asa_84_cli_cfg

Americas Headquarters

Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883

Cisco ASA 5500 Series Configuration

Guide using the CLI

Software Version 8.4 for the ASA 5505, ASA 5510, ASA 5520, ASA 5540, ASA 5550, ASA 5580, ASA 5585-X

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT

LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)

Cisco ASA 5500 Series Configuration Guide using the CLI Copyright © 2011 Cisco Systems, Inc. All rights reserved.

C O N T E N T S

About This Guide

Document Objectives

Audience

Related Documentation

Conventions

Obtaining Documentation and Submitting a Service Request

P A R T 1

Introduction to the ASA

C H A P T E R 1

Introduction to the Cisco ASA 5500 Series

Hardware and Software Compatibility

VPN Specifications

New Features

New Features in Version 8.4(2)

New Features in Version 8.4(1)

Firewall Functional Overview

Security Policy Overview

Permitting or Denying Traffic with Access Lists

Applying NAT

Protecting from IP Fragments

Using AAA for Through Traffic

Applying HTTP, HTTPS, or FTP Filtering

Applying Application Inspection

Sending Traffic to the IPS Module

Sending Traffic to the Content Security and Control Module

Applying QoS Policies

Applying Connection Limits and TCP Normalization

Enabling Threat Detection

Enabling the Botnet Traffic Filter

Configuring Cisco Unified Communications

Firewall Mode Overview

Stateful Inspection Overview

VPN Functional Overview

C H A P T E R 2

Getting Started

Accessing the Appliance Command-Line Interface

Factory Default Configurations

Restoring the Factory Default Configuration

ASA 5505 Default Configuration

ASA 5510 and Higher Default Configuration

Working with the Configuration

Saving Configuration Changes

Saving Configuration Changes in Single Context Mode

Saving Configuration Changes in Multiple Context Mode

Copying the Startup Configuration to the Running Configuration

Viewing the Configuration

Clearing and Removing Configuration Settings

Creating Text Configuration Files Offline

Applying Configuration Changes to Connections

C H A P T E R 3

Managing Feature Licenses

Supported Feature Licenses Per Model

Licenses Per Model

License Notes

VPN License and Feature Compatibility

Information About Feature Licenses

Preinstalled License

Permanent License

Time-Based Licenses

Time-Based License Activation Guidelines

How the Time-Based License Timer Works

How Permanent and Time-Based Licenses Combine

Stacking Time-Based Licenses

Time-Based License Expiration

Shared AnyConnect Premium Licenses

Information About the Shared Licensing Server and Participants

Communication Issues Between Participant and Server

Information About the Shared Licensing Backup Server

Failover and Shared Licenses

Maximum Number of Participants

Failover Licenses (8.3(1) and Later)

Failover License Requirements

Loss of Communication Between Failover Units

Upgrading Failover Pairs

No Payload Encryption Models

Licenses FAQ

Guidelines and Limitations

Configuring Licenses

Obtaining an Activation Key

Activating or Deactivating Keys

Configuring a Shared License

Configuring the Shared Licensing Server

Configuring the Shared Licensing Backup Server (Optional)

