existing time range or create a new range. – ... —Displays the Add T ime Range pane, on wh ich you can define a ne w time range. – Please enter the description below ( optional) —Pro vides space for you to enter a brief description of t[...]

  • Page 843

    34-17 Cisco ASDM User Guide OL-16647-01 Chapter 34 IKE IPsec Fields • Pre- Fragmentation —Sho ws the current pre-fragmentation configu ration for e ver y configured interface. – Interface —Sho ws the name of each configured interface. – Pre- Fragmentation Enabled —Shows, for each interf ace, whether pre-fragmentation is enabled. – DF [...]

  • Page 844

    34-18 Cisco ASDM User Guide OL-16647-01 Chapter 34 IKE IPsec IPsec Transform Sets Use this panel to vie w and add or edit transf orm sets. A transform is a set of operations done on a data flo w to provide data authen tication, data conf identiality , and data compression. F or example, one transform is the ESP p rotocol with 3DES encr yption and t[...]

  • Page 845

    34-19 Cisco ASDM User Guide OL-16647-01 Chapter 34 IKE Load Balancing – ESP Encryption —Selects the Encapsulating Security Proto col (ESP) encryption algorithms for the transform set s. ESP provi des data priv ac y services, optional data aut hentication, and anti-replay services. ESP encapsulates the data being protected. – ESP A uthentica t[...]

  • Page 846

    34-20 Cisco ASDM User Guide OL-16647-01 Chapter 34 IKE Load Balancing T o implement load balancing, y ou group together lo gically tw o or more de vices on the same pri v ate LAN-to-LAN network i nto a virtual cluster . All de vices in the virtu al cluster carry session load s. One de vice in the virt ual cluster , the virtual cluster master , dire[...]

  • Page 847

    34-21 Cisco ASDM User Guide OL-16647-01 Chapter 34 IKE Load Balancing – Enable IPsec Encryption —Enables or disables IPsec encryption. If you select this check box , you must also specify and v erify a shar ed secret.The secur ity appliances in the virtual c luster communicate via LAN-to-LAN tunnels using IPse c. T o ensure that all load-balanc[...]

  • Page 848

    34-22 Cisco ASDM User Guide OL-16647-01 Chapter 34 IKE Setting Global NAC Parameters Step 2 Add an entry for each of y our securi ty appliance outside interfaces into your DNS server , if such entries are not already present. Each security appliance out side I P address should ha ve a DN S entry associated with it for lookups. Th ese DNS entries mu[...]

  • Page 849

    34-23 Cisco ASDM User Guide OL-16647-01 Chapter 34 IKE Configuring Network Admissio n Control Poli cies server . When the timer e xpires, the security ap pliance tries to initiate a ne w EAP o v er UDP association with the remote host. The setting is in seconds. Enter a value in the range 60 to 8640 0. The default set ting is 180. The Clientless Au[...]

  • Page 850

    34-24 Cisco ASDM User Guide OL-16647-01 Chapter 34 IKE Configuring Network Ad mission Control Policies • Uses, Requirements, and Lim itations • Fields • What to Do Next About NAC N A C protects the enterpri se network from int rusion and infection from worms, viruses, and rogue applications b y performing endpoint compl iancy and vulnerabilit[...]

  • Page 851

    34-25 Cisco ASDM User Guide OL-16647-01 Chapter 34 IKE Configuring Network Admissio n Control Poli cies Uses, Requirements, and Limitations When configured to support N A C, th e se curity appliance functions as a client of a Cisco Secure Access Control Serv er , requiring that you install a minimum of one Access Co ntrol Server on th e network to [...]

  • Page 852

    34-26 Cisco ASDM User Guide OL-16647-01 Chapter 34 IKE Configuring Network Ad mission Control Policies • Delete—Remov es an entry from the Posture V alidation Exception list. What to Do Next Follo wing th e confi guration of the N A C policy , you must assign it to a grou p policy for it to become activ e. T o do so, choose Conf iguration > [...]

  • Page 853

    34-27 Cisco ASDM User Guide OL-16647-01 Chapter 34 IKE Configuring Network Admissio n Control Poli cies Firewall Mode Security Context Routed T ransparent Single Multiple Context Sy stem • — • ——[...]

  • Page 854

    34-28 Cisco ASDM User Guide OL-16647-01 Chapter 34 IKE Configuring Network Ad mission Control Policies[...]

  • Page 855

    CH A P T E R 35-1 Cisco ASDM User Guide OL-16647-01 35 General A virtual pri v ate network is a networ k of virtual circuits t hat carry pri v ate traf fic o ver a public netwo rk such as the Internet. VPNs can connect two or more LANS, or remote users to a LAN. VPNs provide priv ac y and security by requiring all users to au thenticate and by encr[...]

  • Page 856

    35-2 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Client Software Fields • Enable Client Update—Enables or disables client update, both globally and for specif ic tunnel groups. Y ou must enable client update before you can send a client update notif ication to W indo ws, MA C OS X, and Linux VPN clients, or init iate an automatic updat[...]

  • Page 857

    35-3 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Client Software For VPN 3 002 hardware clients, th e upgrade proceed s automatically , with no notif ication. Y o u must check Enable Client Updat e in the windo w for the upgrade t o work. Clients that are not connected receiv e the upgrade notif ication or automa tically upgrade the next t[...]

  • Page 858

    35-4 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Default Tunnel Gateway Default Tunnel Gateway T o confi gure the default tunnel g ate way , click the Static Route link in this windo w . The Config uration > Routing > Routing > St atic Route windo w opens. Modes The follo wing table sho ws the modes in which this featur e is av ai[...]

  • Page 859

    35-5 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Group Polici es • IPSec Security As sociations . • Network lists f or filterin g and split tunneling • User authentication servers, and spec ifically the intern al authentic ation server. Fields • Group Polic y—Lists the currently conf igured group policies and Add, Edit, and Delet[...]

  • Page 860

    35-6 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Group Policies Modes The follo wing table sho ws the modes in which this featur e is av ailable: Add AAA Server Group The Add AAA Serv er Group dialog box lets you confi gure a ne w AAA serv er group. The Accounting Mode attrib ute applies only to RADIUS and T ACA CS+ p rotocols. Fields • [...]

  • Page 861

    35-7 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Group Polici es • Address Pools—(Netw ork (Client) Access only ) Specifi es the name of one or more address pools to use for this grou p policy . • Select—(Network (Client) A ccess only) Opens the Sel ect Address Pools windo w , which sho ws the pool name, startin g and ending addres[...]

  • Page 862

    35-8 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Group Policies • Manage—Opens the Bro wse T ime Range di alog box, on which you can ad d, edit, or delete a time range. • Simultaneous Logins—Specif ies the maximum number of simultan eous logins allowed for this user . The default v alue is 3. The minimum value is 0, which disables [...]

  • Page 863

    35-9 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Group Polici es Fields • Bookmark List—Select a pre viously-conf igured Bookmark list or click Manage to create a new one. Bookmarks appear as links, from which users can na vigat e from the portal page. • URL Entry—Enable to allo w remote users to enter URLs directly int o the porta[...]

  • Page 864

    35-10 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Group Policies • HTTP Proxy—Enables or disables the forwardin g of an HTTP applet proxy to the cl ient. The proxy is useful for technol ogies that interfere with proper content tr ansformation, such as Ja v a, Acti veX, and Flash. It bypasses mang ling while ensuring t he continued use [...]

  • Page 865

    35-11 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Group Polici es Adding or Editing a Site-to- Site Internal Group Policy The Add or Edit Grou p Policy wi ndow lets you specify tunnel ing protocols, f ilters, connection settings, and server s for the gro up polic y being added or mod ified. F or each of th e fi elds on this wi ndo w , chec[...]

  • Page 866

    35-12 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Group Policies example, you can attach an access list to a time range to restrict access to the se curity appliance. A time range consists of a start time, an end t ime, and opti onal recurring (that is, pe riodic) entries. F or more information abou t time ranges, see the online He lp for [...]

  • Page 867

    35-13 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Group Polici es • Recurring T ime Ranges—Constrains the acti v e time of this time range within the start and end times when the time range is acti v e. For e xample, if the st art time is start no w and the end time is ne v er end, and you want t he time range to be ef fecti ve e v ery[...]

  • Page 868

    35-14 Cisco ASDM User Guide OL-16647-01 Chapter 35 General ACL Manager ACL Manager The A CL Manager dialog box lets you def ine access control lists (A CLs) to control the access of a specific ho st or network to another host/net work, including the protoco l or port that can be used. Y ou can configure A CLs (Access Control Lists) to appl y to use[...]

  • Page 869

    35-15 Cisco ASDM User Guide OL-16647-01 Chapter 35 General ACL Manager Extended ACL This pane prov ides summary information about e x tended A CLs, and let s you add or edit A CLs and AC E s . Fields • Add—Lets you add a ne w A CL. When you highlight an e xisting A CL, i t lets you add a ne w A CE for that A CL. • Edit—Opens the Edit A CE d[...]

  • Page 870

    35-16 Cisco ASDM User Guide OL-16647-01 Chapter 35 General ACL Manager • T ime—Specif ies the name of the time range to be applied i n this rule. • Description—Sho ws the description you t yped when you added the rule. An impli cit rule includes the follo wing description: “Implicit ou tbound rule. ” Modes The follo wing table sho ws th[...]

  • Page 871

    35-17 Cisco ASDM User Guide OL-16647-01 Chapter 35 General ACL Manager – Protocol—Selects the protocol to which this rule ap plies. Possible v alues are ip, tcp, udp, icmp, and other . The remaining av aila ble f ields in the Protocol and Service area depend upo n the protocol you select. The ne xt fe w bu llets describe the consequences of eac[...]

  • Page 872

    35-18 Cisco ASDM User Guide OL-16647-01 Chapter 35 General ACL Manager Browse Source/Destination Address The Brow se Source or Destination Ad dress dialog box lets you select an obj ect to use a s a source or destinatio n for thi s rule. Fields • T ype—Determines the type of object to use as the source or destination for th is rule. Selections [...]

  • Page 873

    35-19 Cisco ASDM User Guide OL-16647-01 Chapter 35 General ACL Manager Modes The follo wing table sho ws the modes in which this featur e is av ailable: Add TCP Service Group The Add TCP Service Group dialog box lets you config ure a new a TCP servi ce group or port to add to the bro wsable source or destination port list for t his protocol in this[...]

  • Page 874

    35-20 Cisco ASDM User Guide OL-16647-01 Chapter 35 General ACL Manager • Filter/Clear—Specif ies a filter crit erion that you can use to search for items in the Name list, thus displaying only thos e items that match that crit erion. When you make an en try in the Filter f ield, the Filter b utton becomes acti ve. Clicki ng the Filter b utton p[...]

  • Page 875

    35-21 Cisco ASDM User Guide OL-16647-01 Chapter 35 General ACL Manager Browse Other The Brow se Other dialog box lets you sel ect a protocol group for this rul e. Fields • Add—Opens the Add Pro tocol Group dialog box, on which you can conf igure a ne w service group. • Find—Opens the Filter fiel d. • Filter/Clear—Specif ies a filter cri[...]

  • Page 876

    35-22 Cisco ASDM User Guide OL-16647-01 Chapter 35 General ACL Manager Add/Edit Internal Group Policy > Servers The Add or Edit Group Polic y windo w , Servers item lets you specify DNS and WINS servers, as well as the DHCP scope and default domain. Add/Edit Internal Group Policy > IPSec Client The Add or Edit Group Poli cy > IPSec dialog [...]

  • Page 877

    35-23 Cisco ASDM User Guide OL-16647-01 Chapter 35 General ACL Manager – Server Addresses (space delimited )—Specifies the IP addresses of the IPSec backup servers. This f ield is a v ailable only when th e v alue of the Server Co nfiguratio n selection is Use the Backup Servers Belo w . Modes The follo wing table sho ws the modes in which this[...]

  • Page 878

    35-24 Cisco ASDM User Guide OL-16647-01 Chapter 35 General ACL Manager – Y o u must specify the so ftware ver sion for this client. Y ou can specify * to ma tch any version. – Y o ur entries must match e xactly those on the URL fo r the VPN client, or the TFTP serv er for the VPN 3002. – The TFTP server for distr ibuting the hardw are client [...]

  • Page 879

    35-25 Cisco ASDM User Guide OL-16647-01 Chapter 35 General ACL Manager Fields • Inherit—(Multiple instances) Indicates that the corresponding setting tak es its v alue from the default gro up policy . Deselecting the Inherit check box mak es other options a v ailable f or the parameter . Th is is the default option for all attributes on this ta[...]

  • Page 880

    35-26 Cisco ASDM User Guide OL-16647-01 Chapter 35 General ACL Manager Note A carriage return/line feed, create d by pressing Enter , counts as 2 characters. Modes The follo wing table sho ws the modes in which this featur e is av ailable: Add/Edit Internal Group Policy > Client Configuration Tab > Cisco Client Parameters Tab This tab conf ig[...]

  • Page 881

    35-27 Cisco ASDM User Guide OL-16647-01 Chapter 35 General ACL Manager Add or Edit Internal Group Policy > Advanced > IE Browser Proxy This dialog bo x configures attribut es for Microsoft Internet Explorer . Fields • Proxy Server Po licy—Conf igures the Micro soft Internet Explorer bro wser prox y actions (“methods”) for a client PC.[...]

  • Page 882

    35-28 Cisco ASDM User Guide OL-16647-01 Chapter 35 General ACL Manager – Rotating prox ies by time of day or day of the week to accommodate a server maintenance schedule. – Specifying a backup proxy serv er to use in case the pr imary proxy fails. – Specifying the nearest proxy for roaming u sers, based on the lo cal subnet. Y o u can use a t[...]

  • Page 883

    35-29 Cisco ASDM User Guide OL-16647-01 Chapter 35 General ACL Manager Add/Edit Internal Group Poli cy > Client Firewall Tab The Add or Edit Group Policy wi ndo w , Client Firew all tab, lets you con figur e fir ew all settings for VPN clients for the group po licy being added or modified . Note Only VPN clients running Microsoft W in dows can u[...]

  • Page 884

    35-30 Cisco ASDM User Guide OL-16647-01 Chapter 35 General ACL Manager Note If you require a f ire wall for a group , make sure the group does not in clude any clients ot her than W indo ws VPN clients. An y other clients in the group (in cluding ASA 5505 in client mode an d VPN 3002 hardwa re clients) are unable to connect. If you ha ve remote use[...]

  • Page 885

    35-31 Cisco ASDM User Guide OL-16647-01 Chapter 35 General ACL Manager Add/Edit Internal Group Poli cy > Hardware Client Tab The Add or Edit Group Poli cy > Hardw are Client dialog box lets you co nfigure sett ings for the VPN 3002 hardw are client for the group polic y being adde d or modi fied . The Hardware Client tab parameters do not per[...]

  • Page 886

    35-32 Cisco ASDM User Guide OL-16647-01 Chapter 35 General ACL Manager If you ha ve a def ault home page on the remote network behind the security appli ance, or if you direct the bro wser to a website on the remote netwo rk behi nd the security appliance, the hardware client directs the bro wser to the proper pages for user lo gin. When you succes[...]

  • Page 887

    35-33 Cisco ASDM User Guide OL-16647-01 Chapter 35 General ACL Manager Note Cisco LEAP au thenticates wi reless clients to RA DIUS servers. It d oes not include RADI US accounting services. LEAP users behin d a hardware client ha ve a ci rcular dilemma: they cannot negoti ate LEAP authentication because th ey cannot send their credential s to the R[...]

  • Page 888

    35-34 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Configuring SSL VPN Conn ections Fields • List Name—Specif ies the name of the list to be added or selects the nam e of the list t o be modif ied or deleted. • URL Display Name—Specif ies the URL name d isplayed to the user . • URL—Specif ies the actual URL asso ciated with the [...]

  • Page 889

    35-35 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Configuring SSL VPN Connections Connection Prof iles—Conf igure protocol-specif ic attrib utes for connect ions (tunnel groups). • Add/Edit—Click to Add or Edit a Connectio n Profile (tun nel group). • Name—The name of the Connection Prof ile. • Aliases—Other names b y which t[...]

  • Page 890

    35-36 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Configuring SSL VPN Conn ections Setting Advanced Attributes for an IPSec or SSL VPN Connection Use the advanced attrib utes to fine-tune the p arameters of the IPSec or SSL VPN co nnection. Setting General Attributes for an IPSec or SSL VPN Connection Choose Advanced > General in the Ad[...]

