Cisco Systems ASA 5555-X manual

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712

Ir para a página of

Bom manual de uso

As regras impõem ao revendedor a obrigação de fornecer ao comprador o manual com o produto Cisco Systems ASA 5555-X. A falta de manual ou informações incorretas fornecidas ao consumidor são a base de uma queixa por não conformidade do produto com o contrato. De acordo com a lei, pode anexar o manual em uma outra forma de que em papel, o que é frequentemente utilizado, anexando uma forma gráfica ou manual electrónicoCisco Systems ASA 5555-X vídeos instrutivos para os usuários. A condição é uma forma legível e compreensível.

O que é a instrução?

A palavra vem do latim "Instructio" ou instruir. Portanto, no manual Cisco Systems ASA 5555-X você pode encontrar uma descrição das fases do processo. O objetivo do manual é instruir, facilitar o arranque, a utilização do equipamento ou a execução de determinadas tarefas. O manual é uma coleção de informações sobre o objeto / serviço, um guia.

Infelizmente, pequenos usuários tomam o tempo para ler o manual Cisco Systems ASA 5555-X, e um bom manual não só permite conhecer uma série de funcionalidades adicionais do dispositivo, mas evita a formação da maioria das falhas.

Então, o que deve conter o manual perfeito?

Primeiro, o manual Cisco Systems ASA 5555-X deve conte:
- dados técnicos do dispositivo Cisco Systems ASA 5555-X
- nome do fabricante e ano de fabricação do dispositivo Cisco Systems ASA 5555-X
- instruções de utilização, regulação e manutenção do dispositivo Cisco Systems ASA 5555-X
- sinais de segurança e certificados que comprovam a conformidade com as normas pertinentes

Por que você não ler manuais?

Normalmente, isso é devido à falta de tempo e à certeza quanto à funcionalidade específica do dispositivo adquirido. Infelizmente, a mesma ligação e o arranque Cisco Systems ASA 5555-X não são suficientes. O manual contém uma série de orientações sobre funcionalidades específicas, a segurança, os métodos de manutenção (mesmo sobre produtos que devem ser usados), possíveis defeitos Cisco Systems ASA 5555-X e formas de resolver problemas comuns durante o uso. No final, no manual podemos encontrar as coordenadas do serviço Cisco Systems na ausência da eficácia das soluções propostas. Atualmente, muito apreciados são manuais na forma de animações interessantes e vídeos de instrução que de uma forma melhor do que o o folheto falam ao usuário. Este tipo de manual é a chance que o usuário percorrer todo o vídeo instrutivo, sem ignorar especificações e descrições técnicas complicadas Cisco Systems ASA 5555-X, como para a versão papel.

Por que ler manuais?

Primeiro de tudo, contem a resposta sobre a construção, as possibilidades do dispositivo Cisco Systems ASA 5555-X, uso dos acessórios individuais e uma gama de informações para desfrutar plenamente todos os recursos e facilidades.

Após a compra bem sucedida de um equipamento / dispositivo, é bom ter um momento para se familiarizar com cada parte do manual Cisco Systems ASA 5555-X. Atualmente, são cuidadosamente preparados e traduzidos para sejam não só compreensíveis para os usuários, mas para cumprir a sua função básica de informação

Índice do manual

  • Página 1

    Cisco Systems, Inc. www.cisco.com Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco we bsite at www.cisco.com/go/ offices. Cisco A S A S eries Fire w all CLI Conf iguration Guide Sof tw are V ers ion 9.1 For the AS A 5505, AS A 551 0, AS A 5520, AS A 5540, ASA 5550, AS A 5512-X, AS A 551 5-[...]

  • Página 2

    THE SPECIFICATION S AND INFORMAT ION REGARDING THE PRODUCTS IN THIS MA NUAL ARE SUBJ ECT TO CHANGE WITHOUT NOT ICE. ALL STATEMENTS , INFORMATION , AND RECOMMEN DATIONS I N THIS MANUA L ARE BELIEVE D TO BE ACCURATE BUT ARE PRESENTED WI THOUT WARRANTY OF ANY KIND, EX PRESS OR IMPLIED. USERS MUST TAKE FUL L RESPONSIBILITY FOR THEIR APPLICAT ION OF ANY[...]

  • Página 3

    iii Cisco ASA Series Firewall CLI Configuration Guide CONTENTS About This Guide xxv Document Objectives xxv Related Documentation xxv Conventi ons xxv Obtaining Documentation and Submitting a Serv ice Request xxvi PART 1 Configuring Service P olicies Using the Modul ar Policy Fram ework CHAPTER 1 Configuring a Service Policy Usin g the Modular Poli[...]

  • Página 4

    Contents iv Cisco ASA Series Firewall CLI Configuration Guide Applying Inspection and Connection Limits to HTTP Traffic to Sp ecific Servers 1-20 Applying Inspection to HTTP Traffic with NAT 1-21 Feature History for Service Policies 1-22 CHAPTER 2 Configuring Special Actions for Application Inspectio ns (Inspection Policy Map) 2-1 Information About[...]

  • Página 5

    Contents v Cisco ASA Series Firewall CLI Configuration Guide Main Differences Between Network Ob ject NAT and Twice NAT 3-13 Information About Network Object NAT 3-14 Information About Twice NAT 3-14 NAT Rule Order 3-18 NAT Interfaces 3-19 Routing NAT Packets 3-19 Mapped Addresses and Routing 3-19 Transparent Mode Routin g Requirements for Remote N[...]

  • Página 6

    Contents vi Cisco ASA Series Firewall CLI Configuration Guide DNS Server and FTP Server on Ma pped Interface, FTP Server is Translate d (Static NAT with DNS Modification) 4-25 IPv4 DNS Server and FTP Server on Mapped Interface, IPv6 Host on Real In terface (Static NAT64 with DNS64 Modification) 4-26 Feature History fo r Network Object NAT 4-28 CHAP[...]

  • Página 7

    Contents vii Cisco ASA Series Firewall CLI Configuration Guide Access Rule s for Returning Traffic 6-5 Allowing Broadcast and Multicast Traffic through the Transparent Fire wall Using Access Rules 6-5 Management Access Rules 6-6 Information About EtherType Rules 6-6 Supported EtherT ypes and Other Traffic 6-6 Access Rule s for Returning Traffic 6-7[...]

  • Página 8

    Contents viii Cisco ASA Series Firewall CLI Configuration Guide Configuring a RADIUS Server to Downl oad Per-User Ac cess Control List Names 7-21 Configuring Accounting for Network Access 7-21 Using MAC Addresses to Exempt Traffic from Authentic ation and Authorization 7-23 Feature History for AAA Rules 7-25 PART 4 Configuring Applic ation Inspecti[...]

  • Página 9

    Contents ix Cisco ASA Series Firewall CLI Configuration Guide IP Options Inspec tion Overview 10-24 Configuring an IP Options Inspection Poli cy Map fo r Additional Inspection Control 10-25 IPsec Pass Thro ugh Inspection 10-25 IPsec Pass Thro ugh Inspection Ove rview 10-26 Example for Defining an IPsec Pa ss Through Parameter Map 10-26 IPv6 Inspect[...]

  • Página 10

    Contents x Cisco ASA Series Firewall CLI Configuration Guide Verifying and Monitorin g MGCP Inspection 11 -14 RTSP Inspection 11-14 RTSP Inspection Overv iew 11-15 Using RealPlayer 11-1 5 Restrictions and Limitations 11-15 Configuring an RTSP Inspection Policy Map for Additional Inspe ction Control 11 -16 SIP Inspection 11-18 SIP Inspection Overvie[...]

  • Página 11

    Contents xi Cisco ASA Series Firewall CLI Configuration Guide RSH Inspection 13-10 SNMP Insp ection 13-10 SNMP Insp ection Ove rview 13-10 Configuring an SNMP Inspection Policy Ma p for Additional Inspection Control 13-10 XDMCP Inspection 13-11 PART 5 Configuring Unified Communications CHAPTER 14 Information About Cisco Unified Communications Proxy[...]

  • Página 12

    Contents xii Cisco ASA Series Firewall CLI Configuration Guide Working with Certificates in the Unified Communication Wizard 15 -23 Exporting an Identity Certificate 15-23 Installing a Certificate 15-23 Generating a Certificate Sign ing Request (CSR) for a Unified Communicatio ns Proxy 15-24 Saving the Identity Certificate Request 15-25 Installing [...]

  • Página 13

    Contents xiii Cisco ASA Series Firewall CLI Configuration Guide Creating the TLS Proxy Instance for a Non-secure Cisco UCM Cluster 16-20 Creating the TLS Proxy for a Mixed-mode Cisco UCM Cluster 16-21 Creating the Media Termination Instance 16 -23 Creating the Phone Proxy In stance 16-24 Enabling the Phone Proxy with SIP and Skinny Inspection 16-26[...]

  • Página 14

    Contents xiv Cisco ASA Series Firewall CLI Configuration Guide CTL Client Overview 17-3 Licensing for the TLS Proxy 17-5 Prerequisites for the TLS Proxy for Encrypted Voice Inspection 17-7 Configuring the TLS Proxy for Encryp ted Voice Inspection 17-7 Task flow for Configuring the TLS Pr o xy for Encrypted Voice Inspec tion 17-8 Creating Trustpoint[...]

  • Página 15

    Contents xv Cisco ASA Series Firewall CLI Configuration Guide Configuration Requirements for XMPP Federation 19-6 Licensing for Cisco Unified Presence 19 -7 Configuring Cisco Unified Presen ce Proxy for SIP Federation 19-8 Task Flow for Configuring Cisco Unified Prese nce Federation Proxy for SIP Federation 19-9 Creating Trustpoints and Generating [...]

  • Página 16

    Contents xvi Cisco ASA Series Firewall CLI Configuration Guide Configuring the Cisco UC-IMC Pro xy by usin g the UC-IME Proxy Pane 20-30 Configuring the Cisco UC-IMC Proxy by us ing the Unified Communications Wizard 20-32 Troubleshooting Cisco Intercompany Me dia Engine Proxy 20 -33 Feature History for Cisco Intercompany Media Engine Proxy 20-36 PA[...]

  • Página 17

    Contents xvii Cisco ASA Series Firewall CLI Configuration Guide Licensing Requirement s for QoS 23-5 Guidelines and Limitations 23-5 Configuring QoS 23-6 Determining the Queue and TX Ring Limits for a Standard Priority Queue 23-7 Configuring the Standard Priority Queue for an Interface 23-8 Configuring a Service Rule for Standard Prio rity Queuing [...]

  • Página 18

    Contents xviii Cisco ASA Series Firewall CLI Configuration Guide Cloud Web Security Actions 25-5 Bypassing Scanning with White lists 25-6 IPv4 and IPv6 Support 25 -6 Failover from Primary to Backup Proxy Server 25-6 Licensing Requirements fo r Cisco Cloud Web Security 25-6 Prerequisites for Cloud Web Security 25-7 Guidelines and Limitations 25-7 De[...]

  • Página 19

    Contents xix Cisco ASA Series Firewall CLI Configuration Guide Botnet Traffic Filter Address Types 26-2 Botnet Traffic Filter Actions for Known Addresses 26-2 Botnet Traffic Filter Databases 26-2 Information About the Dynamic Database 26-2 Information About the Static Database 26-3 Information About the DNS Reverse Lookup Cache and DNS Host Cache 2[...]

  • Página 20

    Contents xx Cisco ASA Series Firewall CLI Configuration Guide Configuring Advanced Threat Detection Statistics 27-6 Information About Advanced Threat Detection Statistics 27-6 Guidelines and Limitations 27-6 Default Settings 27-7 Configuring Advanced Threat Detectio n Statistics 27-7 Monitoring Advan ced Threat Detection Statistics 27-9 Feature His[...]

  • Página 21

    Contents xxi Cisco ASA Series Firewall CLI Configuration Guide Configuration Examples for Java Applet Filtering 29-5 Feature History for Java Applet Filtering 29-6 Filtering URLs and FTP Requests with an External Server 29-6 Information About URL Filtering 29-6 Licensing Requirements fo r URL Filtering 29-7 Guidelines and Limitations for URL Filter[...]

  • Página 22

    Contents xxii Cisco ASA Series Firewall CLI Configuration Guide (ASA 5512-X through ASA 5555-X; May Be Required) Installing the Software Module 30-12 (ASA 5585-X) Changing the ASA CX Management IP Address 30-14 Configuring Basic ASA CX Settings at the ASA CX CLI 30-15 Configuring the Security Policy on the ASA CX Module Using PRSM 30-16 (Optional) [...]

  • Página 23

    Contents xxiii Cisco ASA Series Firewall CLI Configuration Guide ASA 5512-X through ASA 5555-X (Software Mo dule) 31-9 ASA 5505 31-10 Sessioning to the M odule from the ASA 31-11 (ASA 5512-X through ASA 5555-X) Booting th e Software Module 31-11 Configuring Basic IPS Module Network Settings 31-12 (ASA 5510 and Hig her) Configuring Basic Networ k Se[...]

  • Página 24

    Contents xxiv Cisco ASA Series Firewall CLI Configuration Guide Additional References 32-18 Feature History for the CSC SSM 32-19 I NDEX[...]

  • Página 25

    xxv Cisco ASA Series Firewall CLI Configuratio n Guide About This Guide This preface introduces Cisco ASA Series F ir e wall CLI Conf igur ation Guide and includes the follo wing sections: • Document Objectiv es, page xxv • Related Documentati on, page xxv • Con v entions, page xxv • Obtaining Documentati on and Submitting a Ser vice Reques[...]

  • Página 26

    xxvi Cisco ASA Series Firewall CLI Configuration Guide Note Means reader take note . Ti p Means the following inf ormation will help you sol ve a pr o blem . Caution Means re a d e r b e c a re f u l . In this situation, you might perform an action t hat could result in equipment damage or loss of dat a. Obtaining Documentation and Submitting a Ser[...]

  • Página 27

    P AR T 1 Conf iguring Service P olicies Using the Modular P olicy F rame work[...]

  • Página 28

    [...]

  • Página 29

    CH A P T E R 1-1 Cisco ASA Series Firewall CLI Configuratio n Guide 1 Configuring a Service Policy Using the Modular Policy Framework Service polici es using Modular Pol icy Fram ew ork provide a consistent and f lexible w ay to configure ASA features. For example, you can us e a service polic y to create a time out conf iguration that is specific [...]

  • Página 30

    1-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Po licy Using the Modular Polic y Framework Information About Service Policies Supported Features Ta b l e 1 - 1 lists the features supported by Modul ar Policy Frame work. Feature Directionality Actions are applied to t raffic bid irectionally or unidir ectionall[...]

  • Página 31

    1-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 1 Configuring a Service Po licy Using the Modular Policy Framework Information About Service Policies Note When you use a global policy , all features are unidire ctional; features that are normally bidirectional when applied to a single interf ace only apply to the ingress of each inte[...]

  • Página 32

    1-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Po licy Using the Modular Polic y Framework Information About Service Policies For e x ample, if a packet matches a class map for co nnection limits, and also matches a class map fo r an application inspection, then both actions are applied. If a packet matches a [...]

  • Página 33

    1-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 1 Configuring a Service Po licy Using the Modular Policy Framework Information About Service Policies Incompatibility of Certain Feature Actions Some features are not compatible w i th each other for the same traf fic. Th e following list may not include all incompatibilities; fo r info[...]

  • Página 34

    1-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Po licy Using the Modular Polic y Framework Licensing Requirement s for Service Policies class ftp inspect ftp Feature Matching for Multiple Service Policies For TCP a nd UDP traf fic (and ICMP w hen you enable stateful ICMP in spection), servi ce policies operate[...]

  • Página 35

    1-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 1 Configuring a Service Po licy Using the Modular Policy Framework Guidelines and Limitations • TCP normalization • TCP state bypass • User statistics for Id entity Fire wall Class Map Guidelines The maximum number of class mapsof all types is 255 in sin gle mode or per conte xt i[...]

  • Página 36

    1-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Po licy Using the Modular Polic y Framework Default Settings Default Settings The follo wing topics describe the defaul t settings for Modular Polic y Framew ork: • Default Co nfiguration, page 1-8 • Default Cl ass Maps, page 1-9 Default Configuration By defau[...]

  • Página 37

    1-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 1 Configuring a Service Po licy Using the Modular Policy Framework Task Flows for Co nfiguring Se rvice Polici es inspect ip-options _default_ip_options_map inspect netbios inspect rsh inspect rtsp inspect skinny inspect esmtp _default_esmtp_map inspect sqlnet inspect sunrpc inspect tft[...]

  • Página 38

    1-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Po licy Using the Modular Polic y Framework Task Flows for Configuring Service Policies Step 1 Identify the traf fic—Identify th e traf fic on which you want t o perform Modular Polic y Framework actions by creating Layer 3/4 class maps. For e xample, you might[...]

  • Página 39

    1-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 1 Configuring a Service Po licy Using the Modular Policy Framework Task Flows for Co nfiguring Se rvice Polici es See the “Defining Actions (Layer 3/ 4 Policy Map)” section on pa ge 1-15 and the “ Applying Actions to an Interface (Service Policy)” section on page 1-17 . Task Fl[...]

  • Página 40

    1-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Po licy Using the Modular Polic y Framework Identifying Traffic (Layer 3/4 Class Maps) T raff ic shaping can only be applied the to class-default class map. Step 4 For the same class map, identify the prio rity polic y map that you created in Step 2 using the ser[...]

  • Página 41

    1-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 1 Configuring a Service Po licy Using the Modular Policy Framework Identifying Traffic (Layer 3/4 Cla ss Maps) match access-list access_list_name Example: hostname(config-cmap)# match access-list udp Matches traffic specified by an extended A CL. If t he ASA is operating in transparent[...]

  • Página 42

    1-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Po licy Using the Modular Polic y Framework Identifying Traffic (Layer 3/4 Class Maps) Examples The follo wing is an example for the class-map command: ciscoasa(config)# access-list udp permit udp any any ciscoasa(config)# access-list tcp permit tcp any any cisco[...]

  • Página 43

    1-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 1 Configuring a Service Po licy Using the Modular Policy Framework Defining Act ions (Layer 3/4 Poli cy Map) Detailed Steps Defining Actions (Layer 3/4 Policy Map) This section describes how to associate actions with Layer 3/4 class ma ps by creatin g a Layer 3/4 policy map. Restrictio[...]

  • Página 44

    1-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Po licy Using the Modular Polic y Framework Defining Actions (Layer 3/4 Policy Map) Detailed Steps Examples The follo wing is an example of a policy-map command for con nection polic y . It limits the number of connections allo wed to the web serv er 10.1.1.1: ci[...]

  • Página 45

    1-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 1 Configuring a Service Po licy Using the Modular Policy Framework Applying Actions to an Interface (Service Policy) The follo wing example sho ws how traf fic matches the f irst a vail able class map, and will not match an y subsequent class maps that specify actions in the same featu[...]

  • Página 46

    1-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Po licy Using the Modular Polic y Framework Monitoring Modular Policy Framework Detailed Steps Examples For e xample, the followin g command enables the inbo und_polic y policy map on the outside interf ace: ciscoasa(config)# service-policy inbound_policy interfa[...]

  • Página 47

    1-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 1 Configuring a Service Po licy Using the Modular Policy Framework Configuration Examples for Modular Policy Framew ork Applying Inspection and QoS Policing to HTTP Traffic In this e x ample (see Figure 1-1 ) , any HTTP conn ection (TCP traf fic on port 80) that enters or e xits the AS[...]

  • Página 48

    1-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Po licy Using the Modular Polic y Framework Configuration Examples for Modular Policy Framework ciscoasa(config)# policy-map http_traffic_policy ciscoasa(config-pmap)# class http_traffic ciscoasa(config-pmap-c)# inspect http ciscoasa(config)# service-policy http_[...]

  • Página 49

    1-21 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 1 Configuring a Service Po licy Using the Modular Policy Framework Configuration Examples for Modular Policy Framew ork ciscoasa(config)# service-policy policy_serverB interface inside ciscoasa(config)# service-policy policy_serverA interface outside Applying Inspection to HTTP Traffic[...]

  • Página 50

    1-22 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Po licy Using the Modular Polic y Framework Feature History for Service Policies Feature History for Service Policies Ta b l e 1 - 3 lists the release history for this feature. T able 1 -3 Feat ure Hist ory for Service P olicies Feature Name Releases Feature Info[...]

  • Página 51

    CH A P T E R 2-1 Cisco ASA Series Firewall CLI Configuratio n Guide 2 Configuring Special Actions for Application Inspections (Inspection Policy Map) Modular Policy Frame work lets you conf igure specia l actions for man y application inspections. When you enable an inspection engine in the Layer 3/4 poli c y map, you can also optionally enable act[...]

  • Página 52

    2-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 2 Con figuring Special Actions fo r Application Inspections (Inspe ction Policy Map) Guidelines and Limitations policy map is that you can create more comple x match criteria and you can reuse class maps. Ho we ver , you cannot set different actions for dif ferent matches. Note: Not all [...]

  • Página 53

    2-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 2 Configuring Special Actions for Ap plication Inspections (Inspection Policy Map) Default Inspection Policy Maps A class map is determined to be the same t ype as another class map or match command based on the lo west priority match command in the class map (th e priority is based on [...]

  • Página 54

    2-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 2 Con figuring Special Actions fo r Application Inspections (Inspe ction Policy Map) Defining Actions in an Inspection Policy Map Note There are other default inspect ion policy maps such as _default_esmtp_map . For example, inspect esmtp implicitly uses the polic y map “_default_esmtp[...]

  • Página 55

    2-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 2 Configuring Special Actions for Ap plication Inspections (Inspection Policy Map) Identifying Traffic in an Inspection Class Map Examples The follo wing is an example o f an HTTP inspection polic y map and the related class maps. This pol icy map is acti vated by the Laye r 3/4 polic y[...]

  • Página 56

    2-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 2 Con figuring Special Actions fo r Application Inspections (Inspe ction Policy Map) Identifying Traffic in an Inspection Class Map Restrictions Not all application s support inspection cl ass maps. See the CLI help for class-map type inspect for a list of supported applications. Detaile[...]

  • Página 57

    2-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 2 Configuring Special Actions for Ap plication Inspections (Inspection Policy Map) Where to Go Nex t Where to Go Next T o use an inspection pol icy , see Chapter 1, “Configuring a Service Poli cy Using the Modular Po licy Frame work. ” Feature History for Inspection Policy Maps Ta b[...]

  • Página 58

    2-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 2 Con figuring Special Actions fo r Application Inspections (Inspe ction Policy Map) Feature History for Inspection Policy Maps[...]

  • Página 59

    P AR T 2 Conf iguring Network A ddress T ranslation[...]

  • Página 60

    [...]

  • Página 61

    CH A P T E R 3-1 Cisco ASA Series Firewall CLI Configuratio n Guide 3 Information About NAT This chapter pro vides an ove rview of h ow Netw ork Address T ranslation (N A T) works on the ASA. This chapter includes the following sections: • Why Use N A T?, page 3-1 • N A T T erm inology , page 3-2 • N A T T ypes, page 3-3 • N A T in Routed a[...]

  • Página 62

    3-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Info rmation Abo ut NAT NAT Terminology One of the main functions of N A T is to enable pr iv ate IP networks to conn ect to the In ternet. NA T replaces a priv ate IP address with a public IP addre ss, translating the priv ate addresses in the inter nal pri v ate network into legal, r[...]

  • Página 63

    3-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 3 In formation About NAT NAT Types NAT Types • N A T T ypes Overvi ew , page 3-3 • Static NA T , page 3-3 • Dynamic N A T , page 3-7 • Dynamic P A T , page 3-8 • Identity N A T , page 3-10 NAT Types Overview Y o u can implement N A T using the following meth ods: • Static N [...]

  • Página 64

    3-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Info rmation Abo ut NAT NAT Types Figure 3-1 sho ws a typical static NA T scenar io. The translation is always act iv e so both real and remote hosts can initiate co nnections. Figure 3-1 Static NA T Note Y ou can disable bidirect ionality if desired. Information About Static NAT with [...]

  • Página 65

    3-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 3 In formation About NAT NAT Types Note For ap plications that r equire application i nspection for secondary channels (for example, FTP and V oIP), the ASA automatically transl ates the second ary ports. Static NAT with Identi ty Port Translation The follo wing static N A T with port t[...]

  • Página 66

    3-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Info rmation Abo ut NAT NAT Types For e xample, you hav e a load balancer at 10.1.2 .27. Depending on the URL requested, it redirects traf fic to the correct web server . Information About Other Mapping Scenarios (Not Recommended) The ASA has the fle xibility to allow an y kind of stat[...]

  • Página 67

    3-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 3 In formation About NAT NAT Types Figure 3-5 sho ws a typical many-to- few static N A T scenario. Figure 3-5 Man y-t o-Few Static NA T Instead of usin g a static rule this way , we suggest that you c reate a one-to-one rule for the traff ic tha t needs bidirectional initiation, a nd th[...]

  • Página 68

    3-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Info rmation Abo ut NAT NAT Types Note For the duratio n of the translatio n, a remote host can initiate a connection to th e translated host if an access rule allows it. Because the address is unpr edictabl e, a connectio n to the ho st is unlikely . Nev ertheless, in this case you ca[...]

  • Página 69

    3-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 3 In formation About NAT NAT Types Figure 3-7 sho ws a typical dynamic P A T scenario. Only real hosts can crea te a NA T session, and responding traf fic is al lo wed back. The mapped addr ess is the same for each translation, b ut the port is dynamically assigned. Figur e 3-7 Dynamic [...]

  • Página 70

    3-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Info rmation Abo ut NAT NAT in Routed a nd Transpar ent Mode Identity NAT Y o u might ha ve a N A T configur ation in which you need to transl ate an IP address to itself. F or example, if you create a broad rule that applies N A T to every netw ork, but want to e x clude one network [...]

  • Página 71

    3-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 3 In formation About NAT NAT in Routed and Transparent Mode NAT in Routed Mode Figure 3-9 sho ws a typical N A T example in rou ted mode, with a pri vate netw ork on the inside. Figure 3-9 NA T Exam pl e: Routed Mode 1. When the inside host at 10.1.2.27 sends a packet to a w eb server [...]

  • Página 72

    3-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Info rmation Abo ut NAT NAT in Routed a nd Transpar ent Mode Figure 3-1 0 NA T Exampl e: T ranspar ent Mode 1. When the inside host at 10.1.1.75 sends a packet to a w eb server , the real source address of the packet, 10.1.1.75, is changed to a mapped address, 209.165.201.15. 2. When [...]

  • Página 73

    3-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 3 In formation About NAT NAT and IPv6 NAT and IPv6 Y ou can use N A T to translate between IPv6 netw orks, and also to translate between IPv4 and IPv6 networks (rou ted mode only). W e recommend the followi ng best practices: • N A T66 (IPv6-to-IPv6)—W e recommend using static N A [...]

  • Página 74

    3-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Info rmation Abo ut NAT How NAT is Implemen ted • How source and destinati on N A T is implemented. – Network obj ect N A T— Each rule can apply to either the source or desti n ation of a pack et. So two rules m ight be used, one for the source IP a ddress, and one for the desti[...]

  • Página 75

    3-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 3 In formation About NAT How N AT is Im plemented T wice N A T also lets you use service objects for static N A T with port translation; networ k object NA T only accepts inline def inition. T o start confi guring twice N A T , see Chapter 5, “Conf iguring T wice NA T . ” Figure 3-[...]