Configuring the Shared Licensing Participant

Monitoring Licenses

Viewing Your Current License

Monitoring the Shared License

Feature History for Licensing

P A R T 2

Configuring Firewall and Security Context Modes

C H A P T E R 4

Configuring the Transparent or Routed Firewall

Configuring the Firewall Mode

Information About the Firewall Mode

Information About Routed Firewall Mode

Information About Transparent Firewall Mode

Licensing Requirements for the Firewall Mode

Default Settings

Guidelines and Limitations

Setting the Firewall Mode

Feature History for Firewall Mode

Configuring ARP Inspection for the Transparent Firewall

Information About ARP Inspection

Licensing Requirements for ARP Inspection

Default Settings

Guidelines and Limitations

Configuring ARP Inspection

Task Flow for Configuring ARP Inspection

Adding a Static ARP Entry

Enabling ARP Inspection

Feature History for ARP Inspection

Customizing the MAC Address Table for the Transparent Firewall

Information About the MAC Address Table

Licensing Requirements for the MAC Address Table

Default Settings

Guidelines and Limitations

Configuring the MAC Address Table

Adding a Static MAC Address

Setting the MAC Address Timeout

Disabling MAC Address Learning

Monitoring the MAC Address Table

Feature History for the MAC Address Table

Firewall Mode Examples

How Data Moves Through the ASA in Routed Firewall Mode

An Inside User Visits a Web Server

An Outside User Visits a Web Server on the DMZ

An Inside User Visits a Web Server on the DMZ

An Outside User Attempts to Access an Inside Host

A DMZ User Attempts to Access an Inside Host

How Data Moves Through the Transparent Firewall

An Inside User Visits a Web Server

An Inside User Visits a Web Server Using NAT

An Outside User Visits a Web Server on the Inside Network

An Outside User Attempts to Access an Inside Host

C H A P T E R 5

Configuring Multiple Context Mode

Information About Security Contexts

Common Uses for Security Contexts

Context Configuration Files

Context Configurations

System Configuration

Admin Context Configuration

How the ASA Classifies Packets

Valid Classifier Criteria

Classification Examples

Cascading Security Contexts

Management Access to Security Contexts

System Administrator Access

Information About Resource Management

Resource Limits

Default Class

Class Members

Information About MAC Addresses

Default MAC Address

Interaction with Manual MAC Addresses

Failover MAC Addresses

MAC Address Format

Licensing Requirements for Multiple Context Mode

Guidelines and Limitations

Default Settings

Configuring Multiple Contexts

Task Flow for Configuring Multiple Context Mode

Enabling or Disabling Multiple Context Mode

Enabling Multiple Context Mode

Restoring Single Context Mode

Configuring a Class for Resource Management

Configuring a Security Context

Automatically Assigning MAC Addresses to Context Interfaces

Changing Between Contexts and the System Execution Space

Managing Security Contexts

Removing a Security Context

Changing the Admin Context

Changing the Security Context URL

Reloading a Security Context

Reloading by Clearing the Configuration

Reloading by Removing and Re-adding the Context

Monitoring Security Contexts

Viewing Context Information

Viewing Resource Allocation

Viewing Resource Usage

Monitoring SYN Attacks in Contexts

Viewing Assigned MAC Addresses

Viewing MAC Addresses in the System Configuration

Viewing MAC Addresses Within a Context

Configuration Examples for Multiple Context Mode

P A R T 3

Configuring Interfaces

C H A P T E R 6

Starting Interface Configuration (ASA 5510 and Higher)

Information About Starting ASA 5510 and Higher Interface Configuration

Auto-MDI/MDIX Feature

Interfaces in Transparent Mode

Management Interface

Redundant Interfaces

Redundant Interface MAC Address

EtherChannels

Channel Group Interfaces

Connecting to an EtherChannel on Another Device

Link Aggregation Control Protocol

Load Balancing

EtherChannel MAC Address

Licensing Requirements for ASA 5510 and Higher Interfaces

Guidelines and Limitations

Default Settings

Starting Interface Configuration (ASA 5510 and Higher)

Task Flow for Starting Interface Configuration

Converting In-Use Interfaces to a Redundant or EtherChannel Interface

Enabling the Physical Interface and Configuring Ethernet Parameters

Configuring a Redundant Interface

Configuring a Redundant Interface

Changing the Active Interface

Configuring an EtherChannel

Adding Interfaces to the EtherChannel

Customizing the EtherChannel

Configuring VLAN Subinterfaces and 802.1Q Trunking

Enabling Jumbo Frame Support (ASA 5580 and ASA 5585-X)

Monitoring Interfaces

Configuration Examples for ASA 5510 and Higher Interfaces

Physical Interface Parameters Example

Subinterface Parameters Example

Multiple Context Mode Example

EtherChannel Example

Where to Go Next

C H A P T E R 7

Starting Interface Configuration (ASA 5505)

Information About ASA 5505 Interfaces

Understanding ASA 5505 Ports and Interfaces

Maximum Active VLAN Interfaces for Your License

VLAN MAC Addresses

Power over Ethernet

Monitoring Traffic Using SPAN

Auto-MDI/MDIX Feature

Licensing Requirements for ASA 5505 Interfaces

Guidelines and Limitations

Default Settings

Starting ASA 5505 Interface Configuration

Task Flow for Starting Interface Configuration

Configuring VLAN Interfaces

Configuring and Enabling Switch Ports as Access Ports

Configuring and Enabling Switch Ports as Trunk Ports

Monitoring Interfaces

Configuration Examples For ASA 5505 Interfaces

Access Port Example

Trunk Port Example

Where to Go Next

Feature History for ASA 5505 Interfaces

C H A P T E R 8

Completing Interface Configuration (Routed Mode)

Information About Completing Interface Configuration in Routed Mode

Security Levels

Dual IP Stack (IPv4 and IPv6)

Licensing Requirements for Completing Interface Configuration in Routed Mode

Guidelines and Limitations

Default Settings

Completing Interface Configuration in Routed Mode

Task Flow for Completing Interface Configuration

Configuring General Interface Parameters

Configuring the MAC Address and MTU

Configuring IPv6 Addressing

Information About IPv6

Configuring a Global IPv6 Address and Other Options

Monitoring Interfaces

Configuration Examples for Interfaces in Routed Mode

ASA 5505 Example

Feature History for Interfaces in Routed Mode

C H A P T E R 9

Completing Interface Configuration (Transparent Mode)

Information About Completing Interface Configuration in Transparent Mode

Bridge Groups in Transparent Mode

Security Levels

Licensing Requirements for Completing Interface Configuration in Transparent Mode

Guidelines and Limitations

Default Settings

Completing Interface Configuration in Transparent Mode

Task Flow for Completing Interface Configuration

Configuring Bridge Groups

Configuring General Interface Parameters

Configuring a Management Interface (ASA 5510 and Higher)