  • Page 891

    35-37 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Configuring SSL VPN Connections Lookup. Y ou append the group to the username in the format username<delimiter>gr oup , the possibilities being, for e xample, J aneDoe@VPNGr oup, Ja neDoe#VPNGr oup , and J aneDoe!VPNGr oup . • Passwo rd Management—Lets you config ure parameters re[...]

  • Page 892

    35-38 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Configuring SSL VPN Client Connections Note This does not change the number of days before the password expi res, but rather , it enables the notif ication. If you select this o ption, you must also specify t he number of days. Modes The follo wing table sho ws the modes in which this featu[...]

  • Page 893

    35-39 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Configuring SSL VPN Client Connections • Keep Installer on Client System —Enable to all ow permanent client installation on th e remote computer . Enabling disables the automatic uninstall ing feature of the client. The client remains installed on the remote computer for subsequent co n[...]

  • Page 894

    35-40 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Configuring SSL VPN Client Connections Figur e 35-1 Promp t Displa yed t o Remot e Users f or SSL VPN Client Do wnload Fields • Inherit—Check to i nherit the v alue from the def ault group polic y . • Post Login Setting— Choose to pro mpt the user and set t he timeout to perform th [...]

  • Page 895

    35-41 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Configuring SSL VPN Client Connections Dead Peer Detection Dead Peer Detection (DPD) ensures that the security appliance (gateway) or the client can quickly detect a condition where the pe er is not responding, and the connect ion has failed. Fields • Gateway Side Detection— Uncheck the[...]

  • Page 896

    35-42 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Configuring Clien tless SSL VPN Connections Fields • V iew (Unlabel ed)—Indicates whether the selected entry is e xpanded (minus sign) o r contracted (plus sign). • # column—Specifies the A CE ID number . • Enable—Indi cates whethe r this A C L is enabled or disabled. Y ou can e[...]

  • Page 897

    35-43 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Configuring Clientless SSL VPN Connections – Add—Opens the Add Clientl ess SSL VPN dialog box for the selected conn ection. – Edit—Opens the Edit Clien tless SSL VPN dialog box for the sel ected connection. – Delete—Removes the selected connection from the table. There is no con[...]

  • Page 898

    35-44 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Configuring Clien tless SSL VPN Connections • Clientless SSL VPN attrib utes. Add or Edit Clientless SSL VPN Connections > Advanced > General Use this wi ndow to specify whether to strip the re alm and group from the username before passing them to the AAA serv er , and to specify p[...]

  • Page 899

    35-45 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Configuring Clientless SSL VPN Connections day that the p assword expires. The default is to notify t he user 14 days prior to password expir ation and e very day thereafter unti l the user changes the password. The range is 1 through 180 days. Note This does not change the number of days b[...]

  • Page 900

    35-46 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Configuring Clien tless SSL VPN Connections Assign Authentication Server Group to Interface This dialog box lets you associate an interf ace with a AAA serv er group. The results app ear in the table on the Authenticati on dialog box. Fields • Interface—Selects an interface, DMZ, Ou tsi[...]

  • Page 901

    35-47 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Configuring Clientless SSL VPN Connections Add or Edit SSL VPN Connections > Advanced > SSL VPN This dialog box lets you config ure attrib utes that af fect what the remote user sees upon login. Fields • Login Page Customizatio n—Config ures the look and fe el of the user login pa[...]

  • Page 902

    35-48 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Configuring Clien tless SSL VPN Connections Add or Edit Clientless SSL VPN Connections > Advanced > Name Servers The table on this dialog b ox shows the attributes of the already-configured NetBIOS serv ers. The Add or Edit T un nel Group windo w for Client less SSL VP N access, NetBI[...]

  • Page 903

    35-49 Cisco ASDM User Guide OL-16647-01 Chapter 35 General IPSec Remote Access Co nnection Profiles Add or Edit Clientless SSL VPN Connections > Advanced > Clientless SSL VPN This dialog box lets you specify portal-related attrib utes for Clientless SSL VPN connections. Fields • Portal Page Customization—Selects the cust omization to appl[...]

  • Page 904

    35-50 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Add or Edit an IPSec Remo te Access Connection Profile Add or Edit an IPSec Remote Access Connection Profile The Add or Edit IPSec Remote Acce ss Connection Prof ile dialog box has a na vigation pane that lets you select basic or advanced elements to conf igure. Add or Edit IPSec Remote Acc[...]

  • Page 905

    35-51 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSec or SSL VPN Connec tion Profiles – Manage—Opens the Conf igure Group Policies dialog box, fro m which you can add, edit, or delete grou p policies. – Client Protocols—Selects the proto col or protocols to u se for this connection. By def ault, both IPSec[...]

  • Page 906

    35-52 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSe c or SSL VPN Connection Profiles • Add/Edit Certif icate Matching Rule Criterion Add/Edit Certificate Matching Rule Use the Add/Edit Certif icate Matching Rule dialog box to assign the name of a li st (map) to a connection profile. Fields • Map —Choose one[...]

  • Page 907

    35-53 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSec or SSL VPN Connec tion Profiles Add/Edit Certificate Matching Rule Criterion Use the Add/Edit Certificate Matching Rule Criterion dialog box to conf igur e a certif icate matching rule criterion for the selected grou p. Fields • Rule Priority —(Display only[...]

  • Page 908

    35-54 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSe c or SSL VPN Connection Profiles • Operator —Select the operator used in the rule: – Equals —The distinguished name f ield must e xactly match the v alue. – Contains —The distinguished name f ield must in clude the v alue within it. – Does Not Equa[...]

  • Page 909

    35-55 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSec or SSL VPN Connec tion Profiles Add/Edit Site-to-Site Connection The Add or Edit IPSec Si te-to-Site Connection dialog box lets you create or modify an IPSec Site-to-Site connection. These dialog boxes let yo u specify the peer IP address, specify a connec tion[...]

  • Page 910

    35-56 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSe c or SSL VPN Connection Profiles Adding or Editing a Site-to-Site Tunnel Group The Add or Edit IPSec Site-to-Site T unnel Group dialog box lets you specify attr ibutes for the IPSec site-to-site conn ection that you ar e adding. In additio n, you can select IKE [...]

  • Page 911

    35-57 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSec or SSL VPN Connec tion Profiles Crypto Map Entry In this windo w , specify crypto para meters for the Con nection Prof ile. Fields • Priority —A unique priority (1 through 65 ,543, with 1 the highest priority) . When IKE negotiation begins , the peer that i[...]

  • Page 912

    35-58 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSe c or SSL VPN Connection Profiles • Perfect F orward Secrecy —Ensures that the key for a gi ven IPSec SA w as not deriv ed from any other secret (lik e some other keys). If someone we re to break a ke y , PFS ensures that the attacker would not be able to der[...]

  • Page 913

    35-59 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSec or SSL VPN Connec tion Profiles • Sho w Details—Displays detailed inf ormation about a certif icate that you select in the table. • Delete—Removes the selected certificate from th e table. There is no conf irmation or u ndo. Modes The follo wing table s[...]

  • Page 914

    35-60 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSe c or SSL VPN Connection Profiles Fields • The radio buttons specify whether to check certif i cates for rev ocation. The v alues of these buttons are as follows: – Do not check certifi cates for re v ocation – Check Certif icates for re v ocation • Rev o[...]

  • Page 915

    35-61 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSec or SSL VPN Connec tion Profiles Note Allowi ng ov erride account-disabled is a poten tial security risk. – Enable notif ication upon password e xpiration to allo w user to change password —Checking this check box mak es the follo wing two parameters a v ail[...]

  • Page 916

    35-62 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSe c or SSL VPN Connection Profiles – T o add an address pool to th e security appliance, choose Add . The Add IP Pool dialog box opens. – T o change th e conf iguration of an addres s pool on the security appliance, choose Edit . The Edit IP Pool dialog box op[...]

  • Page 917

    35-63 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSec or SSL VPN Connec tion Profiles Fields Use the follo wing descriptions to assign v alues to the f ields in this wi ndow: • Global Client Address Assignment Pol icy—Conf igu res a polic y that affects all IPSec and SSL VPN Client connections ( including An y[...]

  • Page 918

    35-64 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSe c or SSL VPN Connection Profiles Select Address Pools The Select Address Pools windo w sho ws the poo l name, starting and ending addresses, and su bnet mask of address pools av ailable for client address assignment and lets you add, edit, or delete entries from[...]

  • Page 919

    35-65 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSec or SSL VPN Connec tion Profiles Add/Edit Tunnel Group > G eneral Tab > Authentication This dialog bo x is av ailable fo r IPSec on Remote Access and Site-to-Si te tunnel groups. The setting s on this dialog box apply to the tunnel group glo bally across t[...]

  • Page 920

    35-66 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSe c or SSL VPN Connection Profiles – Server Group—Select an av ailabl e, pre viously conf igured authorization server group or group of servers, i ncluding the LOCAL grou p. Y ou can associate a serv er group with more than on e interface. – Add—Click Add [...]

  • Page 921

    35-67 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSec or SSL VPN Connec tion Profiles Add/Edit SSL VPN Connections > Advanced > Accounting The settings on this dialog box apply to the connection (t unnel group) globally across th e security appliance. This dialog box lets you co nfigure the fo llowi ng attri[...]

  • Page 922

    35-68 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSe c or SSL VPN Connection Profiles Add/Edit Tunnel Group > General > Advanced The Add or Edit T unnel Group window , General, Advanced dialog box, lets you con figure t he follow ing interface-specif ic attrib utes: • Interface-Specif ic Authenti cation Se[...]

  • Page 923

    35-69 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSec or SSL VPN Connec tion Profiles • Authentication Mode—S pecifies t he authentication mode: none, xauth, o r hybrid. – none—Specif ies no authentication mode. – xauth—Specif ies the use o f IKE Extended Authentication mode, wh ich provides the capabi[...]

  • Page 924

    35-70 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSe c or SSL VPN Connection Profiles • Client VPN Software Up date T able—Li sts the client type , VPN Client revisions, and image UR L for each cl ient VPN softw are packag e installed. F o r each client type, you can specify the acceptable client software revi[...]

  • Page 925

    35-71 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSec or SSL VPN Connec tion Profiles • Default Gr oup Polic y—Specif ies the follo wing group-po licy attr ibutes: – Group Polic y—Selects a group polic y to use as the def ault group polic y . The default v alue is DfltGrpPolicy . – Manage—Opens the Con[...]

  • Page 926

    35-72 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSe c or SSL VPN Connection Profiles Fields • Name—Specif ies the name assigned to this tun nel group. For th e Edit function, this f ield is display-only . • T ype—( Display-only ) Display s the type of tun nel group you are adding or editing. The contents [...]

  • Page 927

    35-73 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSec or SSL VPN Connec tion Profiles – Enable notif ication pri or to expirat ion—When you check this op tion, the security appli ance notif ies the remote user at login th at the current password is ab out to expir e or has expired, then of fers the user the op[...]

  • Page 928

    35-74 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSe c or SSL VPN Connection Profiles 2. An extended authentication (xau th) e xchange then au thenticates th e remote VPN user . This extended authentication can use one of th e supported le gac y authentication methods. Note Before setting the authenticati on type [...]

  • Page 929

    35-75 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSec or SSL VPN Connec tion Profiles – Image URL—Specif ies the URL or IP address fr om which the correct VPN client software image can be do wnloaded. Fo r W indo ws-based VPN clients, the URL must be of the form htt p:// or https://. F or ASA 5505 in clien t m[...]

  • Page 930

    35-76 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSe c or SSL VPN Connection Profiles that support such notification; that is, RA DIUS, RADIUS with an NT serv er , and LD AP servers. The security appliance ign ores this command if RADIUS or LD AP auth entication has not been configured. Note that this does not cha[...]

  • Page 931

    35-77 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSec or SSL VPN Connec tion Profiles Configuring Internal Group Policy IPSec Client Attributes Use this windo w to specify whether to strip the re alm and group from the username before passing them to the AAA serv er , and to specify passw ord management options. F[...]

  • Page 932

    35-78 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSe c or SSL VPN Connection Profiles Note Allowi ng ov erride account-disabled is a poten tial security risk. – Enable notif ication upon passwor d expiration to allow user to change password—Checking this check box mak es the follo wing two parameters a v ailab[...]

  • Page 933

    35-79 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSec or SSL VPN Connec tion Profiles • Add—Opens the Assign Address Pool s to Interface windo w , on which you can select an interf ace and select an address pool to assign. • Edit—Opens the Assign Address Pools to Interface window with the interface and add[...]

  • Page 934

    35-80 Cisco ASDM User Guide OL-16647-01 Chapter 35 General System Options Add or Edit an IP Address Pool Config ures or modif ies an IP address pool. Fields • Name—Specifies th e name assign ed to the IP address pool. • Starting IP Address—Specif ies the f irst IP address in the pool. • Ending IP Address—Specifies the last IP address in[...]

  • Page 935

    35-81 Cisco ASDM User Guide OL-16647-01 Chapter 35 General System Options Y ou can require an access rule to apply to the lo cal IP addresses by unchecking this option. The access rule applies to the local IP address, and not to the original client IP address used before the VPN packet w as decrypted. • Limit the maximum number of acti v e IPSec [...]

  • Page 936

    35-82 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Zone Labs Integrity Server • Policy—Select s the split-tunneling policy , specifying whether to include or e xclude from the tunnel the indicated network lists. If you do not select Inherit, t he default is Exclude N etwork List Belo w . • Network List —Selects the networks to wh ic[...]

  • Page 937

    35-83 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Zone Labs Integrity Server Note The current release of the security appliance supports one Inte grity Serv er at a time ev en though the user interfaces suppor t the confi guration of up to f i ve Int egrity Serv ers. If the acti ve Serv er fails, conf igure another Integ rity Server on the[...]

  • Page 938

    35-84 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Easy VPN Remote Easy VPN Remote Easy VPN Remote lets the ASA 5505 act as an Easy VPN client de vice. The ASA 5505 can then initiate a VPN tunnel to an Easy VPN server , which can be a security appliance, a Cisco VPN 3000 Concentrator , an IOS-based router , or a f ire wall acting as an Easy[...]

  • Page 939

    35-85 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Easy VPN Remote – Group Passw ord—Specif ies the password to use with the speci fied group p olicy . – Confir m Password —Requires you to conf irm the group passw ord just entered. – X.509 Certif icat e—Specif ies the use of a n X.509 digital certifi cate, supplie d by a Cer tif[...]

  • Page 940

    35-86 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Advanced Easy VPN Pro perties Advanced Easy VPN Properties Device Pass-Through Certain de vices like Ci sco IP phones, printers, and the like are incapable of performing authentication, and therefore of particip ating in indi vidual uni t authentication. T o accommodate these devi ces, the [...]

  • Page 941

    35-87 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Advanced Easy VPN Propertie s – Add—Mov es the specif ied IP address and mask to the IP Addr ess/Mask list. – Remov e—Mov es the selected IP address and mask pair from the IP Address/ Mask list to the indi vidual IP Address and Mask fields in this area. – IP Address/Mask—Lists t[...]

  • Page 942

    35-88 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Advanced Easy VPN Pro perties[...]

  • Page 943

    CH A P T E R 36-1 Cisco ASDM User Guide OL-16647-01 36 Configuring Dynamic Access Policies This chapater describes ho w to con figure dynamic access policies. It includes the follo wing sections. • Understanding VPN Access Policies • Add/Edit Dynamic Access Policies • Add/Edit AAA At tribu tes • Retrie ve AD Groups from selected AD Server G[...]

  • Page 944

    36-2 Cisco ASDM User Guide OL-16647-01 Chapter 36 Configuring Dynamic Access Policies Understanding VPN A ccess Policies • DfltAccess Policy—Al ways the last en try in the D AP summary t able, always with a pri ority of 0. Y ou can configure Access Policy attributes for the default access pol icy , but it does not contain —and you cannot conf[...]

  • Page 945

    36-3 Cisco ASDM User Guide OL-16647-01 Chapter 36 Configuring Dynamic Access Polic ies Understandin g VPN Access Poli cies DAP Support for Remote Access Connection Types The D AP system supports the fo llo wing remote access methods: • IPsec VPN • Clientless (bro wser-based) SSL VPN • Cisco AnyConnect SSL VPN • PIX cut-through proxy (po stu[...]

  • Page 946

    36-4 Cisco ASDM User Guide OL-16647-01 Chapter 36 Configuring Dynamic Access Policies Understanding VPN A ccess Policies DAP and Endpoint Security The security applia nce obtains endpoint security attr ib utes b y using posture assessment metho ds that you confi gure. These include Cisco Secure Desktop and N AC. F or details, see the Cisco Secure D[...]