  • Página 76

    3-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Info rmation Abo ut NAT How NAT is Implemen ted Figure 3-12 sho ws the use of source and destination ports . The host on the 10.1.2.0/24 network accesses a single host for both web ser vices and T elnet se rvices. When the host accesses the server for web services, the real address is[...]

  • Página 77

    3-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 3 In formation About NAT How N AT is Im plemented Figure 3-13 sho ws a remote host con n ecting to a mapp ed host. The mapped h ost has a twice static N A T translation that translates the real address only for traf fic to and from the 2 09.165.201.0/27 network. A translation does not [...]

  • Página 78

    3-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Info rmation Abo ut NAT NAT Rule Order NAT Rule Order Network ob ject N A T rules an d twice NA T rules a re stored in a single table that is divided into t hree sections. Sectio n 1 rules are appl ied first, then section 2, an d finally section 3, unt il a match is fo und. For e xamp[...]

  • Página 79

    3-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 3 In formation About NAT NAT Interfaces For section 2 r ules, for example, you ha ve the foll ow ing IP addresses def ined within netw ork objects: 192.168.1.0/24 ( static) 192.168.1.0/ 24 (dynamic) 10.1.1.0/24 (static) 192.168.1.1/32 ( static) 172.16.1.0/24 (dynamic) ( object def) 172[...]

  • Página 80

    3-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Info rmation Abo ut NAT Routing NAT Packets Mapped Addresses and Routing When you translate the real addres s to a mapped address, the mapped address you choose determines ho w to conf igure routing , if necessary , for the mapped address. See additional guidelines about mapped IP add[...]

  • Página 81

    3-21 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 3 In formation About NAT Routing NAT Packets Figur e 3-14 Pro xy ARP Problems with Identity NA T In rare cases, you need proxy ARP for identity N A T ; for example for virt ual T elnet. When using AAA for network access, a host needs to authenti cate with the ASA using a service like T[...]

  • Página 82

    3-22 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Info rmation Abo ut NAT NAT for VPN Determining the Egress Interface When the ASA receives traf fic for a mapped address, the ASA unstran slates the destination address according to the NA T rule, and then it sends the packet on to the real address. The ASA determines the egress inter[...]

  • Página 83

    3-23 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 3 In formation About NAT NAT for VPN NAT and Remote Access VPN Figure 3-17 sh ow s both an inside serv er (10.1.1.6) and a VPN cli ent (209.165.201.10) accessi ng the Internet. Unless you conf igure split tunnelling for the VPN client (where only specif ied traff ic goes through the VP[...]

  • Página 84

    3-24 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Info rmation Abo ut NAT NAT for VPN Figur e 3-18 Identity NA T for VPN Clients See the follo wing sample N A T conf iguration for the abo ve network: ! Enable hairpin for non-split-tunneled VPN client traffic: same-security-traffic permit intra-interface ! Identify local VPN network, [...]

  • Página 85

    3-25 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 3 In formation About NAT NAT for VPN Figur e 3-19 Interf ace P A T and Identity NA T for Sit e-to-Site VPN Figure 3-20 sho ws a VPN clie nt connected to ASA1 (Boul der), with a T elnet request for a server (10.2.2.78) accessibl e ov er a site-to-site tunnel betw een ASA1 and ASA2 (San [...]

  • Página 86

    3-26 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Info rmation Abo ut NAT NAT for VPN object network vpn_local subnet 10.3.3.0 255.255.255.0 nat (outside,outside) dynamic interface ! Identify inside Boulder network, & perform object interface PAT when going to Internet: object network boulder_inside subnet 10.1.1.0 255.255.255.0 [...]

  • Página 87

    3-27 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 3 In formation About NAT NAT for VPN Figure 3-21 sho ws a VPN client T elnet ting to the ASA inside interface. When yo u use a management-access interface, and you configure identity N A T according to the “NA T and Remote Access VPN” or “N A T and Site-to-Site VPN” section, yo[...]

  • Página 88

    3-28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Info rmation Abo ut NAT DNS and NAT ! Use twice NAT to pass traffic between the inside network and the VPN client without ! address translation (identity NAT), w/route-lookup: nat (outside,inside) source static vpn_local vpn_local destination static inside_nw inside_nw route-lookup Tr[...]

  • Página 89

    3-29 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 3 In formation About NAT DNS and NAT Figure 3-22 sho ws a D NS server that is access ible from the outside interface. A serv er, ftp .cisco.com, is on the inside interface. Y ou co nfigure the ASA to st atic ally translate the ft p.cisco.com real a ddress (10.1.3.14) to a mapped addres[...]

  • Página 90

    3-30 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Info rmation Abo ut NAT DNS and NAT a static rule between the inside and DMZ, then you al so need to enable DNS reply modif ication on this rule. The DNS reply will then be modif ied two times. In this case, the ASA ag ain translates t he address inside the DNS reply to 192.168.1.10 a[...]

  • Página 91

    3-31 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 3 In formation About NAT DNS and NAT Figure 3-24 sho ws an FTP server and DNS server on the outside. The ASA has a static translation for the outside serv er . In this case, when an inside us er requests the address fo r ftp.cisco.com from the DNS server , the DNS server responds with [...]

  • Página 92

    3-32 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Info rmation Abo ut NAT DNS and NAT Because you want inside users to use the mapped address for ftp.cisco.com (200 1:DB8::D1A5:C8E1) you need to conf igure DNS reply modif ication for the stat ic translation. This e xample also includes a static N A T translation for th e DNS server ,[...]

  • Página 93

    3-33 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 3 In formation About NAT Where to Go Nex t Figure 3-26 sho ws an FTP server and DNS server on the outside. The ASA has a static translation for the outside server . In this case, wh en an inside user performs a rev e rse DNS lookup for 10.1.2.56, the ASA modifies the re verse DNS query[...]

  • Página 94

    3-34 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Info rmation Abo ut NAT Where to Go Next[...]

  • Página 95

    CH A P T E R 4-1 Cisco ASA Series Firewall CLI Configuratio n Guide 4 Configuring Network Object NAT All N A T rules that are configured as a paramete r of a network object are considered to be network object NAT rules. Net work object N A T is a quick an d easy way to configure N A T for a single IP address, a range of addresses, or a subnet. Afte[...]

  • Página 96

    4-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Co nfiguring Network Ob ject NAT Licensing Requirements for Network Object NAT Licensing Requirements for Network Object NAT The follo wing table shows the licensing requirements for this feature: Prerequisites for Network Object NAT Depending on the conf iguration, you can conf igure [...]

  • Página 97

    4-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 4 Configuring Network O bject NAT Default Settings Additional Guidelines • Y ou can only def ine a single NA T rule for a gi ven object; if you w ant to conf igure multiple N A T rules for an object, you need to create multiple objects with d iff erent names that specify the same IP a[...]

  • Página 98

    4-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Co nfiguring Network Ob ject NAT Configuring Network Object NAT Configuring Network Object NAT This section descri bes ho w to conf igure network object N A T and includes the follow ing topics: • Adding Netw ork Objects for Mapp ed Addresses, page 4-4 • Conf iguring Dynamic N A T [...]

  • Página 99

    4-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 4 Configuring Network O bject NAT Configuring Ne twork Object NAT Detailed Steps Configuring Dynamic NAT This section descri bes ho w to conf igure network object N A T for dynamic NA T . For more information, see the “Dynamic N A T” section on page 3-7 . Detailed Steps Command Purp[...]

  • Página 100

    4-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Co nfiguring Network Ob ject NAT Configuring Network Object NAT Examples The follo wing example conf igures dynamic N A T that hides 192.168.2.0 network beh ind a range of outside addresses 10.2.2 .1 through 10.2.2.10: ciscoasa(config)# object network my-range-obj ciscoasa(config-netwo[...]

  • Página 101

    4-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 4 Configuring Network O bject NAT Configuring Ne twork Object NAT ciscoasa(config-network-object)# host 10.10.10.21 ciscoasa(config-network-object)# object-group network nat-pat-grp ciscoasa(config-network-object)# network-object object nat-range1 ciscoasa(config-network-object)# networ[...]

  • Página 102

    4-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Co nfiguring Network Ob ject NAT Configuring Network Object NAT • If you enable e xtended P A T for a dynamic P A T rule, then you cannot also us e an address in the P A T pool as the P A T address in a separate static N A T -with-port-translation rule. F o r example, if t he P A T p[...]

  • Página 103

    4-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 4 Configuring Network O bject NAT Configuring Ne twork Object NAT Step 4 nat [ ( real_ifc , mapped_ifc ) ] dynamic { mapped_inline_host_ip | mapped_obj | pat-pool mapped_obj [ round-robin ] [ extended ] [ flat [ include-reserve ]] | interface [ ipv6 ]} [ interface [ ipv6 ]] [ dns ] Exam[...]

  • Página 104

    4-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Co nfiguring Network Ob ject NAT Configuring Network Object NAT Examples The follo wing example conf igures dynamic P A T that hides the 192.168.2.0 netw ork behind address 10.2.2.2: ciscoasa(config)# object network my-inside-net ciscoasa(config-network-object)# subnet 192.168.2.0 255[...]

  • Página 105

    4-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 4 Configuring Network O bject NAT Configuring Ne twork Object NAT The follo wing example conf igures dynamic P A T with a P A T pool to translate the inside IPv6 network to an outside IPv4 network: ciscoasa(config)# object network IPv4_POOL ciscoasa(config-network-object)# range 203.0.[...]

  • Página 106

    4-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Co nfiguring Network Ob ject NAT Configuring Network Object NAT Step 3 { host ip_address | subnet subnet_address netmask | range ip_address_1 ip_address_2 } Example: ciscoasa(config-network-object)# subnet 10.2.1.0 255.255.255.0 If you are creating a ne w network object, def ines the [...]

  • Página 107

    4-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 4 Configuring Network O bject NAT Configuring Ne twork Object NAT Step 4 nat [ ( real_ifc , mapped_ifc ) ] static { mapped_inline_ip | mapped_obj | interface [ ipv6 ]} [ net-to-net ] [ dns | service { tcp | udp } real_port mapped_port ] [ no-proxy-arp ] Example: ciscoasa(config-network[...]

  • Página 108

    4-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Co nfiguring Network Ob ject NAT Configuring Network Object NAT Examples The follo wing example conf igures static N A T for the real host 10.1.1.1 o n the inside to 10.2.2.2 on the outside with DNS rewrite enabled. ciscoasa(config)# object network my-host-obj1 ciscoasa(config-network[...]

  • Página 109

    4-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 4 Configuring Network O bject NAT Configuring Ne twork Object NAT Example The follo wing example maps a host address to it self using an inline mapped ad dress: ciscoasa(config)# object network my-host-obj1 ciscoasa(config-network-object)# host 10.1.1.1 ciscoasa(config-network-object)#[...]

  • Página 110

    4-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Co nfiguring Network Ob ject NAT Configuring Network Object NAT The follo wing example maps a host address to it self using a network o bject: ciscoasa(config)# object network my-host-obj1-identity ciscoasa(config-network-object)# host 10.1.1.1 ciscoasa(config-network-object)# object [...]

  • Página 111

    4-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 4 Configuring Network O bject NAT Monitoring Ne twork Object NAT Detailed Steps Examples The follo wing example creates a deny rule for H.323 traf fic, so that it uses multi-session P A T : ciscoasa(config)# xlate per-session deny tcp any4 209.165.201.7 eq 1720 ciscoasa(config)# xlate [...]

  • Página 112

    4-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Co nfiguring Network Ob ject NAT Configuration Examples for Network Object N AT Configuration Examples for Network Object NAT This section includes the following conf iguration examples: • Providing Access to an Inside W eb Server (Static N A T), pa ge 4-19 • N A T for Inside Host[...]

  • Página 113

    4-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 4 Configuring Network O bject NAT Configuration Examp les for Network Objec t NAT Providing Access to an Inside Web Server (Static NAT) The follo wing example performs static N A T for an inside web server . The real address is on a priv ate network, so a pu blic address is required . [...]

  • Página 114

    4-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Co nfiguring Network Ob ject NAT Configuration Examples for Network Object N AT Figur e 4-2 Dynamic NA T for Inside, Static NA T for Outside W eb Server Step 1 Create a network obj ect for the dynamic N A T pool to which you w ant to translate the insi de addresses: ciscoasa(config)# [...]

  • Página 115

    4-21 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 4 Configuring Network O bject NAT Configuration Examp les for Network Objec t NAT Inside Load Balancer with Multiple Mapped Addresses (Static NAT, One-to-Many) The follo wing example sho ws an inside load balancer that is translated to multiple IP addresses. When an outside host access[...]

  • Página 116

    4-22 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Co nfiguring Network Ob ject NAT Configuration Examples for Network Object N AT Single Address for FTP, HTTP, and SMTP (Static NAT-with-Port-Translation) The follo wing static N A T -with-port-translation e xample pro vides a single address for remo te users to access FTP , HTTP , and[...]

  • Página 117

    4-23 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 4 Configuring Network O bject NAT Configuration Examp les for Network Objec t NAT Step 5 Create a network object for the SMTP server address: ciscoasa(config)# object network SMTP_SERVER Step 6 Defin e the SMTP server address, and co nfi gure static N A T with identity port tran slatio[...]

  • Página 118

    4-24 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Co nfiguring Network Ob ject NAT Configuration Examples for Network Object N AT When an inside host sends a DNS request for the add r ess of ftp.cisco.com, the DNS server replies with the mapped address (209. 165.201.10). The ASA refers to the stat ic rule for the inside server and tr[...]

  • Página 119

    4-25 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 4 Configuring Network O bject NAT Configuration Examp les for Network Objec t NAT DNS Server and FTP Server on Mapped Interface, FTP Server is Translated (Static NAT with DNS Modification) Figure 4-6 sho ws an FTP server and DNS server on the outs id e. The ASA has a static translation[...]

  • Página 120

    4-26 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Co nfiguring Network Ob ject NAT Configuration Examples for Network Object N AT IPv4 DNS Server and FTP Server on Mapped Interface, IPv6 Host on Real Interface (Static NAT64 with DNS64 Modification) Figure 4-6 sho ws an FTP server and DNS server on the outside IPv4 netw ork. The ASA h[...]

  • Página 121

    4-27 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 4 Configuring Network O bject NAT Configuration Examp les for Network Objec t NAT Step 2 Configure N A T for the DNS server . a. Create a network object for the DNS server address. ciscoasa(config)# object network DNS_SERVER b. Define the DNS server address, and conf ig ure static N A [...]

  • Página 122

    4-28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Co nfiguring Network Ob ject NAT Feature History for Network Object NAT Feature History for Network Object NAT Ta b l e 4 - 1 lists each feature change and the platfo rm release in which it was impl emented. T able 4-1 Feat ure Hist ory for Netw ork Ob ject NA T Feature Name Platform [...]

  • Página 123

    4-29 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 4 Configuring Network O bject NAT Feature Hist ory for Netwo rk Object NA T Flat range of P A T ports for a P A T pool 8.4(3) If av aila ble, the real source port number is used for the mapped port. Ho wev er , if the real port is not a v ailable, by default th e mapped ports are chose[...]

  • Página 124

    4-30 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Co nfiguring Network Ob ject NAT Feature History for Network Object NAT Automatic N A T rules to translate a VPN peer’ s local IP address back to the peer’ s real IP address 8.4(3) In rare situations, you mi ght want to use a VPN p eer’ s real IP address on the inside network in[...]

  • Página 125

    4-31 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 4 Configuring Network O bject NAT Feature Hist ory for Netwo rk Object NA T N A T support for rev erse DNS lookups 9.0(1) N A T now supports t ranslation of the DNS PTR record fo r re verse DNS lo okups when using IPv4 N A T , IPv6 N A T , and N A T64 with DNS inspection enabled for th[...]

  • Página 126

    4-32 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Co nfiguring Network Ob ject NAT Feature History for Network Object NAT[...]

  • Página 127

    CH A P T E R 5-1 Cisco ASA Series Firewall CLI Configuratio n Guide 5 Configuring Twice NAT T wice N A T lets you identify both the source and destin ation address in a single rule. This chapt er sho ws you how to configure twice NA T a nd includes the following sections: • Information Ab out T wice N A T , page 5-1 • Licensing Requ irements fo[...]

  • Página 128

    5-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 Configuring Twice NAT Licensing Require ments for Twice NAT T wice N A T also lets you use service objects for static N A T -with-port-translation; netw ork object N A T only accepts inline definition. For detailed in formation about th e differences between twice N A T and network obj[...]

  • Página 129

    5-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 5 Configuring Twice NAT Guidelines and Limitations • For routed mode, you can also translate between IPv4 and IPv6. • For transparent mode, translating between IPv4 and IPv6 netw orks is not supported. T ranslating between two IPv6 networks, or between t wo IPv4 netw orks is support[...]

  • Página 130

    5-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 Configuring Twice NAT Default Settings • Y ou can use the same objects in mul tiple rules. • The mapped IP address pool cann ot include: – The mapped interface IP address. If you specify any interf ace for the rule, then all interface I P addresses are disallowed. For interf a ce[...]

  • Página 131

    5-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 5 Configuring Twice NAT Configuri ng Twice NAT Guidelines • A network ob ject group can contain objects and/or in line addresses of eith er IPv4 or IPv6 addresses. The group cannot co ntain both IPv4 and IPv6 addresses; it must co ntain one type only . • See the “Guidelines and Li[...]

  • Página 132

    5-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 Configuring Twice NAT Configuring Twice NAT Detailed Steps (Optional) Adding Service Objec ts for Real and Mapped Ports Config ure service objects for: • Source r eal port (Static only) or Destination real port • Source mapped port (Static only) or Destination mapped port For more [...]

  • Página 133

    5-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 5 Configuring Twice NAT Configuri ng Twice NAT • Source Dynami c P A T (Hide)—Source Dynamic P A T does not support port transl ation. • Source Static N A T or Static N A T with port transl ation—A service object can contain both a source and destination port; howe ver , you sho[...]

  • Página 134

    5-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 Configuring Twice NAT Configuring Twice NAT Detailed Steps Command Purpose Step 1 Create network objects or groups for t he: • Source real addresses • Source mapped addresses • Destination real addresses • Destination mapped addresses See the “ Adding Networ k Objects for Rea[...]

  • Página 135

    5-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 5 Configuring Twice NAT Configuri ng Twice NAT Step 3 nat [ ( real_ifc , mapped_ifc ) ] [ line |{ after-auto [ line ]}] source dynamic { real_obj | any } { mapped_obj [ interface [ ipv6 ]]} [ destination static { mapped_obj | interface [ ipv6 ]} real_obj ] [ service mapped_dest_svc_obj [...]

  • Página 136

    5-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 Configuring Twice NAT Configuring Twice NAT (Continued) • Destination addresses (Optional): – Mapped—Specify a netw ork object or group, or for stati c interface N A T with port translation only , specify the interfac e keyw ord. If you specify ipv6 , then the IPv6 address of th[...]

  • Página 137

    5-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 5 Configuring Twice NAT Configuri ng Twice NAT Examples The follo wing example configures dynamic N A T for inside network 10 .1.1.0/24 whe n accessing servers on the 209.165.201 .1/27 network as well as serv ers on the 203.0.113.0/24 network: ciscoasa(config)# object network INSIDE_NW[...]

  • Página 138

    5-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 Configuring Twice NAT Configuring Twice NAT • If av ailable, the real source port number is used for the mapped port. Ho wev er, if the real port is not av ailable, by defaul t the mapped ports are chosen from the same range of ports as the real port number: 0 to 511, 512 to 1023, a[...]

  • Página 139

    5-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 5 Configuring Twice NAT Configuri ng Twice NAT Detailed Steps Command Purpose Step 1 Create network objects or groups for t he: • Source real addresses • Source mapped addresses • Destination real addresses • Destination mapped addresses See the “ Adding Networ k Objects for [...]

  • Página 140

    5-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 Configuring Twice NAT Configuring Twice NAT Step 3 nat [ ( real_ifc , mapped_ifc ) ] [ line |{ after-auto [ line ]}] source dynamic { real-obj | any } { mapped_obj [ interface [ ipv6 ]] | [ pat-pool mapped_obj [ round-robin ] [ extended ] [ flat [ include-reserve ]] [ interface [ ipv6[...]

  • Página 141

    5-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 5 Configuring Twice NAT Configuri ng Twice NAT (continued) For a P A T pool, you can specify one or more of t he follo wing options: -- Round robin—Th e round-r obin keyw ord enables round-robin address allocati on for a P A T pool. W ithout round robin, by defa ult all ports for a P[...]

  • Página 142

    5-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 Configuring Twice NAT Configuring Twice NAT (continued) • Destination addresses (Optional): – Mapped—Specify a netw ork object or group, or for stati c interface N A T with port translation o nly (routed mode), specify the interf ace keyw ord. If you specify ipv6 , then the IPv6[...]

  • Página 143

    5-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 5 Configuring Twice NAT Configuri ng Twice NAT Examples The follo wing example conf igures interface P A T for inside network 192 .168.1.0/24 when accessi ng outside T elnet server 209.165 .201.23, and Dynamic P A T using a P A T pool when accessing any serv er on the 203.0.113.0/24 ne[...]

  • Página 144

    5-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 Configuring Twice NAT Configuring Twice NAT Configuring Static NAT or Static NAT-with-Port-Translation This section describes ho w to configure a static N A T rule using twice NA T . For more informatio n about static N A T , see the “S tatic NA T” section on page 3-3 . Detailed S[...]

  • Página 145

    5-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 5 Configuring Twice NAT Configuri ng Twice NAT Step 3 nat [ ( real_ifc , mapped_ifc ) ] [ line |{ after-object [ line ]}] source static real_ob [ mapped_obj | interface [ ipv6 ]] [ destination static { mapped_obj | interface [ ipv6 ]} real_obj ] [ service real_src_mapped_dest_svc_obj m[...]

  • Página 146

    5-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 Configuring Twice NAT Configuring Twice NAT Examples The following e xample shows the use of static interface N A T with port translation. Hosts on the outside access an FTP server on the inside by connecting t o the outside interf ace IP address with destin ation port 65000 through 6[...]

  • Página 147

    5-21 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 5 Configuring Twice NAT Configuri ng Twice NAT to the command k eyw ords; the actual source and dest ination address and port in a packet depends on which host sent the packet. In this example, connections are originat ed from outside to inside, so t he “source” address and port of[...]

  • Página 148

    5-22 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 Configuring Twice NAT Configuring Twice NAT Detailed Steps Command Purpose Step 1 Create network objects or groups for t he: • Source real addresses ( you will typically use the same object for the sour ce mapped addresses) • Destination real addresses • Destination mapped addre[...]

  • Página 149

    5-23 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 5 Configuring Twice NAT Configuri ng Twice NAT Step 3 nat [ ( real_ifc , mapped_ifc ) ] [ line |{ after-object [ line ]}] source static { nw_obj nw_obj | any any } [ destination static { mapped_obj | interface [ ipv6 ]} real_obj ] [ service real_src_mapped_dest_svc_obj mapped_src_real_[...]

  • Página 150

    5-24 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 Configuring Twice NAT Monitoring Twice NAT Configuring Per-Session PAT Rules By default, all TCP P A T traffic and all UDP DNS traf fic uses per-session P A T . T o use multi-session P A T for traf fic, you can conf igure per-sessi on P A T rules: a permit rule uses per-sessio n P A T[...]

  • Página 151

    5-25 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 5 Configuring Twice NAT Configuration Examples for Twice NAT Configuration Examples for Twice NAT This section includes the following conf iguration examples: • Different T ranslat ion Dependin g on the Desti nation (Dynami c P A T), page 5-25 • Different T ranslation Depending on [...]

  • Página 152

    5-26 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 Configuring Twice NAT Configuration Examples for Twice NAT Step 4 Config ure the first twice N A T rule: ciscoasa(config)# nat (inside,dmz) source dynamic myInsideNetwork PATaddress1 destination static DMZnetwork1 DMZnetwork1 Because you do not want to t ranslate the destination ad dr[...]

  • Página 153

    5-27 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 5 Configuring Twice NAT Configuration Examples for Twice NAT Different Translation Depending on the De stination Address and Port (Dynamic PAT) Figure 5-2 sho ws the use of source and destination port s. The host on the 10.1.2.0/24 network accesses a single host for both web ser vices [...]

  • Página 154

    5-28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 Configuring Twice NAT Configuration Examples for Twice NAT Step 5 Config ure the first twice N A T rule: ciscoasa(config)# nat (inside,outside) source dynamic myInsideNetwork PATaddress1 destination static TelnetWebServer TelnetWebServer service TelnetObj TelnetObj Because you do not [...]

  • Página 155

    5-29 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 5 Configuring Twice NAT Feature History for Twice NAT Feature History for Twice NAT Ta b l e 5 - 1 lists each feature change and the platfo rm release in which it was imple mented. T able 5-1 Feature Hist ory for T wice NA T Feature Name Platform Releases Feature Information T wice N A[...]

  • Página 156

    5-30 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 Configuring Twice NAT Feature History for Twice NAT Round robin P A T pool allocation uses the same IP address for existing hosts 8.4(3) When using a P A T pool with round robin allocation, if a host has an existing con nection, then subsequent connections from that host will use the [...]

  • Página 157

    5-31 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 5 Configuring Twice NAT Feature History for Twice NAT Automatic N A T rules to translate a VPN peer’ s local IP address back to the peer’ s real IP address 8.4(3) In rare situations, you mi ght want to use a VPN p eer’ s real IP address on the inside network inst ead of an assign[...]

  • Página 158

    5-32 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 Configuring Twice NAT Feature History for Twice NAT N A T support for rev erse DNS lookups 9.0(1) N A T now supports tran slation of the DNS PTR record fo r re verse DNS lo okups when using IPv4 N A T , IPv6 N A T , and N A T64 with DNS inspection enabled for the N A T rule. Per-sessi[...]

  • Página 159

    P AR T 3 Conf iguring Access Contr ol[...]

  • Página 160

    [...]

  • Página 161

    CH A P T E R 6-1 Cisco ASA Series Firewall CLI Configuratio n Guide 6 Configuring Access Rules This chapter describes ho w to control netw ork acce ss through t he ASA using access rul es and includes the following sections: • Information Ab out Access Rules, page 6-1 • Licensing Requirements for Access Rules, page 6-7 • Prerequisites, page 6[...]

  • Página 162

    6-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 6 Con figuring Access Rules Information About Access Rules • Information Ab out EtherT ype Rules, page 6-6 General Information About Rules This section describes informati on for both access rules and EtherT ype rules, and it includes the follo wing topics: • Implicit Permits, page 6[...]

  • Página 163

    6-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 6 Configuring Access Rules Information About Access Rules Implicit Deny A CLs have an implicit deny at the end of the list, so un less you exp licitly permit i t, traf fic cannot pass. For e xample, if you want to allow all users to a ccess a network through the ASA except for particula[...]

  • Página 164

    6-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 6 Con figuring Access Rules Information About Access Rules Figur e 6-1 Outbound ACL See the follo wing commands for this example: ciscoasa(config)# access-list OUTSIDE extended permit tcp host 10.1.1.14 host 209.165.200.225 eq www ciscoasa(config)# access-list OUTSIDE extended permit tcp[...]

  • Página 165

    6-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 6 Configuring Access Rules Information About Access Rules Firewall Mode Guidelines Supported in routed an d tr ansparent f irewall mod e. IPv6 Guidelines Supports IPv6. Additional Guidelines and Limitations Ev aluate the follo wing alternati ves befo re using the transactional comm it m[...]