Configuring the MAC Address and MTU

Configuring IPv6 Addressing

Information About IPv6

Configuring a Global IPv6 Address and Other Options

Monitoring Interfaces

Configuration Examples for Interfaces in Transparent Mode

Feature History for Interfaces in Transparent Mode

P A R T 4

Configuring Basic Settings

C H A P T E R 10

Configuring the Hostname, Domain Name, Passwords, and Other Basic Settings

Configuring the Hostname, Domain Name, and Passwords

Changing the Login Password

Changing the Enable Password

Setting the Hostname

Setting the Domain Name

Setting the Date and Time

Setting the Time Zone and Daylight Saving Time Date Range

Setting the Date and Time Using an NTP Server

Setting the Date and Time Manually

Information About the Master Passphrase

Licensing Requirements for the Master Passphrase

Guidelines and Limitations

Adding or Changing the Master Passphrase

Disabling the Master Passphrase

Recovering the Master Passphrase

Feature History for the Master Passphrase

Configuring the DNS Server

Monitoring DNS Cache

DNS Cache Monitoring Commands

Feature History for DNS Cache

C H A P T E R 11

Configuring DHCP

Information About DHCP

Licensing Requirements for DHCP

Guidelines and Limitations

Configuring a DHCP Server

Enabling the DHCP Server

Configuring DHCP Options

Options that Return an IP Address

Options that Return a Text String

Options that Return a Hexadecimal Value

Using Cisco IP Phones with a DHCP Server

Configuring DHCP Relay Services

DHCP Monitoring Commands

Feature History for DHCP

C H A P T E R 12

Configuring Dynamic DNS

Information about DDNS

Licensing Requirements for DDNS

Guidelines and Limitations

Configuring DDNS

Configuration Examples for DDNS

Example 1: Client Updates Both A and PTR RRs for Static IP Addresses

Example 2: Client Updates Both A and PTR RRs; DHCP Server Honors Client Update Request; FQDN

Provided Through Configuration

Example 3: Client Includes FQDN Option Instructing Server Not to Update Either RR; Server Overrides

Client and Updates Both RRs.

Example 4: Client Asks Server To Perform Both Updates; Server Configured to Update PTR RR Only;

Honors Client Request and Updates Both A and PTR RR

Example 5: Client Updates A RR; Server Updates PTR RR

DDNS Monitoring Commands

Feature History for DDNS

P A R T 5

Configuring Objects and Access Lists

C H A P T E R 13

Configuring Objects

Configuring Objects and Groups

Information About Objects and Groups

Information About Objects

Information About Object Groups

Licensing Requirements for Objects and Groups

Guidelines and Limitations for Objects and Groups

Configuring Objects

Configuring a Network Object

Configuring a Service Object

Configuring Object Groups

Adding a Protocol Object Group

Adding a Network Object Group

Adding a Service Object Group

Adding an ICMP Type Object Group

Nesting Object Groups

Removing Object Groups

Monitoring Objects and Groups

Feature History for Objects and Groups

Configuring Regular Expressions

Creating a Regular Expression

Creating a Regular Expression Class Map

Scheduling Extended Access List Activation

Information About Scheduling Access List Activation

Licensing Requirements for Scheduling Access List Activation

Guidelines and Limitations for Scheduling Access List Activation

Configuring and Applying Time Ranges

Configuration Examples for Scheduling Access List Activation

C H A P T E R 14

Information About Access Lists

Access List Types

Access Control Entry Order

Access Control Implicit Deny

IP Addresses Used for Access Lists When You Use NAT

Where to Go Next

C H A P T E R 15

Adding an Extended Access List

Information About Extended Access Lists

Licensing Requirements for Extended Access Lists

Default Settings

Configuring Extended Access Lists

Adding an Extended Access List

Adding Remarks to Access Lists

Monitoring Extended Access Lists

Configuration Examples for Extended Access Lists

Configuration Examples for Extended Access Lists (No Objects)

Configuration Examples for Extended Access Lists (Using Objects)