  • Page 947

    36-5 Cisco ASDM User Guide OL-16647-01 Chapter 36 Configuring Dynamic Access Polic ies Understandin g VPN Access Poli cies Anti virus (Requires Cisco Secure Desktop) endpoint.a v . labe l .exists Host Scan true — Antivirus program exists endpoint.a v . labe l .version string 32 V ersion endpoint.a v . labe l .descripti on string 12 8 A ntivirus d[...]

  • Page 948

    36-6 Cisco ASDM User Guide OL-16647-01 Chapter 36 Configuring Dynamic Access Policies Understanding VPN A ccess Policies DAP and Anti-Virus, Anti-Spyware, and Personal Firewa ll Programs The security appliance uses a D AP policy when the user attrib utes matches the configured AAA and endpoint attributes. The Prelogin Assessment and Ho st Scan modu[...]

  • Page 949

    36-7 Cisco ASDM User Guide OL-16647-01 Chapter 36 Configuring Dynamic Access Polic ies Understandin g VPN Access Poli cies Fields • Selection Criteria—Determine the AAA and endpoint attrib utes to test for dynamic access pol icy retrie va l. • AAA Attrib utes – AAA Attrib ute—Identifi es the AAA attrib ute. – Operation V alue—Identifi[...]

  • Page 950

    36-8 Cisco ASDM User Guide OL-16647-01 Chapter 36 Configuring Dynamic Access Policies Understanding VPN A ccess Policies Step 8 In the Advanced f ield yo u can enter one or more l ogical exp ressions to set AAA o r endpoint attri butes other than what is possible in the AAA and Endpoint areas above. Step 9 T o configure network and webtype A CLs, f[...]

  • Page 951

    36-9 Cisco ASDM User Guide OL-16647-01 Chapter 36 Configuring Dynamic Access Polic ies Understandin g VPN Access Poli cies • Access Policy Attri butes—These tabs let y ou set attrib utes for net work and webtyp e A CL f ilters, file access, HTTP proxy , URL entry and lists, port forwarding, and clientless SSL VPN access methods. Attrib ute v al[...]

  • Page 952

    36-10 Cisco ASDM User Guide OL-16647-01 Chapter 36 Configuring Dynamic Access Policies Understanding VPN A ccess Policies – File Server Bro wsing—Enables o r disables CIFS bro wsing for file serv ers or shared features. Note Browsing requi res NBNS (Master Browser or WI NS). If that fail s or is not conf igured, we use DNS. Note The CIFS browse[...]

  • Page 953

    36-11 Cisco ASDM User Guide OL-16647-01 Chapter 36 Configuring Dynamic Access Polic ies Understandin g VPN Access Poli cies has tested the follo wing applications: W indows T e rminal Services, T elnet, Secure FTP (FTP over SSH), Perforce, Outlook Expr ess, and Lotus Notes. O ther TCP-based applications may also work, bu t Cisco ha s not teste d th[...]

  • Page 954

    36-12 Cisco ASDM User Guide OL-16647-01 Chapter 36 Configuring Dynamic Access Policies Understanding VPN A ccess Policies – Both-default-Any Connect Client—Connect via eith er clientless or the An yConnect client, with a default of An yConnect. Modes The follo wing table sho ws the modes in which this featur e is av ailable: Add/Edit AAA Attrib[...]

  • Page 955

    36-13 Cisco ASDM User Guide OL-16647-01 Chapter 36 Configuring Dynamic Access Polic ies Understandin g VPN Access Poli cies LD AP attri butes consist of an att ribut e name and attrib ute v alue pair in the D AP record . • RADIUS—The RADIUS client stores all nati ve RADIUS response attrib ute v alue pairs in a database associated with the A AA [...]

  • Page 956

    36-14 Cisco ASDM User Guide OL-16647-01 Chapter 36 Configuring Dynamic Access Policies Understanding VPN A ccess Policies Retrieve AD Groups from selected AD Server Group Y ou can query an Active Directory server for a v ailabl e AD groups in this window . This feature applies only to Acti ve Directory serv ers using LD AP . Use the group informati[...]

  • Page 957

    36-15 Cisco ASDM User Guide OL-16647-01 Chapter 36 Configuring Dynamic Access Polic ies Understandin g VPN Access Poli cies Fields • Endpoint Attrib ute T ype—Select from the drop-do wn list the endpoint at tribu te you want to set. Options include Antisp yware, Anti virus, Appli cation, File, N A C, Operating System, Personal Firew all, Proces[...]

  • Page 958

    36-16 Cisco ASDM User Guide OL-16647-01 Chapter 36 Configuring Dynamic Access Policies Understanding VPN A ccess Policies • Policy (Location)—Enter the Cisco Secure Desk top Microsoft W in dows locati on prof ile, case sensitiv e. Modes The follo wing table sho ws the modes in which this featur e is av ailable: Guide This section pro vides info[...]

  • Page 959

    36-17 Cisco ASDM User Guide OL-16647-01 Chapter 36 Configuring Dynamic Access Polic ies Understandin g VPN Access Poli cies Example : EV AL(endpoint.os.v ersion, “EQ”, “W indo ws XP”, “str ing”) Constructing DAP Logical Expressions Study these examples for help in cr eating lo gical expressions in Lua. • This AAA Lua e xpression tests[...]

  • Page 960

    36-18 Cisco ASDM User Guide OL-16647-01 Chapter 36 Configuring Dynamic Access Policies Understanding VPN A ccess Policies Y o u use ASDM to conf igure CheckAndMsg through t he Advanced f ield in D AP . The security applianc e displays the message to the user only wh en the D A P record containing the LU A Check AndMsg function is selected and resul[...]

  • Page 961

    36-19 Cisco ASDM User Guide OL-16647-01 Chapter 36 Configuring Dynamic Access Polic ies Understandin g VPN Access Poli cies Y o u can b uild the ex pression in this e xample because the deb ug dap trace returns: endpoint.os.windows.hotfix["KB923414 "] = "true"; Checking for Antivirus Programs Y o u can conf igure messages so tha[...]

  • Page 962

    36-20 Cisco ASDM User Guide OL-16647-01 Chapter 36 Configuring Dynamic Access Policies Understanding VPN A ccess Policies The expected result is that the connectio n is not allo wed and the message appears as a blinking ! point. Step 5 Click the blinking ! to see the message and links for remediation. Advanced Lua Functions When working with dynami[...]

  • Page 963

    36-21 Cisco ASDM User Guide OL-16647-01 Chapter 36 Configuring Dynamic Access Polic ies Understandin g VPN Access Poli cies end)() Further Information on Lua Y ou can find detailed LU A programming information at http://www .lua.org/manual /5.1/manual.html . Operator for Endpoint Category Y ou can configure multiple instances of each ty pe of endpo[...]

  • Page 964

    36-22 Cisco ASDM User Guide OL-16647-01 Chapter 36 Configuring Dynamic Access Policies Understanding VPN A ccess Policies Using DAP to Apply a WebVPN ACL D AP can directly enfo rce a subset of access policy attri butes incl uding Network A CLs (for IPsec and AnyConnect), cl ientless SSL VPN W eb-T ype A CLs, URL lists, and Functions. I t cannot dir[...]

  • Page 965

    36-23 Cisco ASDM User Guide OL-16647-01 Chapter 36 Configuring Dynamic Access Polic ies Understandin g VPN Access Poli cies[...]

  • Page 966

    36-24 Cisco ASDM User Guide OL-16647-01 Chapter 36 Configuring Dynamic Access Policies Understanding VPN A ccess Policies[...]

  • Page 967

    CH A P T E R 37-1 Cisco ASDM User Guide OL-16647-01 37 Clientless SSL VPN End User Set-up This ections is f or the system ad ministrator w ho sets up Clientless (bro wser -based) SSL VPN for end users. It summarizes conf iguration requirements an d ta sks for the user remote system. It also specifies information t o communicate to users to get them[...]

  • Page 968

    37-2 Cisco ASDM User Guide OL-16647-01 Chapter 37 Clientless SSL VPN End User Set-up Communicating Security Tips Communicating Security Tips Advise users alw ays to log out from the session. (T o log out of Clientless SSL VPN, cl ick the logout icon on the Clientless SSL VPN toolbar or close the bro wser .) Advise users that usi ng Clientless SSL V[...]

  • Page 969

    37-3 Cisco ASDM User Guide OL-16647-01 Chapter 37 Clientless SSL VPN End User Set-up Configuring Remote Systems to Use Clientless SSL VPN Features T able 37 -2 Cli entless SSL VPN Rem ote S ystem Configuration and End User Requirements T ask Remote Sy stem or End User Requirements Specifications or Use Suggestions Starting Clientless SSL VPN Connec[...]

  • Page 970

    37-4 Cisco ASDM User Guide OL-16647-01 Chapter 37 Clientless SSL VPN End User Set-up Configuring Remote Systems to Use Clientless SSL VPN Features Using the Floating T oolbar in a Clientless SSL VPN Connection A floating toolbar is a v ailable to simplify the use of Clientless SSL VPN. The t oolbar lets you enter URLs, bro wse file locations, and c[...]

  • Page 971

    37-5 Cisco ASDM User Guide OL-16647-01 Chapter 37 Clientless SSL VPN End User Set-up Configuring Remote Systems to Use Clientless SSL VPN Features Network Br owsing and File Management File permi ssions con figu red for sha red remote access Only shared folders and files are accessible via Clientless SSL VPN. Server name and passwords for prot ecte[...]

  • Page 972

    37-6 Cisco ASDM User Guide OL-16647-01 Chapter 37 Clientless SSL VPN End User Set-up Configuring Remote Systems to Use Clientless SSL VPN Features Using A pplications (called Port Forwarding or A pplication Access) Note On Macintosh OS X, only t he Safari bro wser supports this feature. Note Because this featu re requires in stalling Sun Mi crosyst[...]

  • Page 973

    37-7 Cisco ASDM User Guide OL-16647-01 Chapter 37 Clientless SSL VPN End User Set-up Capturing Clientless SSL VPN Data Capturing Clientless SSL VPN Data The CLI capture command lets you log information about websites that do not display properly o ve r a Clientless SSL VPN connection. This data can help your Cisco customer support engineer trou ble[...]

  • Page 974

    37-8 Cisco ASDM User Guide OL-16647-01 Chapter 37 Clientless SSL VPN End User Set-up Capturing Clientless SSL VPN Data Creating a Capture File Perform the follo wing steps to capture dat a about a Clientless SSL VPN session to a fi le. Step 1 T o start the Clientless SSL VPN capture utility , use the capture command from pri vile ged EXEC mode. cap[...]

  • Page 975

    37-9 Cisco ASDM User Guide OL-16647-01 Chapter 37 Clientless SSL VPN End User Set-up Capturing Clientless SSL VPN Data https:// IP_addr ess or hostname of the security appliance/ web vpn_captur e.html The captured content displays in a snif fer format. Step 4 When you finish e xamining the captur e content, stop the cap ture by usin g the no ver si[...]

  • Page 976

    37-10 Cisco ASDM User Guide OL-16647-01 Chapter 37 Clientless SSL VPN End User Set-up Capturing Clientless SSL VPN Data[...]

  • Page 977

    CH A P T E R 38-1 Cisco ASDM User Guide OL-16647-01 38 Clientless SSL VPN Clientless SSL VPN lets users establish a secure, re mote-access VPN tunn el to the security appliance using a web b rowser . There is no need for eith er a software or hardware client. Clien tless SSL VPN provides easy access to a br oad range of web resour ces an d both web[...]

  • Page 978

    38-2 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Security Precautions • Educate users. I f an SSL-enabled s ite is not inside the pri v ate netw ork, users should not vi sit this site ov er a Clientless SSL VPN con nection. They sho uld open a separate bro wser window to visit such sites, and use that browser to vie w the pres[...]

  • Page 979

    38-3 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Security Precaution s Add ACL This pane lets you create a ne w A CL. Fields • A CL Name—Enter a name for the A CL. Maximum 55 characters. Add/Edit ACE An Access Control Entry permits or denies access to sp ecif ic URLs and servi ces. Y ou can configur e multiple A CEs for an A[...]

  • Page 980

    38-4 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Configuring the Setup for Cisco Secu re Deskto p Examples Here are examples of A CLs for Clientless SSL VPN: Modes The follo wing table sho ws the modes in which this featur e is av ailable: Configuring the Setup for Cisco Secure Desktop The Cisco Secure Desktop Setup windo w disp[...]

  • Page 981

    38-5 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Configuring the Setup for Cisco Secure Desktop Note If you click the Br owse Fla sh button to up grade or do wngrade the Cisco Secure Desktop image, select the package to install, and click OK , t he Uninstall C isc o Secure Desktop dialog windo w asks you if you w ant to delete t[...]

  • Page 982

    38-6 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Configuring the Setup for Cisco Secu re Deskto p Y o u can use the b uttons in this wind ow as fo llows: • T o select the pa th of the secured esktop_asa_ < n >_< n >*.pkg f ile to be transferre d, click Upload . The Selected File Path dialo g box displays the conten[...]

  • Page 983

    38-7 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Configuring Application Helper Configuring Application Helper Clientless SSL VPN includes an Application Prof ile Customization Frame w ork option that lets the security appliance handle non-stan dard applications and web resource s so the y display correctly ov er a Clientless SS[...]

  • Page 984

    38-8 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Configuring Ap plication Helper Upload APCF package Fields • Local File Path—Sho ws th e path to the APCF f ile on your computer . Click Brows e Local to automatically insert the path i n this field, or enter t he path. • Brow se Local Files—Click to locat e and choose the[...]

  • Page 985

    38-9 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Auto Signon Auto Signon The Auto Signon win dow o r tab lets you conf igure or edit auto si gnon for users of Clientless SSL VPN . Auto signon is a si mplified single signon method that you can use if you do not alr eady hav e an SSO method deploy ed on your internal netw ork. W i[...]

  • Page 986

    38-10 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Auto Signon Add/Edit Auto Signon Entry The Add/Edit Auto Si gnon Entry dialog box let s you add or edit a ne w auto signon i nstruction. An auto signon instruction def ines a range of internal servers using the auto sig non feature and the particular authentic ation meth od. Fiel[...]

  • Page 987

    38-11 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Configuring Session Settings Configuring Session Settings The Clientless SSL VPN Add/Edit Internal Group Polic y > More Options > Sessio n Settings windo w lets you s pecify person alized user inform ation between clientless SSL VPN s essions. By default, e ach group polic [...]

  • Page 988

    38-12 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Java Code Signer Java Code Signer Code signing appends a digital sign ature to the e xecutable code itsel f. This digital signature pro vides enough information to au thentica te the sign er as well as to ensure that the code has not been subsequently modif ied since si gned. Cod[...]

  • Page 989

    38-13 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Content Rewrite • Restore Cache Default—Click to restore de fault v alues for all cache par ameters. Modes The follo wing table sho ws the modes in which this featur e is av ailable: Content Rewrite The Content Re write pane lists al l applications for which content re write [...]

  • Page 990

    38-14 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Java Code Signer Add/Edit Content Rewrite Rule • Enable cont ent rewrite—Click to en able content r ewrite for this rewrite rule. • Rule Numb er—(Optional ) Enter a nu mber for thi s rule. This num ber specifies the prio rity of the rule, relati ve to the o thers in the l[...]

  • Page 991

    38-15 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Encoding Fields • Code Signer Certif icate —Choose th e conf igured certi f icate that you want to employ in Ja v a object signing. Modes The follo wing table sho ws the modes in which this featur e is av ailable: Encoding This window lets you view or specify the character en[...]

  • Page 992

    38-16 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Encoding – windo ws-125 2 – none If you ch oose none or specif y a v alue that t he browser on the Clientless SSL VPN session do es not support, it uses it s own default encodin g. Y o u can type a string consisting of up to 40 character s, and equ al to one of the v alid cha[...]

  • Page 993

    38-17 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Encoding – shift_jis Note If you are usi ng Japanese Sh if t_jis Character encoding, click Do not specify in the Font Family area of the associated Select Page Font pane to remo ve the font family . – unicode – windo ws-125 2 – none If you ch oose none or specify a valu e[...]

  • Page 994

    38-18 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Encoding • The follo wing example matches URLs such as ht tp://www .cisco.com and ftp://wwz.carrier .com: access-list test webtype permit url *://ww?.c*co*/ • The follo wing e xample matches URLs su ch as http://www .cisco.com:80 and https:// www .cisco.com:81: access-list te[...]