  • Página 166

    6-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 6 Con figuring Access Rules Information About Access Rules Ta b l e 6 - 1 lists common traff ic types that you can allow through the transparen t fire wa ll. Management Access Rules Y ou can config ure access rules that control management traff ic destined to the ASA. Ac cess control rul[...]

  • Página 167

    6-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 6 Configuring Access Rules Licensing Requiremen ts for Access Ru les Access Rules for Returning Traffic Because EtherT ypes are conne ctionless, you need to a pply the rule to both interf aces if you want traf fic to pass in both direct ions. Allowing MPLS If you allo w MPLS, ensure tha[...]

  • Página 168

    6-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 6 Con figuring Access Rules Guidelines and Limitations Per-User ACL Guidelines • The per-user A CL uses the value in the timeout uauth command, b u t it can be ov erridden by the AAA per-u ser session timeout v alue. • If traf f ic is denied because of a per -user A CL, syslog messag[...]

  • Página 169

    6-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 6 Configuring Access Rules Guidelines and Limitations Detailed Steps Examples The follo wing example sho ws how to use the access-group command: hostname(config)# access-list outside_access permit tcp any host 209.165.201.3 eq 80 hostname(config)# access-group outside_access interface o[...]

  • Página 170

    6-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 6 Con figuring Access Rules Monitoring Access Rule s Monitoring Access Rules T o monitor network access, enter the follo w ing command: Configuration Examples for Permitting or Denying Network Access This section includes typical conf iguration e xamples for permitting or den ying netwo[...]

  • Página 171

    6-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 6 Configuring Access Rules Feature History for Access Rules hostname (config-service)# service-object tcp source range 2000 3000 hostname (config-service)# service-object tcp source range 3000 3010 destinatio$ hostname (config-service)# service-object ipsec hostname (config-service)# s[...]

  • Página 172

    6-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 6 Con figuring Access Rules Feature History for Access Rules Unif ied A CL for IPv4 and IPv6 9.0(1) A CLs now supp ort IPv4 and IPv6 addresses. Y ou can e ven specify a mix of IPv4 and IPv6 addresses fo r the source and destination. The any ke yword was chan ged to represent IPv4 and IP[...]

  • Página 173

    CH A P T E R 7-1 Cisco ASA Series Firewall CLI Configuratio n Guide 7 Configuring AAA Rules for Network Access This chapter describes ho w to enable AAA (pronounced “triple A”) for network access. For information about AAA for management access, see the general operations configuration guide. This chapte r includes the follo wing sections: • [...]

  • Página 174

    7-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 7 Configuring AAA Rules for Network Access Guidelines and Limitations Guidelines and Limitations This section includes the guid elines and limitations for th is feature. Context Mode Guidelines Supported in single and mult iple conte xt mode. Firewall Mode Guidelines Supported in routed [...]

  • Página 175

    7-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Authentication fo r Network Access One-Time Authentication A user at a gi ven I P address only needs to authenticat e one time for all rules and types, u ntil the authentication session e xpires. (See the timeout uauth co mmand in t[...]

  • Página 176

    7-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Authentic ation for Ne twork Access Note If you use HTTP authenticati on, by defaul t the user name and passw ord are sent from the cli ent to the ASA in clear te xt; in addition, the username and password are sen t on to the destina[...]

  • Página 177

    7-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Authentication fo r Network Access • For T elnet and FTP traf fic, users must log in thro ugh the cut-throug h proxy server and again to the T elnet and FTP servers. • A user can specify an A ctiv e Directory domain wh ile pr ov[...]

  • Página 178

    7-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Authentic ation for Ne twork Access nat (inside,outside) static 10.48.66.155 service tcp 111 889 Then users do not see the authentication page. Inst ead, the ASA sends an error message to the w eb bro wser , indicating that the user [...]

  • Página 179

    7-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Authentication fo r Network Access Configuring Network Access Authentication T o conf igure network access auth entication, perform the fo llo wing steps: Command Purpose Step 1 aaa-server Example: ciscoasa(config)# aaa-server AuthO[...]

  • Página 180

    7-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Authentic ation for Ne twork Access Examples The follo wing example authenticates all in side HTTP traf fic and SMTP traff ic: ciscoasa(config)# aaa-server AuthOutbound protocol tacacs+ ciscoasa(config-aaa-server-group)# exit ciscoas[...]

  • Página 181

    7-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Authentication fo r Network Access The following e xample shows a typical cut-through proxy co nfigu ration to allo w a user to log in through the ASA. In this e xample, the follow ing conditions app ly: • The ASA IP address is 19[...]

  • Página 182

    7-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Authentic ation for Ne twork Access For more inf ormation about authentication, see the “Info rmation About Authen tication” section on page 7-2 . Enabling Secure Authentication of Web Clients If you use HTTP authenti cation, by[...]

  • Página 183

    7-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Authentication fo r Network Access nat (inside,outside) static 10.132.16.200 service tcp 443 443 Authenticating Directly with the ASA If you do not w a nt to allo w HTTP , HTTPS, T elnet, or FTP through the ASA b ut want to authent[...]

  • Página 184

    7-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Authentic ation for Ne twork Access Authenticating Telnet Connecti ons with a Virtual Server Although you can configure network access authenti cation for an y protocol or service (see the aaa authentication match or aaa authenticat[...]

  • Página 185

    7-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Authentication fo r Network Access Examples The follo wing example sho ws how to enable virtual T elnet together with AAA authentication for ot her services: ciscoasa(config)# virtual telnet 209.165.202.129 ciscoasa(config)# access[...]

  • Página 186

    7-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Authoriz ation for Network Access Configuring Authorization for Network Access After a user authenticates for a giv en connection, the ASA can use authorization to further control traff ic from the user . This section includes the f[...]

  • Página 187

    7-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Auth orization for Network Acce ss T o conf igure T A CA CS+ authorization, perform the foll owing steps: Command Purpose Step 1 aaa-server Example: ciscoasa(config)# aaa-server AuthOutbound protocol tacacs+ Identifi es your AAA se[...]

  • Página 188

    7-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Authoriz ation for Network Access Examples The follo wing example authenticates an d authorizes inside T elnet traff ic. T e lnet traf fic to serv e rs other than 209.165.201.5 can be authenticated alone, bu t traf fic to 209.165.20[...]

  • Página 189

    7-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Auth orization for Network Acce ss ciscoasa(config-aaa-server-host)# key TACPlusUauthKey ciscoasa(config-aaa-server-host)# exit ciscoasa(config)# aaa authentication match TELNET_AUTH inside AuthOutbound ciscoasa(config)# aaa author[...]

  • Página 190

    7-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Authoriz ation for Network Access • Simplified and centralize d manage ment of ACLs—Do w nloadable ACLs enable you to w rite a set of A CLs once and apply it to many user or gro up prof iles and distrib ute it to many ASAs. This[...]

  • Página 191

    7-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Auth orization for Network Acce ss . ip:inacl# n = ACE-n ip:inacl#1=permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0 6. If the A CL required is more than approximately 4 KB in length, Cisco Secure A CS responds with an access-chall[...]

  • Página 192

    7-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Authoriz ation for Network Access The do wnloaded A C L on the ASA consists of th e follo wing lines: access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit tcp any host 10.0.0.254 access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 p[...]

  • Página 193

    7-21 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Accounting fo r Network Access Converting Wildcard Netma sk Expressions in Downloadable ACLs I f a R A D I U S s e r v e r p r o v i d e s d ow n l oa d a b l e AC L s to Cisco VPN 3000 series concentrators as well as to the ASA, y[...]

  • Página 194

    7-22 Cisco ASA Series Firewall CLI Configuration Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Accoun ting for Network Ac cess T o conf igure accounting, perform the follo wing steps: Examples The follo wing example authenticates, au thorizes, and accoun ts for inside T elnet traf f ic. T elnet traf fic t o servers other than[...]

  • Página 195

    7-23 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 7 Configuring AAA Rules for Network Access Using MAC Addresses to Ex empt Traffi c from Authentica tion and Authorization ciscoasa(config)# aaa accounting match SERVER_AUTH inside AuthOutbound AAA provides an extra le vel of protection and cont rol for user access than using A CLs alon[...]

  • Página 196

    7-24 Cisco ASA Series Firewall CLI Configuration Guide Chapter 7 Configuring AAA Rules for Network Access Using MAC Addresses to Exempt Traffic from Authenticatio n and Authorization T o use MA C addresses to ex empt traff ic from authentication and aut horization, perform th e follo wing steps: Examples The follo wing example bypasses au thenticat[...]

  • Página 197

    7-25 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 7 Configuring AAA Rules for Network Access Feature History for AAA Rules The follo wing example bypasses au thentication for a a group of MAC addresses e xcept for 00a0.c95d.02b2. Enter the deny statement before the permit statement, because 00a0.c95d.02b2 matches the permit statement [...]

  • Página 198

    7-26 Cisco ASA Series Firewall CLI Configuration Guide Chapter 7 Configuring AAA Rules for Network Access Feature History for AAA Rules[...]

  • Página 199

    P AR T 4 Conf iguring Applic ation Inspection[...]

  • Página 200

    [...]

  • Página 201

    CH A P T E R 9-1 Cisco ASA Series Firewall CLI Configuratio n Guide 9 Getting Started with Application Layer Protocol Inspection This chapter descri bes how to configure application lay er protocol i nspection. Inspe ction engines are required for services that embed IP addressing information in the user data packet or that open secondary channels [...]

  • Página 202

    9-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 9 Getti ng Started wit h Applicatio n Layer Protoc ol Inspection Information about Application Layer Protoc ol Inspection Figur e 9-1 How Inspec tion En gines W o r k In Figure 9-1 , operations are numbered in the order th ey occur , and are described as follows: 1. A TCP SYN packet arri[...]

  • Página 203

    9-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 9 Getting Started with Application Layer Protocol Inspection Guidelines and Limitations When you enable applicat ion inspection for a service that embeds IP addres ses, the ASA t ranslates embedded addresses and up dates any checksum or other fi elds that are aff ected by the translatio[...]

  • Página 204

    9-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 9 Getti ng Started wit h Applicatio n Layer Protoc ol Inspection Default Settings and NAT Limitations Inspected protocols are subject to adv anced TCP-state tracking, and th e TCP state of these connections is not automatically replicated. Wh ile these connections are replicated to the s[...]

  • Página 205

    9-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 9 Getting Started with Application Layer Protocol Inspection Default Settings and NAT Limita tions ICMP ERR OR — — — — ILS (LD AP) TCP/389 No extended P A T . No N A T64. —— Instant Messagin g (IM) V aries by client No ext ended P A T . No N A T64. RFC 3860 — IP Options ?[...]

  • Página 206

    9-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 9 Getti ng Started wit h Applicatio n Layer Protoc ol Inspection Default Settings and NAT Limitations The default po licy conf iguration includes the follo wing commands: SIP TCP/5060 UDP/5060 No outside N A T . No N A T on same security interfaces. No ext ended P A T . No per-session P [...]

  • Página 207

    9-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 9 Getting Started with Application Layer Protocol Inspection Configuring Applicati on Layer Protocol In spection class-map inspection_default match default-inspection-traffic policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum [...]

  • Página 208

    9-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 9 Getti ng Started wit h Applicatio n Layer Protoc ol Inspection Configuring Applicatio n Layer Pro tocol Inspection Y ou can specify a match access-list command along with the match default-inspection- traffi c command to narro w the matched traff ic to specific IP addresses. Because th[...]

  • Página 209

    9-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 9 Getting Started with Application Layer Protocol Inspection Configuring Applicati on Layer Protocol In spection • H323—See the “Conf iguring an H.323 Inspection Polic y Map for Additional Inspection Cont rol” section on page 11-6 • HTTP—See the “Configuring an HTTP Insp e[...]

  • Página 210

    9-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 9 Getti ng Started wit h Applicatio n Layer Protoc ol Inspection Configuring Applicatio n Layer Pro tocol Inspection class in Step 5 . Do not add another class that matches SNMP . Step 5 Enable application insp ection by entering the follo wing command: ciscoasa(config-pmap-c)# inspect [...]

  • Página 211

    9-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 9 Getting Started with Application Layer Protocol Inspection Configuring Applicati on Layer Protocol In spection http [ map_name ] If you added an HTTP in spection polic y map according to the “Configuring an HTTP In specti on Policy Map fo r Additional Insp ection Control” s ectio[...]

  • Página 212

    9-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 9 Getti ng Started wit h Applicatio n Layer Protoc ol Inspection Configuring Applicatio n Layer Pro tocol Inspection Step 6 T o acti v a te the polic y map on one or more interfaces, enter the follo wing command: ciscoasa(config)# service-policy policymap_name { global | interface inter[...]

  • Página 213

    CH A P T E R 10-1 Cisco ASA Series Firewall CLI Configuratio n Guide 10 Configuring Inspection of Basic Internet Protocols This chapter descri bes how to configure application lay er protocol i nspection. Inspe ction engines are required for services that embed IP addressing information in the user data packet or that open secondary channels on dyn[...]

  • Página 214

    10-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols DNS Inspection • Config uring DNS Inspection, page 10-8 • Monitoring DNS Inspecti on, page 10-9 Information About DNS Inspection • General Information A bout DNS, page 10-2 • DNS Inspection A ctions, page 10 -2 General Info[...]

  • Página 215

    10-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 10 Configuring Insp ection of Basic Inte rnet Protocol s DNS Inspection policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 dns-guard protocol-enforcement nat-rewrite policy-map global_policy class inspection_default inspe[...]

  • Página 216

    10-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols DNS Inspection policy-map type inspect dns name Example: ciscoasa(config)# policy-map type inspect dns dns-map Creates an inspection polic y map in which you want t o match traf fic di rectly . Y ou can specify multiple match comma[...]

  • Página 217

    10-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 10 Configuring Insp ection of Basic Inte rnet Protocol s DNS Inspection Step 4 match [ not ] dns-class { eq { in | c_val }} | range c_val1 c_val2 } For di rect match only: { drop [ log ] | drop-connection [ log ]| enforce-tsig {[ drop ] [ log ]} | log } Example: ciscoasa(config-pmap)# [...]

  • Página 218

    10-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols DNS Inspection Step 6 match [ not ] domain-name regex { regex_id | class class_id ] For direct match only: { drop [ log ] | drop-connection [ log ]| enforce-tsig {[ drop ] [ log ]} | log } Example: ciscoasa(config-pmap)# match doma[...]

  • Página 219

    10-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 10 Configuring Insp ection of Basic Inte rnet Protocol s DNS Inspection Step 7 (If you are using a DNS inspection class map) policy-map type inspect dns name class class_map_name { drop [ log ] | drop-connection [ log ]| enforce-tsig {[ drop ] [ log ]} | mask [ log ] | log } Example: c[...]

  • Página 220

    10-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols DNS Inspection Examples The follo wing example sho ws a how to d efine a DN S inspection polic y map. regex domain_example “example.com” regex domain_foo “foo.com” ! define the domain names that the server serves class-ma[...]

  • Página 221

    10-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 10 Configuring Insp ection of Basic Inte rnet Protocol s DNS Inspection Examples The follo wing example sho ws a how to use a ne w inspection polic y map in the global default configuration: policy-map global_policy class inspection_default no inspect dns preset_dns_map inspect dns new[...]

  • Página 222

    10-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols FTP Inspection For connections using a DNS serv er, the source port of the connection may be replaced by the IP address of DNS server i n the sho w conn command output. A single connection i s created for multiple DNS sess ions, a[...]

  • Página 223

    10-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 10 Configuring Insp ection of Basic Inte rnet Protocol s FTP Inspection Using the strict Option Using the strict option with the inspect ftp command increases the security of protected netw orks by prev ent ing web browsers from sending embedded commands in FTP requests. Note T o spec[...]

  • Página 224

    10-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols FTP Inspection Configuring an FTP Inspection Policy Map for Additional Inspection Control FTP command fi ltering and securit y checks are pro vided using strict FTP inspection for impro ved security and contr ol. Protocol conforma[...]

  • Página 225

    10-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 10 Configuring Insp ection of Basic Inte rnet Protocol s FTP Inspection d. (Optiona l) T o ma tch a file type for F TP transfe r , enter the following comm and: ciscoasa(config-cmap)# match [ not ] filetype regex [ regex_name | class regex_class_name ] Where the rege x _ n a m e is th[...]

  • Página 226

    10-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols FTP Inspection Step 5 (Optional) T o add a description to the polic y map, enter the followi ng command: ciscoasa(config-pmap)# description string Step 6 T o apply actions to mat ching traf fic, perform the follo wing steps. a. Sp[...]

  • Página 227

    10-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 10 Configuring Insp ection of Basic Inte rnet Protocol s HTTP Inspection ciscoasa(config-pmap)# parameters ciscoasa(config-pmap-p)# mask-banner ciscoasa(config)# class-map match-all ftp-traffic ciscoasa(config-cmap)# match port tcp eq ftp ciscoasa(config)# policy-map ftp-policy ciscoa[...]

  • Página 228

    10-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols HTTP Inspection The enhanced HTTP inspection feature, wh ich is also kno wn as an application fire wall and is av ailable when you configure an HTTP map (see “Conf iguring an HTTP Inspection Polic y Map for Additional Inspection[...]

  • Página 229

    10-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 10 Configuring Insp ection of Basic Inte rnet Protocol s HTTP Inspection ciscoasa(config-cmap)# description string c. (Optiona l) T o ma tch traffic with a content-type f ield in the HTTP response that does not match the accept field in the corresponding HTTP re quest message, enter t[...]

  • Página 230

    10-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols HTTP Inspection Where the re ge x reg ex _ n a m e argument is the regul ar expressi on you created in Step 1 . The class r e gex_cl ass_name is the regular expression class map you crea ted in Step 2 . The length gt max_bytes is [...]

  • Página 231

    10-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 10 Configuring Insp ection of Basic Inte rnet Protocol s HTTP Inspection The res e t ke yword drops t h e packet, cl oses the connec tion, and sends a TCP reset to the server and/or client. The log ke yword, which you can use alone or with one o f the other ke ywords, sends a system l[...]

  • Página 232

    10-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols ICMP Inspection ICMP Inspection The ICMP inspection engine allows ICMP traff ic to ha ve a “session” so it can be inspected like TCP and UDP traf fic. W ithout the ICMP inspection engine, we recommend that you do not allow ICM[...]

  • Página 233

    10-21 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 10 Configuring Insp ection of Basic Inte rnet Protocol s Instant Messa ging Inspection Configuring an Instant Messaging Inspection Policy Map for Additional Inspection Control T o specify actions when a message violates a parame ter , create an IM inspection po licy map. Y ou can then[...]

  • Página 234

    10-22 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols Instant Messaging In spection Where the re ge x reg ex _ n a m e argument is the regul ar expressi on you created in Step 1 . The class r e gex_cl ass_name is the regular expression class map you crea ted in Step 2 . f. (Optional)[...]

  • Página 235

    10-23 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 10 Configuring Insp ection of Basic Inte rnet Protocol s IP Options Inspection Y ou can specify multiple class or match commands in the policy map. F or information about the order of class and match commands, see the “Def ining Actions in an Insp ection Policy Map ” section on pa[...]

  • Página 236

    10-24 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols IP Options Inspection • IP Options Inspection Ov erview , page 10-24 • Config uring an IP Options Inspection Polic y Map for Additional Inspection Co ntrol, page 10-25 IP Options Inspection Overview Each IP pack et contains an[...]

  • Página 237

    10-25 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 10 Configuring Insp ection of Basic Inte rnet Protocol s IPsec Pass Through Inspection Configuring an IP Options Inspecti on Policy Map for Additional Inspection Control Step 1 T o create an IP Options insp ection polic y map, enter the follo wing command: ciscoasa(config)# policy-map[...]

  • Página 238

    10-26 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols IPv6 Inspection • IPsec Pass Through Insp ection Ov ervie w , page 10-26 • “Example for Def ining an IPsec Pass Throu gh Param eter Map” section on page 10-26 IPsec Pass Through Inspection Overview Internet Protocol Securi[...]

  • Página 239

    10-27 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 10 Configuring Insp ection of Basic Inte rnet Protocol s IPv6 Inspection Information about IPv6 Inspection IPv6 inspection lets you selecti vely log or drop IPv6 traf fic based on the extensio n header . In addition, IPv6 inspection can check co nformance to RFC 2460 for type and o rd[...]

  • Página 240

    10-28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols IPv6 Inspection Detailed Steps Examples The following e xam ple creates an insp ection policy map that will dro p and log all IPv6 packets with the hop-by-hop, destinat ion-option, rout ing-address, and routin g type 0 headers: po[...]

  • Página 241

    10-29 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 10 Configuring Insp ection of Basic Inte rnet Protocol s IPv6 Inspection drop log match header destination-option drop log match header routing-address count gt 0 drop log match header routing-type eq 0 drop log Configuring IPv6 Inspection T o enable IPv6 inspection, perform th e foll[...]

  • Página 242

    10-30 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols NetBIOS Inspection Examples The follo wing example drops all IPv6 traf fic with the hop-by-hop, destinatio n-option, routing-addr ess, and routing type 0 headers: policy-map type inspect ipv6 ipv6-pm parameters match header hop-by[...]

  • Página 243

    10-31 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 10 Configuring Insp ection of Basic Inte rnet Protocol s NetBIOS Inspection Step 4 (Optional) T o add a description to the polic y map, enter the follo wing command: ciscoasa(config-pmap)# description string Step 5 T o apply actions to matching traf fic, perform the follo wing steps. [...]

  • Página 244

    10-32 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols PPTP Inspection ciscoasa(config)# policy-map netbios_policy ciscoasa(config-pmap)# class inspection_default ciscoasa(config-pmap-c)# inspect netbios netbios_map PPTP Inspection PPTP is a protocol for tunneling PPP tr af fic. A PPT[...]

  • Página 245

    10-33 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 10 Configuring Insp ection of Basic Inte rnet Protocol s SMTP and Extended SMTP Inspection includes support for SMTP sessions. Most commands used in an extended SMTP session are the same as those used in an SMTP session b ut an ESMTP sess ion is considerably faster and of fers more op[...]

  • Página 246

    10-34 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols SMTP and Extende d SMTP Inspection T o specify actions when a message viola tes a parame ter , create an ESMTP inspect ion polic y map. Y ou can then apply the inspection polic y map when you en able ESMTP inspection. T o create a[...]

  • Página 247

    10-35 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 10 Configuring Insp ection of Basic Inte rnet Protocol s TFTP Inspec tion Step 6 T o conf igure parameters that af fect the inspection engine, perform the follo wing steps: a. T o enter parameters conf iguratio n mode, enter the fo llo wing command: ciscoasa(config-pmap)# parameters c[...]

  • Página 248

    10-36 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols TFTP Inspec tion[...]

  • Página 249

    CH A P T E R 11-1 Cisco ASA Series Firewall CLI Configuratio n Guide 11 Configuring Inspection for Voice and Video Protocols This chapter descri bes how to configure application lay er protocol i nspection. Inspe ction engines are required for services that embed IP addressing information in the user data packet or that open secondary channels on d[...]

  • Página 250

    11-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 11 Configuring Ins pection for Voice and Video Protocols CTIQBE Inspection Limitations and Restrictions The follo wing summarizes limitations that appl y when using CTIQBE applicat ion inspection: • CTIQBE application insp ection does not suppor t config urations with the alias comman[...]

  • Página 251

    11-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 11 Configuring Inspection for Voice and Video Protocols H.323 Inspection The line be ginning with RTP/R TCP: PAT xlate s: appears onl y if an internal CTI de vice has register ed with an external Call Manager and th e CTI de vice address and ports are P A T ed to that external interf a[...]

  • Página 252

    11-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 11 Configuring Ins pection for Voice and Video Protocols H.323 Inspection H.323 Inspection Overview H.323 inspection provides support for H.323 complia nt appl ications such as Cisco CallManage r and V ocalT e c Gatekeeper . H.323 is a suite of protocol s defined by the Int ernational T[...]

  • Página 253

    11-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 11 Configuring Inspection for Voice and Video Protocols H.323 Inspection After inspecting the H.225 messages, t he ASA opens the H.245 channel and then inspects traf fic sent ov er the H.245 channel as well. All H.245 messages passing t hrough the ASA u ndergo H .245 application inspec[...]

  • Página 254

    11-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 11 Configuring Ins pection for Voice and Video Protocols H.323 Inspection • Only static N A T is fully supported. Static P A T may not properly translate IP addresses embedded in optional f ields within H.323 messages. If you e xperience this kind of problem, do not use static P A T w[...]

  • Página 255

    11-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 11 Configuring Inspection for Voice and Video Protocols H.323 Inspection b. (Optional) T o add a description to the class map , enter the follo wing command: ciscoasa(config-cmap)# description string Where string is th e description of the cl ass map (up to 200 characters). c. (Optiona[...]

  • Página 256

    11-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 11 Configuring Ins pection for Voice and Video Protocols H.323 Inspection Y ou can specify multiple class or match commands in the policy map. F or information about the order of class and match commands, see the “Def ining Actions in an Insp ection Policy Map ” section on page 2-4 [...]

  • Página 257

    11-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 11 Configuring Inspection for Voice and Video Protocols H.323 Inspection The follo wing example sho ws how to confi g ure phone number f iltering: ciscoasa(config)# regex caller 1 “5551234567” ciscoasa(config)# regex caller 2 “5552345678” ciscoasa(config)# regex caller 3 “555[...]

  • Página 258

    11-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 11 Configuring Ins pection for Voice and Video Protocols H.323 Inspection 0 Concurrent Call(s) for Local: 10.130.56.4/1050 Foreign: 172.30.254.205/1720 This output indi cates that there is curr ently 1 acti ve H.323 call goin g through the ASA between the local endpoint 10.130.5 6.3 an[...]

  • Página 259

    11-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 11 Configuring Inspection for Voice and Video Protocols MGCP Inspection Total: 1 GK Caller 172.30.254.214 10.130.56.14 This output sho ws that there is one acti ve registration between the gatekeeper 1 72.30.254.214 an d its client 10.130 .56.14. MGCP Inspection This section descri be[...]

  • Página 260

    11-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 11 Configuring Ins pection for Voice and Video Protocols MGCP Inspection MGCP transactions are composed of a command an d a mandatory response. There a re eight types of commands: • CreateConnection • ModifyConnection • DeleteCo nnection • Notifi cationRequest • Notify • Au[...]

  • Página 261

    11-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 11 Configuring Inspection for Voice and Video Protocols MGCP Inspection ciscoasa(config-pmap)# parameters ciscoasa(config-pmap-p)# b. T o configure the call agents, enter the follo wing command fo r each call agent: ciscoasa(config-pmap-p)# call-agent ip_address group_id Use the call-[...]

  • Página 262

    11-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 11 Configuring Ins pection for Voice and Video Protocols RTSP Inspection Verifying and Monitoring MGCP Inspection The show mgcp com mands command lists the number of MGCP com mands in the command queue. The show mgcp ses sions command lists the number of e xis ting MGCP sessions. The d[...]

  • Página 263

    11-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 11 Configuring Inspection for Voice and Video Protocols RTSP Inspection RTSP Inspection Overview The R TSP inspection engine lets the ASA pass R TSP packets. R TSP is used by RealAudio, RealNetworks, Ap ple QuickT ime 4, Real Player, and Cisco IP/TV connections. Note For Cisco IP/TV ,[...]