Where to Go Next

Feature History for Extended Access Lists

C H A P T E R 16

Adding an EtherType Access List

Information About EtherType Access Lists

Licensing Requirements for EtherType Access Lists

Guidelines and Limitations

Default Settings

Configuring EtherType Access Lists

Task Flow for Configuring EtherType Access Lists

Adding EtherType Access Lists

Adding Remarks to Access Lists

What to Do Next

Monitoring EtherType Access Lists

Configuration Examples for EtherType Access Lists

C H A P T E R 17

Adding a Standard Access List

Information About Standard Access Lists

Licensing Requirements for Standard Access Lists

Guidelines and Limitations

Default Settings

Adding Standard Access Lists

Task Flow for Configuring Extended Access Lists

Adding a Standard Access List

Adding Remarks to Access Lists

What to Do Next

Monitoring Access Lists

Configuration Examples for Standard Access Lists

Feature History for Standard Access Lists

C H A P T E R 18

Adding a Webtype Access List

Licensing Requirements for Webtype Access Lists

Guidelines and Limitations

Default Settings

Using Webtype Access Lists

Task Flow for Configuring Webtype Access Lists

Adding Webtype Access Lists with a URL String

Adding Webtype Access Lists with an IP Address

Adding Remarks to Access Lists

What to Do Next

Monitoring Webtype Access Lists

Configuration Examples for Webtype Access Lists

Feature History for Webtype Access Lists

C H A P T E R 19

Adding an IPv6 Access List

Information About IPv6 Access Lists

Licensing Requirements for IPv6 Access Lists

Prerequisites for Adding IPv6 Access Lists

Guidelines and Limitations

Default Settings

Configuring IPv6 Access Lists

Task Flow for Configuring IPv6 Access Lists

Adding Remarks to Access Lists

Monitoring IPv6 Access Lists

Configuration Examples for IPv6 Access Lists

Where to Go Next

Feature History for IPv6 Access Lists

C H A P T E R 20

Configuring Logging for Access Lists

Configuring Logging for Access Lists

Information About Logging Access List Activity

Licensing Requirements for Access List Logging

Guidelines and Limitations

Default Settings

Configuring Access List Logging

Monitoring Access Lists

Configuration Examples for Access List Logging

Feature History for Access List Logging

Managing Deny Flows

Information About Managing Deny Flows

Licensing Requirements for Managing Deny Flows

Guidelines and Limitations

Default Settings

Managing Deny Flows

Monitoring Deny Flows

Feature History for Managing Deny Flows

P A R T 6

Configuring IP Routing

C H A P T E R 21

Routing Overview

Information About Routing

Switching

Path Determination

Supported Route Types

Static Versus Dynamic

Single-Path Versus Multipath

Flat Versus Hierarchical

Link-State Versus Distance Vector

How Routing Behaves Within the ASA

Next Hop Selection Process

Supported Internet Protocols for Routing

Information About the Routing Table

Displaying the Routing Table

How the Routing Table Is Populated

Backup Routes

How Forwarding Decisions Are Made

Dynamic Routing and Failover

Information About IPv6 Support

Features That Support IPv6

IPv6-Enabled Commands

Entering IPv6 Addresses in Commands

Disabling Proxy ARPs

C H A P T E R 22

Configuring Static and Default Routes

Information About Static and Default Routes

Licensing Requirements for Static and Default Routes

Guidelines and Limitations

Configuring Static and Default Routes

Configuring a Static Route

Adding or Editing a Static Route

Configuring a Default Static Route

Limitations on Configuring a Default Static Route

Configuring IPv6 Default and Static Routes

Monitoring a Static or Default Route

Configuration Examples for Static or Default Routes

Feature History for Static and Default Routes

C H A P T E R 23

Defining Route Maps

Information About Route Maps

Permit and Deny Clauses

Match and Set Clause Values

Licensing Requirements for Route Maps

Guidelines and Limitations

Defining a Route Map

Customizing a Route Map

Defining a Route to Match a Specific Destination Address

Configuration Example for Route Maps

Feature History for Route Maps

C H A P T E R 24

Configuring OSPF

Information About OSPF

Licensing Requirements for OSPF

Guidelines and Limitations

Configuring OSPF

Customizing OSPF

Redistributing Routes Into OSPF

Configuring Route Summarization When Redistributing Routes Into OSPF

Configuring Route Summarization Between OSPF Areas

Configuring OSPF Interface Parameters

Configuring OSPF Area Parameters

Configuring OSPF NSSA

Defining Static OSPF Neighbors

Configuring Route Calculation Timers

Logging Neighbors Going Up or Down

Restarting the OSPF Process

Configuration Example for OSPF

Monitoring OSPF

Feature History for OSPF

C H A P T E R 25

Configuring RIP

Information About RIP

Routing Update Process

RIP Routing Metric

RIP Stability Features

RIP Timers

Licensing Requirements for RIP

Guidelines and Limitations

Configuring RIP

Enabling RIP

Customizing RIP

Configuring the RIP Version

Configuring Interfaces for RIP

Configuring the RIP Send and Receive Version on an Interface

Filtering Networks in RIP

Redistributing Routes into the RIP Routing Process

Enabling RIP Authentication

. Restarting the RIP Process

Monitoring RIP

Configuration Example for RIP