  • Page 995

    38-19 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Port Forwarding Modes The follo wing table sho ws the modes in which this featur e is av ailable: Port Forwarding Both the Port F orwardin g pane and Confi gure Port F orwarding List s dialog box let you view the port forwarding lists. Both the Port F orwar ding pane and the Ad d[...]

  • Page 996

    38-20 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Port Forwarding Requirements and Restrictions The follo wing restrictions apply to port forwarding: • The remote host must be runn ing a 32-bit v ersion of one of the follo wing: – Microsoft W indo ws V ista, W indo ws XP SP2 or SP3; or W in dows 2000 SP4. – Apple Mac OS X [...]

  • Page 997

    38-21 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Port Forwarding • Neither port forw arding nor the ASDM Ja v a applet work with user authent ication using digital certificates. Ja v a does not have the ability to acce ss the web bro wser ke ystore. Therefore Jav a cannot use certificates that the bro wser uses to authen tica[...]

  • Page 998

    38-22 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Configuring the Use of External Proxy Servers Configuring the Use of External Proxy Servers Use the Proxies pane to conf igure the security appliance to u se external proxy servers to handle HTTP requests and HTTPS requests. These servers act as an intermedi ary betwee n users an[...]

  • Page 999

    38-23 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Configuring Proxy Bypass • IP Address—Enter the host name or IP address of the external HTTPS proxy s erver • Port—Enter the port that listens fo r HTTPS requests. The default port is 4 43. • Exception Address List— (Optional) Enter a URL or a comma-delimited list of [...]

  • Page 1000

    38-24 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Configuring Proxy Bypass • Path Mask—Di splays the URI path to match for proxy b ypass. • URL—Displays the tar get URLs. • Re write—Displays the re write options . These are a combination of XML, link, or non e. • Add/Edit—Click to add a pr oxy bypass entr y or ed[...]

  • Page 1001

    38-25 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN DTLS Settings DTLS Settings Enabling Datagram T ransport Layer Security (DTLS) allo ws the AnyCon nect VPN Client establish ing an SSL VPN connection to use tw o simultaneous tunnels—an SSL tunnel and a DTLS tunnel. Using DTLS av oids latenc y and bandwi dt h problems as sociat[...]

  • Page 1002

    38-26 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN SSL VPN Client Settings The security appliance do wnloads the client based on the group polic y or local user polic y attrib utes. Y o u can conf igure the security appl iance to automatically do wnload the cli ent, or you can conf igure it to prompt the remote user abou t whethe[...]

  • Page 1003

    38-27 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN SSL VPN Client Settings Add/Replace SSL VPN Client Image In this windo w , you can specify a f ilename for a file on t he security appliance flash memory that yo u want to add as an SSL VPN client image, or to replac e an image al ready listed in the table. Y ou can also browse t[...]

  • Page 1004

    38-28 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN SSL VPN Client Settings Modes The follo wing table sho ws the modes in which this featur e is av ailable: Add/Edit SSL VPN Client Profiles In this windo w , you can specify the path of a f ile on the local computer or in flash memory of t he security appliance that you w ant to i[...]

  • Page 1005

    38-29 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Bypass Interface A ccess List • Flash File System P ath—Identif ies the f ilename of the f ile in the flash memory of the securi ty appliance that you w ant to id entify as an client profile. • Browse Flash—Displays the Bro wse Flash Dialog wi ndow where you can vie w all[...]

  • Page 1006

    38-30 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN SSO Servers • T o conf igure SSO with the HTTP F orm protocol, see Conf iguring Session Settings . The SSO mechanism either starts as part of the AAA process (HTTP F orm s) or just after successful user authentication to either a AAA se rver (SiteMinder) or a SAML Bro wser Post[...]

  • Page 1007

    38-31 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN SSO Servers SAML POST SSO Serv er Configuration Use the SAML server documentation provided b y th e server softw are vendor to conf igure the SAML server in Relyi ng Party mode. Th e follo wing steps list t he values req uired to config ure the SAML Serv er for Browser Post Prof [...]

  • Page 1008

    38-32 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Clientless SSL VPN Access Step 2 Using your Cisco.com login, do wnload t he file cisco_v pn_auth.jar from http://www .cisco.com/cgi -bin/tableb uild.pl/asa an d copy it to the d efault libr ary directory for the SiteMinder server . This .jar file is also av ailabl e on the Cisco [...]

  • Page 1009

    38-33 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Clientless SSL VPN Access • Config ure the amount of security appli anc e memory that Clientless SSL VPN can use. T o conf igure Clientless SSL VPN services for in di vidual users, the best practice is to use the Confi guration > VPN > General > Group P olicy >Add/E[...]

  • Page 1010

    38-34 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Configuring Smart Tunnel Access Modes The follo wing table sho ws the modes in which this featur e is av ailable: For More Information Clientless SSL VPN End User Set-up Configuring Smart Tunnel Access The Smart T unnels table d isplays the smart tunnel lists, each of which ident[...]

  • Page 1011

    38-35 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Configuring Smart Tunnel Access • Create one or more smart tunnel lists of the client applicati ons, then assign the list to the grou p policies or local u ser policies for whom you w ant to provid e smart tunnel access. • Create one o r more bookm ark list entr ies that sp e[...]

  • Page 1012

    38-36 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Configuring Smart Tunnel Access • When smart tunnel starts, the security appliance t unnels all traff ic from the bro wser process the user used to initiate the cli entless session. If the user starts another instance of th e bro wser process, it passes all traff ic to the tunn[...]

  • Page 1013

    38-37 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Configuring Smart Tunnel Access Configuring a Smart Tunnel (Lotus example) T o conf igure a Smart T unnel, perform the follo wing steps: Note These example instructions p rovide the minimu m instructions required to add smar t tunnel support for an application. See the field de s[...]

  • Page 1014

    38-38 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Configuring Smart Tunnel Access Add or Edit Smart Tunnel List The Add Smart T unn el List dialog box lets you add a list of smart tunnel entri es to the security appliance confi guration. The Edit Smart T u nnel List dialog box lets you mo dify the contents of the list . Field ?[...]

  • Page 1015

    38-39 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Configuring Smart Tunnel Access For W i ndo ws, if you want to add smart tunnel access to an app lication started from the command prompt, you must speci fy “cmd.e xe” in the Process Name of o ne entry in the smart tunnel list, and specify the path to the applicati on itself [...]

  • Page 1016

    38-40 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Configuring Smart Tunnel Access Modes The follo wing table sho ws the modes in which this featur e is av ailable: Add or Edit Smart Tunnel Auto Sign-on Server List The Add Smart T unn el Auto Sign-on Serv er List dialog box lets you add one or more li sts of server s for which to[...]

  • Page 1017

    38-41 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Configuring Smart Tunnel Access Add or Edit Smart Tunnel Auto Sign-on Server Entry The Add or Edit Smart T unnel Entr y dialog box lets you identify a serv er to be added to a smart tunnel auto sign-on list. Y ou can identify it by its ho stname, or IP address and subnet mask. Ca[...]

  • Page 1018

    38-42 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Configuring Smart Tunnel Access Configuring Customization Objects Y ou can customize all end-user visible conte nt on th e clientless SSL VPN portal. T o do so, you create an XML customization object, using an XML t emplate, the Customization Edito r in ASDM, or by expor ting and[...]

  • Page 1019

    38-43 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Configuring Smart Tunnel Access Add Customization Object T o add a customization object, create a copy of and provide a uni que name for the DfltCu stomization object. Then you c an modify or ed it it to meet your requirements. Field Customization Object Name—Enter a name for t[...]

  • Page 1020

    38-44 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Configuring Smart Tunnel Access Creating XML-Based Portal Customization Objects and URL Lists This section includes the following topics: • Understanding the XML Customization Fi le Structure • Customization Example • Using the Customization T emplate Understanding the XML [...]

  • Page 1021

    38-45 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Configuring Smart Tunnel Access text text A rbitrary U RL em pty string info- panel node The panel with a custom text and image mode string enable| disable disabl e image-position string ab ove |belo w above The image position, relati ve to text image-url string Arbitra ry URL e [...]

  • Page 1022

    38-46 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Configuring Smart Tunnel Access window node see authenticatio n page description title-text string Arbitrary string Empty string title-panel node see au thentication page description mode string enable|disable Disable text string Arbitrary string Empty string logo-url string Arbi[...]

  • Page 1023

    38-47 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Configuring Smart Tunnel Access prompt-box-titl e stri ng Arbitrary string Address T itle for U RL prompt box bro wse-button -text string Arbitrary string Bro wse Browse b utton te xt logout-prompt-te xt string Arbitrary string Logout column node (multiple) One column will be sho[...]

  • Page 1024

    38-48 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Configuring Smart Tunnel Access Customization Example The follo wing e xample illustrates the f ollow ing customization options: • Hides tab for the File access applicat ion • Changes tit le and order o f W eb Access application • Defin es two columns on the h ome page • [...]

  • Page 1025

    38-49 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Configuring Smart Tunnel Access <logout-form> <form> <title-text l10n="yes">title WebVPN Logon</title> <message-text l10n="yes">message WebVPN Logon</title> <login-button-text l10n="yes">Login</login-butto[...]

  • Page 1026

    38-50 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Configuring Smart Tunnel Access <type>RSS</type> <url>rss.xyz.com?id=78</url> </pane> <pane> <id>text_pane</id> <type>TEXT</type> <url>rss.xyz.com?id=78</url> <column>1</column> <row>0</r[...]

  • Page 1027

    38-51 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Configuring Smart Tunnel Access Note: all white spaces in tag values are significant and preserved. Tag: custom Description: Root customization tag Tag: custom/languages Description: Contains list of languages, recognized by ASA Value: string containing comma-separated language c[...]

  • Page 1028

    38-52 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Configuring Smart Tunnel Access Tag: custom/auth-page/title-panel/font-color Description: The background color of the title panel Value: HTML color format, for example #FFFFFF Default value: #000000 Tag: custom/auth-page/title-panel/font-weight Description: The font weight Value:[...]

  • Page 1029

    38-53 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Configuring Smart Tunnel Access Description: Text of the information panel Text: arbitrary string Default value: empty string ********************************************************* Tag: custom/auth-page/logon-form Description: Contains logon form settings Tag: custom/auth-page[...]

  • Page 1030

    38-54 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Configuring Smart Tunnel Access Value: HTML color format, for example #FFFFFF Default value: #000000 Tag: custom/auth-page/logon-form/background-color Description: The background color of the logon form Value: HTML color format, for example #FFFFFF Default value: #000000 ********[...]

  • Page 1031

    38-55 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Configuring Smart Tunnel Access ********************************************************* Tag: custom/portal/window Description: Contains the portal page browser window settings Tag: custom/portal/window/title-text Description: The title of the browser window of the portal page V[...]

  • Page 1032

    38-56 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Configuring Smart Tunnel Access Tag: custom/portal/application/mode Description: The application mode Value: enable|disable Default value: enable Tag: custom/portal/application/id Description: The application ID. Standard application ID's are: home, web-access, file-access, [...]

  • Page 1033

    38-57 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Configuring Smart Tunnel Access Tag: custom/portal/column (multiple) Description: Contains settings of the home page column(s) Tag: custom/portal/column/order Description: The order the column from left to right. Columns with lesser order values go first Value: arbitrary number D[...]

  • Page 1034

    38-58 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Configuring Smart Tunnel Access Value: URL string Default value: empty string Tag: custom/portal/pane/text Description: The text value for panes with type TEXT Value: arbitrary string Default value:empty string Tag: custom/portal/pane/column Description: The column where the pane[...]

  • Page 1035

    38-59 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Configuring Smart Tunnel Access <text>?? (Japanese)</text> </language> - <language> <code>ru</code> <text>??????? (Russian)</text> </language> - <language> <code>ua</code> <text>?????????? (Ukrainian)&l[...]

  • Page 1036

    38-60 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Configuring Smart Tunnel Access <font-color>#000000</font-color> <background-color>#ffffff</background-color> </logon-form> - <logout-form> - <title-text l10n=" yes "> - <![CDATA[ Logout ]]> </title-text> - <messa[...]

  • Page 1037

    38-61 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Configuring Smart Tunnel Access </text> <logo-url l10n=" yes ">/+CSCOU+/csco_logo.gif</logo-url> <gradient>yes</gradient> <style /> - <background-color> - <![CDATA[ #ffffff ]]> </background-color> - <font-size>[...]

  • Page 1038

    38-62 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Configuring Smart Tunnel Access <mode>enable</mode> <id>app-access</id> - <tab-title l10n=" yes "> - <![CDATA[ Application Access ]]> </tab-title> <order>4</order> </application> - <application> <mode&[...]

  • Page 1039

    38-63 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Help Customization <title /> <url l10n=" yes " /> <notitle /> <column /> <row /> <height /> </pane> - <url-lists> <mode>group</mode> </url-lists> </portal> </custom> Help Customization The sec[...]

  • Page 1040

    38-64 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Help Customization Language—Displays the abbre viation of the langua ge rendered by the bro wser . This field is not used for file t ranslation; it indicat es the language used in the f ile. T o identify the name of a language asso ciated with an abbre viation in the table, dis[...]

  • Page 1041

    38-65 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Help Customization https:// addr ess_of_secu rity_applia nce /+CSCOE+/help/en/rdp-hlp.inc Step 3 Choose File > Save (P age) As. Caution Do not change the contents of the File name box. Step 4 Change the Save as type optio n to “W eb Page, HTML only” and click Sa v e. Step [...]

  • Page 1042

    38-66 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Configuring Browse r Acce ss to Client-Server Plug-ins present in the Br owse Lan guage Code dialog box, en ter the abbre viation for the language you w ant into the Language Code field and click OK , or enter it into the Language text box to th e left of the dots. T o identify t[...]

  • Page 1043

    38-67 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Configuring Browser Access to Client-Server Plug-ins About Installing Browser Plug-ins A bro wser plug-in is a separate program t hat a we b bro wser in v okes to perfor m a dedicated function, such as connect a client to a server within the bro wser windo w . The security applia[...]

  • Page 1044

    38-68 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Configuring Browse r Acce ss to Client-Server Plug-ins Plug-in Requirements and Restrictions Clientless SSL VPN must be enabled on the security ap pliance to pro vide remote access to the plug- ins. The minimum access rights required f or remote use belong to th e guest pri vileg[...]

  • Page 1045

    38-69 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Configuring Browser Access to Client-Server Plug-ins • vnc-plugin.jar—The V irtual Netw ork Computing plug- in lets the remote user use a moni tor , ke yboard, and mouse to vie w and contro l a computer with remote desktop sh aring turned on. Cisco redistrib utes this plug-in[...]

  • Page 1046

    38-70 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Configuring Browse r Acce ss to Client-Server Plug-ins The plug-in is no w a v ailable for future Clientless SSL VPN sessions. Modes The follo wing table sho ws the modes in which this featur e is av ailable: Assembling and Installing Third-Party Plug-ins—Example: Citrix Java P[...]

  • Page 1047

    38-71 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Language Localization Step 3 Ex tract the fol lowing f iles fro m the Citrix Jav a client: • JICA-confi gN.jar • JICAEngN.jar Y o u can use W inZip to perform this step and the next. Step 4 Add the extracted files to the ica-plugin.zip file. Step 5 Ensure the EULA included wi[...]

  • Page 1048

    38-72 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Language Localization The software image package for th e security appliance includes a la nguage localization template for each domain that is part of the standard functionality . The templates for plug-ins are included wi th the plug-ins and def ine their o wn translation domai[...]

  • Page 1049

    38-73 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Language Localization Language —The language of e xisting La nguage Lo calization tables. Language Localization T emplate —The template that the table is based on. Creating a Translation Table The follo wing procedure describes ho w to creat e a translation table: Step 1 Go t[...]

  • Page 1050

    38-74 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN AnyConnect Custom ization Language —Specify a language. Use an abbreviation that is comp atible with the language options of your bro wser . The security appliance create s the ne w translation tab le with this name. Te x t E d i t o r —Use the editor to change the message tr[...]

  • Page 1051

    38-75 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN AnyConnect Customization Fields Import—Launches the Import An yConnect Customization Objects di alog, where you can specify a f ile to import as an object. Export—Launches the Export An yConnect Customization Objects dial og, where you can specify a f ile to export as an obje[...]

  • Page 1052

    38-76 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN AnyConnect Custom ization Installs Specify f iles for customizing the An yConnect client installati on in this panel. Note The security appliance does not support t his feature for the An yConnect VPN client, v ersions 2.0 and 2.1. F or more information on manual ly customizing t[...]