  • Página 264

    11-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 11 Configuring Ins pection for Voice and Video Protocols RTSP Inspection • Y o u can conf igure N A T for Apple QuickT ime 4 or RealPlayer . Cisco IP/TV only works with NA T if the V iewer and Content Manager are on the ou tside network and the serv er is on the inside network. Confi[...]

  • Página 265

    11-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 11 Configuring Inspection for Voice and Video Protocols RTSP Inspection Where the re ge x reg ex _ n a m e argument is the regul ar expression you created i n Step 1 . The class r e gex_cl ass_name is the regular e xpression class map you create d in Step 2 . Step 4 T o create an R TS[...]

  • Página 266

    11-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 11 Configuring Ins pection for Voice and Video Protocols SIP Inspection ciscoasa(config-pmap-p)# url-length-limit length Where the length ar gument specifies the URL length i n bytes (0 to 6000). The follo wing example sho ws a how to d efine an R TSP inspection polic y map. ciscoasa(c[...]

  • Página 267

    11-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 11 Configuring Inspection for Voice and Video Protocols SIP Inspection T o support SIP calls through the ASA, signaling messages for the media connection addresses, media ports, and embryonic connectio ns for the media must be inspected, because whil e the signaling is sent ov er a we[...]

  • Página 268

    11-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 11 Configuring Ins pection for Voice and Video Protocols SIP Inspection SIP inspection has a database with indices CALL_ID/FR OM/TO from the SIP payload. These ind ices identify the call, the source, and the destination. Th is database contains the media addresses and media ports found[...]

  • Página 269

    11-21 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 11 Configuring Inspection for Voice and Video Protocols SIP Inspection Where the class_map_name is the name of the class map. The match-all ke yword is the def ault, and specifies that t raff ic must match all criteria to match the class map. The match-an y keyw ord specifies that the[...]

  • Página 270

    11-22 Cisco ASA Series Firewall CLI Configuration Guide Chapter 11 Configuring Ins pection for Voice and Video Protocols SIP Inspection Where the re ge x reg ex _ n a m e argument is the regul ar expressi on you created in Step 1 . The class r e gex_cl ass_name is the regular expression class map you crea ted in Step 2 . k. (Optiona l) T o ma tch a[...]

  • Página 271

    11-23 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 11 Configuring Inspection for Voice and Video Protocols SIP Inspection b. T o enable or disable instant messaging, enter the f o llo wing command: ciscoasa(config-pmap-p)# im c. T o enable or disable IP address pri vacy , enter the follow ing command: ciscoasa(config-pmap-p)# ip-addre[...]

  • Página 272

    11-24 Cisco ASA Series Firewall CLI Configuration Guide Chapter 11 Configuring Ins pection for Voice and Video Protocols Skinny (SCCP) Inspection Configuring SIP Timeout Values The media connections are torn do wn within two min utes after the connection becomes idle. This is, ho we ver , a configurable timeout an d can be set for a shorter or l on[...]

  • Página 273

    11-25 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 11 Configuring Inspection for Voice and Video Protocols Skinny (SCCP) Inspection • SCCP Inspecti on Overview , page 11-25 • Supporting Cisco IP Phon es, page 11-25 • Restrictions and Limitat ions, page 11-26 • Config uring a Skinn y (SCCP) Inspection Polic y Map for Additional[...]

  • Página 274

    11-26 Cisco ASA Series Firewall CLI Configuration Guide Chapter 11 Configuring Ins pection for Voice and Video Protocols Skinny (SCCP) Inspection When the Cisco IP Phones are on a lower security interface compared to the TFTP server , you must use an A CL to connect to the protected TF TP server on UD P port 69. While you do need a stati c entry fo[...]

  • Página 275

    11-27 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 11 Configuring Inspection for Voice and Video Protocols Skinny (SCCP) Inspection Step 5 T o apply actions to matching traf fic, perform the follo wing steps. a. Specify the traf fic on which you want to perf orm actions using one of the follo wing methods: • Specify the SCCP class m[...]

  • Página 276

    11-28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 11 Configuring Ins pection for Voice and Video Protocols Skinny (SCCP) Inspection Where the value_length ar gument is a maximum or minim u m v alue. f. T o config ure the timeout v alue for signaling and media connection s, enter the follo wing command: ciscoasa(config-pmap-p)# timeout[...]

  • Página 277

    CH A P T E R 12-1 Cisco ASA Series Firewall CLI Configuratio n Guide 12 Configuring Inspection of Database and Directory Protocols This chapter descri bes how to configure application lay er protocol i nspection. Inspe ction engines are required for services that embed IP addressing information in the user data packet or that open secondary channel[...]

  • Página 278

    12-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 12 Configurin g Inspection of Databa se and Directory Pr otocols SQL*Net Inspection During connection negotiati on time, a BIND PDU is sent from the client to the server . Once a successful BIND RESPONSE from the server is receiv ed, othe r operational messages may be e xchanged (such a[...]

  • Página 279

    12-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 12 Configuring Inspection of Database and Directory Protocols Sun RPC Inspection SQL*Net V ersion 2 TNSFrame types (Connect, A ccep t, Refuse, Resend, and Marker) will not be scanned for addresses to N A T nor will inspection open dynamic connections for any embedd ed ports in the pack[...]

  • Página 280

    12-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 12 Configurin g Inspection of Databa se and Directory Pr otocols Sun RPC Inspection Managing Sun RPC Services Use the Sun RPC services table to co ntrol Sun RPC traf fic through t he ASA based on established Sun RPC sessions. T o create entries in the Sun RPC services table, use th e su[...]

  • Página 281

    12-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 12 Configuring Inspection of Database and Directory Protocols Sun RPC Inspection sunrpc-server inside 192.168.100.2 255.255.255.255 service 100003 protocol UDP port 111 timeout 0:30:00 sunrpc-server inside 192.168.100.2 255.255.255.255 service 100005 protocol UDP port 111 timeout 0:30:[...]

  • Página 282

    12-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 12 Configurin g Inspection of Databa se and Directory Pr otocols Sun RPC Inspection[...]

  • Página 283

    CH A P T E R 13-1 Cisco ASA Series Firewall CLI Configuratio n Guide 13 Configuring Inspection for Management Application Protocols This chapter descri bes how to configure application lay er protocol i nspection. Inspe ction engines are required for services that embed IP addressing information in the user data packet or that open secondary channe[...]

  • Página 284

    13-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 13 Configuring Inspecti on for Management Application Protocols DCERPC Inspection DCERPC inspect maps inspect for nati ve TCP communication between the EPM and client on well known TCP port 135. Map a nd lookup op erations of the E PM are supported for clients. Cli ent and server can be[...]

  • Página 285

    13-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 13 Configuring Inspection for Ma nagement Application Protocols GTP Inspection The follo wing example sho ws how to def ine a DCERPC inspection polic y map with the timeout confi gured for DCERPC pinholes. ciscoasa(config)# policy-map type inspect dcerpc dcerpc_map ciscoasa(config-pmap[...]

  • Página 286

    13-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 13 Configuring Inspecti on for Management Application Protocols GTP Inspection Configuring a GTP Inspection Policy Ma p for Additional Inspection Control If you w ant to enforce additi onal parameters on GTP t raf fic, creat e and conf igure a GTP map. If you do not specify a map with t[...]

  • Página 287

    13-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 13 Configuring Inspection for Ma nagement Application Protocols GTP Inspection ciscoasa(config-pmap)# parameters ciscoasa(config-pmap-p)# The mnc network_code argument is a two or th ree-digit v alue identifying the network cod e. By default, t he security appliance does not ch eck for[...]

  • Página 288

    13-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 13 Configuring Inspecti on for Management Application Protocols GTP Inspection a. Use the object-group command t o define a ne w network object group that w ill represent the SGSN that sends GTP requests to the GSN po ol. ciscoasa(config)# object-group network SGSN-name ciscoasa(config-[...]

  • Página 289

    13-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 13 Configuring Inspection for Ma nagement Application Protocols GTP Inspection Enter this command separately for each timeout. The gsn keyw ord specif ies the period of inacti vity after which a GSN will be remo ved. The pdp-context key word specif ies the maximum period of time allo w[...]

  • Página 290

    13-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 13 Configuring Inspecti on for Management Application Protocols RADIUS Accounting Insp ection total created_pdpmcb 0 total deleted_pdpmcb 0 pdp_non_existent 0 Y ou can use the v e rtical bar (|) to f ilter the display . T ype ?| for more display f iltering optio ns. The follo wing is sa[...]

  • Página 291

    13-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 13 Configuring Inspection for Ma nagement Application Protocols RADIUS Accounting Inspection RADIUS Accounting Inspection Overview One of the well kno wn problems is the over -billing attack in GPRS networks. The o ver-billi ng attack can cause consumers anger an d frustration by being[...]

  • Página 292

    13-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 13 Configuring Inspecti on for Management Application Protocols RSH Inspection service-policy global_policy global RSH Inspection RSH inspection is enabled by default. The RSH prot ocol uses a TCP connection from th e RSH client to the RSH server on TCP port 514. The client and serv er[...]

  • Página 293

    13-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 13 Configuring Inspection for Ma nagement Application Protocols XDMCP Inspection ciscoasa(config-snmp-map)# deny version 2 XDMCP Inspection XDMCP inspection is enabled by def ault; howe ver , the XDMCP inspection engi ne is dependent upon proper conf iguration of the established comma[...]

  • Página 294

    13-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 13 Configuring Inspecti on for Management Application Protocols XDMCP Inspection[...]

  • Página 295

    P AR T 5 Conf iguring Unif ied Communications[...]

  • Página 296

    [...]

  • Página 297

    CH A P T E R 14-1 Cisco ASA Series Firewall CLI Configuratio n Guide 14 Information About Cisco Unified Communications Proxy Features This chapter descri bes how to configure the ad apti ve security appliance for Cisco Unif ied Communications Proxy features. This chapte r includes the follo wing sections: • Information Ab out the Adapti ve Securi[...]

  • Página 298

    14-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 14 Information Abou t Ci sco Unified Communica tions Proxy Features Information About the A daptive Security Appliance in Cisco U nified Communications TLS Proxy: Decryption and inspection of Cisco Unified Communications encrypted signaling End-to-end encr yption ofte n leaves network s[...]

  • Página 299

    14-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 14 Inform ation About Cisco Unified Co mmunications Proxy Features TLS Proxy Ap plications in Cisco Unified Communications The ASA prov ides perimeter security by en crypting signalin g connections between enterpri ses and pre venting unathorized calls. An ASA running the Cisco In terc[...]

  • Página 300

    14-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 14 Information Abou t Ci sco Unified Communica tions Proxy Features Licensing for Cisco Unified Communications Proxy Features For the Cisco Unified Mobi lity solution , the TLS clien t is a Cisco UM A client and the TLS server is a Cisco UMA server . The ASA is between a Cisco UM A clie[...]

  • Página 301

    14-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 14 Inform ation About Cisco Unified Co mmunications Proxy Features Licensing for Cisc o Unified Communications Proxy Features ASA 5512-X Base Licen se: 2 sessions. Optional licenses: 24, 50, 100 , 250, or 500 sessions. ASA 5515-X Base Licen se: 2 sessions. Optional licenses: 24, 50, 10[...]

  • Página 302

    14-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 14 Information Abou t Ci sco Unified Communica tions Proxy Features Licensing for Cisco Unified Communications Proxy Features T able 14-2 sho ws the default and maximum TLS sessio n details by platform. The follo wing table shows the Uni fied Co mmunications Proxy licen se details by pl[...]

  • Página 303

    CH A P T E R 15-1 Cisco ASA Series Firewall CLI Configuratio n Guide 15 Using the Cisco Unified Communication Wizard This chapter descri bes how to configure the ad apti ve security appliance for Cisco Unif ied Communications Proxy features. This chapte r includes the follo wing sections: • Information ab out the Cisco Unif ied Communication W iz[...]

  • Página 304

    15-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 15 Using the Cisco Unified Communication Wizard Information about the Cis co Unified Communication Wizard The wizard simplif ies the configuration of the Unified Communications proxi es in the follo wing ways: • Y ou enter all required data in the wizard steps. Y ou are not required t[...]

  • Página 305

    15-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 15 Using the Cisco Unified Commu nication Wizard Licensing Requirements for the Unified Communication W izard Using the ASA as a sec ure presence federation pr oxy , businesses can securely connect their Cisco Unified Presence (Cisco UP) servers to other Ci sco or Microsoft Presence se[...]

  • Página 306

    15-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 15 Using the Cisco Unified Communication Wizard Guidelines and Limitations Guidelines and Limitations This section includes the guid elines and limitations for th is feature. Context Mode Guidelines Supported in single and mult iple conte xt mode. Firewall Mode Guidelines Supported in r[...]

  • Página 307

    15-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 15 Using the Cisco Unified Commu nication Wizard Configuring the Phone Proxy by using the Unified Communication W izard Note Any conf iguration created by the wizard should be maintained t hrough the wizard to ensure pr oper synchronization. F or example, if you create a ph one proxy c[...]

  • Página 308

    15-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 15 Using the Cisco Unified Communication Wizard Configuring the Ph one Proxy by using the Unified Communication Wizard Step 2 Specify each entity in th e network (al l Cisco UCM and TFTP servers) that the IP phones mu st trust. Click Add to add the servers. See Confi guring Serv ers for[...]

  • Página 309

    15-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 15 Using the Cisco Unified Commu nication Wizard Configuring the Phone Proxy by using the Unified Communication W izard statements, you must delete them manually by using the appropriate area of AS DM or rerun the Unified Communications wizard without making any changes and apply the c[...]

  • Página 310

    15-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 15 Using the Cisco Unified Communication Wizard Configuring the Ph one Proxy by using the Unified Communication Wizard Selecting the Use interface IP radio button conf igures the server to use the IP address of the public interface. Y ou select the publi c interface in step 4 of the wiz[...]

  • Página 311

    15-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 15 Using the Cisco Unified Commu nication Wizard Configuring the Phone Proxy by using the Unified Communication W izard See also the Cisco Unif ied Communications Manage r Securit y Guide for in formation on Usin g the Certif icate Authority Proxy Function (CAPF) to instal l a locally [...]

  • Página 312

    15-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 15 Using the Cisco Unified Communication Wizard Configuring the Ph one Proxy by using the Unified Communication Wizard • PC Port • V oice VL AN access • Gratuitous ARP • Span to PC Port Step 3 T o configure address translation for IP phones, check the Enable addre ss translatio[...]

  • Página 313

    15-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 15 Using the Cisco Unified Commu nication Wizard Configuring the Mobility Advantage by using the Unified Communication Wizard Step 1 In the field for the pri vate IP addr ess, enter the IP ad dress on which pr i vate media traf fic terminates. The IP address must be within the same su[...]

  • Página 314

    15-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 15 Using the Cisco Unified Communication Wizard Configuring the Mobility Advantage by using the Unified Communication Wizard Configuring the Topology for the Cisco Mobility Advantage Proxy When config uring the Mobility Adv antage Proxy , you specify settings to def ine the pri vate an[...]

  • Página 315

    15-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 15 Using the Cisco Unified Commu nication Wizard Configuring the Mobility Advantage by using the Unified Communication Wizard • When using the wizard to co nfigu re the Cisco Mobilit y Adv antage proxy , the wizard only supports installing self-sig ned certificates. Step 2 Export th[...]

  • Página 316

    15-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 15 Using the Cisco Unified Communication Wizard Configuring the Pr esence Federation Pr oxy by using the Unified Communication Wizard Configuring the Presence Federation Proxy by using the Unified Communication Wizard Note The Unified Commu nication W izard is supported for the AS A ve[...]

  • Página 317

    15-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 15 Using the Cisco Unified Commu nication Wizard Configuring the Presence Federation Proxy by using the Unified Communication W izard Step 3 In the FQDN f ield, enter the domain name for the Unif ied Presence server . This domain name is incl uded in the certif icate signing request t[...]

  • Página 318

    15-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 15 Using the Cisco Unified Communication Wizard Configuring the UC-IME by us ing the Unified Comm unication Wizard For th e TLS handshake, t he two en tities, namely the local entity and a remote en tity , could v alidate the peer certificate via a certif icate c hain to trusted th ird[...]

  • Página 319

    15-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 15 Using the Cisco Unified Commu nication Wizard Configuring the UC-IME by us ing the Unified Communication Wizard T o config ure the Cisco Intercompan y Media Engine Proxy by using ASDM, choose W izards > Unif ied Communication Wi zard from the menu. The Unified Communication W iz[...]

  • Página 320

    15-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 15 Using the Cisco Unified Communication Wizard Configuring the UC-IME by us ing the Unified Comm unication Wizard Step 2 Click Next . Basic Deployment In a basic deplo yment, the Cisco Intercompany Media Engine Proxy sits i n-line with the Internet f irewa ll such that all Internet tr[...]

  • Página 321

    15-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 15 Using the Cisco Unified Commu nication Wizard Configuring the UC-IME by us ing the Unified Communication Wizard Step 1 T o configure the Cisco Interco mpany Media Engine Proxy as part of a basic de ployment, select the interface that connects to the local Cisco Unified Communicatio[...]

  • Página 322

    15-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 15 Using the Cisco Unified Communication Wizard Configuring the UC-IME by us ing the Unified Comm unication Wizard Adding a Cisco Unified Communications Manager Server for the UC-IME Proxy Y ou must incl ude an entry fo r each Cisco U CM in the clust er with Cisco Inte rcompany Media E[...]

  • Página 323

    15-21 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 15 Using the Cisco Unified Commu nication Wizard Configuring the UC-IME by us ing the Unified Communication Wizard Configuring the Local-Side Certificates for the Cisco Intercompany Media Engine Proxy Completing this step of the wizard gen erates a self-signed certif icate for the ASA[...]

  • Página 324

    15-22 Cisco ASA Series Firewall CLI Configuration Guide Chapter 15 Using the Cisco Unified Communication Wizard Configuring the UC-IME by us ing the Unified Comm unication Wizard Configuring the Remote-Side Certificat es for the Cisco Intercompany Media Engine Proxy Establishing a trust relation ship cross enterprises or across administrati ve doma[...]

  • Página 325

    15-23 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 15 Using the Cisco Unified Commu nication Wizard Working with Ce rtificates in the Unified Communication Wizard Working with Certificates in the Unified Communication Wizard This section includes the following topics: • Exporting an Identit y Certif icate, page 15-23 • Installing [...]

  • Página 326

    15-24 Cisco ASA Series Firewall CLI Configuration Guide Chapter 15 Using the Cisco Unified Communication Wizard Working with Certificates in the Unified Comm unication Wizard Presence Federation server , and the Cisco Unifie d Communications Manager servers, respectiv ely , on the ASA. See the documentatio n for each of these products for informat [...]

  • Página 327

    15-25 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 15 Using the Cisco Unified Commu nication Wizard Working with Ce rtificates in the Unified Communication Wizard • Remote Presence Federati on serv ers for the Cisco Presence Fede ration Proxy • The remote ASAf or the Cisco In tercom pany Media Engine Prox y Before generating the C[...]

  • Página 328

    15-26 Cisco ASA Series Firewall CLI Configuration Guide Chapter 15 Using the Cisco Unified Communication Wizard Working with Certificates in the Unified Comm unication Wizard Submit the CSR to the cert ificat e authority (CA), for example, by pastin g the CSR text in to the CSR enrollment page on th e CA website. When the CA returns the signed iden[...]

  • Página 329

    15-27 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 15 Using the Cisco Unified Commu nication Wizard Working with Ce rtificates in the Unified Communication Wizard T ypically , a certificate aut hority returns tw o certif icates: your signed identity certif icate and the certif icate authority’ s certif icate (r eferred to as the roo[...]

  • Página 330

    15-28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 15 Using the Cisco Unified Communication Wizard Working with Certificates in the Unified Comm unication Wizard[...]

  • Página 331

    CH A P T E R 16-1 Cisco ASA Series Firewall CLI Configuratio n Guide 16 Configuring the Cisco Phone Proxy This chapter describes ho w to confi gure the ASA for Cisco Phon e Proxy feature. This chapte r includes the follo wing sections: • Information Abou t the Cisco Phone Proxy , page 16-1 • Licensing Requ irements for the Pho ne Proxy , page 1[...]

  • Página 332

    16-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Information About the Cisco Phone Proxy Figur e 16-1 Phone Pro xy Secur e Deploy ment The phone proxy supports a Cisc o UCM cluste r in mixed mode or n onsecure mode . Regardless of the cluster mode , the remote phones th at are capable of encryptio[...]

  • Página 333

    16-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Information About the Cisco Phone Proxy Note As an alternativ e to auth enticating remote IP phones through the TLS h andshake, you can conf igure authentication via LSC p rovisioni ng. W ith LSC prov isioning you create a pass word for each remote [...]

  • Página 334

    16-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Licensing Requirements for the Phone Proxy • Cisco Unif ied IP Phone 7941 • Cisco Unif ied IP Phone 7941G-GE • Cisco Unif ied IP Phone 7940 (SCCP p rotocol support only) • Cisco Unif ied W ireless IP Phone 7921 • Cisco Unif ied Wireless I [...]

  • Página 335

    16-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Licensing Requirements for the Phone Proxy ASA 5512-X Base Licen se: 2 sessions. Optional licenses: 24, 50, 100 , 250, or 500 sessions. ASA 5515-X Base Licen se: 2 sessions. Optional licenses: 24, 50, 100 , 250, or 500 sessions. ASA 5525-X Base Lice[...]

  • Página 336

    16-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Prerequisites for the Phone Proxy For more inf ormation about licensing, see the general operati ons config uration guide. Prerequisites for the Phone Proxy This section contains the following topics: • Media T ermination Instance Prerequisites, p[...]

  • Página 337

    16-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Prerequisites for the Phon e Proxy • For IP pho nes behind a router or gate way , you must also meet this prerequisite. On the router or gatew ay , ad d routes to the m edi a termination address on the ASA interface that the IP phones communicate [...]

  • Página 338

    16-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Prerequisites for the Phone Proxy If N A T is configured for the TFTP server or Cisco UCMs, the translated “globa l” address must be used in the ACLs. T able 16-1 lists the ports that are required to be conf igured on the exi sting fire wall: No[...]

  • Página 339

    16-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Prerequisites for the Phon e Proxy host 10.0.0.2 nat (inside,outside) static interface service tcp 2443 7443 Note Both P A T configurations—for the non secure and secure ports—m ust be configured. • When the IP phones must co ntact the CAPF on[...]

  • Página 340

    16-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Prerequisites for the Phone Proxy Note If an IP phone already has an LSC installed on it from a different Cisco UCM cluster , delete the LSC from the dif ferent cluster and install an LSC from the current Cisco UCM cl uster . Note Y ou can confi gu[...]

  • Página 341

    16-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Prerequisites for the Phon e Proxy Prerequisites for Rate Limiting TFTP Requests In a remote access scenario, we recommend that you conf igure rate limiting of TFTP requests b ecause any IP phone co nnecting through the I nternet is allo wed to sen[...]

  • Página 342

    16-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Phone Proxy Guidelines and Limitations End-User Phone Provisioning The phone proxy is a tr ansparent proxy with resp ect to the TFTP and signaling t ransactions. If N A T is not configured for the Cisco UCM TFTP se rver , then th e IP phones need t[...]

  • Página 343

    16-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Phone Proxy Guidelines a nd Limitations • General Guidelines and Limitations, page 16-1 3 • Media T ermination Address Guidel ines and Limitation s, page 16-14 General Guidelines and Limitations The phone proxy has the foll ow ing general limit[...]

  • Página 344

    16-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Configuring the Ph one Proxy – T wo SIP IP phones: both in non-secure mo de T wo SCCP IP phones: one IP phone in authenti ca ted mode and one in encr ypted mode, both in authentic ated mode, bo th in encr ypted mode – T wo SIP IP phones: on e I[...]

  • Página 345

    16-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Configuring the Phone Prox y • Creating the TLS Proxy for a Mixed-mode Ci sco UCM Cluster , page 16-21 • Creating the Media T e rmination Instance, page 16-23 • Creating the Phone Proxy Instance, page 16-24 • Enabling the Phone Proxy with S[...]

  • Página 346

    16-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Configuring the Ph one Proxy Step 3 Click Find and it wi ll display all the certif icates. Step 4 Find the f ilename Cisco_Manuf acturing_CA . This is the certif icate need to verify the IP p hone certificate. Click the .PEM f ile Cisco_Manufacturi[...]

  • Página 347

    16-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Configuring the Phone Prox y Task Flow for Configuring the Phone Proxy in a Mixed-mode Cisco UCM Cluster Note For mix ed-mode clusters, the phone proxy does not support the Cisco Unif ied Call Manager using TFTP to send encrypted conf iguration fil[...]

  • Página 348

    16-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Configuring the Ph one Proxy Prerequisites Import the required certif icates, whic h are stored on the Cisco UCM. See Certificates from the Cisco UCM, page 16-7 and Importing Certif icates from the Cisco UCM, page 16-15 . What to Do Next Once you h[...]

  • Página 349

    16-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Configuring the Phone Prox y Prerequisites If you are usin g domain name s for your Cisco UCM and TFTP server , you must configure DNS l ookup on the ASA. Add an entry for each of the outside in terfaces on the ASA into your DNS server , if such en[...]

  • Página 350

    16-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Configuring the Ph one Proxy Using an Existing CTL File Note Only when the phone prox y is running in mix ed-mode clusters, you hav e the option to use an exi sting CTL file to install tr ustpoints. If you hav e an existing CTL file that contains t[...]

  • Página 351

    16-21 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Configuring the Phone Prox y What to Do Next Once you have created the TLS proxy inst ance, create the phone proxy instance. See Creating the Phone Proxy Instance, page 16-24 . Creating the TLS Proxy for a Mixed-mode Cisco UCM Cluster For mix ed mo[...]

  • Página 352

    16-22 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Configuring the Ph one Proxy Step 6 hostname(config-ca-trustpoint)# subject-name X.500_name Example: hostname(config-ca-trustpoint)# subject-name cn=FW_LDC_SIGNER_172_23_45_200 Includes the indicated subj ect DN in the certificate during enrollment[...]

  • Página 353

    16-23 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Configuring the Phone Prox y What To Do Next Once you hav e created the TLS proxy instance a nd installe d the certificate on the Cisco Unif ied Communications Manager, create the p hone proxy instance. See Cr eating the Phon e Proxy Instan ce, pag[...]

  • Página 354

    16-24 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Configuring the Ph one Proxy What To Do Next Once you ha ve created the media termin ation instan ce, create th e phone prox y instance. See Crea ting the Phone Proxy Instance, page 16-24 . Creating the Phone Proxy Instance Create the phone proxy i[...]

  • Página 355

    16-25 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Configuring the Phone Prox y Command Purpose Step 1 hostname(config)# phone-proxy phone_proxy_name Example: hostname(config)# phone-proxy myphoneproxy Creates the phone proxy instance. Only one phone proxy instance can be con fi gured on the securi[...]

  • Página 356

    16-26 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Configuring the Ph one Proxy What to Do Next Once you ha ve created the phon e proxy instance, con figur ing SIP and Skinny for the phone proxy . See Enabling the Phon e Proxy with SIP an d Skinny Inspection, page 16-26 . Enabling the Phone Proxy w[...]

  • Página 357

    16-27 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Configuring the Phone Prox y Configuring Linksys Routers with UDP Po rt Forwarding for the Phone Proxy When IP phones are behind a N A T -ca pable router , the router can be co nfigured to forward the UDP ports to the IP address of the IP phone. Sp[...]