Feature History for RIP

C H A P T E R 26

Configuring Multicast Routing

Information About Multicast Routing

Stub Multicast Routing

PIM Multicast Routing

Multicast Group Concept

Multicast Addresses

Licensing Requirements for Multicast Routing

Guidelines and Limitations

Enabling Multicast Routing

Customizing Multicast Routing

Configuring Stub Multicast Routing and Forwarding IGMP Messages

Configuring a Static Multicast Route

Configuring IGMP Features

Disabling IGMP on an Interface

Configuring IGMP Group Membership

Configuring a Statically Joined IGMP Group

Controlling Access to Multicast Groups

Limiting the Number of IGMP States on an Interface

Modifying the Query Messages to Multicast Groups

Changing the IGMP Version

Configuring PIM Features

Enabling and Disabling PIM on an Interface

Configuring a Static Rendezvous Point Address

Configuring the Designated Router Priority

Configuring and Filtering PIM Register Messages

Configuring PIM Message Intervals

Filtering PIM Neighbors

Configuring a Bidirectional Neighbor Filter

Configuring a Multicast Boundary

Additional References

Related Documents

RFCs

Feature History for Multicast Routing

C H A P T E R 27

Configuring EIGRP

Information About EIGRP

Licensing Requirements for EIGRP

Guidelines and Limitations

Configuring EIGRP

Enabling EIGRP

Enabling EIGRP Stub Routing

Customizing EIGRP

Defining a Network for an EIGRP Routing Process

Configuring Interfaces for EIGRP

Configuring Passive Interfaces

Configuring the Summary Aggregate Addresses on Interfaces

Changing the Interface Delay Value

Enabling EIGRP Authentication on an Interface

Defining an EIGRP Neighbor

Redistributing Routes Into EIGRP

Filtering Networks in EIGRP

Customizing the EIGRP Hello Interval and Hold Time

Disabling Automatic Route Summarization

Configuring Default Information in EIGRP

Disabling EIGRP Split Horizon

Restarting the EIGRP Process

Monitoring EIGRP

Configuration Example for EIGRP

Feature History for EIGRP

C H A P T E R 28

Configuring IPv6 Neighbor Discovery

Information About IPv6 Neighbor Discovery

Neighbor Solicitation Messages

Neighbor Reachable Time

Router Advertisement Messages

Static IPv6 Neighbors

Guidelines and Limitations

Default Settings for IPv6 Neighbor Discovery

Configuring the Neighbor Solicitation Message Interval

Configuring the Neighbor Reachable Time

Configuring the Router Advertisement Transmission Interval

Configuring the Router Lifetime Value

Configuring Duplicate Address Detection Settings

Configuring IPv6 Addresses on an Interface

Suppressing Router Advertisement Messages

Configuring the IPv6 Prefix

Configuring a Static IPv6 Neighbor

Monitoring IPv6 Neighbor Discovery

Additional References

Related Documents for IPv6 Prefixes

RFCs for IPv6 Prefixes and Documentation

Feature History for IPv6 Neighbor Discovery

P A R T 7

Configuring Network Address Translation

C H A P T E R 29

Information About NAT

Why Use NAT?

NAT Terminology

NAT Types

Static NAT

Information About Static NAT

Information About Static NAT with Port Translation

Information About One-to-Many Static NAT

Information About Other Mapping Scenarios (Not Recommended)

Dynamic NAT

Information About Dynamic NAT

Dynamic NAT Disadvantages and Advantages

Dynamic PAT

Information About Dynamic PAT

Dynamic PAT Disadvantages and Advantages

Identity NAT

NAT in Routed and Transparent Mode

NAT in Transparent Mode

How NAT is Implemented

Main Differences Between Network Object NAT and Twice NAT

Information About Network Object NAT

Information About Twice NAT

NAT Rule Order

NAT Interfaces

Routing NAT Packets

Mapped Addresses and Routing

Transparent Mode Routing Requirements for Remote Networks

Determining the Egress Interface

DNS and NAT

Where to Go Next

C H A P T E R 30

Configuring Network Object NAT

Information About Network Object NAT

Licensing Requirements for Network Object NAT

Prerequisites for Network Object NAT

Guidelines and Limitations

Default Settings

Configuring Network Object NAT

Configuring Dynamic NAT

Configuring Dynamic PAT (Hide)

Configuring Static NAT or Static NAT with Port Translation

Configuring Identity NAT

Monitoring Network Object NAT

Configuration Examples for Network Object NAT

Providing Access to an Inside Web Server (Static NAT)

NAT for Inside Hosts (Dynamic NAT) and NAT for an Outside Web Server (Static NAT)

Inside Load Balancer with Multiple Mapped Addresses (Static NAT, One-to-Many)

Single Address for FTP, HTTP, and SMTP (Static NAT with Port Translation)

DNS Server on Mapped Interface, Web Server on Real Interface (Static NAT with DNS

Modification)

DNS Server and Web Server on Mapped Interface, Web Server is Translated (Static NAT with DNS

Modification)

C H A P T E R 31

Configuring Twice NAT

Information About Twice NAT

Licensing Requirements for Twice NAT

Prerequisites for Twice NAT

Guidelines and Limitations

Default Settings

Configuring Twice NAT

Configuring Dynamic NAT

Configuring Dynamic PAT (Hide)

Configuring Static NAT or Static NAT with Port Translation

Configuring Identity NAT

Monitoring Twice NAT

Configuration Examples for Twice NAT

Different Translation Depending on the Destination (Dynamic PAT)

Different Translation Depending on the Destination Address and Port (Dynamic PAT)