  • Page 1053

    38-77 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN AnyConnect Customization When exp o rt i n g , it is automatically f illed-in with the name from th e entry you selected in the table. When importing , yo u enter the language name in the manner that you w ant it to be identif ied. The imported transl ation table then appears in [...]

  • Page 1054

    38-78 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN AnyConnect Custom ization Configure GUI Customizatio n Objects (Bookmark Lists) This dialog box lets you add, edit, and delete, import and e xport bookmar k lists. The Bookmarks windo w lets you conf igure lists of serv ers and URLs for access over clientless SSL VPN. Fol lowin g[...]

  • Page 1055

    38-79 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN AnyConnect Customization • Add—Opens the Add Boo kmark Entry dialog box , on which you can con figur e a ne w server or URL and display name. • Edit—Opens the Edit Bo okmark Entry dial og box, on which you can conf igure a ne w serv er or URL and display name. • Delete?[...]

  • Page 1056

    38-80 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN AnyConnect Custom ization • Enable Smart T unnel Option—Select to open the bookmark in a ne w windo w that uses the smart tunnel feature to pass data through the security appli ance to or from the destination serv er . This option lets you pro vide smart tunnel sup port for a[...]

  • Page 1057

    38-81 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN AnyConnect Customization Configure GUI Customization Objects (Web Contents) This dialogue box l ets you import and e xport web conten t objects. Fields • File Name—Displays the names of the web content objects. • File T ype—Identif ies the file typ e(s). • Import/Export[...]

  • Page 1058

    38-82 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN AnyConnect Custom ization Add/Edit Post Parameter Use this pane to conf igure post parameters for bookmark entries and URL list s. Since these are often personalized resources that contain the user ID and password or other input parameters, you might need to def ine Client less S[...]

  • Page 1059

    38-83 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN AnyConnect Customization Using Macros 1 - 4 The security appliance obtains v alues for the f irs t four su bstitutions from the SSL VPN Login page, which includes f ields for username, password, int ernal password (optional), an d group. It recognizes these strings in user reques[...]

  • Page 1060

    38-84 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN AnyConnect Custom ization Figur e 38-1 Using ASDM t o Configure a Macr o that Sets a Homepag e Example 2: Setting a Bookmark or URL Entry Y o u can use an HTTP Post to l og in to an O W A resource using an RSA one-time passw ord (O TP) for SSL VPN authentication, and th en the st[...]

  • Page 1061

    38-85 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN AnyConnect Customization Figur e 38-2 Configur ing a Bookmar k Entry[...]

  • Page 1062

    38-86 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN AnyConnect Custom ization[...]

  • Page 1063

    CH A P T E R 39-1 Cisco ASDM User Guide OL-16647-01 39 E-Mail Proxy E-mail proxies exten d remote e-mail capability to users of Clientless SSL VPN. When users attempt an e-mail session via e-mail proxy , the e-mail client establishes a tunnel using the SSL pr otocol. The e-mail proxy protocols are as follo ws: POP3S POP3S is one of the e-mail proxi[...]

  • Page 1064

    39-2 Cisco ASDM User Guide OL-16647-01 Chapter 39 E-M ail Proxy AAA AAA This panel has three tabs: • POP3S T ab • IMAP4S T ab • SMTPS T ab Modes The follo wing table sho ws the modes in which this featur e is av ailable: POP3S Tab The POP3S AAA panel associ ates AAA serv er groups and conf igures the def ault group polic y for POP3S sessions.[...]

  • Page 1065

    39-3 Cisco ASDM User Guide OL-16647-01 Chapter 39 E-Mail Proxy AAA Fields • AAA server group s—Click to go to the AAA Serv er Groups panel (Conf iguration > Featur es > Properties > AAA Setu p > AAA Server Gr oups), where you can add or edit AAA serv er groups. • group policies—Click to go to the Grou p Policy panel (Con figurat[...]

  • Page 1066

    39-4 Cisco ASDM User Guide OL-16647-01 Chapter 39 E-M ail Proxy AAA – Secondary DN Field—(Optio nal) Select the secondary DN f ield you w ant to conf igure for POP3S authorization. The def ault is OU. Options include all o f those in the preceding table, with the addition of None , which y ou select if you do not want to includ e a secondary fi[...]

  • Page 1067

    39-5 Cisco ASDM User Guide OL-16647-01 Chapter 39 E-Mail Proxy AAA • Default G roup Policy —Select the group pol icy to ap ply to IMAP4S users when AAA does not return a CLASSID attrib ute. If you do not specify a d efault group po licy , and there is no CLASSID, the security appliance can not establish the session. • Authorization Settin gs?[...]

  • Page 1068

    39-6 Cisco ASDM User Guide OL-16647-01 Chapter 39 E-M ail Proxy AAA Modes The follo wing table sho ws the modes in which this featur e is av ailable: SMTPS Tab The SMTPS AAA panel associates AAA serv er groups and conf igures the defaul t group polic y for SMTPS sessions. Fields • AAA server gr oups—Click to go to the AAA Serv er Groups pan el [...]

  • Page 1069

    39-7 Cisco ASDM User Guide OL-16647-01 Chapter 39 E-Mail Proxy Access – Primary DN Field—Select the primary DN f ield you w ant to conf igure for SMTPS authorization. The def ault is CN. Options in clude the follo wing: – Secondary DN Field —(Optional) Select the secondary DN f ield yo u want to conf igure for SMTPS authorization. The d efa[...]

  • Page 1070

    39-8 Cisco ASDM User Guide OL-16647-01 Chapter 39 E-M ail Proxy Access Fields • Interface—Displays the names of all conf igured interfaces. • POP3S Enabled—Sho ws whether POP3 S is enable d for the interf ace. • IMAP4s Enabled—Show s whether IMAP 4S is enabled for the interface. • SMTPS Enabled—Sho ws whether SMT PS is enabled for t[...]

  • Page 1071

    39-9 Cisco ASDM User Guide OL-16647-01 Chapter 39 E-Mail Proxy Authentication Edit E-Mail Proxy Access The E-mail Proxy Access screen lets you identify interfaces on which to configure e-mail proxy . Y ou can config ure e-mail proxies on indi vidual int erfa ces, and you can conf igure e-mail p roxies for one interface and then apply you r settings[...]

  • Page 1072

    39-10 Cisco ASDM User Guide OL-16647-01 Chapter 39 E-M ail Proxy Authentication Fields POP3S/IMAP4S/SMTPS Authenticati on—Let you conf igure authentication meth ods for each of the e-mail proxy types. Y ou can select multiple methods of authenticati on. • AAA—Select to require AAA authen tication. Th is option re quires a configured AAA serve[...]

  • Page 1073

    39-11 Cisco ASDM User Guide OL-16647-01 Chapter 39 E-Mail Proxy Default Servers Note IMAP generates a number of sessi ons that are not limited b y the simultaneous user count b ut do count against the number of simultaneous login s allowe d fo r a username. If the number of IMAP sessions exceeds this maxi mum and the Clientless SSL VPN connection e[...]

  • Page 1074

    39-12 Cisco ASDM User Guide OL-16647-01 Chapter 39 E-M ail Proxy Default Servers Fields • POP3S/IMAP4S/SMTPS Default Server—Let you config ure a default serv er , port and non-authenticated session limit for e-mai l proxies. • Name or IP Address—T ype the DNS name or IP address for the default e- mail proxy serv er . • Port—T ype the po[...]

  • Page 1075

    39-13 Cisco ASDM User Guide OL-16647-01 Chapter 39 E-Mail Proxy Delimi ters Modes The follo wing table sho ws the modes in which this featur e is av ailable: Delimiters This panel lets you co nfigure username/passw ord delimiters and server delimiters for e-mail proxy authentication. Fields • POP3S/IMAP4S/SMTPS Delimiters—Let you conf igur e us[...]

  • Page 1076

    39-14 Cisco ASDM User Guide OL-16647-01 Chapter 39 E-M ail Proxy Delimiters Note Passwor ds for Clientless SSL VPN e-mail pr oxy user s cannot contain characters that are us ed as delimiter s. – Server Delimiter—S elect a delimiter to separate the user name from the name of the e-mail server . It must be dif ferent from the VPN Name Delimiter .[...]

  • Page 1077

    CH A P T E R 40-1 Cisco ASDM User Guide OL-16647-01 40 Configuring SSL Settings SSL The security appliance uses the S ecure Sockets Layer (SSL) protocol and its successor , T ransport Layer Security (TLS) to achie ve secu re message transmis sion for both ASDM an d Clientless, browser-based sessions. The SSL window lets you configure SSL versions f[...]

  • Page 1078

    40-2 Cisco ASDM User Guide OL-16647-01 Chapter 40 Configuring SSL Settings SSL Options for Client SSL v ersions include the follo wing: • Encryption —Lets you set SSL encr yption algorithms. – A vailable Algorithms —Lists th e encryptio n algorithms the security appliance supports that are not in use for SSL connections. T o use, or make ac[...]

  • Page 1079

    40-3 Cisco ASDM User Guide OL-16647-01 Chapter 40 Configuring SSL Settings SSL • Certificate —Click to select a pre viously enrolled certif icate to associate with the named interface. Modes The follo wing table sho ws the modes in which this featur e is av ailable: SSL Certificates In this pane, you can require th at de vice manage ment sessio[...]

  • Page 1080

    40-4 Cisco ASDM User Guide OL-16647-01 Chapter 40 Configuring SSL Settings SSL[...]

  • Page 1081

    P ART 5 Monitoring the S ecurity Appliance[...]

  • Page 1082

    [...]

  • Page 1083

    CH A P T E R 41-1 Cisco ASDM User Guide OL-16647-01 41 Monitoring Interfaces ASDM lets you monitor interf ace statistic s as well as interface-related features. ARP Table The ARP T able pane displays the ARP table, incl uding static and dynamic entries. The ARP table includes entries that map a MAC address to an IP address for a gi ven interface. S[...]

  • Page 1084

    41-2 Cisco ASDM User Guide OL-16647-01 Chapter 41 M onitoring Interfaces DHCP DHCP Server Table The DHCP Server T able lists the IP addresses assigned to DHCP clients. Fields • IP Address—Shows the IP addr ess assigned to the client. • Client-ID—Sho ws the client MA C address or ID . • Lease Expiration—Shows the date that the DHCP lease[...]

  • Page 1085

    41-3 Cisco ASDM User Guide OL-16647-01 Chapter 41 Monitoring Interfaces DHCP Bound—The security appliance has a va lid lease and is operat ing normally . Renewing—The security appliance is trying to rene w the lease. It regularly sends DHCPREQUEST mes sages to the cu rrent DHCP server , and waits for a reply . Rebinding—The security appliance[...]

  • Page 1086

    41-4 Cisco ASDM User Guide OL-16647-01 Chapter 41 M onitoring Interfaces MAC Address Table – DHCPREQUEST – DHCPDECLINE – DHCPRELEASE – DHCPINFORM – BOO TREPL Y – DHCPOFFER – DHCP A CK – DHCPNAK • Count—Sho ws the number of times a specific message was processed. • Direction—Sho ws if the message type is Sent or Received. •[...]

  • Page 1087

    41-5 Cisco ASDM User Guide OL-16647-01 Chapter 41 Monitoring Interfaces Dynamic ACLs • T ype—Sho ws if the entry is static or d ynamic. • Age—Sho ws the age of the entry , in minutes. T o set the timeout, see MA C Address T able . • Refresh—Refreshes the table with current information from the security appli ance. Modes The follo wing t[...]

  • Page 1088

    41-6 Cisco ASDM User Guide OL-16647-01 Chapter 41 M onitoring Interfaces Interface Graphs Fields • A vailable Graphs for—Lists the type s of statistics av ailable for mo nitoring. Y ou can choose up to four types of statist ics to sho w in one graph windo w . Y ou can open multiple graph windo ws at the same time. – Byte Counts—Sho ws the n[...]

  • Page 1089

    41-7 Cisco ASDM User Guide OL-16647-01 Chapter 41 Monitoring Interfaces Interface Graphs Collisions—The number of messages retransmi t ted due to an Ethernet collision (singl e and multiple collisions). Thi s usually occurs on an o vere xtended LAN (E thernet or transceiver cable too long, more than tw o repeaters between stations, or t oo many c[...]

  • Page 1090

    41-8 Cisco ASDM User Guide OL-16647-01 Chapter 41 M onitoring Interfaces PPPoE Client Graph/Table The Graph windo w sho ws a graph for the selected statistics. The Grap h wind o w can show up to four graphs and tables at a time. By default , the graph or table displays the real-time statistics. If you enable History Metrics, page 6-6 , you can vie [...]

  • Page 1091

    41-9 Cisco ASDM User Guide OL-16647-01 Chapter 41 Monitoring Interfaces interface connection Fields Select a PPPoE interface—Select an interface t hat you want to vi e w PPPoE client lease information. Refresh—loads the latest PPP oE connection information fr om the security appliance f or display . interface connection The interface conn ectio[...]

  • Page 1092

    41-10 Cisco ASDM User Guide OL-16647-01 Chapter 41 M onitoring Interfaces interface conn ection Modes Firewall Mode Security Context Routed T ransparent Single Multiple Context Sy stem • — • ——[...]

  • Page 1093

    CH A P T E R 42-1 Cisco ASDM User Guide OL-16647-01 42 Monitoring VPN The VPN Monitoring sections sho w parameter s and statistics for the follo wing: • VPN statistics for specific Remote Access, LAN- to-LAN, Clientless SSL VPN, and E-mail Proxy sessions • Encryption stat istics for tunnel groups • Protocol statis tics for tunnel gro ups • [...]

  • Page 1094

    42-2 Cisco ASDM User Guide OL-16647-01 Chapter 42 Monitoring VPN VPN Connection Graphs • Remov e—Mov es the selected tunnel type from the Selected Grap hs box to the A vaila ble Graphs box. • Show Graphs—Displays a w indow consisting of grap hs of the tunnel types displaye d in the Selecte d Graphs box. Each type in the wi ndow displayed ha[...]

  • Page 1095

    42-3 Cisco ASDM User Guide OL-16647-01 Chapter 42 Monitoring VPN VPN Statistics VPN Statistics These panels sho w detailed pa rameters and sta tistics for a specific remote-access, LAN-to-LAN, Clientless SSL VPN, or E-mail Proxy session. The parameter s and statistics dif fer depending on th e session protocol. The conten ts of the statistical tabl[...]

  • Page 1096

    42-4 Cisco ASDM User Guide OL-16647-01 Chapter 42 Monitoring VPN VPN Statistics The contents of the second table, also unlabeled, on this panel depend on the sel ection in the Filter By list. In the follo wing list, the f irst-le v el bullets sho w the Fi lter By selection, and the second-le v el bullets sho w the column headings for this table. ?[...]

  • Page 1097

    42-5 Cisco ASDM User Guide OL-16647-01 Chapter 42 Monitoring VPN VPN Statistics – Bytes Tx/Bytes Rx—Sho ws the total number of b ytes transmitted to/recei ved from the remote peer or client by the security appliance. • Clientless SSL VPN—Indicates that the v alues in this table r elate to Clientless SSL VPN traf fic. – Us e r na m e/ I P [...]

  • Page 1098

    42-6 Cisco ASDM User Guide OL-16647-01 Chapter 42 Monitoring VPN VPN Statistics Modes The follo wing table sho ws the modes in which this featur e is av ailable: Sessions Details The Session Details windo w displays conf iguration se ttin gs, statistics, and state informati on about the selected session. The Remote Detailed table at the top o f the[...]

  • Page 1099

    42-7 Cisco ASDM User Guide OL-16647-01 Chapter 42 Monitoring VPN VPN Statistics – Unkno wn—Posture v alidation is in progress. The posture token is an informational te xt string which is configurable on the Access Control Se rver . The A CS do wnloads the posture token to the security appliance for informational purpo ses to aid in system monit[...]

  • Page 1100

    42-8 Cisco ASDM User Guide OL-16647-01 Chapter 42 Monitoring VPN VPN Statistics Redirect URLs remain in force until eith er the IPSec session ends or until posture rev alidatio n, for which the A CS do wnloads a ne w access policy th at can contain a different redirect URL or no redirect URL. More—Press this bu tton to re v alidate or initialize [...]

  • Page 1101

    42-9 Cisco ASDM User Guide OL-16647-01 Chapter 42 Monitoring VPN VPN Statistics The but tons in this windo w are as follo ws: Note Choose Monitoring > VPN > VPN Statistics > N A C Session Summary if you want to rev alidate or initialize all sessions that are subject to post ure validati on. • Re vali date Session—Click if the posture o[...]