  • Página 358

    16-28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Troublesho oting the Phone Prox y Configuring Your Router Y our fire wall/router needs to be conf igured to forward a range of UDP ports to the IP pho ne. This will allow the IP phone to recei ve audio when you make/recei ve calls. Note Different C[...]

  • Página 359

    16-29 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Troubleshooting the Phone Prox y T able 16-5 lists the captu re commands to use with the phone p roxy . Use the capture command on the appropriate interfaces (IP phones and Cisco UCM) to enable packet capture capabilities for pack et snif fing and [...]

  • Página 360

    16-30 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Troublesho oting the Phone Prox y T able 16-5 Security Appliance Captur e Co mmands to Use with the Phone Pro xy T o Use the Command Notes T o capture packets on the A SA interfaces. capture ca ptur e_name interface interface_name Use this command [...]

  • Página 361

    16-31 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Troubleshooting the Phone Prox y T able 16-6 lists the sho w commands to use with the phone proxy . T able 16-6 Secur ity Appliance Show Com mands to Use with the Phone Pr o xy T o Use the Command Notes T o show the packets or connections dropped b[...]

  • Página 362

    16-32 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Troublesho oting the Phone Prox y Debugging Information from IP Phones On the IP phone, perform th e follo wing actions: • Check the Status messages on th e IP phone by selecting the Settings b utton > Status > Status Messages and selecting[...]

  • Página 363

    16-33 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Troubleshooting the Phone Prox y • Check the Security sett ings on the IP phone by selecting the Set tings button > Secu rity Config uration. Settings fo r web access, Security mode, MIC, LSC, CTL file, tru st list, and CAPF appear . Under Sec[...]

  • Página 364

    16-34 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Troublesho oting the Phone Prox y Step 2 From the ASA, verify that the CTL f ile for the phone proxy contains on e record entry for each entity in the network—Primary Cisco UCM, Secon dary Cisco UCM, TFTP serv er—by entering the fo llo wing com[...]

  • Página 365

    16-35 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Troubleshooting the Phone Prox y Solution Step 1 V erify that DNS lookup is config ured on the ASA. Step 2 If DNS lookup is conf igured, determine whether you can p ing the FQDN for the Ci sco UCM from the ASA. Step 3 If ASA cannot ping the Cisco U[...]

  • Página 366

    16-36 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Troublesho oting the Phone Prox y PP: Client outside:192.168.10.5/49355 retransmitting request for Config file SEP001562106AF3.cnf.xml.sgn PP: opened 0x17ccde PP: 192.168.10.5/49355 requesting SEP001562106AF3.cnf.xml.sgn PP: Client outside:192.168.[...]

  • Página 367

    16-37 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Troubleshooting the Phone Prox y Step 3 If the router is a Linksys router , see Configu ring Linksys Routers wit h UDP Port Fo rwarding for t he Phone Proxy , page 16 -27 for information on the con fig uration requiremen ts. IP Phone Requesting Uns[...]

  • Página 368

    16-38 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Troublesho oting the Phone Prox y Make sure that each media-termination instance is cr eated correctly and that th e address or addresses are set correctly . The ASA must meet specif ic criter ia for media termination. See Media T ermination Instan[...]

  • Página 369

    16-39 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Troubleshooting the Phone Prox y b. V erify that the list o f installed certif icates contains all required certif icates for the phone proxy . See Ta b l e 1 6 - 2 , Certificates Required by the Secu rity Appliance fo r the Phone Proxy , for infor[...]

  • Página 370

    16-40 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Troublesho oting the Phone Prox y SSL Handshake Failure Problem The phone proxy is not fu nctioning. Initial troub leshooting unco vered the follo wing errors in the ASA syslogs: %ASA-7-725014: SSL lib error. Function: SSL3_READ_BYTES Reason: ssl h[...]

  • Página 371

    16-41 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Troubleshooting the Phone Prox y [3des-sha1] [des-sha1] [rc4-md5] [p ossibly others] See the command reference for more informatio n about setting ciphers wit h the ssl encry ption command. Certificate Validation Errors Problem Errors in the ASA lo[...]

  • Página 372

    16-42 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Troublesho oting the Phone Prox y phone-proxy mypp media-termination address 10.10.0.25 cipc security-mode authenticated cluster-mode mixed disable service-settings timeout secure-phones 0:05:00 hostname(config)# Make sure that each media-terminati[...]

  • Página 373

    16-43 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Troubleshooting the Phone Prox y The SAST keys can be seen via the show crypto k ey mypubkey rsa command. The SAST keys are associated with a trustpoint that is labeled _inter nal_ ctl-file _name _SAST_ X where ctl-f ile-name is the name of the CTL[...]

  • Página 374

    16-44 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Configuration Examples for the Phone Proxy mGF/hfDDNAICBAA= hostname(config)# quit INFO: Import PKCS12 operation completed successfully hostname(config)# Step 3 Create the CTL file instance on the ne w A SA using the same name as the one used in th[...]

  • Página 375

    16-45 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Configuration Examples for the Phon e Proxy Figur e 16-2 Nonsecure Cisco UCM clust er , Ci sco UCM and TFTP Se rver on Publisher object network obj-192.0.2.101 host 192.0.2.101 nat (inside,outside) static 10.10.0.26 access-list pp extended permit u[...]

  • Página 376

    16-46 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Configuration Examples for the Phone Proxy Example 2: Mixed-mode Cisco UCM clu ster, Cisco UCM and TFTP Server on Publisher Figure 16-3 sho ws an example of the configuration fo r a mixed-mode Cisco UCM cluster using the follo wing topology . Figur[...]

  • Página 377

    16-47 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Configuration Examples for the Phon e Proxy address 10.10.0.25 interface outside phone-proxy mypp media-termination my_mediaterm tftp-server address 192.0.2.101 interface inside tls-proxy mytls ctl-file myctl cluster-mode mixed class-map sec_sccp m[...]

  • Página 378

    16-48 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Configuration Examples for the Phone Proxy host 192.0.2.101 nat (inside,outside) static interface udp 69 69 access-list pp extended permit udp any host 10.10.0.24 eq 69 access-group pp in interface outside crypto key generate rsa label cucm_kp modu[...]

  • Página 379

    16-49 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Configuration Examples for the Phon e Proxy Figure 16-5 Mixed-mode Cisco UCM cluster , Pr i mar y Cisco UCM, Secondary Cisco UCM, and TFTP Serv er on Dif f erent Serv ers object network obj-192.0.2.105 host 192.0.2.105 nat (inside,outside) static 1[...]

  • Página 380

    16-50 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Configuration Examples for the Phone Proxy crypto ca trustpoint ldc_server enrollment self proxy_ldc_issuer fqdn my-ldc-ca.exmaple.com subject-name cn=FW_LDC_SIGNER_172_23_45_200 keypair ldc_signer_key crypto ca enroll ldc_server tls-proxy my_proxy[...]

  • Página 381

    16-51 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Configuration Examples for the Phon e Proxy Figur e 16-6 LSC Pro visioning in Mix ed-mode Cisco UCM clust er; Cisco UCM and TFTP Serv er on Publisher object network obj-192.0.2.105 host 192.0.2.105 nat (inside,outside) static 10.10.0.26 object netw[...]

  • Página 382

    16-52 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Configuration Examples for the Phone Proxy server trust-point _internal_PP_myctl client ldc issuer ldc_server client ldc keypair phone_common client cipher-suite aes128-sha1 aes256-sha1 media-termination my_mediaterm address 192.0.2.25 interface in[...]

  • Página 383

    16-53 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Configuration Examples for the Phon e Proxy Figur e 16-7 VLAN T ransv ersal Between CIPC Softphon es on the Da ta VLAN and Har d Phones on the V oice VLAN object network obj-10.130.50.0 subnet 10.130.50.0 255.255.255.0 nat (data,voice) dynamic 192.[...]

  • Página 384

    16-54 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Feature History for the Phone Proxy class sec_sip inspect sip phone-proxy mypp service-policy pp_policy interface data Feature History for the Phone Proxy T able 16-7 lists the release h ist ory for this feature . T able 16-7 Feat ure Hist ory for [...]

  • Página 385

    CH A P T E R 17-1 Cisco ASA Series Firewall CLI Configuratio n Guide 17 Configuring the T LS Proxy for Encrypted Voice Inspection This chapter describes ho w to configure t he ASA for the TLS Proxy for Encrypted V oice Inspection feature. This chapter includ es the follo wing sections: • Information ab out the TLS Proxy for En crypted V oice Insp[...]

  • Página 386

    17-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 17 Config uring the TLS Proxy for En crypted Voice Inspectio n Information about the TLS Proxy for E ncrypted Voice Inspection The security appliance acts as a TLS proxy betwee n the Cisco IP Phone an d Cisco UCM. The proxy is transparent for the voice calls be tween the pho ne and theC[...]

  • Página 387

    17-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 17 Configuring the TLS Prox y for Encrypted Voic e Inspection Information about the TLS Pro xy for Encrypted Voice Inspection • Cisco Unif ied IP Phone 7941G-GE • Cisco Unif ied IP Phone 7940 • Cisco Unif ied Wirel ess IP Phone 7921 • Cisco Unif ied Wirel ess IP Phone 7925 • [...]

  • Página 388

    17-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 17 Config uring the TLS Proxy for En crypted Voice Inspectio n Information about the TLS Proxy for E ncrypted Voice Inspection Figure 1 7 -2 CTL Client TLS Pro xy Featur es — ASA IP Address or Domain Name Figure 17-2 sh ow s support for entering the security app liance IP address or d[...]

  • Página 389

    17-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 17 Configuring the TLS Prox y for Encrypted Voic e Inspection Licensing for the TLS Proxy Figure 1 7 -4 CTL Client TLS Pro xy Featur es — CTL File Installed on the ASA The security appliance does not store the raw CTL file in the flash, rather , it parses the CTL file and installs ap[...]

  • Página 390

    17-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 17 Config uring the TLS Proxy for En crypted Voice Inspectio n Licensing for the TLS Proxy ASA 5580 Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, 500, 750, 1000, 20 00, 3000, 5000, or 10,000 sessions. 2 ASA 5512-X Base License: 2 sessions. Optional licenses: 24, 50, 100[...]

  • Página 391

    17-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 17 Configuring the TLS Prox y for Encrypted Voic e Inspection Prerequisites for the T LS Prox y for Encrypted Voice Inspection T able 17-1 sho ws the default and maximum TLS sessio n details by platform. For more inf ormation about licensing, see the general operations con figurat ion [...]

  • Página 392

    17-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 17 Config uring the TLS Proxy for En crypted Voice Inspectio n Configuring the TLS Pr oxy for Encrypted Voice Inspectio n • Creating T rustpoints and Generating Certif icates, page 17-9 • Creating an Intern al CA, page 17-10 • Creating a CTL Provider Instance, page 17-11 • Creat[...]

  • Página 393

    17-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 17 Configuring the TLS Prox y for Encrypted Voic e Inspection Configuring the TLS Pro xy for Encrypted Voice Inspection Step 8 Run the CTL Client application to add the server proxy certificate (ccm_proxy) to the CTL f ile and install the CTL file on the secu rity appliance. See the Ci[...]

  • Página 394

    17-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 17 Config uring the TLS Proxy for En crypted Voice Inspectio n Configuring the TLS Pr oxy for Encrypted Voice Inspectio n What to Do Next Once you have created the tr ustpoints and generate d th e certificates, create the internal CA to sign the LDC for Cisco IP Phones. See Creating an[...]

  • Página 395

    17-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 17 Configuring the TLS Prox y for Encrypted Voic e Inspection Configuring the TLS Pro xy for Encrypted Voice Inspection What to Do Next Once you ha ve created the internal CA, create the CTL provider instance. See Creating a CTL Provider Instance, page 17-11 . Creating a CTL Provider [...]

  • Página 396

    17-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 17 Config uring the TLS Proxy for En crypted Voice Inspectio n Configuring the TLS Pr oxy for Encrypted Voice Inspectio n What to Do Next Once you hav e created the CTL provider instance, create the TLS proxy instance. See Creating the TLS Proxy Instance, page 17-12 . Creating the TLS [...]

  • Página 397

    17-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 17 Configuring the TLS Prox y for Encrypted Voic e Inspection Configuring the TLS Pro xy for Encrypted Voice Inspection What to Do Next Once you hav e created TLS proxy ins tance, enab le the TLS proxy instance fo r Skinny and SIP inspection. See Enabling the TLS Proxy Instance f or S[...]

  • Página 398

    17-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 17 Config uring the TLS Proxy for En crypted Voice Inspectio n Configuring the TLS Pr oxy for Encrypted Voice Inspectio n Command Purpose Step 1 hostname(config)# class-map class_map_name Example: ciscoasa(config)# class-map sec_skinny Configures the se cure Skin ny class of traff ic t[...]

  • Página 399

    17-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 17 Configuring the TLS Prox y for Encrypted Voic e Inspection Monitoring the TLS Proxy Monitoring the TLS Proxy Y ou can enable TLS proxy d ebug flag s along with SSL syslogs to deb ug TLS proxy connection problems. F or example, using th e follo wing commands to enable TLS proxy-rela[...]

  • Página 400

    17-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 17 Config uring the TLS Proxy for En crypted Voice Inspectio n Monitoring the TLS Proxy Apr 17 2007 23:13:47: %ASA-7-711001: TLSP cbad5120: Data channel ready for the Client Apr 17 2007 23:13:47: %ASA-7-725013: SSL Server inside:195.168.2.201/5061 choose cipher : AES128-SHA Apr 17 2007[...]

  • Página 401

    17-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 17 Configuring the TLS Prox y for Encrypted Voic e Inspection Feature History for the TLS Pro xy for Encrypted Voice Inspection Public Key Type: RSA (1024 bits) Issuer Name: cn=TLS-Proxy-Signer Subject Name: cn=SEP0002B9EB0AAD o=Cisco Systems Inc c=US Validity Date: start date: 09:25:[...]

  • Página 402

    17-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 17 Config uring the TLS Proxy for En crypted Voice Inspectio n Feature History for the TLS Proxy for Encrypted Voice Inspection[...]

  • Página 403

    CH A P T E R 18-1 Cisco ASA Series Firewall CLI Configuratio n Guide 18 Configuring Cisco Mobility Advantage This chapter de scribes how to configure the ASA for Ci sco Unified Communic ations Mobi lity Advantage Proxy features. This chapte r includes the follo wing sections: • Information ab out the Cisco Mobility Adv antage Proxy Feature, page [...]

  • Página 404

    18-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 18 Configur ing Cisco Mobility Advantag e Information about the Cisco Mobility Advantage Proxy Feature The TCP/TLS default por t is 5443. There are no embedded N A T or secondary connections. Cisco UMA client and server communications can be proxied via TLS, w hich decrypts the data, pa[...]

  • Página 405

    18-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 18 Configuring Cisco Mobility Advantage Information about th e Cisco Mob ility Advantage Proxy Fe ature Figur e 18-1 Securi ty Appliance as Fir ewall wi th Mobility A dvantag e Proxy and MMP Inspection In Figure 18-1 , the ASA performs static N A T by translating the Cisco UMA serv er [...]

  • Página 406

    18-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 18 Configur ing Cisco Mobility Advantag e Information about the Cisco Mobility Advantage Proxy Feature Figur e 1 8-2 Cisco UMC/Cisco UMA Ar chitect ure – Scenar io 2: Secur ity Appliance as Mobility Adv antage Pr oxy Only Mobility Advantage Pr oxy Using NAT/PAT In both scenarios ( Fig[...]

  • Página 407

    18-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 18 Configuring Cisco Mobility Advantage Information about th e Cisco Mob ility Advantage Proxy Fe ature Trust Relationships for Cisco UMA Deployments T o establish a trust relatio nship between the Cisco U MC client and the ASA, t he ASA uses the Cisco UMA server certificate and ke ypa[...]

  • Página 408

    18-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 18 Configur ing Cisco Mobility Advantag e Licensing for the Cisco M obility Advantage Proxy Feature Figure 1 8-4 How the Secur ity Applia nce Repr es ents Cisco UMA – Cer tificat e Impersonation A trusted relationship betw ee n the ASA and the Cisco UMA se rver can be established wi t[...]

  • Página 409

    18-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 18 Configuring Cisco Mobility Advantage Configuring Cisc o Mobility Advantage • Enabling the TLS Proxy for MMP Insp ection, page 18-9 Task Flow for Configuring Cisco Mobility Advantage T o conf igure for the ASA to perfo rm TLS proxy and MMP inspection as sh own i n Figure 18-1 and F[...]

  • Página 410

    18-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 18 Configur ing Cisco Mobility Advantag e Configuring Cisc o Mobility Advantage What to Do Next Once you hav e created the trustpoints and installed the Cisco UMA cer tificate on the ASA, create the TLS proxy instance. See Creating t he TLS Proxy Instance, page 18-8 . Creating the TLS P[...]

  • Página 411

    18-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 18 Configuring Cisco Mobility Advantage Configuring Cisc o Mobility Advantage What to Do Next Once you ha ve created the TLS proxy inst ance, enable it for MMP inspection. See Enabling the TLS Proxy for MMP Inspection , page 18-9 . Enabling the TLS Proxy for MMP Inspection Cisco UMA cl[...]

  • Página 412

    18-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 18 Configur ing Cisco Mobility Advantag e Monitoring for Ci sco Mobility Advantage Monitoring for Cisco Mobility Advantage Mobility adv antage proxy can be deb ugged the same w a y as IP T elephony . Y ou can enable TLS proxy debug flags along with SSL syslogs to deb ug TLS proxy conne[...]

  • Página 413

    18-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 18 Configuring Cisco Mobility Advantage Configuration Examples for Cisco Mobility Advantage Configuration Examples for Cisco Mobility Advantage • Example 1: Cisco UMC/Cisco UMA Architecture – Secur ity Appliance as Fire wall with TLS Proxy and MMP Inspection, page 18 -11 • Examp[...]

  • Página 414

    18-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 18 Configur ing Cisco Mobility Advantag e Configuration Examples for Cisco Mobility Advantage object network obj-10.1.1.2-01 host 10.1.1.2 nat (inside,outside) static 192.0.2.140 crypto ca import cuma_proxy pkcs12 sample_passphrase <cut-paste base 64 encoded pkcs12 here> quit ! f[...]

  • Página 415

    18-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 18 Configuring Cisco Mobility Advantage Configuration Examples for Cisco Mobility Advantage Figur e 18-6 Cisco UMC/Cisco UMA Arc hitectur e – Scenario 2: Secur ity Appliance as TLS Pro xy Only object network obj-172.16.27.41-01 host 172.16.27.41 nat (inside,outside) static 192.0.2.1[...]

  • Página 416

    18-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 18 Configur ing Cisco Mobility Advantag e Feature History for Cisco Mobility Advantage tls-proxy cuma_proxy server trust-point cuma_proxy no server authenticate-client client cipher-suite aes128-sha1 aes256-sha1 class-map cuma_proxy match port tcp eq 5443 policy-map global_policy class[...]

  • Página 417

    CH A P T E R 19-1 Cisco ASA Series Firewall CLI Configuratio n Guide 19 Configuring Cisco Unified Presence This chapter descri bes how to configure the adapti v e security applia nce for Cisco Unified Presence. This chapter includ es the follo wing sections: • Information Abo ut Cisco Unified Presenc e, page 19-1 • Licensing for Cisco Unified P[...]

  • Página 418

    19-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 19 Configuring Cisco U nified Presence Information About Cisco Unified Presence Figur e 19-1 T ypical Cisco Unified Pr esence/LCS Federation Scenar io In the abov e a rchitecture, the ASA functions as a fire wall, N A T , and TLS proxy , which is the recommended architecture. Howe ver ,[...]

  • Página 419

    19-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 19 Config uring Cisco Un ified Presence Information About Cisco Un ified Presenc e ciscoasa(config-network-object)# nat (inside,outside) static 192.0.2.1 service tcp 5060 5060 For an other Cisco UP with the address 10.0 .0.3, you must use a d if ferent set of P A T ports, such as 45062[...]

  • Página 420

    19-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 19 Configuring Cisco U nified Presence Information About Cisco Unified Presence http://www .cisco.com/en/ US/products/ps6837/produc ts_i nstallation_and_co nfiguration_guid es_list.ht ml Trust Relationship in the Presence Federation W ithin an enterprise, setting up a tru st relationshi[...]

  • Página 421

    19-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 19 Config uring Cisco Un ified Presence Information About Cisco Un ified Presenc e Security Certificate Exchange Between C isco UP and the Security Appliance Y ou need to generate the ke ypai r for the certificate ( such as cup_proxy_key ) used by the A SA, and confi gure a trustpoint [...]

  • Página 422

    19-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 19 Configuring Cisco U nified Presence Information About Cisco Unified Presence For furt her information about config uring Cisco Un ified Presence Federation for XMPP Federation, see the Integr ation Gu ide for Configurin g Cisco Un ified Pr esen ce Release 8.0 for Interdomain F ed era[...]

  • Página 423

    19-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 19 Config uring Cisco Un ified Presence Licensing for Cisco Unifie d Presence nat (inside,outside) source static obj_host_<private cup2 ip> obj_host_<public cup2 IP> service obj_udp_source_eq_5269 obj_udp_source_eq_5269 nat (inside,outside) source static obj_host_<privat[...]

  • Página 424

    19-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 19 Configuring Cisco U nified Presence Configuring Cisco Unified Pr esence Proxy for SIP Federation For more inf ormation about licensing, see the general operati ons config uration guide. Configuring Cisco Unified Presence Proxy for SIP Federation This section contains the following to[...]

  • Página 425

    19-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 19 Config uring Cisco Un ified Presence Configuring Cisco Unified Presence Proxy fo r SIP Federation • Creating T rustpoints and Generating Certif icates, page 19-9 • Installing Certif icates, page 19-10 • Creating the TLS Proxy Instance, page 19-12 • Enabling the TLS Proxy for[...]

  • Página 426

    19-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 19 Configuring Cisco U nified Presence Configuring Cisco Unified Pr esence Proxy for SIP Federation What to Do Next Install the certif icate on the local entity truststore. Y ou could also enroll the certifi cate with a local CA trusted by the local entity . See the “ Installing Ce r[...]

  • Página 427

    19-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 19 Config uring Cisco Un ified Presence Configuring Cisco Unified Presence Proxy fo r SIP Federation Command Purpose Step 1 hostname(config)# crypto ca export trustpoint identity-certificate Example: hostname(config)# crypto ca export ent_y_proxy identity-certificate Export the ASA se[...]

  • Página 428

    19-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 19 Configuring Cisco U nified Presence Configuring Cisco Unified Pr esence Proxy for SIP Federation What to Do Next Once you hav e created the trustpoi nts and installed the certif icates for the local and remote entities on the ASA, create the TLS proxy instance. Se e Creating the TLS[...]

  • Página 429

    19-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 19 Config uring Cisco Un ified Presence Configuring Cisco Unified Presence Proxy fo r SIP Federation What to Do Next Once you ha ve created the TLS proxy i nst ance, enable it for SIP inspection. See Enabli ng the TLS Proxy for SIP Inspection, page 19-13 . Enabling the TLS Proxy for S[...]

  • Página 430

    19-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 19 Configuring Cisco U nified Presence Monitoring Cisco Unified Presence Monitoring Cisco Unified Presence Debug ging is similar to deb ugging TLS proxy for IP T elephony . Y ou can enable TLS proxy debug flags along with SSL syslogs to deb ug TLS proxy connection problems. For e xampl[...]

  • Página 431

    19-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 19 Config uring Cisco Un ified Presence Configuration Example for Cisco Unified Presence • Example A CL Configuration for XMPP Federat ion, page 19-17 • Example NA T Configuration for XMPP Federation, pa ge 19-18 Example Configuration for SIP Federation Deployments The follo wing [...]

  • Página 432

    19-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 19 Configuring Cisco U nified Presence Configuration Example for Cisco Unified Pres ence Figur e 19-5 T ypical Cisco Unified Pr esence/LCS Federation Scenar io object network obj-10.0.0.2-01 host 10.0.0.2 nat (inside,outside) static 192.0.2.1 service tcp 5061 5061 object network obj-10[...]

  • Página 433

    19-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 19 Config uring Cisco Un ified Presence Configuration Example for Cisco Unified Presence quit ! for Entity Y’s CA certificate crypto ca trustpoint ent_y_ca enrollment terminal crypto ca authenticate ent_y_ca Enter the base 64 encoded CA certificate. End with a blank line or the word[...]

  • Página 434

    19-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 19 Configuring Cisco U nified Presence Configuration Example for Cisco Unified Pres ence The follo wing values are used in th is sample conf iguration: • Priv ate XMPP federation Cisco Unified Presence Release 8.0 IP address = 1.1.1.1 • Priv ate second Cisco Uni fied Presence Relea[...]

  • Página 435

    19-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 19 Config uring Cisco Un ified Presence Configuration Example for Cisco Unified Presence • Pri vate third Cisco Unifi ed Presence Release 7.x IP address = 3.3.3.3 • XMPP federation listening po rt = 5269 nat (inside,outside) source static obj_host_1.1.1.1 obj_host_10.10.10.10 serv[...]

  • Página 436

    19-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 19 Configuring Cisco U nified Presence Feature History fo r Cisco Unified Presence Feature History for Cisco Unified Presence T able 19-1 lists the release h ist ory for this feature . T able 19-1 Feat ure Hist ory for Cisco Unified Pr esence Feature Name Releases Feature Information C[...]

  • Página 437

    CH A P T E R 20-1 Cisco ASA Series Firewall CLI Configuratio n Guide 20 Configuring Cisco Inte rcompany Media Engine Proxy This chapter descri bes how to configure the AS A for Cisco Intercompan y Media Engine Proxy . This chapter includ es the follo wing sections: • Information About Cisco Intercom pany Media Engi ne Proxy , page 20-1 • Licens[...]

  • Página 438

    20-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Information Abou t Cisco Intercompany Med ia Engine Proxy Cisco Intercompany Media Engine h as the follo wing ke y features: • W orks with existi ng phone numbers: Cisco Intercompan y Media Engine works with the phone numbers an [...]

  • Página 439

    20-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 20 Configuring Cisco Intercompany Media Engin e Proxy Information About Cisco In tercompany Media Engine Proxy On successful verif ica tion, the terminating side creates a tick et that grants permission to the call originator to mak e a Cisco IM E call to a specif ic number . See Tick [...]

  • Página 440

    20-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Information Abou t Cisco Intercompany Med ia Engine Proxy As illustr ated in Figure 20-1 . Enterprise B makes a P STN call to enterprise A. That call compl etes successfully . Later , Enterprise B Cisco Intercompa ny Media Engine s[...]

  • Página 441

    20-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 20 Configuring Cisco Intercompany Media Engin e Proxy Information About Cisco In tercompany Media Engine Proxy The TLS signaling connections from the Cisco UCM are terminated on the adapti ve security appliance and a TCP or TLS connecti on is initiated to the Cisco UCM. SR TP (media) s[...]

  • Página 442

    20-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Information Abou t Cisco Intercompany Med ia Engine Proxy Figur e 20-2 Cisco Inter compan y Media En gine Ar chit ectur e in a Basic Deplo yment Basic Deployment In a basic deplo yment, the Cisco Intercompany Media Engine Proxy sit[...]