Feature History for Twice NAT

P A R T 8

Configuring Service Policies Using the Modular Policy Framework

C H A P T E R 32

Configuring a Service Policy Using the Modular Policy Framework

Information About Service Policies

Supported Features for Through Traffic

Supported Features for Management Traffic

Feature Directionality

Feature Matching Within a Service Policy

Order in Which Multiple Feature Actions are Applied

Incompatibility of Certain Feature Actions

Feature Matching for Multiple Service Policies

Licensing Requirements for Service Policies

Guidelines and Limitations

Default Settings

Default Configuration

Default Class Maps

Task Flows for Configuring Service Policies

Task Flow for Using the Modular Policy Framework

Task Flow for Configuring Hierarchical Policy Maps for QoS Traffic Shaping

Identifying Traffic (Layer 3/4 Class Maps)

Creating a Layer 3/4 Class Map for Management Traffic

Defining Actions (Layer 3/4 Policy Map)

Applying Actions to an Interface (Service Policy)

Monitoring Modular Policy Framework

Configuration Examples for Modular Policy Framework

Applying Inspection and QoS Policing to HTTP Traffic

Applying Inspection to HTTP Traffic Globally

Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers

Applying Inspection to HTTP Traffic with NAT

Feature History for Service Policies

C H A P T E R 33

Configuring Special Actions for Application Inspections (Inspection Policy Map)

Information About Inspection Policy Maps

Default Inspection Policy Maps

Defining Actions in an Inspection Policy Map

Identifying Traffic in an Inspection Class Map

Where to Go Next

P A R T 9

Configuring Access Control

C H A P T E R 34

Configuring Access Rules

Information About Access Rules

General Information About Rules

Implicit Permits

Using Access Rules and EtherType Rules on the Same Interface

Inbound and Outbound Rules

Using Global Access Rules

Information About Extended Access Rules

Access Rules for Returning Traffic

Allowing Broadcast and Multicast Traffic through the Transparent Firewall Using Access

Rules

Management Access Rules

Information About EtherType Rules

Supported EtherTypes

Access Rules for Returning Traffic

Allowing MPLS

Licensing Requirements for Access Rules

Guidelines and Limitations

Default Settings

Configuring Access Rules

Monitoring Access Rules

Configuration Examples for Permitting or Denying Network Access

Feature History for Access Rules

C H A P T E R 35

Configuring AAA Servers and the Local Database

Information About AAA

Information About Authentication

Information About Authorization

Information About Accounting

Summary of Server Support

RADIUS Server Support

Authentication Methods

Attribute Support

RADIUS Authorization Functions

TACACS+ Server Support

RSA/SDI Server Support

RSA/SDI Version Support

Two-step Authentication Process

RSA/SDI Primary and Replica Servers

NT Server Support

Kerberos Server Support

LDAP Server Support

Authentication with LDAP

LDAP Server Types

HTTP Forms Authentication for Clientless SSL VPN

Local Database Support, Including as a Falback Method

How Fallback Works with Multiple Servers in a Group

Using Certificates and User Login Credentials

Using User Login Credentials

Using Certificates

Licensing Requirements for AAA Servers

Guidelines and Limitations

Configuring AAA

Task Flow for Configuring AAA

Configuring AAA Server Groups

Configuring LDAP Attribute Maps

Adding a User Account to the Local Database

Differentiating User Roles Using AAA

Using Local Authentication

Using RADIUS Authentication

Using LDAP Authentication

Using TACACS+ Authentication

Monitoring AAA Servers

Additional References

RFCs

Feature History for AAA Servers

C H A P T E R 36

Configuring the Identity Firewall

Information About the Identity Firewall

Overview of the Identity Firewall

Architecture for Identity Firewall Deployments

Features of the Identity Firewall

Deployment Scenarios

Cut-through Proxy and VPN Authentication

Licensing for the Identity Firewall

Guidelines and Limitations

Prerequisites

Configuring the Identity Firewall

Task Flow for Configuring the Identity Firewall

Configuring the Active Directory Domain

Configuring Active Directory Agents

Configuring Identity Options

Configuring Identity-based Access Rules

Configuring Cut-through Proxy Authentication

Configuring VPN Authentication

Monitoring the Identity Firewall

Monitoring AD Agents

Monitoring Groups

Monitoring Memory Usage for the Identity Firewall

Monitoring Users for the Identity Firewall

C H A P T E R 37

Configuring Management Access

Configuring ASA Access for ASDM, Telnet, or SSH

Licensing Requirements for ASA Access for ASDM, Telnet, or SSH

Guidelines and Limitations

Configuring Telnet Access

Using a Telnet Client

Configuring SSH Access

Using an SSH Client

Configuring HTTPS Access for ASDM

Configuring CLI Parameters

Licensing Requirements for CLI Parameters

Guidelines and Limitations

Configuring a Login Banner

Customizing a CLI Prompt

Changing the Console Timeout

Configuring ICMP Access

Information About ICMP Access

Licensing Requirements for ICMP Access

Guidelines and Limitations

Default Settings

Configuring ICMP Access

Configuring Management Access Over a VPN Tunnel

Licensing Requirements for a Management Interface

Guidelines and Limitations

Configuring a Management Interface

Configuring AAA for System Administrators

Information About AAA for System Administrators

Information About Management Authentication

Information About Command Authorization

Licensing Requirements for AAA for System Administrators

Prerequisites

Guidelines and Limitations

Default Settings

Configuring Authentication for CLI and ASDM Access

Configuring Authentication to Access Privileged EXEC Mode (the enable Command)