  • Page 1102

    42-10 Cisco ASDM User Guide OL-16647-01 Chapter 42 Monitoring VPN VPN Statistics • Encryption Statistics—Sho ws the statistics for all the data encryption algorithms i n use b y currently activ e sessions. – Encryption Algorithm—List s the encryption al gorithm to which the statistics in this ro w apply . – Sessions—Lists the number of [...]

  • Page 1103

    42-11 Cisco ASDM User Guide OL-16647-01 Chapter 42 Monitoring VPN VPN Statistics • N/A—Number of peers for wh ich N A C is disabled according to the VPN N A C grou p policy . • Re validate All —Click if the posture of the peers or t he assigned access policies (that is, the do wnloaded A CLs), ha v e changed. Clicking th is b utton initiate[...]

  • Page 1104

    42-12 Cisco ASDM User Guide OL-16647-01 Chapter 42 Monitoring VPN VPN Statistics VLAN Mapping Sessions This panel displays the number of sessi ons assigned to an egress VLAN, as determined by the value of the Restrict Access to VLAN pa rameter of each group policy in use. The security appl iance forwar ds all traff ic to the s pecified VLAN. Field [...]

  • Page 1105

    42-13 Cisco ASDM User Guide OL-16647-01 Chapter 42 Monitoring VPN VPN Statistics Crypto Statistics This panel displays the crypto st atistics for curr ently acti v e user and administ rator sessions on the security appliance. Each row in the table r epresents one crypto statistic. Fields • Sho w Statistics For—Selects a specif ic protocol, IKE [...]

  • Page 1106

    42-14 Cisco ASDM User Guide OL-16647-01 Chapter 42 Monitoring VPN VPN Statistics Modes The follo wing table sho ws the modes in which this featur e is av ailable: Cluster Loads Use this pane l to view the current traff ic load distrib ution among th e s erver s in a VPN load-b alancing cluster . If the server is not part of a cluster , you r eceiv [...]

  • Page 1107

    42-15 Cisco ASDM User Guide OL-16647-01 Chapter 42 Monitoring VPN VPN Statistics Note These statistics are for SSO wi th S iteMinder an d SAML Brow ser Post Profile serv ers only . Fields • Show Statist ics For SSO Server — Selects an SSO serv er . • SSO Statistics—Sho ws the statistics for al l the curre ntly acti ve sessions on the select[...]

  • Page 1108

    42-16 Cisco ASDM User Guide OL-16647-01 Chapter 42 Monitoring VPN VPN Statistics – Number of rejects – Number of timeouts – Number of unrecognized responses • Refresh—Updates the statistics sho wn in the SSO St atistics table • Clear SSO Server Stati stics—Resets statistics for the displayed server . Modes The follo wing table sho ws [...]

  • Page 1109

    CH A P T E R 43-1 Cisco ASDM User Guide OL-16647-01 43 Monitoring Routing Y ou can use ASDM to monitor OSPF LSAs, OSPF an d EIGRP neighbors, and th e routing table. T o access the routing monito ring screens, go to Monitoring > Routing in the ASDM interface. This section contains the following topics: • Monitoring OSPF LSAs, page 43-1 • Moni[...]

  • Page 1110

    43-2 Cisco ASDM User Guide OL-16647-01 Chapter 43 M onitoring Routing Monitoring OSPF LSAs The T ype 1 pane displays all T ype 1 LSAs receiv ed by the security appliance. Each ro w in the table represent s a single LSA. Fields • Process— Display only . Displays th e OSPF process fo r the LSA. • Area— Display only . Displays the OSPF area fo[...]

  • Page 1111

    43-3 Cisco ASDM User Guide OL-16647-01 Chapter 43 Monitoring Routing Monitoring OSPF LSAs Type 3 T ype 3 LSA are summary link advertisements that are passed between areas. The y describe the networks within an area. Fields • Process— Display only . Displays the OSPF process for the LSA. • Area— Display only . Displays the OSPF area for the [...]

  • Page 1112

    43-4 Cisco ASDM User Guide OL-16647-01 Chapter 43 M onitoring Routing Monitoring OSPF LSAs • Sequence #— Display only . Displays the link state sequence num ber . The link state sequence number is used to detec t old or dupli cate LSAs. • Checksum— Display only . Displays the checksum of the content s of the LSA. Modes The follo wing table [...]

  • Page 1113

    43-5 Cisco ASDM User Guide OL-16647-01 Chapter 43 Monitoring Routing Monitoring O SPF Neighbors Fields • Process— Display only . Displays the OSPF process for the LSA. • Area— Display only . Displays the OSPF area for the LSA. • Network— Display only . Displays the address o f the external ne twork. • Advertiser— Display onl y . Dis[...]

  • Page 1114

    43-6 Cisco ASDM User Guide OL-16647-01 Chapter 43 M onitoring Routing Monitoring OSPF Neighbors – 2-W ay—This state designates that bi- directional communication has been established between the security appliance and the neighbor . Bi-directi onal means that each device has seen the hello packet from the other device. This state is attain ed w[...]

  • Page 1115

    43-7 Cisco ASDM User Guide OL-16647-01 Chapter 43 Monitoring Routing Monitoring EIGRP Neighbo rs • Interface— Display o nly . Displays the interface on which the OSPF neighbor has formed adjacency . Modes The follo wing table sho ws the modes in which this featur e is av ailable: Monitoring EIGRP Neighbors The EIGRP Neighbors pane displays dy n[...]

  • Page 1116

    43-8 Cisco ASDM User Guide OL-16647-01 Chapter 43 M onitoring Routing Displaying Routes Displaying Routes The Routes pane displays the st atically conf igured, connected, and discov ered routes in the security appliance routing table. Fields • Protocol— Display only . Displays the origin of the route informatio n. – RIP—The route was deri v[...]

  • Page 1117

    CH A P T E R 44-1 Cisco ASDM User Guide OL-16647-01 44 Monitoring Properties This chapte r includes the fol lo wing sections: • Monitoring AAA Serv ers, page 44-1 • Monitoring De vice Access, page 44-4 • Connection Graphs • CRL • DNS Cache • IP Audit • System Re sources Grap hs • WCCP Monitoring AAA Servers This section includes the[...]

  • Page 1118

    44-2 Cisco ASDM User Guide OL-16647-01 Chapter 44 Monitoring Properties Monitoring AAA Se rvers Step 1 From t he ASDM toolba r , click Monitoring . The monitorin g functions display in the l eft-hand Navigation pane. Step 2 Click Properti es . The Properties Navigation pane op ens. Step 3 Click AAA Servers . The AAA Servers di alog box opens in the[...]

  • Page 1119

    44-3 Cisco ASDM User Guide OL-16647-01 Chapter 44 Monitoring Properties Monitoring AAA Servers The dialog box closes. Fields Used to Monitor AAA Servers The follo wing table describes the f ields for monito ring AAA Servers. Modes The follo wing table sho ws the modes in which this featur e is av ailable: Field Description Server Gro up The name of[...]

  • Page 1120

    44-4 Cisco ASDM User Guide OL-16647-01 Chapter 44 Monitoring Properties Monitoring Device A ccess Monitoring Device Access This section includes the following topics: • Monitoring User Lockou ts • Monitoring Authenticated Users • Monitoring Acti v e Sessions • Fields Used to Monitor Device Access Monitoring User Lockouts This section includ[...]

  • Page 1121

    44-5 Cisco ASDM User Guide OL-16647-01 Chapter 44 Monitoring Properties Monitoring Device Access Step 2 Click Properti es . The Properties Navigation pane op ens. Step 3 Click the plus (+) symbol next to De vice A ccess. The list of De vice Access functi ons expand s below i t. Step 4 Click AAA Local Locked Out Use rs . The AAA Local Locked Out Use[...]

  • Page 1122

    44-6 Cisco ASDM User Guide OL-16647-01 Chapter 44 Monitoring Properties Monitoring Device A ccess All lockouts from the secu rity appliance are remo ved and usernames remo ved f rom the list. Removing One User Lockout Use this procedure to r emov e a lock out for one user who wa s locked out of the secur ity appliance after failing to successfully [...]

  • Page 1123

    44-7 Cisco ASDM User Guide OL-16647-01 Chapter 44 Monitoring Properties Monitoring Device Access Prerequisites • Y ou are connected to the secu rity appliance using ASDM. • Y o u ha ve alread y completed the initial security appliance conf igurations included in th e ASDM startup wizard. For more information, see Using the Startup W izard, page[...]

  • Page 1124

    44-8 Cisco ASDM User Guide OL-16647-01 Chapter 44 Monitoring Properties Monitoring Device A ccess • Y o u ha ve alread y configured the security applia nce access for the session traf fic y ou want to monitor . See the procedures in one of the follo wing sections : – Config uring De vice Access for ASDM, T elnet, or SSH, page 16-1 – Config ur[...]

  • Page 1125

    44-9 Cisco ASDM User Guide OL-16647-01 Chapter 44 Monitoring Properties Monitoring Device Access The follo wing table describes the f ields for monito ring activ e SSH sessions. Modes The follo wing table sho ws the modes in which this featur e is av ailable: Disconnecting an Active Session Use this procedure to disconnect an active ASDM/H TTPS, SS[...]

  • Page 1126

    44-10 Cisco ASDM User Guide OL-16647-01 Chapter 44 Monitoring Properties Monitoring Device A ccess Procedure T o disconnect an activ e security applia nce session, perform the foll o wing step s: Step 1 From t he ASDM toolba r , click Monitoring . The monitorin g functions display in the l eft-hand Navigation pane. Step 2 Click Properti es . The Pr[...]

  • Page 1127

    44-11 Cisco ASDM User Guide OL-16647-01 Chapter 44 Monitoring Properties Connection Graphs Modes The follo wing table sho ws the modes in which this featur e is av ailable: Fields for Monitoring Users Who Have Authenticated with a Server The follo wing table describes the f ields for mon itoring authenticated u sers. Modes The follo wing table sho [...]

  • Page 1128

    44-12 Cisco ASDM User Guide OL-16647-01 Chapter 44 Monitoring Properties Connection Grap hs Perfmon The Perfmon pane lets you vie w the performance information in a graphical format. Y ou can choose up to four types of statisti cs to sho w in one graph windo w . Y ou can open multiple graph wind ows at the same time. Fields • A vailable Gr aphs?[...]

  • Page 1129

    44-13 Cisco ASDM User Guide OL-16647-01 Chapter 44 Monitoring Properties CRL • Sho w Graphs—Click to display a ne w or updated g raph windo w . Modes The follo wing table sho ws the modes in which this featur e is av ailable: CRL This pane allo ws yo u to vie w or clear as sociated CRLs of s elected CA cert ific ates. Fields • CA Certif icate[...]

  • Page 1130

    44-14 Cisco ASDM User Guide OL-16647-01 Chapter 44 Monitoring Properties IP Audit • If ne w entries arri ve b ut there is no room in th e cache because the size was exceeded or no more memory is av ailabl e, the cache will be thinned b y one third, based on the entries age. The oldest entries wi ll be removed. Fields • Host— Sho ws the DNS na[...]

  • Page 1131

    44-15 Cisco ASDM User Guide OL-16647-01 Chapter 44 Monitoring Properties IP Audit Impossible IP Packet (1102) IP T eardrop (1 103) – ICMP Requests—Sho ws the packet count for th e follow ing signatures: Echo Request (2004) T ime Request (2007) Info Request (2009) Address Mask Request (2011) – ICMP Responses—Sho ws the packet coun t for the [...]

  • Page 1132

    44-16 Cisco ASDM User Guide OL-16647-01 Chapter 44 Monitoring Properties System Resources Gra phs – RPC Requests to T arget Hosts—Show s the pa cket count for the fo llow ing signatures: Port Registratio n (6100) Port Unregistration (6101) Dump (6102) – YP Daemon Portmap Requests—Sho ws the packet count for th e follo wing signatures: ypser[...]

  • Page 1133

    44-17 Cisco ASDM User Guide OL-16647-01 Chapter 44 Monitoring Properties System Resources Graphs Blocks This pane let s you view the free and used m emory bl ocks. Y ou can choose up to four types of statistics to sho w in one graph windo w . Y ou can open multiple graph windo ws at the same t ime. Fields • A vailable Gr aphs —Lists th e compon[...]

  • Page 1134

    44-18 Cisco ASDM User Guide OL-16647-01 Chapter 44 Monitoring Properties WCCP Memory This pane lets you vie w the memory utilizati on. Y ou ca n choose up to four types of statistics to show in one graph windo w . Y ou can open multiple graph windo ws at the same time. Fields • A vailable Gr aphs—Lists the components you can graph . – Free Me[...]

  • Page 1135

    44-19 Cisco ASDM User Guide OL-16647-01 Chapter 44 Monitoring Properties WCCP Service Groups This pane allo ws you to vie w and refresh the servic e group, the display mode, and hash set tings, which include the source and destinat ion IP addresses and the source and destinat ion port numbers. Fields • Service Group—Choose t he applicable servi[...]

  • Page 1136

    44-20 Cisco ASDM User Guide OL-16647-01 Chapter 44 Monitoring Properties WCCP • WCCP Interface Statistics— Display-only . Shows the current WCCP interface statistics. For e xample: WCCP interface configuration details: Management0/0 Output services: 0 Input services: 1 Static: None Dynamic: 001 Mcast services: 0 Exclude In: FALSE[...]

  • Page 1137

    44-21 Cisco ASDM User Guide OL-16647-01 Chapter 44 Monitoring Properties WCCP[...]

  • Page 1138

    44-22 Cisco ASDM User Guide OL-16647-01 Chapter 44 Monitoring Properties WCCP[...]

  • Page 1139

    CH A P T E R 45-1 Cisco ASDM User Guide OL-16647-01 45 Monitoring Logging Y ou can view real-time syslog messag es that appear in the log buf fer . When you open the Cisco ASDM 6.1(3) for ASA 8.0(4) main application windo w , the most recent ASDM s ystem log messages appear at the bottom of a scroll ing windo w . Y o u can use these messages to he [...]

  • Page 1140

    45-2 Cisco ASDM User Guide OL-16647-01 Chapter 45 Monitoring Loggin g Log Buffer Log Buffer Viewer The Log Buf fer V iewer pane lets yo u vie w messages th at appear in the log b uf fer , an e xplanation of the message, details about the m essage, and recommended actio ns to take, if necessary , to resolve an error . T o access this pane, choose Mo[...]

  • Page 1141

    45-3 Cisco ASDM User Guide OL-16647-01 Chapter 45 Monitoring Log ging Real-Time Log Viewer Real-Time Log Viewer The Real-T ime Log V ie wer lets you view real-time syslog messages in a separate window . T o access this pane, choose Monitoring > Logging > Real-T ime Log V iewer . T o view syslog messages in real -time, perform the follo wing s[...]

  • Page 1142

    45-4 Cisco ASDM User Guide OL-16647-01 Chapter 45 Monitoring Loggin g Real-Time Log Viewer • Click Sav e Log to sa ve the cont ents of the log to your comput er . • Click Clear Display to clear the list of messages. • Click Color Settings to specify that messages of dif ferent se ver ity le vels display in dif ferent colors. • Click Crea te[...]

  • Page 1143

    CH A P T E R 46-1 Cisco ASDM User Guide OL-16647-01 46 Monitoring Failover Failo ve r monitoring in ASDM d epends upon the mode of th e de vice. In single conte xt mode, or with in a security conte xt in multip le context mode, y ou can monitor the stat e of failo v er for the de vice an d vie w stateful failov er statistics. In the system ex ecuti[...]

  • Page 1144

    46-2 Cisco ASDM User Guide OL-16647-01 Chapter 46 Monitoring Failover Monitoring Failover in Single Context Mode or in a Security Contex t Fields Failo ver state of the system— Display only . Displays the fail ov er state of the security ap pliance. The information in thi s fiel d is the same output you w ould recei ve from the sho w f ailov er c[...]

  • Page 1145

    46-3 Cisco ASDM User Guide OL-16647-01 Chapter 46 Monitoring Failover Monitoring Failover in Sing le C ontext Mo de or in a Security Context – *Acti ve T ime—The amount o f time, in seconds, that the unit has been in the acti ve state. – *[context_name] Interface name (n.n.n.n)—For each interface, the display sho ws the IP address currently[...]

  • Page 1146

    46-4 Cisco ASDM User Guide OL-16647-01 Chapter 46 Monitoring Failover Monitoring Failover in Single Context Mode or in a Security Contex t – VPN DHCP upd—T unneled DHCP connection information. • *Logical Update Queue Information—Displays th e follo wing statistics: – Recv Q—The status of the receiv e queue. – Xmit Q—The status of th[...]