  • Página 443

    20-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 20 Configuring Cisco Intercompany Media Engin e Proxy Licensing for Cisc o Intercompany Me dia Engine Off Path Deployment In an of f path deployment, inbound and outbound Cisco Intercom pany Media Engine calls pass t hrough an adapti ve securi ty appliance enab led with the Ci sco Inte[...]

  • Página 444

    20-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Guidelines and Limitations For more information about licensing, see Chapter 4, “Managing Feature Licenses, ” in the general operations conf iguration guide. Guidelines and Limitations Context Mode Guidelines Supported in singl[...]

  • Página 445

    20-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 20 Configuring Cisco Intercompany Media Engin e Proxy Guidelines and Limitations • Stateful failover of Cisco Unified Intercomp any Media Engine is no t supported. Durin g failover , existi ng calls tra versing the Cisco In tercompany Medi a Engine Proxy disconnect; ho wever , new ca[...]

  • Página 446

    20-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Configuring Cisco Intercompa ny Media Engine Proxy Assume for e x ample, the ASA is conf igured to hav e a maximum of 100 TLS pro xy sessions and IME calls between SCCP IP phon es establish 101 TLS proxy sessions. In t his ex ampl[...]

  • Página 447

    20-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 20 Configuring Cisco Intercompany Media Engin e Proxy Configuring Cisco Inter company Media Engin e Proxy Note Step 1 through Step 8 apply to both basic (in- line) and of f path deployments and Step 9 applies onl y to of f path deployment. T o confi gure a Ci sco Intercompan y Media E[...]

  • Página 448

    20-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Configuring Cisco Intercompa ny Media Engine Proxy Figure 20-6 Exampl e for Configur in g NA T for a Deployment T o configure auto N A T rules for the Cisc o UCM server , perform the following steps: Local Cisco UCMs Local ASA Cor[...]

  • Página 449

    20-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 20 Configuring Cisco Intercompany Media Engin e Proxy Configuring Cisco Inter company Media Engin e Proxy What to Do Next Create the A CLs for the Cisco Intercompany Media Engine Proxy . See Creating A CLs for Cisco Intercompany Medi a Engine Proxy , page 20-15 . Configuring PAT for t[...]

  • Página 450

    20-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Configuring Cisco Intercompa ny Media Engine Proxy Command Purpose Step 1 hostname(config)# object network name Examples: hostname(config)# object network ucm-pat-209.165.200.228 Confi gures a network object for the outside IP add[...]

  • Página 451

    20-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 20 Configuring Cisco Intercompany Media Engin e Proxy Configuring Cisco Inter company Media Engin e Proxy Creating ACLs for Cisco Intercompany Media Engine Proxy T o conf igure A CLs for the Cisco Intercompany Media Engine Prox y to reach the Cisco UCM serv er, perform the follo wing [...]

  • Página 452

    20-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Configuring Cisco Intercompa ny Media Engine Proxy What to Do Next Create the media termination inst ance on the ASA fo r the Cisco Intercompany Media Engi ne Proxy . See Creating the Media T e rmination Instance, page 20-16 . Cre[...]

  • Página 453

    20-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 20 Configuring Cisco Intercompany Media Engin e Proxy Configuring Cisco Inter company Media Engin e Proxy What To Do Next Once you hav e created the media termination instance, c reate the Cisco Intercompan y Media Engine Proxy . See Creating the Cisco Intercompany Media Engine Pro xy[...]

  • Página 454

    20-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Configuring Cisco Intercompa ny Media Engine Proxy Note Y ou cannot change an y of the conf iguration settings for the Cisco Intercompan y Media Engine Proxy described in this pr ocedure when the pr oxy is enabled for SIP inspecti[...]

  • Página 455

    20-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 20 Configuring Cisco Intercompany Media Engin e Proxy Configuring Cisco Inter company Media Engin e Proxy Step 4 hostname(config-uc-ime)# ticket epoch n password password Example: hostname(config-uc-ime)# ticket epoch 1 password password1234 Configures the ticket ep och and password f[...]

  • Página 456

    20-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Configuring Cisco Intercompa ny Media Engine Proxy What to Do Next Install the certif icate on the local entity truststore. Y ou could also enroll the certifi cate with a local CA trusted by the local entity . Creating Trustpoints[...]

  • Página 457

    20-21 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 20 Configuring Cisco Intercompany Media Engin e Proxy Configuring Cisco Inter company Media Engin e Proxy connections between the local Ci sco UCM and the local ASA. The instructions in that task describe ho w to create tr ustpoint s between the local Cisc o UCM and t he local A SA. P[...]

  • Página 458

    20-22 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Configuring Cisco Intercompa ny Media Engine Proxy What to Do Next Create the TLS proxy for the Cisco Intercompany Media Engi ne. See the “Creating the TLS Proxy” section on page 20 -23 . Step 4 hostname(config-ca-trustpoint)#[...]

  • Página 459

    20-23 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 20 Configuring Cisco Intercompany Media Engin e Proxy Configuring Cisco Inter company Media Engin e Proxy Creating the TLS Proxy Because either enterprise, n amely the local or remote Cisco UCM servers, can in itiate the TLS handshake (unlik e IP T elephony or Ci sco Mobility Adv anta[...]

  • Página 460

    20-24 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Configuring Cisco Intercompa ny Media Engine Proxy What to Do Next Once you hav e created the TLS prox y , enable it for SIP inspect ion. Enabling SIP Inspection for the Cisco Intercompany Media Engine Proxy Enable the TLS proxy f[...]

  • Página 461

    20-25 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 20 Configuring Cisco Intercompany Media Engin e Proxy Configuring Cisco Inter company Media Engin e Proxy Command Purpose Step 1 hostname(config)# class-map class_map_name Examples: hostname(config)# class-map ime-inbound-sip Defines a class for the inboun d Cisco Intercompany Media E[...]

  • Página 462

    20-26 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Configuring Cisco Intercompa ny Media Engine Proxy What to Do Next Once you ha ve enabled the TLS proxy for SIP i nspection, if necessary , configur e TLS within the enterprise. See (Optional) Config uring TLS within the Local Ent[...]

  • Página 463

    20-27 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 20 Configuring Cisco Intercompany Media Engin e Proxy Configuring Cisco Inter company Media Engin e Proxy Commands Purpose Step 1 hostname(config)# crypto key generate rsa label key-pair-label hostname(config)# crypto ca trustpoint trustpoint_name hostname(config-ca-trustpoint)# enrol[...]

  • Página 464

    20-28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Configuring Cisco Intercompa ny Media Engine Proxy What to Do Next Once you ha ve conf igured the TLS within the enterprise, if ne cessary , configure of f path signaling for an off path deployment. See (Optional) Conf iguring Off[...]

  • Página 465

    20-29 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 20 Configuring Cisco Intercompany Media Engin e Proxy Configuring Cisco Inter company Media Engin e Proxy (Optional) Configuring Off Path Signaling Perform this task only w hen you are conf iguring the Cisco Intercompan y Media Engine Proxy as part of an of f path deployment. Y ou mig[...]

  • Página 466

    20-30 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Configuring Cisco Intercompa ny Media Engine Proxy This section contains the follo wing sections: • Config uring the Cisco UC-IMC Proxy by using th e UC-IME Proxy P ane, page 20-30 • Config uring the Cisco UC-IMC Proxy by usin[...]

  • Página 467

    20-31 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 20 Configuring Cisco Intercompany Media Engin e Proxy Configuring Cisco Inter company Media Engin e Proxy Step 2 Check the Enable Cisco UC-IME prox y check box to enable the feature. Step 3 In the Unif ied CM Server s area, enter an IP addre s s or hostname for t he Cisco Unified Comm[...]

  • Página 468

    20-32 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Configuring Cisco Intercompa ny Media Engine Proxy Note In an of f path deployment any e xisting ASA that you ha ve deployed in your en vironment are not capable of transmitting Cisco Intercompan y Medi a Engine traf fic. Of f-pat[...]

  • Página 469

    20-33 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 20 Configuring Cisco Intercompany Media Engin e Proxy Troublesh ooting Cisco Inte rcompany Media Eng ine Proxy Step 4 Specify the public netw ork settings. Step 5 Specify the media termin ation address settings of Cisco UCM. Step 6 Configure the local-side certif icate management, nam[...]

  • Página 470

    20-34 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Troublesho oting Cisco Intercom pany Medi a Engine Proxy Local SRTP key set : Remote SRTP key set Remote Media (audio) conn: 192.168.10.51/19520 to 192.168.10.3/30930 Call-ID: ab6d7980-a7d11b08-50-1e0aa8c0@192.168.10.30 FB Sensiti[...]

  • Página 471

    20-35 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 20 Configuring Cisco Intercompany Media Engin e Proxy Troublesh ooting Cisco Inte rcompany Media Eng ine Proxy Sum_all_packets : 20196 Codec_payload_format : 9 RTP_ptime_ms : 20 Max_RBLR_pct_x100 : 0 Max_ITE_count_in_8_sec : 0 Max_BLS_ms : 0 Max_PDV_usec : 1000 Min_PDV_usec : 0 Mov_av[...]

  • Página 472

    20-36 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Feature History for Cisco Intercompany Media Engine Proxy Feature History for Cisco Intercompany Media Engine Proxy T able 20-1 lists the release h ist ory for this feature . T able 20-1 Feat ure Hist ory for Cisco Phone Pr oxy Fe[...]

  • Página 473

    P AR T 6 Conf iguring Connection Set tings and QoS[...]

  • Página 474

    [...]

  • Página 475

    CH A P T E R 22-1 Cisco ASA Series Firewall CLI Configuratio n Guide 22 Configuring Connection Settings This chapter describe s how to configure connection settings for connections th at go through the A SA, or for manage ment connec tions, that go to the ASA. Co nnection sett ings include: • Maximum connection s (TCP and UDP connect ions, embryo[...]

  • Página 476

    22-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 22 Configuring Conne ction Settings Information Abou t Connection Settings TCP Intercept and Limiti ng Embryonic Connections Limiting the number of embryonic connections pro tects you from a DoS att ack. The ASA uses the per -client limits and the embryon ic connection limi t to trigger[...]

  • Página 477

    22-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 22 Configuring Connection Se ttings Information About Connec tion Settings TCP Sequence Randomization Each TCP connection has tw o ISNs: one generated by the client and one generated by the server . The ASA randomizes the ISN of the TCP S YN passing in both the inbound and outb ound di[...]

  • Página 478

    22-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 22 Configuring Conne ction Settings Licensing Requirement s for Connection Settings fast path (an established con nection), or the co ntrol plane path (advanced inspection). See the “Stateful Inspection Ov erview” section on page 1-17 in the general operations con figur ation guide [...]

  • Página 479

    22-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 22 Configuring Connection Se ttings Guidelines and Limitations Guidelines and Limitations Context Mode Guidelines Supported in single and mult iple conte xt mode. Firewall Mode Guidelines Supported in routed an d transparent mode. Failover Guidelines Failo ver is supported. TCP State B[...]

  • Página 480

    22-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 22 Configuring Conne ction Settings Configuring Co nnection Settings no check-retransmission no checksum-verification exceed-mss allow queue-limit 0 timeout 4 reserved-bits allow syn-data allow synack-data drop invalid-ack drop seq-past-window drop tcp-options range 6 7 clear tcp-option[...]

  • Página 481

    22-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 22 Configuring Connection Se ttings Configuring Connec tion Settings Step 2 (Optional) Conf igure the TCP map criteria by entering one o r more of the follo wing commands (see T able 22-1 ). If you w ant to customize some settings, th en the d e faults are used for any commands you do [...]

  • Página 482

    22-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 22 Configuring Conne ction Settings Configuring Co nnection Settings T able 22-1 tcp-map Commands Command Notes check-retransmission Pre vents inconsistent TCP retransmissions. checksum-verif ication V erifies the checksum. exceed-mss { allow | drop } Sets the action for packets whose d[...]

  • Página 483

    22-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 22 Configuring Connection Se ttings Configuring Connec tion Settings queue-limit pkt_num [ timeout seconds ] Sets the maximum number of out - of-order packets that can be buf fered and put in order for a TCP connection, between 1 and 250 packets. The default is 0, whi ch means this set[...]

  • Página 484

    22-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 22 Configuring Conne ction Settings Configuring Co nnection Settings synack-data { allow | dr op } Sets the action for TCP SYNA C K packets that contain data. The allow k eyword allows TCP SYN A C K packets that contain data. (Default) The drop ke yword drops TCP SYN A CK packets that [...]

  • Página 485

    22-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 22 Configuring Connection Se ttings Configuring Connec tion Settings Configuring Connection Settings T o set connection sett ings, perform the foll ow ing steps. Detailed Steps urgent-flag { allo w | clear } Sets the action for packets with the URG flag. The URG flag is used to indica[...]

  • Página 486

    22-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 22 Configuring Conne ction Settings Configuring Co nnection Settings Step 3 policy-map name Example: ciscoasa(config)# policy-map tcp_bypass_policy Adds or edits a polic y map that sets the actions to take with the class map traf fic. Step 4 class name Example: ciscoasa(config-pmap)# c[...]

  • Página 487

    22-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 22 Configuring Connection Se ttings Configuring Connec tion Settings set connection {[ conn-max n ] [ embryonic-conn-max n ] [ per-client-embryonic-max n ] [ per-client-max n ] [ random-sequence-number { enable | disable }]} Example: ciscoasa(config-pmap-c)# set connection conn-max 25[...]

  • Página 488

    22-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 22 Configuring Conne ction Settings Configuring Co nnection Settings set connection timeout {[ embryonic hh : mm : ss ] { idle hh : mm : ss [ reset ]] [ half-closed hh : mm : ss ] [dcd hh : mm : ss [ max_retries ]]} Example: ciscoasa(config-pmap-c)# set connection timeout idle 2:0:0 em[...]

  • Página 489

    22-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 22 Configuring Connection Se ttings Monitoring Con nection Settings Monitoring Connection Settings T o monitor TCP state byp ass, perform one of the follo wing tasks: Configuration Examples for Connection Settings This section includes the following topics: • Config uration Examples[...]

  • Página 490

    22-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 22 Configuring Conne ction Settings Configuration Exampl es for Connection Settings ciscoasa(config-pmap-c)# set connection conn-max 1000 embryonic-conn-max 3000 ciscoasa(config-pmap-c)# set connection timeout idle 2:0:0 embryonic 0:40:0 half-closed 0:20:0 dcd ciscoasa(config-pmap-c)# [...]

  • Página 491

    22-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 22 Configuring Connection Se ttings Feature History for Connection Setting s Feature History for Connection Settings T able 22-2 lists each feature change and the plat form release in which it w as implemented. T able 22-2 Featur e History for Connection Set tings Feature Name Platfor[...]

  • Página 492

    22-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 22 Configuring Conne ction Settings Feature History for Connection Settings Increased maximum connection limi ts for service polic y rules 9.0(1) The maximum number of conn ections for service polic y rules was increased from 65 535 to 2000000. W e modif ied the follo wing commands: se[...]

  • Página 493

    CH A P T E R 23-1 Cisco ASA Series Firewall CLI Configuratio n Guide 23 Configuring QoS Hav e you ev er participated in a long-distance phon e call that in volv ed a satellite connection? The con versation might be interrup ted with brief, b ut per ceptible, gaps at odd intervals. Those gaps are the time, called the latency , between the arriv al o[...]

  • Página 494

    23-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 23 Configuring QoS Information About QoS Supported QoS Features The ASA supports the foll ow ing QoS features: • Policing—T o prev ent indi vidual flows fr om hogging the netw ork bandwidth, you can limit the maximum bandwidth used per flo w . See the “Information About Pol icing?[...]

  • Página 495

    23-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 23 Configuring QoS Information About QoS For traf fic shap ing, a token b ucket permits b urstiness but bounds i t. It guarantees that the bu rstiness is bounded so that the flo w will nev er send faster than the tok en b ucket capacity , divi ded by the time interv al, plus the establ[...]

  • Página 496

    23-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 23 Configuring QoS Information About QoS Information About Traffic Shaping T raff ic shaping is used to match de vice and link spee ds, ther eby controlling pack et loss, variable delay , and link saturation , which can cause jitter and delay . Note T raff ic shaping is only suppor ted [...]

  • Página 497

    23-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 23 Configuring QoS Licensing Requirements for Qo S Y ou cannot conf igure traff ic shaping and standard priority queuing for t he same interface; only hierarchical prio rity queuing is allo wed. For e xample, if you conf igure standard pr iority queuing for the global p olicy , and the[...]

  • Página 498

    23-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 23 Configuring QoS Configuring QoS • (ASA 5512-X through ASA 5555-X) Priority q ueuing is not support e d on the Management 0/0 interface. • (ASASM) Only policing is suppo rted. Additional Guidelines and Limitations • QoS is applied unidirect ionally; only traf fic that enters (or[...]

  • Página 499

    23-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 23 Configuring QoS Configuri ng QoS Determining the Queue and TX Ring Limits for a Standard Priority Queue T o determine the priority queue and TX ri ng limits, use the w orksheets belo w . T able 23-1 sho ws how to calculate the prio rity queue size. Because queues are not of infinite[...]

  • Página 500

    23-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 23 Configuring QoS Configuring QoS Configuring the Standard Priority Queue for an Interface If you enable standard pr iority queuing for t raff ic on a physical interface, then you need to also create the priori ty queue on each interface. Each physical interf ace us es two queues: one [...]

  • Página 501

    23-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 23 Configuring QoS Configuri ng QoS Examples The follo wing example establishes a priority queue on interface “out side” (the GigabitEthernet0/1 interface), with th e default queue-li mit and tx-ring-limit: ciscoasa(config)# priority-queue outside The follo wing example establishes[...]

  • Página 502

    23-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 23 Configuring QoS Configuring QoS Restrictions • Y ou cannot use the class-default class map for priority traf fic. • Y ou cannot conf igure traff ic shaping and standard priority queuing for t he same interface; only hierarchical priori ty queuing is allo wed. • (ASASM) The ASA[...]

  • Página 503

    23-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 23 Configuring QoS Configuri ng QoS Examples Example 23-1 Class Map Exam ples for VPN T r affic In the follo wing example, the class-map command classifies all non-tunn eled TCP traf fic, using an A CL named tc p_traff ic: ciscoasa(config)# access-list tcp_traffic permit tcp any any S[...]

  • Página 504

    23-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 23 Configuring QoS Configuring QoS ciscoasa(config)# class-map tcp_traffic ciscoasa(config-cmap)# match access-list tcp_traffic In the follo wing example, other , more specif ic match criteria are used for classifying traffi c for specific, security-r elated tunne l groups. These speci[...]

  • Página 505

    23-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 23 Configuring QoS Configuri ng QoS Example 23-2 Prior ity and P olicing Exa mple In this exampl e, the maximum rate for traf fic of the tcp_traf fic class is 56,00 0 bits/second and a maximum b urst size of 10,500 bytes per second. F o r the TC1-BestEf fort class, the maximum rate is[...]

  • Página 506

    23-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 23 Configuring QoS Configuring QoS • For hierarchical pr iority queuing, you do not need to create a priority queue on an interface. Restrictions • For hierarchical priority queuing, for encrypted VP N traf fic, you can only match traf fic based on the DSCP or precedence setting; y[...]

  • Página 507

    23-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 23 Configuring QoS Configuri ng QoS • Y ou cannot conf igure traff ic shaping and standard priority queuing for t he same interface; only hierarchical priority queui ng is allowed. See the “Ho w QoS Features Interac t” section on page 23-4 for information about v alid QoS config[...]

  • Página 508

    23-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 23 Configuring QoS Monitoring QoS ciscoasa(config-cmap)# match access-list ike ciscoasa(config-cmap)# class-map voice_traffic ciscoasa(config-cmap)# match dscp EF AF13 ciscoasa(config-cmap)# policy-map qos_class_policy ciscoasa(config-pmap)# class voice_traffic ciscoasa(config-pmap-c)#[...]

  • Página 509

    23-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 23 Configuring QoS Monitorin g QoS Viewing QoS Standard Priority Statistics T o view statistics for service policies implementi ng the priority command, use the show service-policy command with the priority ke yword: ciscoasa# show service-policy priority The follo wing is sample outp[...]

  • Página 510

    23-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 23 Configuring QoS Monitoring QoS Service-policy: voip Class-map: voip Queueing queue limit 64 packets (queue depth/total drops/no-buffer drops) 0/0/0 (pkts output/bytes output) 0/0 Class-map: class-default queue limit 64 packets (queue depth/total drops/no-buffer drops) 0/0/0 (pkts ou[...]

  • Página 511

    23-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 23 Configuring QoS Feature History for QoS Feature History for QoS T able 23-3 lists each feature change and the plat form release in which it w as implemented. T able 23-3 Featur e History for QoS Feature Name Platform Releases Feature Information Priority queuing and pol icing 7.0(1[...]

  • Página 512

    23-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 23 Configuring QoS Feature History for QoS[...]

  • Página 513

    CH A P T E R 24-1 Cisco ASA Series Firewall CLI Configuratio n Guide 24 Troubleshooting Connec tions and Resources This chapter describes ho w to troubleshoot the ASA and includes the follo wing sections: • T esting Y our Confi guration, page 24 -1 • Monitoring Per -Process CPU Usage, page 24-7 Testing Your Configuration This section descri bes[...]

  • Página 514

    24-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 24 Troublesh ooting Connection s and Resources Testing Your Configuration Enabling ICMP Debugging Messages and Syslog Messages Debugging messages and syslog messages can help you troubleshoot why yo ur pings are not successful. The ASA only shows ICMP deb ugging messa ges for pings to t[...]

  • Página 515

    24-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 24 Troubleshooting Connec tions and Resources Testing Your Config uration Pinging ASA Interfaces T o test whether the ASA interfaces are up and r unning and that the ASA and connected routers are operating correctly , you ca n ping the ASA interfaces. T o ping the ASA interfaces, perfo[...]

  • Página 516

    24-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 24 Troublesh ooting Connection s and Resources Testing Your Configuration Figur e 24-2 Ping Failur e at the ASA Int er f ace If the ping reaches the ASA, and it r e sponds, debu gging messages similar to the follo wing appear: ICMP echo reply (len 32 id 1 seq 256) 209.165.201.1 > 209[...]

  • Página 517

    24-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 24 Troubleshooting Connec tions and Resources Testing Your Config uration Passing Traffic Through the ASA After you successfully ping the ASA interf aces, make sure that traff ic can pass successfully through the ASA. By defaul t, you can ping from a high securit y interface to a lo w [...]

  • Página 518

    24-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 24 Troublesh ooting Connection s and Resources Testing Your Configuration Disabling the Test Configuration After you complete your testing, d isable the test c onf iguration that allo ws ICMP to and through the ASA and that prints debugging messages. If you lea ve this co nf iguration i[...]

  • Página 519

    24-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 24 Troubleshooting Connec tions and Resources Monitoring Per-Process CPU Usage Determining Packet R outing with Traceroute Y ou can trace the route of a packet using the traceroute feature, w hich is accessed with the traceroute command. A traceroute w orks by sending UDP pack ets to a[...]

  • Página 520

    24-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 24 Troublesh ooting Connection s and Resources Monitoring Per-Pro cess CPU Usage[...]

  • Página 521

    P AR T 7 Conf iguring Adv anced Netw ork Pr otection[...]

  • Página 522

    [...]

  • Página 523

    CH A P T E R 25-1 Cisco ASA Series Firewall CLI Configuratio n Guide 25 Configuring the ASA for Cisco Cloud Web Security Cisco Cloud W eb Security pro vides web security and web f iltering services through the Software-as-a-Service (SaaS ) mode l. Enterpr ises with the A SA in thei r network c an use Cloud W eb Security services without having to i[...]

  • Página 524

    25-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 25 Configurin g the ASA for Cisco Cloud Web Security Information About Cisco Cloud Web Security This chapte r includes the follo wing sections: • Information Abo ut Cisco Cl oud W eb Se curity , page 25 -2 • Licensing Requ irements for C isco Cloud W eb Secu rity , page 25-6 • Pre[...]

  • Página 525

    25-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 25 Configuring the ASA for Cisco Cloud Web Security Information About Cisco Clo ud Web Security The ASA supports the follo wing methods of determining the identi ty of a user, or of providin g a default identity: • AAA rules—When the ASA performs user authe n tication using a AAA r[...]

  • Página 526

    25-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 25 Configurin g the ASA for Cisco Cloud Web Security Information About Cisco Cloud Web Security For more inf ormation, see the Cloud W eb Security documentation: http://www .cisco.com/en/ US/products/ps11720/produ ct s_installation_and_conf iguration_guides_list.h tml . ScanCenter Polic[...]

  • Página 527

    25-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 25 Configuring the ASA for Cisco Cloud Web Security Information About Cisco Clo ud Web Security – AAA usernames, when u sing RADIUS or T ACA CS+, are sent in the follo wing format: LOCAL username – AAA username s, when using LD AP , ar e sent in the fo llowing format: domain-nam e[...]

  • Página 528

    25-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 25 Configurin g the ASA for Cisco Cloud Web Security Licensing Require ments for Cisco Cloud Web Se curity Bypassing Scanning with Whitelists If you use AAA rules o r IDFW , you can configu re th e ASA so that web traff ic from specific users or groups that otherwise match the serv ice [...]

  • Página 529

    25-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 25 Configuring the ASA for Cisco Cloud Web Security Prerequisites for Cloud W eb Security On the Cloud W eb Security side, you must purchase a Cisco Cloud W eb Security license and identi fy the number of users that the ASA handles. Then log into ScanCenter , and generate your authenti[...]

  • Página 530

    25-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 25 Configurin g the ASA for Cisco Cloud Web Security Default Settings • When an interface to the Clo ud W eb Security proxy serv ers goes down, output fro m the show scansafe server command sho ws both servers up for appro ximately 15-25 minutes. Th is condition may occur because the [...]

  • Página 531

    25-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 25 Configuring the ASA for Cisco Cloud Web Security Configuring Cisco Clo ud Web Security Detailed Steps Examples The follo wing example conf igures a primary and backup server: scansafe general-options server primary ip 10.24.0.62 port 8080 server backup ip 10.10.0.7 port 8080 retry-c[...]

  • Página 532

    25-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 25 Configurin g the ASA for Cisco Cloud Web Security Configuring Cisco Cloud Web Security Note Y ou must confi gure a route pointing to the Scansafe to wers in both; the admin context an d the specif ic context. This ensures that the Scansafe to wer does not become un reac hable in the[...]

  • Página 533

    25-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 25 Configuring the ASA for Cisco Cloud Web Security Configuring Cisco Clo ud Web Security Detailed Steps Command Purpose Step 1 policy-map type inspect scansafe name1 Example: ciscoasa(config)# policy-map type inspect scansafe cws_inspect_pmap1 Creates an inspection policy map so you [...]

  • Página 534

    25-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 25 Configurin g the ASA for Cisco Cloud Web Security Configuring Cisco Cloud Web Security Step 7 policy-map type inspect scansafe name2 parameters default { [user user ] [ group group ]} class whitelist_name2 whitelist Example: ciscoasa(config)# policy-map type inspect scansafe cws_ins[...]

  • Página 535

    25-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 25 Configuring the ASA for Cisco Cloud Web Security Configuring Cisco Clo ud Web Security Step 10 match access-list acl1 Example: ciscoasa(config-cmap)# match access-list SCANSAFE_HTTP Specifies an A CL created in Step 8 . Although you can use other match st atements for thi s rule, w[...]