Configuring Authentication for the enable Command

Authenticating Users with the login Command

Limiting User CLI and ASDM Access with Management Authorization

Configuring Local Command Authorization

Viewing Local Command Privilege Levels

Configuring Commands on the TACACS+ Server

Configuring TACACS+ Command Authorization

Configuring Management Access Accounting

Viewing the Currently Logged-In User

Recovering from a Lockout

Feature History for Management Access

C H A P T E R 38

Configuring AAA Rules for Network Access

AAA Performance

Licensing Requirements for AAA Rules

Guidelines and Limitations

Configuring Authentication for Network Access

Information About Authentication

One-Time Authentication

Applications Required to Receive an Authentication Challenge

ASA Authentication Prompts

Static PAT and HTTP

Configuring Network Access Authentication

Enabling Secure Authentication of Web Clients

Authenticating Directly with the ASA

Authenticating HTTP(S) Connections with a Virtual Server

Authenticating Telnet Connections with a Virtual Server

Configuring Authorization for Network Access

Configuring TACACS+ Authorization

Configuring RADIUS Authorization

Configuring a RADIUS Server to Send Downloadable Access Control Lists

Configuring a RADIUS Server to Download Per-User Access Control List Names

Configuring Accounting for Network Access

Using MAC Addresses to Exempt Traffic from Authentication and Authorization

Feature History for AAA Rules

C H A P T E R 39

Configuring Filtering Services

Information About Web Traffic Filtering

Configuring ActiveX Filtering

Information About ActiveX Filtering

Guidelines and Limitations for ActiveX Filtering

Configuring ActiveX Filtering

Configuration Examples for ActiveX Filtering

Feature History for ActiveX Filtering

Configuring Java Applet Filtering

Information About Java Applet Filtering

Licensing Requirements for Java Applet Filtering

Guidelines and Limitations for Java Applet Filtering

Configuring Java Applet Filtering

Configuration Examples for Java Applet Filtering

Feature History for Java Applet Filtering

Filtering URLs and FTP Requests with an External Server

Information About URL Filtering

Licensing Requirements for URL Filtering

Guidelines and Limitations for URL Filtering

Identifying the Filtering Server

Configuring Additional URL Filtering Settings

Buffering the Content Server Response

Caching Server Addresses

Filtering HTTP URLs

Filtering HTTPS URLs

Filtering FTP Requests

Monitoring Filtering Statistics

Feature History for URL Filtering

C H A P T E R 40

Configuring Web Cache Services Using WCCP

Information About WCCP

Guidelines and Limitations

Licensing Requirements for WCCP

Enabling WCCP Redirection

WCCP Monitoring Commands

Feature History for WCCP

C H A P T E R 41

Configuring Digital Certificates

Information About Digital Certificates

Public Key Cryptography

Certificate Scalability

Trustpoints

Certificate Enrollment

Proxy for SCEP Requests

Revocation Checking

Supported CA Servers

CRLs

OCSP

The Local CA

Storage for Local CA Files

The Local CA Server

Licensing Requirements for Digital Certificates

Prerequisites for Local Certificates

Prerequisites for SCEP Proxy Support

Guidelines and Limitations

Configuring Digital Certificates

Configuring Key Pairs

Removing Key Pairs

Configuring Trustpoints

Configuring CRLs for a Trustpoint

Exporting a Trustpoint Configuration

Importing a Trustpoint Configuration

Configuring CA Certificate Map Rules

Obtaining Certificates Manually

Obtaining Certificates Automatically with SCEP

Configuring Proxy Support for SCEP Requests

Enabling the Local CA Server

Configuring the Local CA Server

Customizing the Local CA Server

Debugging the Local CA Server

Disabling the Local CA Server

Deleting the Local CA Server

Configuring Local CA Certificate Characteristics

Configuring the Issuer Name

Configuring the CA Certificate Lifetime

Configuring the User Certificate Lifetime

Configuring the CRL Lifetime

Configuring the Server Keysize

Setting Up External Local CA File Storage

Storing CRLs

Setting Up Enrollment Parameters

Adding and Enrolling Users

Renewing Users

Restoring Users

Removing Users

Revoking Certificates

Maintaining the Local CA Certificate Database

Rolling Over Local CA Certificates

Archiving the Local CA Server Certificate and Keypair

Monitoring Digital Certificates

Feature History for Certificate Management

P A R T 10

Configuring Application Inspection

C H A P T E R 42

Getting Started With Application Layer Protocol Inspection

Information about Application Layer Protocol Inspection

How Inspection Engines Work

When to Use Application Protocol Inspection