  • Page 1147

    46-5 Cisco ASDM User Guide OL-16647-01 Chapter 46 Monitoring Failover Monitoring Failover in Sing le C ontext Mo de or in a Security Context Fields • A vailable Graphs for—Lists the ty pes of statistical informa tion av ailable for monitoring. Y ou can choose up to four statistic types to d isplay in one graph wi ndo w . Double-clicking a stati[...]

  • Page 1148

    46-6 Cisco ASDM User Guide OL-16647-01 Chapter 46 Monitoring Failover Monitoring Failover in the System Execution Spac e Monitoring Failover in the System Execution Space Y o u can monitor the failo ver status of t he system and of the indi vidual f ailov er groups in the sy stem context. See t he follo wing topics for mo nitoring fail over st atus[...]

  • Page 1149

    46-7 Cisco ASDM User Guide OL-16647-01 Chapter 46 Monitoring Failover Monitoring Failover in the Syste m Execution Space • Monitored Interf aces—Displays the number of interfaces whose health you are monitoring for fai love r . • failo ver replicatio n http—Specif ies that HTTP replication i s enabled. • Group x Last F ailov er—Displays[...]

  • Page 1150

    46-8 Cisco ASDM User Guide OL-16647-01 Chapter 46 Monitoring Failover Monitoring Failover in the System Execution Spac e – UDP conn—Dynamic UDP connection information. – ARP tbl—Dynamic ARP table informat ion. – L2BRIDGE tbl— Layer 2 bridge table informatio n (transparent fire wall mode only). – Xlate_T imeout—Indicates connecti on [...]

  • Page 1151

    46-9 Cisco ASDM User Guide OL-16647-01 Chapter 46 Monitoring Failover Monitoring Failover in the Syste m Execution Space For More Information For more information about failo ver in general, see Understandin g Failo ver . Failover Group 1 and Failover Group 2 The Failov er Group 1 and Failov er Group 2 panes disp lay the failover state of the selec[...]

  • Page 1152

    46-10 Cisco ASDM User Guide OL-16647-01 Chapter 46 Monitoring Failover Monitoring Failover in the System Execution Spac e – xmit—Number of tran smitted packets to t he other unit – xerr—Number of error s that occurred while transmit ting packets to the other unit – rcv—Number of receiv ed packets – rerr—Number of erro rs that occu r[...]

  • Page 1153

    46-11 Cisco ASDM User Guide OL-16647-01 Chapter 46 Monitoring Failover Monitoring Failover in the Syste m Execution Space For More Information For more information about failo ver in general, see Understandin g Failo ver . Firewall Mode Security Context Routed T ransparent Single Multiple Context Sy stem • • —— •[...]

  • Page 1154

    46-12 Cisco ASDM User Guide OL-16647-01 Chapter 46 Monitoring Failover Monitoring Failover in the System Execution Spac e[...]

  • Page 1155

    CH A P T E R 47-1 Cisco ASDM User Guide OL-16647-01 47 Monitoring Trend Micro Content Security Note The ASA 5580 does not support th e CSC SSM feature. ASDM lets you monitor the CSC SSM stat isti cs as well as CSC SSM-related features. For an intr oduction to the CSC SSM, see About the CSC SSM . Note If you ha ve not compl eted the CSC Setup W izar[...]

  • Page 1156

    47-2 Cisco ASDM User Guide OL-16647-01 Chapter 47 Monitoring Trend Micro Content Security Live Security Events • Sho w Graphs—Click to display a ne w windo w that sho ws a Graph tab and an updated graph with the selected statistics. Clic k the Ta b l e tab to display the same information in tab ular form. • From the Graph or T able tab, click[...]

  • Page 1157

    47-3 Cisco ASDM User Guide OL-16647-01 Chapter 47 Monitoring Trend Micr o Content Security Live Security Events Live Security Events Log The Li ve Log dialog box l ets you vie w real-time secu rity ev ent messages that ar e receiv ed from the CSC SSM. Y ou can filter security e v ent messages based on text you sp ecify . Fields • Filter By: Choos[...]

  • Page 1158

    47-4 Cisco ASDM User Guide OL-16647-01 Chapter 47 Monitoring Trend Micro Content Security Software Update s For More Information See Managing the CSC SSM Software Updates The Software Updates pane di splays information abou t updates to the CSC SSM software. Th is pane refreshes automatically e very ten second s. T o access this pane, choose Monito[...]

  • Page 1159

    47-5 Cisco ASDM User Guide OL-16647-01 Chapter 47 Monitoring Trend Micr o Content Security Resource Graphs Fields • A vailable Graphs—Lists the components wh ose statistics you can view in a graph. – CSC CPU, CPU Utilization—Displays st atistics for CPU usage on th e CSC SSM. • Graph W ind ow T itle—Shows the graph windo w name to which[...]

  • Page 1160

    47-6 Cisco ASDM User Guide OL-16647-01 Chapter 47 Monitoring Trend Micro Content Security Resource Graphs • Remov e—Click to remov e the selected statis t ics type from the Selected Graphs li st. • Sho w Graphs—Click to display a ne w windo w that sho ws a Graph tab and an updated graph with the selected statistics. Clic k the Ta b l e tab [...]

  • Page 1161

    P ART 6 Reference[...]

  • Page 1162

    [...]

  • Page 1163

    A-1 Cisco ASDM User Guide OL-16647-01 APPENDIX A Feature Licenses This appendix describes feat ure licenses per mode l. This appendi x includes the follo wing sections: • ASA 5505 Feature Lice nses, page A-1 • ASA 5510 Feature Lice nses, page A-2 • ASA 5520 Feature Lice nses, page A-3 • ASA 5540 Feature Lice nses, page A-4 • ASA 5550 Feat[...]

  • Page 1164

    A-2 Cisco ASDM User Guide OL-16647-01 Appendix A Fe ature Licenses ASA 5510 Feature Licenses ASA 5510 Feature Licenses TLS Proxy for SIP and Skinny Inspectio n Supported Supported Failo ver No support Acti ve/Stan dby (no stateful f ailov er) GTP/GPRS No support No support Maximum VLANs/Zones 3 (2 regul ar zones and 1 restricted zone that can only [...]

  • Page 1165

    A-3 Cisco ASDM User Guide OL-16647-01 Appendix A Feature Licen ses ASA 5520 Feature Licenses ASA 5520 Feature Licenses Max. VLANs 50 1 00 Concurrent Fire wal l Conns 2 50 K 130 K Max. Physical Interf aces Unlimited Unlimited Encryption Base (DES) Optional licens e: Str ong (3DES/AES ) Base (DES) Optional license: Str ong ( 3DES/AES) Min. RAM 256 MB[...]

  • Page 1166

    A-4 Cisco ASDM User Guide OL-16647-01 Appendix A Fe ature Licenses ASA 5540 Feature Licenses ASA 5540 Feature Licenses ASA 5550 Feature Licenses T able A -4 ASA 5540 A daptive Secur i ty Appliance License F eatur es ASA 5540 Base License Users, concurrent Unlimited Unlimited Security Contexts 2 Optional licenses: 5 10 20 50 VPN Sessions 1 1. Althou[...]

  • Page 1167

    A-5 Cisco ASDM User Guide OL-16647-01 Appendix A Feature Licen ses ASA 5580 Feature Licenses ASA 5580 Feature Licenses VPN Load Balancing Supported TLS Proxy for SIP and Skinny Inspectio n Supported Failo v er Activ e/Standb y or Acti ve/Acti v e GTP/GPRS None Optional license: En abled Max. VLANs 250 Concurrent Fire wall Conns 2 650 K Max. Physica[...]

  • Page 1168

    A-6 Cisco ASDM User Guide OL-16647-01 Appendix A Fe ature Licenses PIX 515/515E Feature Licenses PIX 515/515E Feature Licenses Encryption Base (DES) Optional license: Str ong (3DES/AES) Min. RAM 4 GB (default) 1. Although the maximum IPSec and Clientless SSL VPN sessions add up to more than the maximum VPN sessio ns, the combined sessio n s should [...]

  • Page 1169

    A-7 Cisco ASDM User Guide OL-16647-01 Appendix A Feature Licen ses PIX 525 Feature Licenses PIX 525 Feature Licenses PIX 535 Feature Licenses T able A -8 PIX 525 Secur ity Appliance License Feat ur es PIX 525 R (Restricted) UR (Unrestricted) FO ( Failover) 1 1. This license can only be used in a fail over pair with another unit with a UR li cense. [...]

  • Page 1170

    A-8 Cisco ASDM User Guide OL-16647-01 Appendix A Fe ature Licenses PIX 535 Feature Licenses T able A -9 PIX 535 Secur ity Appliance License Featur es PIX 535 R (Restricted) UR (Unrestricted) FO (Failover) 1 1. This license can only be used in a fail over pair with another unit with a UR li cense. Both units must be the same model. FO-AA (Failover A[...]

  • Page 1171

    A-9 Cisco ASDM User Guide OL-16647-01 Appendix A Feature Licen ses PIX 535 Feature Licenses[...]

  • Page 1172

    A-10 Cisco ASDM User Guide OL-16647-01 Appendix A Fe ature Licenses PIX 535 Feature Licenses[...]

  • Page 1173

    B-1 Cisco ASDM User Guide OL-16647-01 APPENDIX B Troubleshooting This appendix describes ho w to troub leshoot the securi t y appliance, and includes the fo llo wing sections: • T esting Y our Confi guration, page B-1 • Reloading the Security Appliance , page B-6 • Performing P assword Recov ery , page B-7 • Using the R OM Monito r to Load [...]

  • Page 1174

    B-2 Cisco ASDM User Guide OL-16647-01 Appendix B Troublesho oting Testing Your Configuration Step 1 T o show ICMP packet information for pi ngs to the security applianc e interf aces, enter the following command: hostname(config)# debug icmp trace Step 2 T o se t system log messages to be sent to T eln et or SSH sessions, enter the follow ing comma[...]

  • Page 1175

    B-3 Cisco ASDM User Guide OL-16647-01 Appendix B Troubleshooting Testing Your Config uration Figur e B-1 Networ k Diagram with Interf aces, Routers, and Hosts Step 2 Ping each se curity appliance interface from the directly connected routers. For transparent mode, ping the manageme nt IP address. This t e st ensures that the security applia nce int[...]

  • Page 1176

    B-4 Cisco ASDM User Guide OL-16647-01 Appendix B Troublesho oting Testing Your Configuration Figur e B-3 Ping F ailur e Because of IP Addr essing Problem s Step 3 Ping each security appliance interface f rom a remote host. For transp arent mode, ping the management IP address. This test checks whethe r the directly conn ected router can route the p[...]

  • Page 1177

    B-5 Cisco ASDM User Guide OL-16647-01 Appendix B Troubleshooting Testing Your Config uration hostname(config-cmap)# policy-map ICMP-POLICY hostname(config-pmap)# class ICMP-CLASS hostname(config-pmap-c)# inspect icmp hostname(config-pmap-c)# service-policy ICMP-POLICY global Alternativ ely , you can also apply the IC MP access list to the destinati[...]

  • Page 1178

    B-6 Cisco ASDM User Guide OL-16647-01 Appendix B Troublesho oting Reloading the Security Appliance Step 4 (Optional) T o disable the ICMP inspection engine, enter the fol lowing command : hostname(config)# no service-policy ICMP-POLICY Traceroute Y ou can trace the route of a packet using the traceroute feature, w hich is accessed with the tracerou[...]

  • Page 1179

    B-7 Cisco ASDM User Guide OL-16647-01 Appendix B Troubleshooting Performing Password Recovery Performing Password Recovery This section descri bes how to recov er passwords if you ha v e forgott en them or you are locked out because of AAA settings, and ho w to disabl e password recovery for e xtra securi ty . This section includes the following to[...]

  • Page 1180

    B-8 Cisco ASDM User Guide OL-16647-01 Appendix B Troublesho oting Performing Passwor d Recovery Step 11 When prompted for the passw ord, press Enter . The password is blank. Step 12 Access the global conf iguration mod e by entering the fol lowin g command: hostname# configure terminal Step 13 Change the passwords, as required, in t he default conf[...]

  • Page 1181

    B-9 Cisco ASDM User Guide OL-16647-01 Appendix B Troubleshooting Performing Password Recovery Y o u can log in with th e default logi n password of “cisco” and the blan k enable password. The follo wing example sho ws password reco very on a PIX 500 series security appliance wi th the TFTP server on the outside interface: monitor> interface [...]

  • Page 1182

    B-10 Cisco ASDM User Guide OL-16647-01 Appendix B Troublesho oting Using the ROM Monitor to Load a Software Image of the command does not change the setting . If you disable password reco ve ry when the security appliance is configured to ignore the startup conf iguratio n at startup (in preparation fo r password recov ery), then the security appli[...]

  • Page 1183

    B-11 Cisco ASDM User Guide OL-16647-01 Appendix B Troubleshooting Erasing the Flash File System Step 6 Ping the TFTP server by entering the ping server command. rommon #7> ping server Sending 20, 100-byte ICMP Echoes to server 10.129.0.30, timeout is 4 seconds: Success rate is 100 percent (20/20) Step 7 Load the software image by entering the tf[...]

  • Page 1184

    B-12 Cisco ASDM User Guide OL-16647-01 Appendix B Troublesho oting Other Troub leshooting Tools Other Troubleshooting Tools The security appliance pro vides other troubleshooting tools that you can use. This sectio n includes the follo wing topics: • V iewing Deb ug Messages, page B-12 • Capturing Packets, page B-12 • V iewing the Crash D ump[...]

  • Page 1185

    B-13 Cisco ASDM User Guide OL-16647-01 Appendix B Troubleshooting Common Problems User's Identity not Preserved Across Contexts If your netw ork will be or ganized int o multiple conte xts, be aw are that, when changin g contexts, the user identity is not preserved. The user becomes a de fault (enable_15) us er in the new context, with Adminis[...]

  • Page 1186

    B-14 Cisco ASDM User Guide OL-16647-01 Appendix B Troublesho oting Common Problems Symptom Traf f ic does not pass betw een two inte rf aces on the same security le v el. Possible Cause Y ou did not enable the feature that allows traff ic to pass between interfaces at the same security le vel. Recommended Action Enable this feature.[...]

  • Page 1187

    C-1 Cisco ASDM User Guide OL-16647-01 APPENDIX C Configuring an External Server for Authorization and Authentication This appendix descr ibes how to confi gure an e xte rnal LD AP , RADIUS, or T A CA CS+ serv er to support AAA on the security ap pliance. Before you conf igure the security appliance to use an external server , you must conf igure th[...]

  • Page 1188

    C-2 Cisco ASDM User Guide OL-16647-01 Appendix C Configur ing an External Server for Au thorization and Authentic ation Understanding Policy Enforcement of Permissions an d Attributes Understanding Policy Enfor cement of Permissions and Attributes The security appliance supports se v eral methods of applyi ng user authorization att ribut es (also c[...]

  • Page 1189

    C-3 Cisco ASDM User Guide OL-16647-01 Appendix C Configuring an External Server for Authorization and Authentic ation Configuring an External LDAP Server Figure C-1 Polic y Enfor cement Flow Configuring an External LDAP Server The VPN 3000 Concen trator and the ASA/PIX 7.0 requir ed a Cisco LD AP schema for aut horization operations. Be ginning wit[...]

  • Page 1190

    C-4 Cisco ASDM User Guide OL-16647-01 Appendix C Configur ing an External Server for Au thorization and Authentic ation Configuring an Ex ternal LDAP Serv er Y our LDAP con figur ation should reflect the logical hierarchy o f your or ganization. F or exampl e, suppose an employee at your company , Example Co rporation, is named T erry . T erry work[...]

  • Page 1191

    C-5 Cisco ASDM User Guide OL-16647-01 Appendix C Configuring an External Server for Authorization and Authentic ation Configuring an External LDAP Server Binding the Security Appliance to the LDAP Server Some LD AP serv ers (including the Microsoft Acti v e Directory serv er) require the security appliance to establish a handshake v ia authenticate[...]

  • Page 1192

    C-6 Cisco ASDM User Guide OL-16647-01 Appendix C Configur ing an External Server for Au thorization and Authentic ation Configuring an Ex ternal LDAP Serv er For softw are V ersion 7.0, LDAP attr ibutes incl ude th e cVPN3000 prefix. F or V ersion 7.1 and later , this pref ix was remo ved. Supported Cisco Attributes for LDAP Authorization This sect[...]