  • Página 536

    25-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 25 Configurin g the ASA for Cisco Cloud Web Security Configuring Cisco Cloud Web Security Examples The follo wing example conf igures two classes: one for HTTP and one for HTTPS. Each A CL exempts traf fic to www .cisco.com and to tools.cisco.com, and to the DMZ netw ork, for both HTTP[...]

  • Página 537

    25-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 25 Configuring the ASA for Cisco Cloud Web Security Configuring Cisco Clo ud Web Security (Optional) Configuring Whitelisted Traffic If you use user authenti cation, you can e xempt some traf fic from being f iltered by Cloud W eb Security based on the username and/or gro upname. When[...]

  • Página 538

    25-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 25 Configurin g the ASA for Cisco Cloud Web Security Configuring Cisco Cloud Web Security hostname(config-pmap-p)# https hostname(config-pmap-p)# default group2 default_group2 hostname(config-pmap-p)# class whitelist1 hostname(config-pmap-c)# whitelist (Optional) Configuring the User I[...]

  • Página 539

    25-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 25 Configuring the ASA for Cisco Cloud Web Security Monitoring Cloud Web Se curity Monitoring Cloud Web Security The show scansafe s erv er command shows whether or not the Cloud W eb Security proxy serv ers are reachable: hostname# show scansafe server ciscoasa# Primary: proxy197.sca[...]

  • Página 540

    25-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 25 Configurin g the ASA for Cisco Cloud Web Security Configuration Examples for Cisco Cloud Web Security Configuration Examples for Cisco Cloud Web Security • Single Mode Example, page 25-18 • Multiple Mode Example, page 25-19 • Whitelist Example, page 25 -19 • Directory Integr[...]

  • Página 541

    25-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 25 Configuring the ASA for Cisco Cloud Web Security Configuration Examples for Cisco Cloud Web Security hostname(cfg-scansafe)# server primary ip 192.168.115.225 web 8080 hostname(cfg-scansafe)# retry-count 5 hostname(cfg-scansafe)# license 366C1D3F5CE67D33D3E9ACEC265261E5 Multiple Mo[...]

  • Página 542

    25-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 25 Configurin g the ASA for Cisco Cloud Web Security Configuration Examples for Cisco Cloud Web Security parameters default user user1 group group1 https class whiteListCmap whitelist After creating this inspect policy , attach it to the policy map to be assigned to the ser vice group:[...]

  • Página 543

    25-21 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 25 Configuring the ASA for Cisco Cloud Web Security Configuration Examples for Cisco Cloud Web Security Configuring the Active Di rectory Agent Using RADIUS The follo wing example sho ws how to confi g ure the Acti ve Directory Agent on y our ASA using RADIUS: hostname(config)# aaa-se[...]

  • Página 544

    25-22 Cisco ASA Series Firewall CLI Configuration Guide Chapter 25 Configurin g the ASA for Cisco Cloud Web Security Configuration Examples for Cisco Cloud Web Security hostname(config)# user-identity inactive-user-timer minutes 60 hostname(config)# user-identity action netbios-response-fail remove-user-ip hostname(config)# user-identity user-not-f[...]

  • Página 545

    25-23 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 25 Configuring the ASA for Cisco Cloud Web Security Configuration Examples for Cisco Cloud Web Security domain-name uk.scansafe.net enable password liqhNWIOSfzvir2g encrypted passwd liqhNWIOSfzvir2g encrypted names ! interface Ethernet0/0 nameif inside security-level 100 ip address 19[...]

  • Página 546

    25-24 Cisco ASA Series Firewall CLI Configuration Guide Chapter 25 Configurin g the ASA for Cisco Cloud Web Security Configuration Examples for Cisco Cloud Web Security timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout si[...]

  • Página 547

    25-25 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 25 Configuring the ASA for Cisco Cloud Web Security Configuration Examples for Cisco Cloud Web Security inspect h323 ras inspect ip-options inspect netbios inspect rsh inspect rtsp inspect skinny inspect esmtp inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp policy[...]

  • Página 548

    25-26 Cisco ASA Series Firewall CLI Configuration Guide Chapter 25 Configurin g the ASA for Cisco Cloud Web Security Related Documents Related Documents Feature History for Cisco Cloud Web Security T able 25-1 lists each feature change and the plat form release in which it w as implemented. Related Documents URL Cisco ScanSafe Clo ud W eb Security [...]

  • Página 549

    CH A P T E R 26-1 Cisco ASA Series Firewall CLI Configuratio n Guide 26 Configuring the Botnet Traffic Filter Malware is malicious software that is installed on an unkno wing host. Malware that attempts netw ork activ ity such as sending priv ate data (passwords, cred it card numbers, ke y strokes, or proprietary data) can be detected by the Botnet[...]

  • Página 550

    26-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 26 Configuring the Botnet Traffic Filter Information About th e Botnet Traffic Filter • Botnet T raff ic Filter Actions for Kno wn Addresses, page 26-2 • Botnet T raff ic Filter Databases, p age 26-2 • How the Botnet T raff ic Filter W orks, page 26-5 Botnet Traffic Filter Address[...]

  • Página 551

    26-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 26 Configuring the Botnet Traffic Filter Information About the Botnet Traffic Filter 2. When the infected hos t starts a connection to the IP address of the malw are site, then the ASA sends a syslog message informing you o f the suspicious act iv ity and optionally d rops the traf fic[...]

  • Página 552

    26-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 26 Configuring the Botnet Traffic Filter Information About th e Botnet Traffic Filter When you add a domain name to the static datab ase, the ASA waits 1 minut e, and then sends a DNS request for that domain name an d adds th e domain name/IP address pairing to the DNS host cac he . (Th[...]

  • Página 553

    26-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 26 Configuring the Botnet Traffic Filter Information About the Botnet Traffic Filter How the Botnet Traffic Filter Works Figure 26-1 sho ws how the Botnet T raf fic Filter works with the dynamic database pl us DNS inspection with Botnet T raffic Filter snooping. Figur e 26-1 How the Bo[...]

  • Página 554

    26-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 26 Configuring the Botnet Traffic Filter Licensing Requirements fo r the Botnet Traffic Filter Licensing Requirements for the Botnet Traffic Filter The follo wing table shows the licensing requirements for this feature: Prerequisites for the Botnet Traffic Filter T o use the dynamic dat[...]

  • Página 555

    26-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 26 Configuring the Botnet Traffic Filter Configuring the Botnet Traffic Filter Configuring the Botnet Traffic Filter This section includes the following topics: • T ask Flow for Configuring the Botnet Traf fic Filter , page 26-7 • Config uring the Dynamic Database, page 26 -8 • E[...]

  • Página 556

    26-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 26 Configuring the Botnet Traffic Filter Configuring the Bo tnet Traffic Filter Configuring the Dynamic Database This procedure enables database updates, and also enables use of the do wnloaded dynamic database by the ASA. In multiple conte xt mode, the system downloads the database for[...]

  • Página 557

    26-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 26 Configuring the Botnet Traffic Filter Configuring the Botnet Traffic Filter ciscoasa(config)# dynamic-filter use-database What to Do Next See the “ Adding Entries to the Static Datab ase” section on page 26-9 . Adding Entries to the Static Database The static database lets you a[...]

  • Página 558

    26-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 26 Configuring the Botnet Traffic Filter Configuring the Bo tnet Traffic Filter Examples The follo wing example creates entrie s for the blacklist and whi telist: ciscoasa(config)# dynamic-filter blacklist ciscoasa(config-llist)# name bad1.example.com ciscoasa(config-llist)# name bad2.[...]

  • Página 559

    26-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 26 Configuring the Botnet Traffic Filter Configuring the Botnet Traffic Filter Default DNS Inspection Configura tion and Recommended Configura tion The default conf iguration for DNS inspection inspec t s all UDP DNS traf fic on all interfaces, and does not have DNS snooping enabled .[...]

  • Página 560

    26-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 26 Configuring the Botnet Traffic Filter Configuring the Bo tnet Traffic Filter Examples The follo wing recommended confi guration creates a cl ass map for all UDP DNS traf fic, enable s DNS inspection and Botnet T raf fic Fil ter snooping with the d efault DNS in spection polic y map,[...]

  • Página 561

    26-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 26 Configuring the Botnet Traffic Filter Configuring the Botnet Traffic Filter Recommended Configuration Although DNS snoopi ng is not required, we recommen d conf iguring DNS snooping for maximum use of the Botnet T raffic Filter (see the “Enabling DNS Snoopi ng” section on p age[...]

  • Página 562

    26-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 26 Configuring the Botnet Traffic Filter Configuring the Bo tnet Traffic Filter Step 3 (Optional) dynamic-filter drop blacklist [ interface name ] [ action-classify-list subset_access_list ] [ threat-level { eq level | range min max }] Example: ciscoasa(config)# dynamic-filter drop bla[...]

  • Página 563

    26-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 26 Configuring the Botnet Traffic Filter Configuring the Botnet Traffic Filter Examples The follo wing recommended confi guration monitors all traf fic on the outside in terface and drops all traff ic at a threat lev el of moderate or higher: ciscoasa(config)# dynamic-filter enable in[...]

  • Página 564

    26-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 26 Configuring the Botnet Traffic Filter Configuring the Bo tnet Traffic Filter Note A CLs block all future connections. T o block the cu rrent connection, if it is still acti ve, enter the clear c onn command. F or example, t o clear only the connection list ed in the syslog message, [...]

  • Página 565

    26-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 26 Configuring the Botnet Traffic Filter Monitoring the Botnet Traffic Filter bad.example.net Found more than 2 matches, enter a more specific string to find an exact match Monitoring the Botnet Traffic Filter Whene ver a kno wn address is classified by the Botnet T raff ic Filter , t[...]

  • Página 566

    26-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 26 Configuring the Botnet Traffic Filter Monitoring the Botnet Traffic Filter Examples The follo wing is sample output from the show dynamic-filter statistics command: ciscoasa# show dynamic-filter statistics Enabled on interface outside Total conns classified 11, ingress 11, egress 0 [...]

  • Página 567

    26-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 26 Configuring the Botnet Traffic Filter Configuration Examples fo r the Botnet Traffic Filter horrible.example.net(10.232.224.2) 2 2 3 Botnet nono.example.org(209.165.202.130) 1 1 3 Virus Last clearing of the top sites report: at 13:41:06 UTC Jul 15 2009 The follo wing is sample outp[...]

  • Página 568

    26-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 26 Configuring the Botnet Traffic Filter Configuration Examples fo r the Botnet Traffic Filter ciscoasa(config-pmap-c)# inspect dns preset_dns_map dynamic-filter-snoop ciscoasa(config-pmap-c)# service-policy dynamic-filter_snoop_policy interface outside ciscoasa(config)# dynamic-filter[...]

  • Página 569

    26-21 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 26 Configuring the Botnet Traffic Filter Where to Go Nex t ciscoasa/context1(config-llist)# address 10.1.1.1 255.255.255.0 ciscoasa/context1(config-llist)# dynamic-filter whitelist ciscoasa/context1(config-llist)# name good.example.com ciscoasa/context1(config-llist)# name great.examp[...]

  • Página 570

    26-22 Cisco ASA Series Firewall CLI Configuration Guide Chapter 26 Configuring the Botnet Traffic Filter Feature History for t he Botnet Traffic Filter Feature History for the Botnet Traffic Filter T able 26-1 lists each feature change and the plat form release in which it w as implemented. T able 26-1 Featur e History for the Botnet T r affic Filt[...]

  • Página 571

    CH A P T E R 27-1 Cisco ASA Series Firewall CLI Configuratio n Guide 27 Configuring Threat Detection This chapter descri bes how to configure threat detection statistics and sc anning threat det ection and includes th e following sections: • Information About Threat Detection, page 27-1 • Licensing Requ irements for Threat D etection, page 27-1[...]

  • Página 572

    27-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 27 Configuring Th reat Detection Configuring Basic Thre at Detection Statistics Configuring Basic Threat Detection Statistics Basic threat detect ion statistics includ e acti vity that mi ght be re lated t o an atta ck, such as a DoS attack. This section includes the following topics: ?[...]

  • Página 573

    27-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 27 Con figuring Threa t Detection Configuri ng Basic Threa t Detection St atistics For each recei ved event, the ASA checks the a verage an d b urst rate limits; if bot h rates are e xceeded, then the ASA sends two separate system messages, wi th a maximum of one message for each rate [...]

  • Página 574

    27-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 27 Configuring Th reat Detection Configuring Basic Thre at Detection Statistics Configuring Basic Threat Detection Statistics This section describes ho w to conf igure basic threat detection statistics, includ ing enabling or disabli ng it and changing the defau lt limits. Detailed Step[...]

  • Página 575

    27-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 27 Con figuring Threa t Detection Configuri ng Basic Threa t Detection St atistics Monitoring Basic Threat Detection Statistics T o monitor basic threat detection stati stics, perform one of the follo wing tasks: Examples The follo wing is sample output from the show threat-detection r[...]

  • Página 576

    27-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 27 Configuring Th reat Detection Configuring Advanced T h reat Detection Statistics Feature History for Basic Threat Detection Statistics T able 27-2 lists each feature change and the plat form release in which it w as implemented. Configuring Advanced Threat Detection Statistics Y ou c[...]

  • Página 577

    27-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 27 Con figuring Threa t Detection Configuring Advanced Threat Detection Statistics Security Context Guidelines Only TCP Intercept statistics are a vailable in multiple mode. Firewall Mode Guidelines Supported in routed an d transparent f irewall mod e. Types of Traffic Monitored Only t[...]

  • Página 578

    27-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 27 Configuring Th reat Detection Configuring Advanced T h reat Detection Statistics Step 3 threat-detection statistics host [ number-of-rate { 1 | 2 | 3 }] Example: ciscoasa(config)# threat-detection statistics host number-of-rate 2 (Optional) Enables statist ics for hosts. The number -[...]

  • Página 579

    27-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 27 Con figuring Threa t Detection Configuring Advanced Threat Detection Statistics Monitoring Advanced Threat Detection Statistics The display output sho ws the follo wing: • The av erage rate in events/sec o ver f ixed time periods. • The current b urst rate in e vents/sec o ver t[...]

  • Página 580

    27-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 27 Configuring Th reat Detection Configuring Advanced T h reat Detection Statistics The ASA stores the count at the end of each b urst period, for a total of 30 com pleted burst intervals. The unfinished burst interv al presently occurring is no t included in the av erage ra te. For e [...]

  • Página 581

    27-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 27 Con figuring Threa t Detection Configuring Advanced Threat Detection Statistics T o monitor adv anced threat detection statistics, perform one of the fo llo wing tasks: Command Purpose show threat-detection statistics [ min-display-rate min_display_rate ] top [[ access-list | host [...]

  • Página 582

    27-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 27 Configuring Th reat Detection Configuring Advanced T h reat Detection Statistics Examples The follo wing is sample output from the show threat-detection statistics host command: ciscoasa# show threat-detection statistics host Average(eps) Current(eps) Trigger Total events Host:10.0.[...]

  • Página 583

    27-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 27 Con figuring Threa t Detection Configuring Advanced Threat Detection Statistics fw-drop Sho ws the number of f irewall d rops. Fire wall drops is a combined rate that includes all f irewall-r elated packet dro ps tracked in basic threat detection, including A CL denials, bad packet[...]

  • Página 584

    27-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 27 Configuring Th reat Detection Configuring Advanced T h reat Detection Statistics Feature History for Advanced Threat Detection Statistics T able 27-4 lists each feature change and the plat form release in which it w as implemented. 20-min, 1-hour , 8-hour , and 24-hour Sho ws statis[...]

  • Página 585

    27-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 27 Con figuring Threa t Detection Configuring Scanning Threat Detection Configuring Scanning Threat Detection This section includes the following topics: • Information Ab out Scanning Threat Detection, page 27-15 • Guidelines and Limit ations, page 27-16 • Default Setti ngs, pag[...]

  • Página 586

    27-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 27 Configuring Th reat Detection Configuring Scannin g Threat Detection Guidelines and Limitations This section includes the guid elines and limitations for th is feature: Security Context Guidelines Supported in single mode only . Multiple mode is not supported. Firewall Mode Guidelin[...]

  • Página 587

    27-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 27 Con figuring Threa t Detection Configuring Scanning Threat Detection Configuring Scanning Threat Detection Detailed Steps Monitoring Shunned Hosts, Attackers, and Targets T o monitor shunned hosts and at tackers and tar gets, perform one of the follo wing tasks: Command Purpose Ste[...]

  • Página 588

    27-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 27 Configuring Th reat Detection Configuring Scannin g Threat Detection Examples The follo wing is sample output from the show threat-detection shun command: ciscoasa# show threat-detection shun Shunned Host List: 10.1.1.6 192.168.6.7 T o release the host at 10.1 .1. 6, enter the f oll[...]

  • Página 589

    27-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 27 Con figuring Threa t Detection Configuration Examples for Threat Detection Configuration Examples for Threat Detection The follo wing example conf igures basic threat detect ion statistics, and changes the D oS attack rate settings. All adv anced threat detection statistics are ena[...]

  • Página 590

    27-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 27 Configuring Th reat Detection Configuration Examples for Threat Detection[...]

  • Página 591

    CH A P T E R 28-1 Cisco ASA Series Firewall CLI Configuratio n Guide 28 Using Protection Tools This chapter describes some o f the many too ls av ailable to protect your netw ork and includes the follo wing sections: • Pre venting IP Spoof ing, page 28-1 • Config uring the Fragment Size, page 28-2 • Blocking Unwan ted Connections, page 28-2 ?[...]

  • Página 592

    28-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 28 Using Protection Tools Configuring the Fr agment Size Configuring the Fragment Size By default, th e ASA allo ws up to 24 fragments per IP p acket, and up to 200 frag ments awaiting reassembly . Y ou might need to let fragments on your netw ork if you hav e an application that routi [...]

  • Página 593

    28-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 28 Using Protection Tools Configuring IP Audit for Basic IPS Support Configuring IP Audit for Basic IPS Support The IP audit feature p rovides basic IPS support for the ASA t hat does not ha ve an AIP SSM. It supp orts a basic list of signatures, and you can conf igure the ASA to perfo[...]

  • Página 594

    28-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 28 Using Protection Tools Configuring IP Audit for Basic IPS Support IP Audit Signature List T able 28-1 lists supp orted signatures and system message nu mbers. T able 28-1 Signatur e IDs and Syst em Message Numbers Signature ID Message Number Signature T itle Signature T ype Descripti[...]

  • Página 595

    28-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 28 Using Protection Tools Configuring IP Audit for Basic IPS Support 1103 400009 IP Overlapp ing Fragments (T eardrop) At tack T riggers when two fragments contained within the same IP datagram ha ve of fsets that indicat e that they sha re positio ning wi thin the datagram. This could[...]

  • Página 596

    28-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 28 Using Protection Tools Configuring IP Audit for Basic IPS Support 2008 400018 ICM P T ime stamp Reply I nformational T riggers when a IP da tagram is receiv ed with the protocol f ield of the IP header set to 1 (ICMP) and the typ e fiel d in the ICMP header set to 14 (T imestamp Repl[...]

  • Página 597

    28-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 28 Using Protection Tools Configuring IP Audit for Basic IPS Support 3042 400028 TCP FIN only flags A ttack T riggers when a single orphaned TCP FIN packet is sent to a pri vileged por t (hav ing port number less than 1024) on a specific host. 3153 400029 FTP Improper Address Sp ecifie[...]

  • Página 598

    28-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 28 Using Protection Tools Configuring IP Audit for Basic IPS Support 6152 400044 yppasswdd (YP passwo rd daemon) Portmap Request Informational T riggers when a request is made to the portmapper for the YP password daemon (yppasswdd) port. 6153 400045 ypupdated (YP update daem on) Portma[...]

  • Página 599

    CH A P T E R 29-1 Cisco ASA Series Firewall CLI Configuratio n Guide 29 Configuring Filtering Services This chapter describe s how to use f iltering servic es to provide greater control over traf fic passing through the ASA and includes the follo wing sections: • Information Abou t W eb Traf fic Filtering, page 29 -1 • Config uring Activ eX Fil[...]

  • Página 600

    29-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 29 Configuring Filtering Services Configuring ActiveX Filtering Configuring ActiveX Filtering This section includes the following topics: • Information Ab out Acti veX Filtering, page 29-2 • Licensing Requirements for ActiveX Filter ing, page 29-2 • Guidelines and Limit ations for[...]

  • Página 601

    29-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 29 Config uring Filtering Services Licensing Requirements for ActiveX Filtering Guidelines and Limitations for ActiveX Filtering This section includes the guid elines and limitations for th is feature. Context Mode Guidelines Supported in single and mult iple conte xt mode. Firewall Mo[...]

  • Página 602

    29-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 29 Configuring Filtering Services Configuring Java Applet Filtering Feature History for ActiveX Filtering T able 29-1 lists the release histor y for Active X Filtering. ASDM is backwards-compatibl e with multi ple platform releases, so the specific ASDM rele ase in which support wa s ad[...]

  • Página 603

    29-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 29 Config uring Filtering Services Configuring Java Applet Filtering Guidelines and Limitations for Java Applet Filtering This section includes the guid elines and limitations for th is feature. Context Mode Guidelines Supported in single and mult iple conte xt mode. Firewall Mode Guid[...]

  • Página 604

    29-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 29 Configuring Filtering Services Filtering URLs and FTP Requ ests with an External Server The follo wing example remov es the co nfiguration for do wnloading Ja va applets to a host on a protected network: ciscoasa(config)# no filter java http 192.168.3.3 255.255.255.255 0 0 This comma[...]

  • Página 605

    29-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 29 Config uring Filtering Services Filtering URLs and FTP Requests with an External Server Note URL caching will only work if the version of th e URL server software from the URL server v endor supports it. Although ASA perf ormance is less af fected when us ing an external server , yo[...]

  • Página 606

    29-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 29 Configuring Filtering Services Filtering URLs and FTP Requ ests with an External Server Identifying the Filtering Server Y o u can identify up to four f iltering server s per contex t. The ASA uses the serv ers in order until a serv er responds. In single mode, a maximum o f 16 of th[...]

  • Página 607

    29-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 29 Config uring Filtering Services Filtering URLs and FTP Requests with an External Server For W eb s en s e: hostname(config)# url-server ( if_name ) host local_ip [ timeout seconds ] [ protocol TCP | UDP version [1|4] [ connections num_conns ]] Example: ciscoasa(config)# url-server ([...]

  • Página 608

    29-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 29 Configuring Filtering Services Filtering URLs and FTP Requ ests with an External Server Configuring Additional URL Filtering Settings After you hav e acce ssed a website, the filtering server can allo w the A SA to cache the server address for a certain period of time, as long as ea[...]

  • Página 609

    29-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 29 Config uring Filtering Services Filtering URLs and FTP Requests with an External Server Caching Server Addresses After you access a website, the filtering server can allo w the ASA to cache the server address for a certain period of time, as long as each website host ed at the addr[...]

  • Página 610

    29-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 29 Configuring Filtering Services Filtering URLs and FTP Requ ests with an External Server Enabling HTTP Filtering Y ou must identify and enable the URL fi ltering server bef ore enabling HTTP f iltering. When the f iltering server appro ves an HTTP connection requ est, the ASA all ows[...]

  • Página 611

    29-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 29 Config uring Filtering Services Filtering URLs and FTP Requests with an External Server Truncating Long HTTP URLs By default, if a URL e xceeds the maximum permitted size, then it is dropped. T o av oid this occurrence, truncate a long URL by ente ring the follo wing command: Exemp[...]

  • Página 612

    29-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 29 Configuring Filtering Services Filtering URLs and FTP Requ ests with an External Server T o enable HTTPS f iltering, enter the follo wing command: Filtering FTP Requests Y ou must identify and enable the URL filtering serv er before enabling FTP filtering. Note W ebsense and Se cu r[...]

  • Página 613

    29-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 29 Config uring Filtering Services Monitoring Filtering Statisti cs Monitoring Filtering Statistics T o monitor f iltering statistics, ent er one of the f ollo wing commands: Examples The follo wing is sample output from the show url-server command: ciscoasa# show url-server url-serve[...]

  • Página 614

    29-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 29 Configuring Filtering Services Monitoring Filtering Statistics STATUS_REQUEST 1609 1601 LOOKUP_REQUEST 1526 1526 LOG_REQUEST 0 NA Errors: ------- RFC noncompliant GET method 0 URL buffer update failure 0 The follo wing is sample output from the show url-block command: ciscoasa# show[...]

  • Página 615

    29-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 29 Config uring Filtering Services Monitoring Filtering Statisti cs Feature History for URL Filtering T able 29-5 lists the release h istory for URL f iltering. ASDM is backwards-compatibl e with multiple platform releases, so the specific ASDM rele ase in which support wa s added is [...]

  • Página 616

    29-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 29 Configuring Filtering Services Monitoring Filtering Statistics[...]

  • Página 617

    P AR T 8 Conf iguring Modules[...]

  • Página 618

    [...]

  • Página 619

    CH A P T E R 30-1 Cisco ASA Series Firewall CLI Configuratio n Guide 30 Configuring the ASA CX Module This chapter descri bes how to configure the ASA CX modul e that runs on the A SA. • Information Ab out the ASA CX Module, page 30-1 • Licensing Requirements for the ASA CX Module, page 30-6 • Guidelines and Limit ations, page 30-6 • Defaul[...]

  • Página 620

    30-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Information About the ASA CX Module How the ASA CX Module Works with the ASA The ASA CX module runs a separate application fro m the ASA. Th e ASA CX module includes external management interface(s) so you can connect to the ASA CX module directly . Any[...]

  • Página 621

    30-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 30 Configuring the ASA CX Mo dule Information About the ASA CX Module Monitor-Only Mode For demonstr ation purposes, you can conf igure a service policy or a traf fic-forwarding interface in monitor -only mode. For guideli nes and limitations fo r monitor -only mode, see the “Gui del[...]

  • Página 622

    30-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Information About the ASA CX Module Figur e 30-3 ASA CX T raf fic-Forwar ding Information About ASA CX Management • Initial Conf iguration, page 30-4 • Policy Co nfiguration and Management, page 30 -5 Initial Configuration For ini tial conf iguratio[...]

  • Página 623

    30-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 30 Configuring the ASA CX Mo dule Information About the ASA CX Module or ASDM). Howe ver , physic al characteristics (suc h as enabling the interface) are configured on the ASA. Y ou can remove the ASA interface conf iguratio n (specifical ly the interface name) to dedicate this inter [...]

  • Página 624

    30-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Licensing Requirements for th e ASA CX Module • Do not configure ASA inspection on HTTP traf fic. • Do not conf igure Cloud W eb Security (ScanSafe) inspection. If you conf igure both the ASA CX action and Cloud W eb Security inspection for the same[...]

  • Página 625

    30-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 30 Configuring the ASA CX Mo dule Guidelines and Limitations Firewall Mode Guidelines Supported in rout ed and transparent f irew all mode. T raff ic-forwarding interf aces are only supported in transparent mode. Failover Guidelines Does not support failo ver directly; when the ASA fa [...]

  • Página 626

    30-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Default Settings Additional Guidelines and Limitations • See the “Compatibility with A SA Features” section on pa ge 30-5 . • Y ou cannot change the softw a re type installed on th e hardware module; if you purchase an ASA CX module, you cannot [...]

  • Página 627

    30-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 30 Configuring the ASA CX Mo dule Configuring the ASA CX Module Step 3 (ASA 5585-X; Opti onal) Conf igure the ASA CX module management IP address for initial SSH access. See the “(ASA 5585-X) Changing the A SA CX Management IP Address” section on page 30-14 . Step 4 On the ASA CX m[...]