Guidelines and Limitations

Default Settings

Configuring Application Layer Protocol Inspection

C H A P T E R 43

Configuring Inspection of Basic Internet Protocols

DNS Inspection

How DNS Application Inspection Works

How DNS Rewrite Works

Configuring DNS Rewrite

Configuring DNS Rewrite with Two NAT Zones

Overview of DNS Rewrite with Three NAT Zones

Configuring DNS Rewrite with Three NAT Zones

Configuring a DNS Inspection Policy Map for Additional Inspection Control

Verifying and Monitoring DNS Inspection

FTP Inspection

FTP Inspection Overview

Using the strict Option

Configuring an FTP Inspection Policy Map for Additional Inspection Control

HTTP Inspection

HTTP Inspection Overview

Configuring an HTTP Inspection Policy Map for Additional Inspection Control

ICMP Inspection

ICMP Error Inspection

Instant Messaging Inspection

IM Inspection Overview

Configuring an Instant Messaging Inspection Policy Map for Additional Inspection Control

IP Options Inspection

IP Options Inspection Overview

Configuring an IP Options Inspection Policy Map for Additional Inspection Control

IPsec Pass Through Inspection

IPsec Pass Through Inspection Overview

Example for Defining an IPsec Pass Through Parameter Map

IPv6 Inspection

Configuring an IPv6 Inspection Policy Map

NetBIOS Inspection

NetBIOS Inspection Overview

Configuring a NetBIOS Inspection Policy Map for Additional Inspection Control

PPTP Inspection

SMTP and Extended SMTP Inspection

SMTP and ESMTP Inspection Overview

Configuring an ESMTP Inspection Policy Map for Additional Inspection Control

TFTP Inspection

C H A P T E R 44

Configuring Inspection for Voice and Video Protocols

CTIQBE Inspection

CTIQBE Inspection Overview

Limitations and Restrictions

Verifying and Monitoring CTIQBE Inspection

H.323 Inspection

H.323 Inspection Overview

How H.323 Works

H.239 Support in H.245 Messages

Limitations and Restrictions

Configuring an H.323 Inspection Policy Map for Additional Inspection Control

Configuring H.323 and H.225 Timeout Values

Monitoring H.225 Sessions

Monitoring H.245 Sessions

Monitoring H.323 RAS Sessions

MGCP Inspection

MGCP Inspection Overview

Configuring an MGCP Inspection Policy Map for Additional Inspection Control

Configuring MGCP Timeout Values

Verifying and Monitoring MGCP Inspection

RTSP Inspection

RTSP Inspection Overview

Using RealPlayer

Restrictions and Limitations

Configuring an RTSP Inspection Policy Map for Additional Inspection Control

SIP Inspection

SIP Inspection Overview

SIP Instant Messaging

Configuring a SIP Inspection Policy Map for Additional Inspection Control

Configuring SIP Timeout Values

Verifying and Monitoring SIP Inspection

Skinny (SCCP) Inspection

SCCP Inspection Overview

Supporting Cisco IP Phones

Restrictions and Limitations

Configuring a Skinny (SCCP) Inspection Policy Map for Additional Inspection Control

Verifying and Monitoring SCCP Inspection

C H A P T E R 45

Configuring Inspection of Database and Directory Protocols

ILS Inspection

SQL*Net Inspection

Sun RPC Inspection

Sun RPC Inspection Overview

Managing Sun RPC Services

Verifying and Monitoring Sun RPC Inspection

C H A P T E R 46

Configuring Inspection for Management Application Protocols

DCERPC Inspection

DCERPC Overview

GTP Inspection

GTP Inspection Overview

Configuring a GTP Inspection Policy Map for Additional Inspection Control

Verifying and Monitoring GTP Inspection

RADIUS Accounting Inspection

RADIUS Accounting Inspection Overview

Configuring a RADIUS Inspection Policy Map for Additional Inspection Control

RSH Inspection

SNMP Inspection

SNMP Inspection Overview

Configuring an SNMP Inspection Policy Map for Additional Inspection Control

XDMCP Inspection

P A R T 11

Configuring Unified Communications

C H A P T E R 47

Information About Cisco Unified Communications Proxy Features

Information About the Adaptive Security Appliance in Cisco Unified Communications

TLS Proxy Applications in Cisco Unified Communications

Licensing for Cisco Unified Communications Proxy Features

C H A P T E R 48

Configuring the Cisco Phone Proxy

Information About the Cisco Phone Proxy

Phone Proxy Functionality

Supported Cisco UCM and IP Phones for the Phone Proxy

Licensing Requirements for the Phone Proxy

Prerequisites for the Phone Proxy

Media Termination Instance Prerequisites

Certificates from the Cisco UCM

DNS Lookup Prerequisites

Cisco Unified Communications Manager Prerequisites

Access List Rules

NAT and PAT Prerequisites

Prerequisites for IP Phones on Multiple Interfaces

7960 and 7940 IP Phones Support

Cisco IP Communicator Prerequisites

Prerequisites for Rate Limiting TFTP Requests

Rate Limiting Configuration Example