  • Page 1193

    C-7 Cisco ASDM User Guide OL-16647-01 Appendix C Configuring an External Server for Authorization and Authentic ation Configuring an External LDAP Server DHCP-Network-Scope Y Y Y String Single IP address DN-Field Y Y Y String Single Possible v alues: UID, OU, O, CN, L, SP , C, EA, T , N, GN, SN, I, GENQ, DNQ, SER, use-en tire-name. Fire wall-A CL-I[...]

  • Page 1194

    C-8 Cisco ASDM User Guide OL-16647-01 Appendix C Configur ing an External Server for Au thorization and Authentic ation Configuring an Ex ternal LDAP Serv er IPSec-Backup-Servers Y Y Y String Singl e 1 = Use Client-Conf igured list 2 = Disabled and clear client list 3 = Use Backup Server list IPSec-Client-Fire wall-Fil ter- Name Y String Single Spe[...]

  • Page 1195

    C-9 Cisco ASDM User Guide OL-16647-01 Appendix C Configuring an External Server for Authorization and Authentic ation Configuring an External LDAP Server L2TP-Encryption Y Integer Sing le Bitmap: 1 = Encryption required 2 = 40 bit 4 = 128 bits 8 = Stateless-Req 15 = 40/128-Encr/ Stateless-Req L2TP-MPPC-Compression Y Integer Single 0 = Disabled 1 = [...]

  • Page 1196

    C-10 Cisco ASDM User Guide OL-16647-01 Appendix C Configur ing an External Server for Au thorization and Authentic ation Configuring an Ex ternal LDAP Serv er Required-Client-Fire wa ll- Product-Code Y Y Y Integer Single Cisco Systems Products: 1 = Cisco Intrusio n Prev ention Security Agent or Cisco Integrated Client (CIC) Zone Labs Products: 1 = [...]

  • Page 1197

    C-11 Cisco ASDM User Guide OL-16647-01 Appendix C Configuring an External Server for Authorization and Authentic ation Configuring an External LDAP Server W ebVPN-App ly-A CL-Enable Y Y Integer Single 0 = Disab led 1 = Enabled W ebVPN-Citrix-Support-En able Y Y Inte ger Single 0 = Disabled 1 = Enabled W ebVPN-Content-Filter - Parameters Y Y Inte ge[...]

  • Page 1198

    C-12 Cisco ASDM User Guide OL-16647-01 Appendix C Configur ing an External Server for Au thorization and Authentic ation Configuring an Ex ternal LDAP Serv er Cisco-AV-Pair Attribute Syntax The syntax of each Cisco-A V -Pair ru le is as follows: [Prefix] [Acti on] [Protocol] [Source] [Source W ildcard Mask] [ Destination] [Destination W ildcard Mas[...]

  • Page 1199

    C-13 Cisco ASDM User Guide OL-16647-01 Appendix C Configuring an External Server for Authorization and Authentic ation Configuring an External LDAP Server For e xample: ip:inacl#1=deny ip 10.155.10.0 0.0.0.255 10.159.2.0 0.0.0.255 log ip:inacl#2=permit TCP any host 10.160.0.1 eq 80 log webvpn:inacl#1=permit url http://www.website.com webvpn:inacl#2[...]

  • Page 1200

    C-14 Cisco ASDM User Guide OL-16647-01 Appendix C Configur ing an External Server for Au thorization and Authentic ation Configuring an Ex ternal LDAP Serv er Additional Information for using ASDM to Configure LDAP Additional informatio n on using ASDM to conf i gure LD AP is a v ailable o n Cisco.com in the documentation area fo r the security app[...]

  • Page 1201

    C-15 Cisco ASDM User Guide OL-16647-01 Appendix C Configuring an External Server for Authorization and Authentic ation Configuring an Exte rnal RADIUS Server Configuring an External RADIUS Server This section presents an o ver view of t he RADIUS conf iguration procedure and defines the Cisco RADIUS attrib utes. It includes the f ollow ing topics: [...]

  • Page 1202

    C-16 Cisco ASDM User Guide OL-16647-01 Appendix C Configur ing an External Server for Au thorization and Authentic ation Configuring an Ex ternal RADIUS Serv er T able C-5 Secur ity Appliance Su pport e d RADIUS At tr ibut es and V alues Attribute Name VPN 3000 ASA PIX Attr . # Syntax/ Ty p e Single or Multi- V alued Description or V alue A c c e s[...]

  • Page 1203

    C-17 Cisco ASDM User Guide OL-16647-01 Appendix C Configuring an External Server for Authorization and Authentic ation Configuring an Exte rnal RADIUS Server PPTP-Encryption Y 20 Integer Single Bitmap: 1 = Encryption required 2 = 40 bits 4 = 128 bits 8 = Stateless-Required 15 = 40/128-Encr/Stateless-Req L2TP-Encryption Y 21 Integer Single Bitmap: 1[...]

  • Page 1204

    C-18 Cisco ASDM User Guide OL-16647-01 Appendix C Configur ing an External Server for Au thorization and Authentic ation Configuring an Ex ternal RADIUS Serv er PPTP-MPPC-Compression Y 37 Integer Single 0 = Disabled 1 = Enabled L2TP-MPPC-Compression Y 38 Integer Single 0 = Disabled 1 = Enabled I P S e c - I P - C o m p r e s s i o n YYY3 9 I n t e [...]

  • Page 1205

    C-19 Cisco ASDM User Guide OL-16647-01 Appendix C Configuring an External Server for Authorization and Authentic ation Configuring an Exte rnal RADIUS Server R e q u i r e d - C l i e n t - F i r e w a l l - P r o d u c t - C o d e YYY4 6 I n t e g e r S i n g l e C i s c o S y s t e m s P r o d u c t s : 1 = Cisco Intrusion Pre v ention Security A[...]

  • Page 1206

    C-20 Cisco ASDM User Guide OL-16647-01 Appendix C Configur ing an External Server for Au thorization and Authentic ation Configuring an Ex ternal RADIUS Serv er I P S e c - B a c k u p - S e r v e r s YYY5 9 S t r i n g S i n g l e 1 = U s e C l i e n t - C o n f i g u r e d l i s t 2 = Disable and clear client list 3 = Use Backup Server list I P S[...]

  • Page 1207

    C-21 Cisco ASDM User Guide OL-16647-01 Appendix C Configuring an External Server for Authorization and Authentic ation Configuring an Exte rnal RADIUS Server W ebVPN-Port-Fo rwarding-Name Y Y 79 String Single String name (exampl e, “Corporate-Apps”). This text r eplaces the default string, “ Application Access, ” on the clientless portal ho[...]

  • Page 1208

    C-22 Cisco ASDM User Guide OL-16647-01 Appendix C Configur ing an External Server for Au thorization and Authentic ation Configuring an Ex ternal RADIUS Serv er W ebVPN-Port-Fo rwarding-Enable Y Y 97 Integer Single 0 = Disabled 1 = Enabled W ebVPN-Outlook-Ex change-Proxy-Enable Y Y 98 Inte ger Single 0 = Disabled 1 = Enabled W ebVPN-Port-Fo rwardin[...]

  • Page 1209

    C-23 Cisco ASDM User Guide OL-16647-01 Appendix C Configuring an External Server for Authorization and Authentic ation Configuring an External TACACS+ Server Configuring an External TACACS+ Server The securit y appliance pro vides support for T A CA CS+ attrib utes. T A CA CS+ separates the functions of authentication, autho rization, and accountin[...]

  • Page 1210

    C-24 Cisco ASDM User Guide OL-16647-01 Appendix C Configur ing an External Server for Au thorization and Authentic ation Configuring an Ex ternal TACACS+ Ser ver Note T o use T ACA CS+ att ributes, mak e sure you ha ve enabled AAA services on the N AS. Ta b l e C - 6 lists supported T A CA CS+ authorization response attrib utes for cut-thr ough-pro[...]

  • Page 1211

    IN-1 Cisco ASDM User Guide OL-16647-01 INDEX Numerics 4GE SSM connector types 7-2, 8-2 fiber 7-2, 8-2 SFP 7-2, 8-2 support 1-2 802.1Q trunk 7-3, 8-5 A AAA about 14-1 accounting 23-15 authentication CLI access 16-20 network access 23-1 proxy limit 23-9 authorization command 16-23 downloadable access lists 23-10 network access 23-9 local database sup[...]

  • Page 1212

    Index IN-2 Cisco ASDM User Guide OL-16647-01 fields 12-3 Add/Edit Filterin g Entry dialog box 11-9 description 11-9 fields 11-9 Add/Edit IGMP Join Gr oup dialog box 12-4 description 12-4 fields 12-4 Add/Edit IGMP Static Gro up dialog box 12-7 description 12-7 fields 12-7 Add/Edit Multi cast Group dialog box 12-18 description 12-18 fields 12-18 Add/[...]

  • Page 1213

    Index IN-3 Cisco ASDM User Guide OL-16647-01 application firewall 24-95 application inspection about 24-2 applying 24-4 configuring 24-4 described 24-60 enabling for dif ferent protocols 24-29 security le vel requ irements 7-4, 8-8 Apply button 1-13 Area/Networks tab 11-5 description 11-5 fields 11-5 area border router 11-2 ARP inspection configuri[...]

  • Page 1214

    Index IN-4 Cisco ASDM User Guide OL-16647-01 B backed up configurations restoring 3-29 backing up configurati ons 3-26 bandwid th 1-19 banner, view/configu re 35-25 Basic tab IPSec LAN-to-LAN, General tab 35-71 basic threat detection See threat detection bridging MAC address table learning, disabling 30-6 overview 30-4 static entry 30-6 management [...]

  • Page 1215

    Index IN-5 Cisco ASDM User Guide OL-16647-01 code-signer certificate 33-18 command authorization about 16-23 configuring 16-23 multiple contexts 16-24 configuration context files 10-2 factory default 4-1 configurations, backing up 3-26 Configure IGMP Parameters d ialog box 12-5 description 12-5 fields 12-5 configuring CSC activation 29-10 CSC email[...]

  • Page 1216

    Index IN-6 Cisco ASDM User Guide OL-16647-01 CSC software updates monitoring 47-4 CSC SSM getting started 29-4 overview 29-2 support 1-2 what to scan 29-6 CSC threats monitoring 47-1 CSC update s configuring 29-25 CSC Web configuring 29-21 CTIQBE application inspection, enabling 24-29 cut-through prox y 23-1 D data flo w routed firewall 18-1 transp[...]

  • Page 1217

    Index IN-7 Cisco ASDM User Guide OL-16647-01 downloadable access lists configuring 23-11 converting netmask expressio ns 23-15 DSCP preservati on 25-5 duplex interface 9-13 duplex, configu ring 7-2, 8-2 dynamic NAT See NAT E Easy VPN client Xauth 35-85 Easy VPN, advanced properties 35-86 Easy VPN client 35-84 Easy VPN Remote 35-84 ECMP 11-40 Edit D[...]

  • Page 1218

    Index IN-8 Cisco ASDM User Guide OL-16647-01 system 8-2 key 15-15, 15-26 make active 46-4 make standby 46-4 monitoring 46-1 monitor ing inter faces 15-19 redundant interfaces 7-2, 8-4 reload standby 46-4 reset 46-4, 46-8 stateful 15-3 Stateful Fa ilover 15-27 statel ess 15-3 status 46-1 failover groups about 15-29 adding 15-30 editing 15-30 monitor[...]

  • Page 1219

    Index IN-9 Cisco ASDM User Guide OL-16647-01 limitatio ns 24-13 H225 application inspection, enabling 24-29 H323 RAS application inspection, enabling 24-29 Hardware Client tab 35-31 Help button 1-13 HELP command , denied request 24-82 Help menu 1-10 hierarchical policy, traffi c shaping and priority queueing 25-8 history metrics 6-6 HSRP 18-8 HTTP [...]

  • Page 1220

    Index IN-10 Cisco ASDM User Guide OL-16647-01 ASA 5505 MAC addresses 9-4 maximum VLANs 9-2 duplex 7-2, 8-2 enabled status 8-2 fiber 7-2, 8-2 jumbo frame support multiple mode 8-7 single mode 7-8 monitoring 41-5 redundant 8-3 SFP 7-2, 8-2 speed 7-2, 8-2 subinterfaces 8-5 intrusion preven tion configuration 28-4 IP address 6-1 configuration 9-8 confi[...]

  • Page 1221

    Index IN-11 Cisco ASDM User Guide OL-16647-01 See transparent firewall Layer 3/4 matching multiple policy maps 22-5 LDAP application inspection 24-14 attribute mapping 14-22 Cisco-AV-pair C-12 configuring 14-9 configuring a AAA server C-3 to ?? directory search C-4 hierarchy example C-4 SASL 14-6 server type 14-7 user authorization 14-7 LLQ See low[...]

  • Page 1222

    Index IN-12 Cisco ASDM User Guide OL-16647-01 CSC threats 47-1 DHCP interface lease 41-2 IP addresses 41-2 server 41-2 statistics 41-3 failover 46-1, 46-6 failover groups 46-9 history metrics 6-6 interfaces 41-5 MAC address table 41-4 routes 43-8 monitor ing inter faces 15-19 monitoring switch traffi c, ASA 5505 9-4 MPF about 22-1 default polic y 2[...]

  • Page 1223

    Index IN-13 Cisco ASDM User Guide OL-16647-01 NetFlow event matching to configured collectors 17-19 Network Admission Cont rol uses, requirements, and limitations 34-24 New Authenticatio n Server Group panel, VPN wizard 32-9 NTLM support 14-5 NT serve r configuring 14-9 support 14-5 O Options menu 1-8 OSPF about 11-1 adding an LSA filter 11-9 authe[...]

  • Page 1224

    Index IN-14 Cisco ASDM User Guide OL-16647-01 platform model 1-18 PoE 9-4 policy, QoS 25-1 policy map Layer 3/4 feature directionality 22-3 flows 22-5 policy NAT about 21-10 Port Forwarding configuring client applications 37-6 port forwarding entry 38-19 posture validation uses, requirements, and limitations 34-24 Posture Validation Ex ception, add[...]

  • Page 1225

    Index IN-15 Cisco ASDM User Guide OL-16647-01 recurring time range, ad d or edit 35-13 redirect, ICMP message 16-8 Redistrib ution pane l 11-14 description 11-14 fields 11-15 redundant interfaces configuring 8-5 failover 7-2, 8-4 MAC address 7-3, 8-4 reloading security appliance B-6 Remote Access Client panel, V PN wizard 32-6 Remote Si te Peer pan[...]

  • Page 1226

    Index IN-16 Cisco ASDM User Guide OL-16647-01 SDI configuring 14-9 support 14-5 Secure Computing SmartFilter filtering server supported 26-1 URL for website 26-1 Secure Copy configure server 16-5 security appliance reloading B-6 security contexts admin context overview 10-1 cascading 10-7 classifier 10-2 command authorization 16-24 configuration fi[...]

  • Page 1227

    Index IN-17 Cisco ASDM User Guide OL-16647-01 stateful application inspection 24-60 Stateful Fa ilover 15-3 enabling 15-16 Logical Updates Statistics 46-7, 46-9 settings 15-27 stateful fail over interface system 8-2 stateful inspection 2-19 stateless failover 15-3 Static Group p anel 12-6 description 12-6 fields 12-6 static NAT See NAT Static Neigh[...]

  • Page 1228

    Index IN-18 Cisco ASDM User Guide OL-16647-01 basic drop types 27-2 enabling 27-2 overview 27-2 rate intervals 27-2 system pe rformance 27-2 scanning default limits, changi ng 27-4 enabling 27-3 host databa se 27-3 overview 27-3 shunning attackers 27-4 system pe rformance 27-4 scanning s tatistics enabling 27-4 system pe rformance 1-20, 27-5 shun d[...]

  • Page 1229

    Index IN-19 Cisco ASDM User Guide OL-16647-01 U UDP application inspection 24-60 bomb attack 27-16 chargen DoS attack 27-16 connection stat e information 2-20 snork attack 27-16 Unicast Reverse Path Forwarding 27-20 unreachable messages ICMP type 16-8 required for MTU discovery 16-7 uptime 1-18 URL filtering benefits of 26-6 configuring 26-8 URLs f[...]

  • Page 1230

    Index IN-20 Cisco ASDM User Guide OL-16647-01 W web browsing with Clientless SSL VPN 37-4 web clients, secure authentication 23-5 Websense fi ltering serv er 26-1, 26-5 WebVPN use suggestion s 37-2 Window menu 1-10 Wizards menu 1-10 X Xauth, Easy VPN clie nt 35-85 XDMCP application inspection, enabling 24-30 Z Zone Labs Integrity Server 35-82[...]