  • Página 628

    30-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Configuring the ASA CX Mo dule If you have an inside router If you ha ve an inside router , you can route betwee n the management networ k, which can include both the ASA Mana gement 0/0 a nd ASA CX Ma nagement 1/0 interfaces, and the ASA inside networ[...]

  • Página 629

    30-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 30 Configuring the ASA CX Mo dule Configuring the ASA CX Module ASA 5512-X through ASA 5555-X (Software Module) These models run the ASA CX module as a softwa re module, and the ASA CX management interface shares the Management 0/0 interf ace with the ASA. F or initial setup, you can [...]

  • Página 630

    30-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Configuring the ASA CX Mo dule CX IP address for that interface. Because the AS A CX module is essentially a separate device from the ASA, you can conf igure the ASA CX management address to be on the same network as t he inside interface. Note Y ou mu[...]

  • Página 631

    30-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 30 Configuring the ASA CX Mo dule Configuring the ASA CX Module http://www .cisco.com/cisco/software/r elease.html?mdf id=284325223&softwareid=2 84399946 The boot softw are lets you set basic ASA CX netw ork configuration, partit ion the SSD, and downlo ad the larger system softw [...]

  • Página 632

    30-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Configuring the ASA CX Mo dule Username: buffy Password: angelforever Verifying Downloading Extracting Package Detail Description: Requires reboot: Cisco ASA CX System Upgrade Yes Do you want to continue with upgrade? [n]: Y Warning: Please do not inte[...]

  • Página 633

    30-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 30 Configuring the ASA CX Mo dule Configuring the ASA CX Module Configuring Basic ASA CX Settings at the ASA CX CLI Y ou must conf igure basic network settin gs and othe r parameters on the ASA CX module before you can confi gure your security pol icy . Detailed Steps Step 1 Do one of[...]

  • Página 634

    30-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Configuring the ASA CX Mo dule Applying... Done. Generating self-signed certificate, the web server will be restarted after that ... Done. Press ENTER to continue... asacx> Note If you change the h ost name, the prompt does not sho w the ne w name u[...]

  • Página 635

    30-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 30 Configuring the ASA CX Mo dule Configuring the ASA CX Module What to Do Next • (Optional) Configure the authen tication proxy port. See the “(Opt ional) Conf iguring the Authentication Proxy Port” section on page 30-17 . • Redirect traff ic to the A SA CX module. See the ?[...]

  • Página 636

    30-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Configuring the ASA CX Mo dule Redirecting Traffic to the ASA CX Module Y ou can redirect traffic to the ASA CX module by creating a service polic y that identifies sp ecific t raffic. For demonstr ation purposes only , you can also enable monitor-on l[...]

  • Página 637

    30-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 30 Configuring the ASA CX Mo dule Configuring the ASA CX Module Detailed Steps Command Purpose Step 1 class-map name Example: ciscoasa(config)# class-map cx_class Creates a class map to identify the traf fic f o r which you want to send to the ASA CX module. If you want t o send multi[...]

  • Página 638

    30-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Configuring the ASA CX Mo dule Configuring Traffic-Forwarding Interfaces (Monitor-Only Mode) This section conf igures traf fic-forw arding interfaces, where all traff ic is forwarded directly to the ASA CX module. This method is for demonstration purpo[...]

  • Página 639

    30-21 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 30 Configuring the ASA CX Mo dule Managing the ASA CX M odule Detailed Steps Step 8 Repeat for any additional interfaces. Step 9 Click Send . Examples The follo wing example makes Gi gabitEtherne t 0/5 a traf fic-forwar ding interface: interface gigabitethernet 0/5 no nameif traffic-f[...]

  • Página 640

    30-22 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Managing the A SA CX Module Resetting the Password Y ou can reset the module password to the default. F or the user admin , the default password is Admin123 . After resetting the password , you should chan ge it to a unique v alue using the module appl[...]

  • Página 641

    30-23 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 30 Configuring the ASA CX Mo dule Managing the ASA CX M odule Detailed Steps Shutting Down the Module Shutting do wn the module software prepares the modu le to be safely po wered off with out losing confi guration data. Note : If you reload the ASA, th e module is n ot automa tically[...]

  • Página 642

    30-24 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Managing the A SA CX Module (ASA 5512-X through ASA 5555-X) Uninstalling a Software Module Image T o uninstall a software module image and associat ed confi guration, perform th e follo wing steps. Guidelines In multiple cont ext mode, perform t his pr[...]

  • Página 643

    30-25 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 30 Configuring the ASA CX Mo dule Monitoring the ASA CX Module Detailed Steps Monitoring the ASA CX Module • Showing Module Status, pa ge 30-25 • Sho wing Module St atistics, page 30- 26 • Monitoring Modu le Connections, page 30-27 • Capturing M odule Traf fic, page 30-30 • [...]

  • Página 644

    30-26 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Monitoring the ASA CX Module T o check the status of a module, ent er one of the follo wing commands: Examples The follo wing is sample output from the sho w module command for an ASA with an ASA CX SSP installed: hostname# show module Mod Card Type Mo[...]

  • Página 645

    30-27 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 30 Configuring the ASA CX Mo dule Monitoring the ASA CX Module The follo wing is sample output from the show service-policy command sho wing the ASA CX polic y and the current statistics as well as th e module status when the authent ication proxy is enabled; in th is case, the proxie[...]

  • Página 646

    30-28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Monitoring the ASA CX Module Examples The follo wing is sample output from the show asp table classify domain cxsc command: ciscoasa# show asp table classify domain cxsc Input Table in id=0x7ffedb4acf40, priority=50, domain=cxsc, deny=false hits=154856[...]

  • Página 647

    30-29 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 30 Configuring the ASA CX Mo dule Monitoring the ASA CX Module dst ip/id=172.23.58.52, mask=255.255.255.255, port=2000, dscp=0x0 input_ifc=mgmt, output_ifc=identity in id=0x7ffed86caa80, priority=121, domain=cxsc-auth-proxy, deny=false hits=0, user_data=0x7ffed86ca220, cs_id=0x0, flag[...]

  • Página 648

    30-30 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Troublesho oting the ASA CX Module cxsc-msg 1 0 1 0 1 0 The follo wing is sample output from the show conn detail command: ciscoasa# show conn detail 0 in use, 105 most used Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN, B - in[...]

  • Página 649

    30-31 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 30 Configuring the ASA CX Mo dule Troubleshooting the ASA CX Module When you enable the authentica tion pro xy , t he ASA generate s a debug messge when it se nds an authentication pro xy TL V to the ASA CX module, gi ving IP and port details: DP CXSC Event: Sent Auth proxy tlv for ad[...]

  • Página 650

    30-32 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Configuration Examples for the ASA CX Module 2. Check the ou tput of the show service-policy cxsc command to see if an y packets were prox ied. 3. Perform a pack et capture on the backp lane, and chec k to see if tr af fic is being re directed on the c[...]

  • Página 651

    30-33 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 30 Configuring the ASA CX Mo dule Feature History for the ASA CX Module ciscoasa(config-pmap)# class my-cx-class2 ciscoasa(config-pmap-c)# cxsc fail-open auth-proxy ciscoasa(config-pmap-c)# service-policy my-cx-policy interface outside Feature History for the ASA CX Module T able 30-2[...]

  • Página 652

    30-34 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Feature History for the ASA CX Module Monitor -only mode for demonstration purposes ASA 9.1(2) ASA CX 9.1(2) For de monstration purposes o nly , you can enable monitor -only mode for the service policy , which forwards a copy of traf fic to the ASA CX [...]

  • Página 653

    30-35 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 30 Configuring the ASA CX Mo dule Feature History for the ASA CX Module Multiple conte xt mode support for the ASA CX module ASA 9.1(3) ASA CX 9.2(1) Y ou can no w configure ASA CX service po licies per contex t on the ASA. Note Although you can conf igure per conte xt ASA service pol[...]

  • Página 654

    30-36 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Feature History for the ASA CX Module[...]

  • Página 655

    CH A P T E R 31-1 Cisco ASA Series Firewall CLI Configuratio n Guide 31 Configuring the ASA IPS Module This chapter describes h ow to config ure the ASA IPS modul e. The ASA IPS modul e might be a hardw are module or a so ftware module, d epending on your ASA model. For a list of supported ASA I PS modules per ASA model, see the Cisco ASA Compatibi[...]

  • Página 656

    31-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 31 Configurin g the ASA IPS Module Information About the ASA IPS Module How the ASA IPS Module Works with the ASA The ASA IPS module runs a separate application fro m the ASA. The ASA IPS module might in clude an external management interf ace so you can connect to the ASA I PS module d[...]

  • Página 657

    31-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 31 Configuring the ASA IPS Module Information About the ASA IPS M odule Operating Modes Y ou can send traf fic to the ASA IPS modu le using one of the follo wing modes: • Inline mode—This mode places the ASA IPS module directly in the traf fic f low (see Figure 31-1 ). No traff ic [...]

  • Página 658

    31-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 31 Configurin g the ASA IPS Module Information About the ASA IPS Module Figur e 31 -3 Securi ty Contexts and V irtual Sen sors Figure 31-4 sho ws a single mode ASA paired with multiple vi rtual sensors (in inline mode); each def ined traf fic flo w goes to a dif ferent sensor . Figur e [...]

  • Página 659

    31-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 31 Configuring the ASA IPS Module Licensing Requirement s for the ASA IPS module See the follo wing information about the management interface: – ASA 5510, ASA 5520, ASA 5540, ASA 5580, ASA 5585-X —The IPS management interf ace is a separate external Gig abit Ethernet interf ace. ?[...]

  • Página 660

    31-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 31 Configurin g the ASA IPS Module Default Settings http://www .cisco.com/en/US/docs/securi t y/asa/compatibility/asamatrx.html • The ASA 5505 does not support multiple conte xt mode, so multiple conte xt features, such as virtual sensors, are not supported on th e AIP SSC. • The AS[...]

  • Página 661

    31-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 31 Configuring the ASA IPS Module Configuring the ASA IPS module Configuring the ASA IPS module This section descri bes ho w to conf igure the ASA IPS module and includes the fol lo wing topics: • T ask Flow for the ASA IPS Module, page 31-7 • Connecting the ASA IPS Management Inte[...]

  • Página 662

    31-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 31 Configurin g the ASA IPS Module Configuring the ASA IPS module Connecting the ASA IPS Management Interface In addition to pro viding management access to the IPS module, the IPS management interface needs access to an HTTP proxy server or a DNS server and the Internet so it can do wn[...]

  • Página 663

    31-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 31 Configuring the ASA IPS Module Configuring the ASA IPS module If you do not have an inside router If you ha ve only one inside net work, then you canno t also hav e a separate m anagemen t network, which would require an inside r outer to route between the netw orks. In this case, y[...]

  • Página 664

    31-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 31 Configurin g the ASA IPS Module Configuring the ASA IPS module If you do not have an inside router If you ha ve only one inside net work, then you cannot also ha ve a separate mana gement network. In th is case, you can manage the ASA from the inside interface instead of the Managem[...]

  • Página 665

    31-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 31 Configuring the ASA IPS Module Configuring the ASA IPS module Sessioning to the Module from the ASA T o access the IPS module CLI from the ASA, you can session from the ASA. F or software modules, you can either session to the mo dule (using T elnet) or create a virtual console ses[...]

  • Página 666

    31-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 31 Configurin g the ASA IPS Module Configuring the ASA IPS module Detailed Steps Step 1 Do one of the foll o wing: • New ASA wit h IPS pre-installed—T o vie w the IPS module software f ilename in flash memory , enter:. ciscoasa# dir disk0: For e xample, look for a f ilename lik e I[...]

  • Página 667

    31-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 31 Configuring the ASA IPS Module Configuring the ASA IPS module (ASA 5510 and Higher) Confi guring Basic Network Settings Session to the module from the ASA an d config ure basic settings using the setup command. Note (ASA 5512-X through ASA 5555-X) If you cannot session to the mo du[...]

  • Página 668

    31-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 31 Configurin g the ASA IPS Module Configuring the ASA IPS module Restrictions Do not conf igure N A T for the management address if you intend t o access it using ASDM. F o r initial setup with ASDM, you need to acce ss the real address. After initial setup (where you set the password[...]

  • Página 669

    31-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 31 Configuring the ASA IPS Module Configuring the ASA IPS module Examples The follo wing example conf igures VLAN 20 as the I PS management VLAN. Only the host at 10.1.1.30 can access the IPS management IP address. VLAN 20 is assigned to switch port Ethernet 0/0. When you connect to A[...]

  • Página 670

    31-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 31 Configurin g the ASA IPS Module Configuring the ASA IPS module Detailed Steps Step 1 Access the ASA IPS module CLI usi ng one of the follo wing methods: • Session from the ASA to the ASA IPS modu le. See the “Sessioning to the Mod ule from the ASA” section on page 31 -11 . •[...]

  • Página 671

    31-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 31 Configuring the ASA IPS Module Configuring the ASA IPS module Detailed Steps Command Purpose Step 1 context name Example: ciscoasa(config)# context admin ciscoasa(config-ctx)# Identif ies the context you wa nt to conf igure. Enter this command in the system ex ecution space. Step 2[...]

  • Página 672

    31-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 31 Configurin g the ASA IPS Module Configuring the ASA IPS module Examples The follo wing example assigns sensor1 and sensor2 t o conte xt A, and sensor1 a nd sensor3 to conte xt B. Both context s map the sensor names to “ips1” and “i ps2. ” In conte xt A, sensor1 is set as the[...]

  • Página 673

    31-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 31 Configuring the ASA IPS Module Configuring the ASA IPS module Detailed Steps Command Purpose Step 1 class-map name Example: ciscoasa(config)# class-map ips_class Creates a class map to identify the traf fic f o r which you want to send to the ASA IPS module. If you want t o send mu[...]

  • Página 674

    31-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 31 Configurin g the ASA IPS Module Configuring the ASA IPS module Step 5 ips { inline | promiscuous } { fail-close | fail-open } [ sensor { sensor_name | mapped_name }] Example: ciscoasa(config-pmap-c)# ips promiscuous fail-close Specif ies that the traf fic shoul d be sent to the ASA [...]

  • Página 675

    31-21 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 31 Configuring the ASA IPS Module Managing the ASA IPS module Managing the ASA IPS module This section includes proc edures that help you recover or trou bleshoot the module and includes the follo wing topics: • Installing and Boot ing an Image on the Module, page 31-2 1 • Shuttin[...]

  • Página 676

    31-22 Cisco ASA Series Firewall CLI Configuration Guide Chapter 31 Configurin g the ASA IPS Module Managing the AS A IPS module Note Before you do wnload the IPS software to disk0, make sure at least 50% of the flash memory is free. When you install IPS, IPS reserves 50 % of the internal flas h memory for its f ile system. Detailed Steps Command Pu[...]

  • Página 677

    31-23 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 31 Configuring the ASA IPS Module Managing the ASA IPS module Shutting Down the Module Shutting do wn the module software prepares the modu le to be safely po wered off with out losing confi guration data. Note : If you reload the ASA, th e module is n ot automa tically shu t down, so[...]

  • Página 678

    31-24 Cisco ASA Series Firewall CLI Configuration Guide Chapter 31 Configurin g the ASA IPS Module Managing the AS A IPS module Resetting the Password Y ou can reset the module password to the default . For the user cisco , the default passw ord is cisco . After resetting the password, yo u should change it to a u n ique v alue using the module app[...]

  • Página 679

    31-25 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 31 Configuring the ASA IPS Module Monitoring the ASA IPS module Reloading or Resetting the Module T o reload or reset the module, enter on e of the follo wing commands at the ASA CLI. Detailed Steps Monitoring the ASA IPS module T o check the status of a module, ent er one of the foll[...]

  • Página 680

    31-26 Cisco ASA Series Firewall CLI Configuration Guide Chapter 31 Configurin g the ASA IPS Module Configuration Examples for the ASA IPS module Serial Number: JAB11370240 Firmware version: 1.0(14)3 Software version: 6.2(1)E2 MAC Address Range: 001d.45c2.e832 to 001d.45c2.e832 App. Name: IPS App. Status: Up App. Status Desc: Not Applicable App. Ver[...]

  • Página 681

    31-27 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 31 Configuring the ASA IPS Module Feature History for the ASA IPS module ciscoasa(config)# class-map my-ips-class ciscoasa(config-cmap)# match access-list my-ips-acl ciscoasa(config)# class-map my-ips-class2 ciscoasa(config-cmap)# match access-list my-ips-acl2 ciscoasa(config-cmap)# p[...]

  • Página 682

    31-28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 31 Configurin g the ASA IPS Module Feature History for the ASA IPS module Support for Dual SSPs for SSP-40 an d SSP-60 8.4(2) For SSP-40 and SSP-60, you can use two SSPs of the same le vel in the same chassi s. Mixed-le vel SSPs are not supported (for example, an SSP- 40 with an SSP-60[...]

  • Página 683

    CH A P T E R 32-1 Cisco ASA Series Firewall CLI Configuratio n Guide 32 Configuring the ASA CSC Module This chapter descri bes how to configure the Conten t Security and Control (CSC) appl ication that is installed in a CSC SSM in the ASA. This chapte r includes the follo wing sections: • Information About the CSC SSM, page 32-1 • Licensing Req[...]

  • Página 684

    32-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 32 Configurin g the ASA CSC Module Information About the CSC SSM Figur e 32-1 Flow of Scanned T raf fic with the CSC SSM Y ou use ASDM for system setup and mo nitoring of th e CSC SSM. For adv a nced co nfiguration of cont ent security policies in the CS C SSM software, you ac cess the [...]

  • Página 685

    32-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 32 Configuring the ASA CSC Module Information Ab out the CSC SSM Figur e 32-2 CSC SSM Deployment with a Manage ment Networ k Determining What Traffic to Scan The CSC SSM can scan FTP , HTTP/HTTPS, POP3, and SMTP traf fic only when the destinat ion port of the packet requestin g the con[...]

  • Página 686

    32-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 32 Configurin g the ASA CSC Module Information About the CSC SSM Based on the conf iguration shown in Figure 32-3 , conf igure the ASA to di vert to the CSC SSM only requests from clients o n the inside netw ork for HTTP , FTP , and POP3 connections to the outside network, and incoming [...]

  • Página 687

    32-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 32 Configuring the ASA CSC Module Licensing Requirements for the CSC SSM In the outside- policy , outside-class matches SMTP tr af fic from an y outside source to the DMZ network. This setting protects the SMTP serv er and inside us ers who do wnload e-mail from the SMTP serv er on the[...]

  • Página 688

    32-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 32 Configurin g the ASA CSC Module Guidelines and Limitations – Domain name and hostname for t he CSC SSM. – An e-mail address and an SMTP server IP addr ess and port numb er for e-mail notif ications. – E-mail address(es) for product l icense rene wal notificatio ns. – IP addre[...]

  • Página 689

    32-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 32 Configuring the ASA CSC Module Configuring the CSC SSM Configuring the CSC SSM This section descri bes ho w to conf igure the CSC SSM and includes the followi ng topics: • Before Conf iguring the CSC SSM, page 32-7 • Connecting to the CSC SSM, page 32-8 • Div erting Traf fic t[...]

  • Página 690

    32-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 32 Configurin g the ASA CSC Module Configuring the CSC SSM • If you manually control time settings, v erify the clock settings, includi ng time zone. Choose Conf iguration > Pr operties > Device Administration > Clock . • If you are using NTP , verify the NTP con figu ratio[...]

  • Página 691

    32-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 32 Configuring the ASA CSC Module Configuring the CSC SSM T o connect to the CSC SSM, perform the follo wing steps: Step 1 In the ASDM main application windo w , click the Content Security tab . Step 2 In the Connecting to CSC dial og box, click one of th e follo wing radio b uttons: ?[...]

  • Página 692

    32-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 32 Configurin g the ASA CSC Module Configuring the CSC SSM What to Do Next See the “Div erting Traf fic to the CSC SSM” section on page 32-10 . Diverting Traffic to the CSC SSM Y o u use Modular Polic y Framew ork commands to conf igure the ASA to div ert traff ic to the CSC SSM. P[...]

  • Página 693

    32-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 32 Configuring the ASA CSC Module Configuring the CSC SSM Step 6 set connection per-client-max n Example: ciscoasa(config-pmap-c)# set connection per-client-max 5 Lets you conf igure limits to thw art DoS attacks. The per -client-max parameter limits the maximum number of connections [...]

  • Página 694

    32-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 32 Configurin g the ASA CSC Module Configuring the CSC SSM Step 7 csc { fail-close | fail-open } Example: ciscoasa(config-pmap-c)# csc {fail-close | fail-open} Enables traf fic scanning with the CSC S SM and assigns the traf fic identif ied by the class map as traff ic to be sent to th[...]

  • Página 695

    32-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 32 Configuring the ASA CSC Module Monitoring the CSC SSM What to Do Next See the “Monitorin g the CSC SSM” sect ion on page 32-13 . Monitoring the CSC SSM T o check the status of a module, ent er one of the follo wing commands: Examples The follo wing is sample output from the sho[...]

  • Página 696

    32-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 32 Configurin g the ASA CSC Module Troubleshooting the CSC Module Port Mask: 255.255.224.0 Gateway IP Address: 209.165.200.254 Troubleshooting the CSC Module This section includes proc edures that help you recover or trou bleshoot the module and includes the follo wing topics: • Inst[...]

  • Página 697

    32-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 32 Configuring the ASA CSC Module Troubleshooting the CSC Module Detailed Steps Resetting the Password Y ou can reset the module passwor d to the default. The def ault password is cisco. After resetting th e password, you sho uld change it to a unique v alue using the module applicati[...]

  • Página 698

    32-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 32 Configurin g the ASA CSC Module Troubleshooting the CSC Module T o reset the module passw ord to the def ault of cisco, perform th e follo wing steps. Detailed Steps Reloading or Resetting the Module T o reload or reset the module, enter on e of the follo wing commands at the ASA CL[...]

  • Página 699

    32-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 32 Configuring the ASA CSC Module Configuration Exa mples for the CSC SSM Shutting Down the Module If you restart the ASA, the module is not automatica lly rest arted. T o shut do wn the module, perform th e follo wing steps at th e ASA CLI. Detailed Steps Configuration Examples for t[...]

  • Página 700

    32-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 32 Configurin g the ASA CSC Module Additional References ciscoasa(config-pmap)# class csc_inbound_class ciscoasa(config-pmap-c)# csc fail-close ciscoasa(config-pmap-c)# service-policy csc_in_policy interface outside The follo wing example shows ho w to use an A CL to exempt the traf fi[...]

  • Página 701

    32-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 32 Configuring the ASA CSC Module Feature History for the CSC SSM Feature History for the CSC SSM T able 32-2 lists each feature change and the plat form release in which it w as implemented. Instructions on use of the CSC SSM GUI. Additional licensi ng requirements of specif ic windo[...]

  • Página 702

    32-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 32 Configurin g the ASA CSC Module Feature History for the CSC SSM[...]

  • Página 703

    IN-1 Cisco ASA Series Firewall CLI Configuration Guide INDEX A AAA accounting 7-21 authentication network access 7-2 authorization downloadable access lists 7-17 network access 7-14 performance 7-1 web clients 7-10 access lists downloadable 7-17 global access rules 6-2 implicit deny 6-3 inbound 6-3 outbound 6-3 phone prox y 16-7 ActiveX filtering 2[...]

  • Página 704

    Index IN-2 Cisco ASA Series Firewall CLI Configuration Guide IP fragment 28-4 IP impossib le packet 28-4 large ICMP traffic 28-6 ping of death 28-6 proxied RPC request 28-7 statd buffer overflow 28-8 TCP FIN only flags 28-7 TCP NULL flags 28-6 TCP SYN+FIN flags 28-6 UDP bomb 28-7 UDP chargen DoS 28-7 UDP snork 28-7 authentication FTP 7-4 HTTP 7-3 n[...]

  • Página 705

    Index IN-3 Cisco ASA Series Firewall CLI Configuration Guide required by phone prox y 16-16 Cisco IP Communicator 16-10 Cisco IP Phones, application inspection 11-25 Cisco UMA. See Cisco Unified Mo bility. Cisco Unified Mobilit y architecture 18-2 ASA role 14-2, 14-3, 15-2 certificate 18-5 functionality 18-1 NAT and PAT requirements 18-3, 18-4 trus[...]

  • Página 706

    Index IN-4 Cisco ASA Series Firewall CLI Configuration Guide DNS request for all records attack 28-7 DNS zone transfer attack 28-7 DNS zone transfer from high port attack 28-7 downloadable access lists configuring 7-17 converting netmask expressio ns 7-21 DSCP preservati on 23-5 dynamic NAT about 3-7 network object NAT 4-5 twice NAT 5-7 dynamic PAT[...]

  • Página 707

    Index IN-5 Cisco ASA Series Firewall CLI Configuration Guide inspection_default cl ass-map 1-9 inspection engines See application inspection Instant Messaging inspection 11-19 interfaces default settings 6-8, 32-6 IP fragment attack 28-4 IP impossible packet attack 28-4 IP overlapping fragme nts attack 28-5 IP phone phone prox y provisioning 16-12 [...]

  • Página 708

    Index IN-6 Cisco ASA Series Firewall CLI Configuration Guide default polic y 1-8 examples 1-18 feature directionality 1-3 features 1-2 flows 1-6 matching multiple policy maps 1-6 service poli cy, applying 1-17 See also class map See also policy map MPLS LDP 6-7 router-id 6-7 TDP 6-7 multi-session PAT 4-16 N NAT about 3-1 bidirection al initiation 3[...]

  • Página 709

    Index IN-7 Cisco ASA Series Firewall CLI Configuration Guide dynamic NAT 5-7 dynamic PAT 5-11 examples 5-25 guidelines 5-2 identity NAT 5-21 monitoring 5-24 prerequis ites 5-2 static NAT 5-18 types 3-3 VPN 3-22 VPN client rules 3-18 network object NAT about 3-14 comparison with t wice NAT 3-13 configuring 4-1 dynamic NAT 4-5 dynamic PAT 4-7 example[...]

  • Página 710

    Index IN-8 Cisco ASA Series Firewall CLI Configuration Guide CSC SSM 32-5 presence_proxy_remotecert 15-15 proxied RPC request attack 28-7 proxy servers SIP and 11-18 PRSM 30-5 Q QoS about 23-1, 23-3 DiffServ preservation 23-5 DSCP preservati on 23-5 feature interaction 23-4 policies 23-1 priority qu eueing IPSec anti-replay window 23-13 statistics [...]

  • Página 711

    Index IN-9 Cisco ASA Series Firewall CLI Configuration Guide management defaults 31-6 password reset 31-24, 32-15 reload 31-25, 32-16 reset 31-25, 32-16 routing 31-10 sessioning to 31-13 shutdown 31-23, 32-17 Startup Wiza rd licensing requ irements 15-3 statd buffer overflow attack 28-8 stateful inspection bypassing 22-3 static NAT about 3-3 few-to[...]

  • Página 712

    Index IN-10 Cisco ASA Series Firewall CLI Configuration Guide applications supported by A SA 14-3 Cisco Unified Presence architecture 19-1 configuring for Cisco Un ified Presence 19-8 licenses 14-4, 17-5, 18-6, 19-7, 20-7 tocken bucket 23-2 traffic shaping overview 23-4 transmit queue ring l imit 23-2, 23-3 transparent firewall DHCP packet s, allow[...]