User and maintenance manual for the ASA 5585-X product from the manufacturer Cisco Systems
Cisco Systems, Inc. www.cisco.com Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices. Cisco ASA Series Firewall ASDM Configuration Guide Software Version 7.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED.
CONTENTS
About This Guide 21 Document Objectives 21 Related Documentation 21 Conventions 22 Obtaining Documentation and Submitting a Service Requ.
Defining Actions in an Inspection Policy Map 2-3 Identifying Traffic in an Inspection Class Map 2-3 Where to Go Next 2-4 Feature History for Inspection Policy Maps 2-4 PART 2 Configuring Network Address Translation CHAPTER 3 Information About NAT (ASA 8.
CHAPTER 4 Configuring Network Object NAT (ASA 8.3 and Later) 4-1 Information About Network Object NAT 4-1 Licensing Requirements for Netw.
Monitoring Twice NAT 5-29 Configuration Examples for Twice NAT 5-30 Different Translation Depending on the Destination (Dynamic PAT) 5-3.
Default Settings 7-7 Configuring Access Rules 7-8 Adding an Access Rule 7-8 Adding an EtherType Rule (Transparent Mode Only) 7-9 Configuri.
CHAPTER 10 Getting Started with Application Layer Protocol Inspection 10-1 Information about Application Layer Protocol Inspection 10-1 H.
ICMP Inspection 11-39 ICMP Error Inspection 11-39 Instant Messaging Inspection 11-39 IM Inspection Overview 11-40 Adding a Class Map fo.
CHAPTER 12 Configuring Inspection for Voice and Video Protocols 12-1 CTIQBE Inspection 12-1 CTIQBE Inspection Overview 12-1 Limitations and Restrictions 12-2 H.323 Inspection 12-2 H.323 Inspection Overview 12-3 How H.
SIP Class Map 12-23 Add/Edit SIP Traffic Class Map 12-24 Add/Edit SIP Match Criterion 12-24 SIP Inspect Map 12-26 Add/Edit SIP Policy M.
Add/Edit GTP Map 14-9 RADIUS Accounting Inspection 14-10 RADIUS Accounting Inspection Overview 14-11 Select RADIUS Accounting Map 14-1.
Configuring the Local-Side Certificates for the Cisco Presence Federation Proxy 16-15 Configuring the Remote-Side Certificates for the Ci.
Adding or Editing a Record Entry in a CTL File 17-16 Creating the Media Termination Instance 17-17 Creating the Phone Proxy Instance 17.
Architecture for Cisco Unified Presence for SIP Federation Deployments 20-1 Trust Relationship in the Presence Federation 20-4 Security.
CHAPTER 22 Configuring Connection Settings 22-1 Information About Connection Settings 22-1 TCP Intercept and Limiting Embryonic Connecti.
Viewing QoS Standard Priority Queue Statistics 23-13 Feature History for QoS 23-14 CHAPTER 24 Troubleshooting Connections and Resources.
(Optional) Configuring the User Identity Monitor 25-25 Configuring the Cloud Web Security Policy 25-26 Monitoring Cloud Web Security 25-.
Monitoring Basic Threat Detection Statistics 27-4 Feature History for Basic Threat Detection Statistics 27-5 Configuring Advanced Threat.
Feature History for URL Filtering 29-12 PART 8 Configuring Modules CHAPTER 30 Configuring the ASA CX Module 30-1 Information About the.
Feature History for the ASA CX Module 30-33 CHAPTER 31 Configuring the ASA IPS Module 31-1 Information About the ASA IPS Module 31-1 How.
Connecting to the CSC SSM 32-8 Determining Service Policy Rule Actions for CSC Scanning 32-9 CSC SSM Setup Wizard 32-10 Activation/Licens.
About This Guide
This preface introduces the Cisco ASA Series Firewall ASDM Configuration Guide and includes the following sections: • Docume.
Conventions
This document uses the following conventions: Note means reader take note. Tip means the following information will help you solve a problem. Caution means reader be careful.
PART 1 Configuring Service Policies
1-1 CHAPTER 1 Configuring a Service Policy
Service policies provide a consistent and flexible way to configure ASA features.
1-2 Information About Service Policies; Feature Directionality
Actions are applied to traffic bidirectionally or unidirectionally depending on the feature.
1-3 Note: When you use a global policy, all features are unidirectional; features that are normally bidirectional when applied to a single interface only apply to the ingress of each interface when applied globally.
1-4 For example, if a packet matches a rule for connection limits, and also matches a rule for an application inspection, then both actions are applied.
1-5 Licensing Requirements for Service Policies; Incompatibility of Certain Feature Actions
Some features are not compatible with each other for the same traffic.
1-6 Guidelines and Limitations
This section includes the guidelines and limitations for this feature. Context Mode Guidelines: Supported in single and multiple context mode.
1-7 Default Settings
• You can only apply one global policy. For example, you cannot create a global policy that includes feature set 1, and a separate global policy that includes feature set 2.
1-8 Task Flows for Configuring Service Policies
• IP Options. Default Traffic Classes: The configuration incl.
1-9 Adding a Service Policy Rule for Through Traffic
Note: When you click the Add button, and not the small arrow on the right of the Add button, you add a through traffic rule by default.
1-10 • Global - applies to all interfaces. This option applies the service policy globally to all interfaces.
1-11 – TCP or UDP Destination Port: The class matches a single port or a contiguous range of ports.
1-12 Specify the address and subnet mask using prefix/length notation, such as 10.1.1.0/24. If you enter an IP address without a mask, it is considered to be a host address, even if it ends with a 0.
1-13 Adding a Service Policy Rule for Management Traffic
Add additional values as desired, or remove them using the Remove button. Step 7 Click Next. The Add Service Policy Rule - Rule Actions dialog box appears.
1-14 Identify the traffic using one of several criteria: – Source and Destination IP Address (uses ACL): The class matches traffic specified by an extended ACL.
1-15 Managing the Order of Service Policy Rules
Specify the address and subnet mask using prefix/length notation, such as 10.1.1.0/24. If you enter an IP address without a mask, it is considered to be a host address, even if it ends with a 0.
1-16 • If the packet matches a subsequent rule for a different feature type, however, then the ASA also applies the actions for the subsequent rule.
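The matching behaviour this chapter describes (the first matching rule wins for a given feature type, a later rule for a different feature type is still applied, and a bare address in an address field is a host) is easier to reason about against a small model. The following Python is an added example, not code from the Cisco guide or from ASDM: interface, class-map and action names are constructed, and the model also encodes the ASA rule that the policy on the ingress interface takes precedence over the global policy for the same feature, which this excerpt does not show.

```python
"""Model of how an ASA service policy picks actions for one packet.

Added example, not Cisco code: it encodes the matching behaviour the
chapter describes so it can be run offline. Interface, class-map and
action names are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    ingress: str    # interface the packet arrived on


@dataclass
class Rule:
    name: str                       # class-map name (constructed)
    feature: str                    # feature type, e.g. "conn-limit", "inspect-http"
    action: str                     # action text (constructed)
    proto: Optional[str] = None     # protocol criterion, None = any
    dports: Optional[range] = None  # TCP/UDP destination port or contiguous range
    acl: List[Tuple[str, str]] = field(default_factory=list)  # (source, destination) pairs

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dports is not None and pkt.dport not in self.dports:
            return False
        if self.acl:
            src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
            return any(src in network(s) and dst in network(d) for s, d in self.acl)
        return True


def network(text: str):
    """Parse prefix/length notation such as 10.1.1.0/24.

    A bare address with no mask is a host address even if it ends with
    a 0 (10.1.1.0 becomes 10.1.1.0/32), which is what the chapter says
    the ASDM address fields do.
    """
    return ipaddress.ip_network(text, strict=False)


def select_actions(policies: Dict[str, List[Rule]], pkt: Packet) -> Dict[str, Tuple[str, str]]:
    """Return {feature: (rule_name, action)} for the packet.

    The policy attached to the ingress interface is consulted before the
    global policy, so for a given feature the interface policy takes
    precedence. Within a policy, rules are examined in order: the first
    rule that matches for a given feature type wins and later rules for
    the same feature type are ignored, but a later rule for a different
    feature type is still applied.
    """
    chosen: Dict[str, Tuple[str, str]] = {}
    for scope in (pkt.ingress, "global"):
        for rule in policies.get(scope, []):
            if rule.feature in chosen:
                continue
            if rule.matches(pkt):
                chosen[rule.feature] = (rule.name, rule.action)
    return chosen


# Constructed policies: a per-interface policy on "outside" and a global policy.
POLICIES: Dict[str, List[Rule]] = {
    "outside": [
        Rule("web_conn_limit", "conn-limit", "set connection conn-max 1000",
             proto="tcp", dports=range(80, 81), acl=[("0.0.0.0/0", "10.1.2.27")]),
    ],
    "global": [
        Rule("inspection_default_http", "inspect-http", "inspect http",
             proto="tcp", dports=range(80, 81)),
        Rule("inspection_default_dns", "inspect-dns", "inspect dns",
             proto="udp", dports=range(53, 54)),
        Rule("any_conn_limit", "conn-limit", "set connection embryonic-conn-max 200"),
        # Same feature type as inspection_default_http: never applied to port-80 traffic.
        Rule("strict_http", "inspect-http", "inspect http strict_http_map",
             proto="tcp", dports=range(80, 81)),
    ],
}

# Constructed sample packets.
PKT_WEB = Packet("203.0.113.5", "10.1.2.27", "tcp", 80, "outside")
PKT_TELNET = Packet("203.0.113.5", "10.1.2.27", "tcp", 23, "outside")
PKT_DNS = Packet("10.1.1.75", "198.51.100.53", "udp", 53, "inside")

if __name__ == "__main__":
    for pkt in (PKT_WEB, PKT_TELNET, PKT_DNS):
        print(pkt.dst, pkt.proto, pkt.dport, "->", select_actions(POLICIES, pkt))
```

For the web packet the interface rule supplies the connection limit and the global policy still supplies HTTP inspection; the global connection-limit rule is skipped because that feature was already chosen, and the second HTTP inspection rule is never reached for port-80 traffic, which is exactly the shadowing the rule-order section warns about.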
1-17 Feature History for Service Policies
Table 1-3 lists the release history for this feature.
2-1 CHAPTER 2 Configuring Special Actions for Application Inspections (Inspection Policy Map)
Modular Policy Framework lets you configure special actions for many application inspections.
2-2 Guidelines and Limitations
policy map is that you can create more complex match criteria and you can reuse class maps.
2-3 Defining Actions in an Inspection Policy Map
Note: There are other default inspection policy maps such as _default_esmtp_map.
2-4 Where to Go Next
Step 4 Follow the instructions for your inspection type in the inspection chapter.
PART 2 Configuring Network Address Translation
3-1 CHAPTER 3 Information About NAT (ASA 8.3 and Later)
This chapter provides an overview of how Network Address Translation (NAT) works on the ASA.
3-2 NAT Terminology
One of the main functions of NAT is to enable private IP networks to connect to the Internet.
3-3 NAT Types
• NAT Types Overview, page 3-3 • Static NAT, page 3-3 • Dyn.
3-4 Figure 3-1 shows a typical static NAT scenario. The translation is always active so both real and remote hosts can initiate connections.
3-5 Note: For applications that require application inspection for secondary channels (for example, FTP and VoIP), the ASA automatically translates the secondary ports.
3-6 Static Interface NAT with Port Translation
You can configure static NAT to map a real address to an interface address/port combination.
3-7 For example, you have a load balancer at 10.1.2.27. Depending on the URL requested, it redirects traffic to the correct web server (see Figure 3-5).
3-8 Figure 3-6 shows a typical few-to-many static NAT scenario.
3-9 Information About Dynamic NAT
Dynamic NAT translates a group of real addresses to a pool of mapped addresses that are routable on the destination network.
3-10 Note: For the duration of the translation, a remote host can initiate a connection to the translated host if an access rule allows it.
3-11 Figure 3-10 shows a typical dynamic PAT scenario. Only real hosts can create a NAT session, and responding traffic is allowed back.
3-12 NAT in Routed and Transparent Mode; Identity NAT
You might have a NAT configuration in which you need to translate an IP address to itself.
3-13 NAT in Routed Mode
Figure 3-12 shows a typical NAT example in routed mode, with a private network on the inside.
3-14 Figure 3-13 NAT Example: Transparent Mode. 1. When the inside host at 10.1.1.75 sends a packet to a web server, the real source address of the packet, 10.
3-15 NAT and IPv6
You can use NAT to translate between IPv6 networks, and also to translate between IPv4 and IPv6 networks (routed mode only).
3-16 How NAT is Implemented
• How source and destination NAT is implemented. – Network object NAT: Each rule can apply to either the source or destination of a packet.
3-17 Twice NAT also lets you use service objects for static NAT with port translation; network object NAT only accepts inline definition.
3-18 Figure 3-15 shows the use of source and destination ports. The host on the 10.1.2.0/24 network accesses a single host for both web services and Telnet services.
3-19 Figure 3-16 shows a remote host connecting to a mapped host. The mapped host has a twice static NAT translation that translates the real address only for traffic to and from the 209.
3-20 NAT Rule Order
Network object NAT rules and twice NAT rules are stored in a single table that is divided into three sections.
3-21 NAT Interfaces
For section 2 rules, for example, you have the following IP addresses defined within network objects: 192.168.1.0/24 (static) 192.
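The ordering of the NAT table is what makes overlapping rules predictable, so it is worth rehearsing with real addresses. The following Python is an added example, not Cisco code: it models the three sections of the table and the automatic ordering of section 2 (static rules before dynamic rules, then fewer real addresses first, then the lower real address first, then object name), and shows that a section 1 twice NAT rule wins over a more specific section 2 rule. The object names and addresses are constructed, apart from 192.168.1.0/24 (static) from the chapter's own example; the destination-dependent rule in section 1 echoes the identity NAT for VPN traffic described later in this chapter.

```python
"""Model of the ASA NAT rule table: three sections and section 2 auto-ordering.

Added example, not Cisco code. Section 1 and section 3 (twice NAT) keep
their configured order; section 2 (network object NAT) is sorted by the
ASA: static before dynamic, fewer real addresses first, lower real
address first, then alphabetical object name. Names and addresses below
are constructed except 192.168.1.0/24 (static) from the chapter.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class NatRule:
    section: int                # 1 = twice NAT, 2 = network object NAT, 3 = twice NAT after auto
    name: str                   # network object name, or a label for twice NAT rules
    kind: str                   # "static" or "dynamic"
    real: str                   # real (source) addresses; a bare address is a host
    mapped: str                 # mapped addresses or "interface"
    real_if: str = "any"
    mapped_if: str = "any"
    dest: Optional[str] = None  # twice NAT only: destination addresses the rule requires
    order: int = 0              # configured position, used in sections 1 and 3


def real_net(rule: NatRule):
    return ipaddress.ip_network(rule.real, strict=False)


def section2_key(rule: NatRule):
    """Sort key for network object NAT rules (the ASA orders these for you)."""
    net = real_net(rule)
    return (0 if rule.kind == "static" else 1,   # static rules first
            net.num_addresses,                   # fewer real addresses first
            int(net.network_address),            # lower real address first
            rule.name)                           # finally alphabetical by object name


def effective_order(rules: List[NatRule]) -> List[NatRule]:
    """Return the rules in the order the ASA evaluates them."""
    s1 = sorted((r for r in rules if r.section == 1), key=lambda r: r.order)
    s2 = sorted((r for r in rules if r.section == 2), key=section2_key)
    s3 = sorted((r for r in rules if r.section == 3), key=lambda r: r.order)
    return s1 + s2 + s3


def lookup(rules: List[NatRule], src: str, dst: str, ingress: str) -> Optional[NatRule]:
    """First rule, in effective order, whose real side matches the packet's source.

    Twice NAT rules also require the destination to match; a rule with
    real_if "any" applies on every interface.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in effective_order(rules):
        if rule.real_if not in ("any", ingress):
            continue
        if s not in real_net(rule):
            continue
        if rule.dest is not None and d not in ipaddress.ip_network(rule.dest, strict=False):
            continue
        return rule
    return None


# Constructed rule table. The twice NAT identity rule in section 1 keeps
# VPN-bound traffic untranslated even though a more specific static rule
# for 192.168.1.1 exists in section 2: section order beats specificity.
RULES = [
    NatRule(1, "vpn-identity", "static", "192.168.1.0/24", "192.168.1.0/24",
            "inside", "outside", dest="10.3.3.0/24", order=1),
    NatRule(2, "obj-192.168.1.0", "static", "192.168.1.0/24", "209.165.200.0/24", "inside", "outside"),
    NatRule(2, "obj-192.168.1.0-dyn", "dynamic", "192.168.1.0/24", "interface", "inside", "outside"),
    NatRule(2, "obj-10.1.1.0", "static", "10.1.1.0/24", "209.165.201.0/24", "inside", "outside"),
    NatRule(2, "obj-172.16.1.0", "dynamic", "172.16.1.0/24", "interface", "inside", "outside"),
    NatRule(2, "web-server", "static", "192.168.1.1", "209.165.201.10", "inside", "outside"),
    NatRule(2, "admin-host", "dynamic", "192.168.1.1", "interface", "inside", "outside"),
]

if __name__ == "__main__":
    for i, rule in enumerate(effective_order(RULES), 1):
        print(i, rule.section, rule.kind, rule.name, rule.real)
    print(lookup(RULES, "192.168.1.1", "10.3.3.5", "inside").name)      # vpn-identity
    print(lookup(RULES, "192.168.1.1", "198.51.100.7", "inside").name)  # web-server
```

Note that the two rules for 192.168.1.1 (one static, one dynamic) end up far apart in the effective order: the static one is evaluated before every dynamic /24, while the dynamic one is only reached if no static rule claims the address. When troubleshooting a translation, compare this order against the rule you expected to match rather than against the order in which the objects were created.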
3-22 Routing NAT Packets
The ASA needs to be the destination for any packets sent to the mapped address. The ASA also needs to determine the egress interface for any packets it receives destined for mapped addresses.
3-23 (8.3(1), 8.3(2), and 8.4(1)) The default behavior for identity NAT has proxy ARP disabled. You cannot configure this setting.
3-24 Figure 3-19 Proxy ARP and Virtual Telnet. Transparent Mode Routing Requirements for Remote Networks: When you use NAT in transparent mode, some types of traffic require static routes.
3-25 NAT for VPN
Figure 3-20 Routed Mode Egress Interface Selection. NAT for VPN • NAT.
3-26 Figure 3-21 Interface PAT for Internet-Bound VPN Traffic (Intra-Interface). Figure 3-22 shows a VPN client that wants to access an inside mail server.
3-27 Figure 3-22 Identity NAT for VPN Clients. See the following sample NAT confi.
3-28 Figure 3-23 Interface PAT and Identity NAT for Site-to-Site VPN. Figure 3-24 shows a VPN client connected to ASA 1 (Boulder), with a Telnet request for a server (10.
3-29
object network vpn_local
 subnet 10.3.3.0 255.255.255.0
 nat (outside,outside) dynamic interface
! Identify inside Boulder network, & perform object interface PAT when going to Internet:
object network boulder_inside
 subnet 10.
3-30 Figure 3-25 shows a VPN client Telnetting to the ASA inside interface.
3-31 DNS and NAT
! Use twice NAT to pass traffic between the inside network and the VPN client w.
3-32 Figure 3-26 shows a DNS server that is accessible from the outside interface. A server, ftp.cisco.com, is on the inside interface.
3-33 a static rule between the inside and DMZ, then you also need to enable DNS reply modification on this rule. The DNS reply will then be modified two times.
3-34 Figure 3-28 shows an FTP server and DNS server on the outside. The ASA has a static translation for the outside server. In this case, when an inside user requests the address for ftp.
3-35 Because you want inside users to use the mapped address for ftp.cisco.com (2001:DB8::D1A5:C8E1) you need to configure DNS reply modification for the static translation.
3-36 Where to Go Next
Figure 3-30 shows an FTP server and DNS server on the outside. The ASA has a static translation for the outside server. In this case, when an inside user performs a reverse DNS lookup for 10.
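The DNS reply modification described in this section (the inside-server case of Figure 3-26, the outside-server case of Figure 3-28 and the NAT46 case) can be modelled in a few lines. The following Python is an added example, not Cisco code, and it covers only the single-rewrite scenarios, not the DMZ case above in which the reply is modified twice. Addresses and interface names are constructed except 2001:DB8::D1A5:C8E1, the mapped IPv6 address the section gives for ftp.cisco.com, which the code derives by embedding 209.165.200.225 in the 2001:db8::/96 prefix; converting the A record to an AAAA record in the NAT46 case is an assumption of this model.

```python
"""DNS reply modification ("DNS rewrite") for static NAT, modelled in Python.

Added example, not Cisco code. When a DNS reply crosses the ASA and an
address in it matches a static NAT rule that has DNS reply modification
enabled, the address is rewritten to the form the client on the other
side must use. Rule sets below are constructed; 2001:db8::d1a5:c8e1 is
the chapter's mapped address, derived here from 209.165.200.225.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class StaticNat:
    real_if: str       # interface where the real address lives
    mapped_if: str     # interface where the mapped address is seen
    real: str
    mapped: str
    dns: bool = False  # "Translate DNS replies that match this rule"


@dataclass(frozen=True)
class DnsRecord:
    rtype: str         # "A" or "AAAA"
    address: str


def nat46_address(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """Embed an IPv4 address in an IPv6 /96 prefix (one-to-one NAT46 mapping)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError("one-to-one NAT46 embedding needs a /96 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | int(ipaddress.IPv4Address(ipv4)))


def _rtype(address: str) -> str:
    return "AAAA" if ipaddress.ip_address(address).version == 6 else "A"


def rewrite_reply(rules: List[StaticNat], ingress: str, records: List[DnsRecord]) -> List[DnsRecord]:
    """Rewrite the answer records of a DNS reply that entered on `ingress`.

    The reply comes from the DNS server's side, so an address in it is in
    that side's form. If the reply enters on the rule's mapped interface
    and carries the mapped address, the client is on the real side and
    gets the real address; if it enters on the real interface and carries
    the real address, the client gets the mapped address. Rules without
    DNS reply modification, and records that match no rule, are left alone.
    The record type follows the address family of the rewritten address
    (assumption: A becomes AAAA for NAT46).
    """
    out = []
    for rec in records:
        addr = ipaddress.ip_address(rec.address)
        new = rec
        for rule in rules:
            if not rule.dns:
                continue
            if ingress == rule.mapped_if and addr == ipaddress.ip_address(rule.mapped):
                new = DnsRecord(_rtype(rule.real), rule.real)
                break
            if ingress == rule.real_if and addr == ipaddress.ip_address(rule.real):
                new = DnsRecord(_rtype(rule.mapped), rule.mapped)
                break
        out.append(new)
    return out


# Scenario 1 (constructed): DNS server on the outside, ftp.cisco.com on the inside
# with static NAT 10.1.3.14 -> 209.165.201.10. The reply from the outside server
# carries the mapped address; the inside client needs the real one.
INSIDE_SERVER = [StaticNat("inside", "outside", "10.1.3.14", "209.165.201.10", dns=True)]

# Scenario 2 (constructed): FTP and DNS servers on the outside; the outside server
# 209.165.201.10 is translated to 10.1.2.56 on the inside. The reply carries the
# real address; the inside client needs the mapped one.
OUTSIDE_SERVER = [StaticNat("outside", "inside", "209.165.201.10", "10.1.2.56", dns=True)]

# Scenario 3: NAT46. The outside FTP server 209.165.200.225 is reached from the
# IPv6 inside network as 2001:db8::d1a5:c8e1 (the chapter's mapped address).
MAPPED_V6 = str(nat46_address("2001:db8::/96", "209.165.200.225"))
NAT46 = [StaticNat("outside", "inside", "209.165.200.225", MAPPED_V6, dns=True)]

# Same rule as scenario 1 without DNS reply modification: the reply passes unchanged.
NO_DNS = [StaticNat("inside", "outside", "10.1.3.14", "209.165.201.10", dns=False)]

if __name__ == "__main__":
    reply = [DnsRecord("A", "209.165.201.10")]
    print(rewrite_reply(INSIDE_SERVER, "outside", reply))   # A 10.1.3.14
    print(rewrite_reply(OUTSIDE_SERVER, "outside", reply))  # A 10.1.2.56
    print(rewrite_reply(NAT46, "outside", [DnsRecord("A", "209.165.200.225")]))  # AAAA 2001:db8::d1a5:c8e1
```

The NO_DNS case is the failure mode the section warns about: without DNS reply modification the inside client receives 209.165.201.10 and tries to reach the server through its mapped address instead of directly, so when a client "can resolve but not connect" after a NAT change, check whether the matching static rule has the DNS option enabled before looking at access rules.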
4-1 CHAPTER 4 Configuring Network Object NAT (ASA 8.3 and Later)
All NAT rules that are configured as a parameter of a network object are considered to be network object NAT rules.
4-2 Licensing Requirements for Network Object NAT
Network object NAT rules are added to section 2 of the NAT rules table. For more information about NAT ordering, see the "NAT Rule Order" section on page 3-20.
4-3 Default Settings
• When using FTP with NAT46, when an IPv4 FTP client connects.
4-4 Configuring Network Object NAT
instead.
4-5 • Round robin, especially when combined with extended PAT, can consume a large amount of memory.
4-6 Step 4 Check the Add Automatic Translation Rules check box. Step 5 From the Type drop-down list, choose Dynamic.
4-7 a.
4-8 Step 8 (Optional) Click Advanced, and configure the following options in the Advanced NAT Settings dialog box.
4-9 • To add NAT to an existing network object, choose Configuration > Firewall > Objects > Network Objects/Groups, and then double-click a network object.
4-10 Step 4 Check the Add Automatic Translation Rules check box. Step 5 From the Type drop-down list, choose Dynamic PAT (Hide).
4-11 Note: You cannot specify an interface in transparent mode. • Click the browse button, and choose an existing host address from the Browse Translated Addr dialog box.
4-12 • To add a new network object, choose Configuration > Firewall > NAT Rules, then click Add > Add Network Object NAT Rule.
4-13 Step 4 Check the Add Automatic Translation Rules check box. Step 5 From the Type drop-down list, choose Static.
4-14 • Click the browse button, and create a new address from the Browse Translated Addr dialog box.
4-15 Step 9 Click OK, and then Apply.
4-16 c. IP Address: An IPv4 or IPv6 address. If you select Range as the object type, the IP Address field changes to allow you to enter a Start Address and an End Address.
4-17 Step 6 In the Translated Addr. field, do one of the following: • Type the same IP address that you used for the real address.
4-18 Configuring Per-Session PAT Rules
By default, all TCP PAT traffic and all UDP DNS traffic uses per-session PAT.
4-19 Monitoring Network Object NAT
A permit rule uses per-session PAT; a deny rule uses multi-session PAT. Step 3 Specify the Source Address either by typing an address or clicking the.
4-20 Configuration Examples for Network Object NAT
The Monitoring > Properties > Connection Graphs > Perfmon pane lets you view the performance information in a graphical format.
4-21 Providing Access to an Inside Web Server (Static NAT)
The following example performs static NAT for an inside web server.
4-22 Step 3 Configure static NAT for.
4-23 Step 5 Click OK to return to the Edit Network Object dialog box, click OK again, and then click Apply.
4-24 Figure 4-2 Dynamic NAT for Inside.
4-25 Step 3 Enable dynamic NAT for t.
4-26 b. Define the NAT pool addresses, and click OK. c. Choose the new network object by double-clicking it.
4-27 Step 6 Click OK to return to the Edit Network Object dialog box, then click OK again to return to the NAT Rules table.
4-28 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 4 Con figuring Network Object NAT (ASA 8.3 and Later) Configuration Examples for Network Object N AT Step 11 Click OK to retu rn to the Edit Network Object dialog box, click OK again, and then click A pply .
4-29 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 4 Configuring Network O bject NAT (ASA 8.3 and Later) Configuration Examp les for Network Objec t NAT Figur e 4-3 Static NA T with One-.
4-30 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 4 Con figuring Network Object NAT (ASA 8.3 and Later) Configuration Examples for Network Object N AT Step 3 Config ure static N A T for .
4-31 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 4 Configuring Network O bject NAT (ASA 8.3 and Later) Configuration Examp les for Network Objec t NAT c. Choose the ne w network object by double- clicking it. Cl ick OK to return to t he N A T conf iguration.
4-32 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 4 Con figuring Network Object NAT (ASA 8.3 and Later) Configuration Examples for Network Object N AT Single Address for FTP, HTTP, and S.
4-33 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 4 Configuring Network O bject NAT (ASA 8.3 and Later) Configuration Examp les for Network Objec t NAT Step 3 Click Advanced to configure the real and mapped interf aces and port translation for FTP .
4-34 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 4 Con figuring Network Object NAT (ASA 8.3 and Later) Configuration Examples for Network Object N AT Step 6 Click Advanced to configure the real and mapped in terfaces and port translatio n for HTTP .
4-35 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 4 Configuring Network O bject NAT (ASA 8.3 and Later) Configuration Examp les for Network Objec t NAT Step 9 Click Advanced to configure the real and mapped in terfaces and port translatio n for SMTP .
4-36 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 4 Con figuring Network Object NAT (ASA 8.3 and Later) Configuration Examples for Network Object N AT When an inside host sends a DNS request for the add r ess of ftp.cisco.com, the DNS server replies with the mapped address (209.
4-37 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 4 Configuring Network O bject NAT (ASA 8.3 and Later) Configuration Examp les for Network Objec t NAT Step 2 Define the FTP server address, and conf igure static N A T with DNS modificat ion: Step 3 Click Advanced to configure the real and mapp ed interfaces and DNS modif ication.
4-38 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 4 Con figuring Network Object NAT (ASA 8.3 and Later) Configuration Examples for Network Object N AT DNS Server and FTP Server on Mapped Interface, FTP Server is Translated (Static NAT with DNS Modification) Figure 4-6 sho ws an FTP server and DNS server on the outs id e.
4-39 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 4 Configuring Network O bject NAT (ASA 8.3 and Later) Configuration Examp les for Network Objec t NAT Step 2 Define the FTP server address, and conf igure static N A T with DNS modificat ion: Step 3 Click Advanced to configure the real and mapp ed interfaces and DNS modif ication.
IPv4 DNS Server and FTP Server on M.
b. Define the FTP server address, and configure static NAT with DNS modification and, because this is a one-to-one translation, configure the one-to-one method for NAT46.
d. Click OK to return to the Edit Network Object dialog box. Step 2 Configure NAT for the DNS server.
c. Click Advanced to configure the real and mapped interfaces. d. Click OK to return to the Edit Network Object dialog box.
c. Next to the PAT Pool Translated Address field, click the ... button to choose the PAT pool you created earlier, and click OK.
e. Click OK to return to the Edit Network Object dialog box. Step 5 Click OK, and then click Apply.
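The following is an added example, not part of the guide: the CLI form of the PAT pool procedure above (ASDM's "PAT Pool Translated Address" field with round robin), included so the resulting rule and its verification commands are visible. The object names and addresses (inside network 10.1.1.0/24, pool 209.165.201.1 through 209.165.201.30) are assumptions.

```cisco
! Added example (not from the guide). Assumed: inside 10.1.1.0/24 is translated
! on the outside interface using a pool of PAT addresses (ASA 8.4(2) and later).
object network PAT-POOL
 range 209.165.201.1 209.165.201.30

object network INSIDE-NET
 subnet 10.1.1.0 255.255.255.0
 ! "pat-pool" selects the pool object created above; "round-robin" assigns
 ! successive new connections to successive pool addresses rather than using
 ! up all ports on one address before moving to the next.
 nat (inside,outside) dynamic pat-pool PAT-POOL round-robin

! Verification: pool address/port usage (useful to spot port exhaustion)
! and the active translations.
show nat pool
show xlate
```

Note the limitation stated in the Twice NAT guidelines below: an address used in a PAT pool with extended PAT cannot also be used as the PAT address of a separate static NAT-with-port-translation rule.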
Feature History for Network Object NAT
PAT pool and round robin address assignment, 8.4(2)/8.5(1): You can now specify a pool of PAT addresses instead of a single address.
Automatic NAT rules to translate a VPN peer's local IP address back to the peer's real IP address, 8.
NAT support for reverse DNS lookups, 9.
CHAPTER 5 Configuring Twice NAT (ASA 8.3 and Later)
Twice NAT lets you identify both the source and destination address in a single rule.
Licensing Requirements for Twice NAT
Twice NAT also lets you use service objects for static NAT-with-port-translation; network object NAT only accepts inline definition.
Guidelines and Limitations
IPv6 Guidelines
• Supports IPv6.
• For routed mode, you can also translate between IPv4 and IPv6.
• For transparent mode, translating between IPv4 and IPv6 networks is not supported.
Default Settings
• By default, the rule is added to the end of section 1 of the NAT table.
• (Routed mode) The default real and mapped interface is Any, which applies the rule to all interfaces.
Configuring Twice NAT
• If you enable extended PAT for a dynamic PAT rule, then you cannot also use an address in the PAT pool as the PAT address in a separate static NAT-with-port-translation rule.
Step 2 Set the source and destination interfaces. By default in routed mode, both interfaces are set to --Any--. In transparent firewall mode, you must set specific interfaces.
a. For the Match Criteria: Original Packet > Source Address, cli.
Step 5 Choose Dynamic from the Match Criteria: Translated Packet > Source NAT Type drop-down list. This setting only applies to the source address; the destination translation is always static.
Note The object or group cannot contain a subnet.
c. For the Match Criteria: Translated Packet > Destination Ad.
Step 8 (Optional) Configure NAT options in the Options area. a. Enable rule—Enables this NAT rule. The rule is enabled by default.
Configuring Dynamic PAT (Hide)
This section describes how to configure twice NAT for dynamic PAT (hide).
Step 2 Set the source and destination interfaces. By default in routed mode, both interfaces are set to --Any--. In transparent firewall mode, you must set specific interfaces.
a. For the Match Criteria: Original Packet > Source Address, cli.
Step 5 Choose Dynamic PAT (Hide) from the Match Criteria: Translated Packet > Source NAT Type drop-down list.
a. For the Match Criteria: Translated Packet > Source Address, c.
You can also create a new service object from the Browse Translated Service dialog box and use this object as the mapped destination port.
Step 9 Click OK.
Configuring Static NAT or Static NAT-with-Port-Translation
This section describes how to configure a static NAT rule using twice NAT.
Step 2 Set the source and destination interfaces. By default in routed mode, both interfaces are set to --Any--. In transparent firewall mode, you must set specific interfaces.
a. For the Match Criteria: Original Packet > Source Address, cli.
Step 5 Choose Static from the Match Criteria: Translated Packet > Source NAT Type drop-down list. Static is the default setting.
For static NAT, the mapping is typically one-to-one, so the real addresses have the same quantity as the mapped addresses.
Step 8 (Optional) For NAT46, check the Use one-to-one address translation check box.
Step 10 Click OK.
Configuring Identity NAT
This section describes how to configure an identity NAT rule using twice NAT.
Step 2 Set the source and destination interfaces. By default in routed mode, both interfaces are set to --Any--. In transparent firewall mode, you must set specific interfaces.
a. For the Match Criteria: Original Packet > Source Address, cli.
Step 5 Choose Static from the Match Criteria: Translated Packet > Source NAT Type drop-down list. Static is the default setting.
For identity NAT for the destination address, simply use the same object or group for both the real and mapped addresses.
a. Enable rule—Enables this NAT rule. The rule is enabled by default. b. Disable Proxy ARP on egress interface—Disables proxy ARP for incoming packets to the mapped IP addresses.
Monitoring Twice NAT
Fields
• Available Graphs—Lists the components you can graph.
– Xlate Utilization—Displays the ASA NAT utilization.
Configuration Examples for Twice NAT
Figure 5-1 Twice NAT with Different Destination A.
Step 2 Set the source and destination interfaces: S.
c. Choose the new network object by double-clicking it. Click OK to return to the NAT configuration.
Step 6 For the Translated Source Address, click the browse button to add a new network object for the PAT address in the Browse Translated Source Address dialog box.
Step 8 Click OK to add the rule to the NAT table. Step 9 Add a NAT rule for traffic from the inside network to DMZ network 2: By default, the NAT rule is added to the end of section 1.
Step 10 Set the source and destination interfaces: Step 11 For the Original Source Address, type the name of the inside network object (myInsideNetwork) or click the browse button to choose it.
c. Choose the new network object by double-clicking it. Click OK to return to the NAT configuration.
Different Translation Depending on the Destination Address and Port (Dynamic PAT)
Figure 5-2 shows the use of source and destination ports.
Step 2 Set the source and destination interfaces: S.
c. Choose the new network object by double-clicking it. Click OK to return to the NAT configuration.
Step 5 For the Original Service, click the browse button to add a new service object for Telnet in the Browse Original Service dialog box.
Step 7 For the Translated Source Address, click the browse button to add a new network object for the PAT address in the Browse Translated Source Address dialog box.
Step 9 Click OK to add the rule to the NAT table. Step 10 Add a NAT rule for traffic from the inside network to the web server: By default, the NAT rule is added to the end of section 1.
Step 11 Set the real and mapped interfaces: Step 12 For the Original Source Address, type the name of the inside network object (myInsideNetwork) or click the browse button to choose it.
c. Choose the new service object by double-clicking it. Click OK to return to the NAT configuration.
c. Choose the new network object by double-clicking it. Click OK to return to the NAT configuration.
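The following is an added example, not taken from the guide, covering both twice NAT examples above (different translation depending on the destination, and depending on destination address and port). It shows the CLI rules that the ASDM steps produce, so that the ordering in section 1 and the "destination is always static" behaviour are explicit. The object name myInsideNetwork comes from the text; every other object name and every address and port is an assumption for illustration.

```cisco
! Added example (not from the guide). Assumed addresses: inside 10.1.2.0/24,
! DMZ network 1 = 209.165.201.0/27, DMZ network 2 = 209.165.200.224/27,
! PAT addresses 209.165.202.129 and 209.165.202.130.
object network myInsideNetwork
 subnet 10.1.2.0 255.255.255.0
object network DMZnetwork1
 subnet 209.165.201.0 255.255.255.224
object network DMZnetwork2
 subnet 209.165.200.224 255.255.255.224
object network PATaddress1
 host 209.165.202.129
object network PATaddress2
 host 209.165.202.130

! Example 1: same source, different PAT address depending on the destination.
! Source is dynamic PAT; the destination part is identity (same object twice),
! because destination translation in twice NAT is always static.
nat (inside,dmz) source dynamic myInsideNetwork PATaddress1 destination static DMZnetwork1 DMZnetwork1
nat (inside,dmz) source dynamic myInsideNetwork PATaddress2 destination static DMZnetwork2 DMZnetwork2

! Example 2: different translation depending on destination address AND port.
! Assumed: Telnet server 209.165.201.11, web server 209.165.201.12.
object network TelnetServer
 host 209.165.201.11
object network WebServer
 host 209.165.201.12
object service TELNET
 service tcp destination eq telnet
object service HTTP
 service tcp destination eq www
! "service real mapped": using the same service object twice leaves the port unchanged.
nat (inside,dmz) source dynamic myInsideNetwork PATaddress1 destination static TelnetServer TelnetServer service TELNET TELNET
nat (inside,dmz) source dynamic myInsideNetwork PATaddress2 destination static WebServer WebServer service HTTP HTTP

! Each rule is appended to the end of section 1 and section 1 is evaluated in
! order, first match wins. Check the order and hit counts:
show nat
! If a broader rule was entered first and shadows a specific one, re-enter the
! specific rule with a line number to place it ahead, for example line 1:
! nat (inside,dmz) 1 source dynamic myInsideNetwork PATaddress1 destination static TelnetServer TelnetServer service TELNET TELNET
```

When both example sets are present, the more specific address-and-port rules must sit above the network-wide rules in section 1, otherwise Telnet and web traffic to the DMZ servers matches the DMZnetwork1 rule first and the port-specific rules never get a hit.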
Feature History for Twice NAT
Table 5-1 lists each feature change and the platform release in which it was implemented.
Round robin PAT pool allocation uses the same IP address for existing hosts, 8.
Automatic NAT rules to translate a VPN peer's local IP address back to the peer's real IP address, 8.
NAT support for reverse DNS lookups, 9.
CHAPTER 6 Configuring NAT (ASA 8.2 and Earlier)
This chapter describes Network Address Translation, and includes the following sections:
NAT Overview
general operations configuration guide for more information about security levels. See the "NAT Control" section on page 6-4 for more information about NAT control.
NAT in Transparent Mode
Using NAT in transparent mode eliminates the need for the upstream or downstream routers to perform NAT for their networks.
Figure 6-2 NAT Example: Transparent Mode
NAT Control
NAT control requires tha.
Interfaces at the same security level are not required to use NAT to communicate.
NAT Types
This section describes the available NAT types, and includes the fol.
Figure 6-6 Remote Host Attempts to Connect to the Real Address
Figure 6-7 shows a remote host attempting to initiate a connection to a mapped address.
Dynamic NAT has these disadvantages:
• If the mapped pool has fewer addresses than the real group, you could run out of addresses if the amount of traffic is more than expected.
Static NAT
Static NAT creates a fixed translation of real address(es) to mapped address(es). With dynamic NAT and PAT, each host uses a different address or port for each subsequent translation.
For example, if you want to provide a single address for remote users to acces.
the other hand, lets you specify a particular interface on which to translate the addresses.
Figure 6-9 Policy NAT with Different Destination Addresses
Figure 6-10 shows the use of source and destination ports. The host on the 10.
For policy static NAT, both translated and remote hosts can originate traffic.
Order of NAT Rules Used to Match Real Addresses
The ASA matches real addresses to NAT rules in the following order: 1. NAT exemption—In order, until the first match.
When an inside host sends a DNS request for the address of ftp.cisco.com, the DNS server replies with the mapped address (209.165.
Figure 6-13 shows a web server and DNS server on the outside. The ASA has a static translation for the outside server.
Configuring NAT Control
Using Dynamic NAT
This section describes how to configure dynamic NAT, including dynamic NAT and PAT, dynamic policy NAT and PAT, and identity NAT.
Real Addresses and Global Pools Paired Using a Pool ID
In a dynamic NAT rul.
Figure 6-15). Figure 6-15 NAT Rules and Global Pools using the Same ID o.
Figure 6-16 Different NAT IDs
Multiple Addresses in the Same Global Pool
Y.
Figure 6-17 NAT and PAT Together
Outside NAT
If a NAT rule translates.
Figure 6-18 Outside NAT and Inside NAT Combined
Real Addresses in a NAT R.
Step 2 For a new pool, from the Interface drop-down list, choose the interface where you want to use the mapped IP addresses. Step 3 For a new pool, in the Pool ID field, enter a number between 1 and 2147483647.
To configure a dynamic NAT, PAT, or identity NAT rule, perform the following steps. Step 1 In the Configuration > Firewall > NAT Rules pane, choose Add > Add Dynamic NAT Rule.
TCP initial sequence number randomization can be disabled if required.
Step 2 In the Original area, from the Interface drop-down list, choose the interface that is connected to the hosts with real addresses that you want to translate.
Note You can also set these values using a security policy rule.
Using Static NAT
Policy NAT lets you identify real addresses for address translation by specifying the source and destination addresses. You can also optionally specify the source and destination ports.
Step 1 In the Configuration > Firewall > NAT Rules pane, choose Add > Add Static NAT Rule. The Add Static NAT Rule dialog box appears.
Note You can also set these values using a security policy rule.
Configuring Static Policy NAT, PAT, or Identity NAT
Figure 6-22 shows typical static policy NAT, static policy PAT, and static policy identity NAT scenarios.
Step 6 Specify the mapped IP address by clicking one of the following: • Use IP Address Enter the IP address or click the ..
– You use a WAAS device that requires the ASA not to randomize the sequence numbers of connections. • Maximum TCP Connections—Specifies the maximum number of TCP connections, between 0 and 65,535.
Using NAT Exemption
Step 3 In the Original area, from the Interface drop-down list, choose the interface that is connected to the hosts with real addresses that you want to exempt.
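The following is an added example, not from the guide: the pre-8.3 nat, global and static command forms behind the ASDM rule types in this chapter (dynamic NAT and PAT paired by pool ID, policy NAT, static NAT with DNS rewrite, identity NAT and NAT exemption), arranged in the order the ASA consults them when matching a real address. All interface names, addresses and pool IDs are assumptions chosen for illustration.

```cisco
! Added example (not from the guide). Assumed: inside 10.1.2.0/24, dmz server
! 10.1.3.14, VPN-reachable remote network 192.168.50.0/24, public block 209.165.201.0/27.

! With NAT control on, inside-to-lower-security traffic that matches no NAT
! rule is dropped rather than forwarded untranslated.
nat-control

! 1. NAT exemption is consulted first (in order, until the first match):
!    traffic toward the VPN network keeps its real addresses.
access-list NONAT extended permit ip 10.1.2.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list NONAT

! 2. Static NAT (regular and policy) is consulted next. The trailing "dns"
!    keyword rewrites DNS A-record replies for 209.165.201.10 to 10.1.3.14.
static (dmz,outside) 209.165.201.10 10.1.3.14 netmask 255.255.255.255 dns

! 3. Policy dynamic NAT: translate 10.1.2.0/24 to 209.165.202.129 (PAT) only
!    when the destination is 209.165.201.0/27. The pool ID (2) pairs nat with global.
access-list NET1 extended permit ip 10.1.2.0 255.255.255.0 209.165.201.0 255.255.255.224
nat (inside) 2 access-list NET1
global (outside) 2 209.165.202.129

! 4. Regular dynamic NAT is consulted last. Pool ID 1 pairs the real network
!    with a range (dynamic NAT) plus a single address, which is used for PAT
!    once the range is exhausted, so the "run out of addresses" problem is avoided.
nat (inside) 1 10.1.2.0 255.255.255.0
global (outside) 1 209.165.201.1-209.165.201.30
global (outside) 1 209.165.201.31

! Identity NAT: nat 0 without an access list translates the addresses to themselves.
nat (inside) 0 10.1.5.0 255.255.255.0

! Verification
show nat
show xlate
```

The pool ID is the only link between a nat statement and its global statements, so a typo in the ID on either side produces a rule that silently never translates; show xlate with live traffic is the quickest confirmation.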
PART 3 Configuring Access Control
CHAPTER 7 Configuring Access Rules
This chapter describes how to control network access through the ASA using access rules and includes.
Information About Access Rules
General Information About Rules
This section describes information for both a.
Rule Order
The order of rules is important. When the ASA decides whether to forward or drop a packet, the ASA tests the packet against each rule in the order in which the rules are listed; the first rule that matches is applied and no further rules are checked.
Note "Inbound" and "outbound" refer to the application of an ACL on an interface, either to traffic entering the ASA on an interface or traffic exiting the ASA on an interface.
Guidelines and Limitations
Context Mode Guidelines Supported in single and multiple context mode. Firewall Mode Guidelines Supported in routed and transparent firewall mode.
Table 7-1 lists common traffic types that you can allow through the transparent firewall.
Management Access Rules
You can configure access rules that control management traffic destined to the ASA.
Access Rules for Returning Traffic
Because EtherTypes are connectionless, you need to apply the rule to both interfaces if you want traffic to pass in both directions.
Licensing Requirements for Access Rules
Configuring Access Rules
This section includes the following topics: • Adding an.
Step 9 Select the service type. Step 10 (Optional) To add a time range to your access rule that specifies when traffic can be allowed or denied, click More Options to expand the list.
Step 5 In the Action field, click one of the following radio buttons next to the desired action: • Permit—Permits access if the conditions are matched.
Step 8 (Optional) Logging is enabled by default. You can disable logging by unchecking the check box, or you can change the logging level from the drop-down list.
• Alert Interval—The amount of time (1-3600 seconds) between system log messages (number 106101) that identify that the maximum number of deny flows was reached.
The Configuration > Device Management > Advanced > HTTP Redirect > Edit pane lets you change the HTTP redirect setting of an interface or the port from which it redirects HTTP connections.
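The following is an added example, not from the guide: the CLI equivalent of the access rule, time range, logging and EtherType procedures above, written so that rule order, the explicit deny-with-logging, the deny-flow limits, and the two-interface EtherType requirement can be seen together. The object names, addresses and ports are assumptions.

```cisco
! Added example (not from the guide). Assumed: web server 209.165.201.10 reachable
! from the outside; maintenance host 209.165.200.225 allowed SSH during a window.
object network WEB-SERVER
 host 209.165.201.10

time-range MAINT-WINDOW
 periodic weekdays 22:00 to 23:59

! Rules are evaluated top-down, first match wins, so the time-based rule and the
! permits must come before the final deny. New lines are appended to the end.
access-list OUTSIDE_IN extended permit tcp any object WEB-SERVER eq www
access-list OUTSIDE_IN extended permit tcp any object WEB-SERVER eq https
access-list OUTSIDE_IN extended permit tcp host 209.165.200.225 object WEB-SERVER eq ssh time-range MAINT-WINDOW
! The implicit deny at the end of an ACL is not logged; an explicit deny with
! "log" produces message 106100 with the source/destination that was dropped.
access-list OUTSIDE_IN extended deny ip any any log

! Apply inbound on the outside interface (traffic entering the ASA on outside).
access-group OUTSIDE_IN in interface outside

! Deny-flow limits: cap the number of cached deny flows and set the interval
! between the 106101 messages that report the cap was reached.
access-list deny-flow-max 4096
access-list alert-interval 300

! Transparent mode only: EtherType rules are connectionless, so apply on both
! interfaces for traffic to pass in both directions.
access-list ETH ethertype permit bpdu
access-group ETH in interface inside
access-group ETH in interface outside

! Verification: per-line hit counts show whether a rule is ever matched.
show access-list OUTSIDE_IN
```

A rule added later that is more specific than an earlier one never matches unless it is inserted above it (access-list name line N ...); the hit counts in show access-list are the quickest way to spot a shadowed rule.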
Feature History for Access Rules
Table 7-2 lists each feature change and the platform release in which it was implemented.
Extended ACL and object enhancement to filter ICMP traffic by ICMP code, 9.0(1): ICMP traffic can now be permitted/denied based on ICMP code.
CHAPTER 8 Configuring AAA Rules for Network Access
This chapter describes how to enable AAA (pronounced "triple A") for network access.
Guidelines and Limitations
This section includes the guidelines and limitations for this feature. Context Mode Guidelines Supported in single and multiple context mode.
Configuring Authentication for Network Access
One-Time Authentication
A user at a given IP address only needs to authenticate one time for all rules and types, until the authentication session expires.
Note If you use HTTP authentication, by defau.
• For Telnet and FTP traffic, users must log in through the cut-through proxy server and again to the Telnet and FTP servers.
nat (inside,outside) static 10.48.66.155 service tcp 111 889
Then users do not see the authentication page.
Step 3 In the AAA Server Group drop-down list, choose a server group. To add a AAA server to the server group, click Add Server.
Step 3 For the Protocol, choose either HTTP or HTTPS. You can enable both by repeating this procedure and creating two separate rules.
This is the only method that protects credentials between the client and the ASA, as well as between the ASA and the destination server.
server; you are not prompted separately for the HTTP server username and password.
that requires authentication is allowed through.
Configuring Authorization for Network Access
After a user authenticates for a given connection, the ASA can use authorization to further control traffic from the user.
Step 8 In the Service field, enter an IP service name or number for the destination service, or click the ellipsis (.
Configuring a RADIUS Server to Send Downloadab.
permit udp any host 10.0.0.253
permit icmp any host 10.0.0.253
permit tcp any host 10.0.
The username argument is the name of the user that is being authenticated. The downloaded ACL on the ASA consists of the following lines.
Configuring Accounting for Network Access
accounting information by IP address.
Using MAC Addresses to Exempt Traffic from Authentication and Authorization
of these users, you can enable AAA to allow only authenticated and/or authorized users to connect through the ASA.
8-20 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 8 Configuring AAA Rules for Network Access Feature History for AAA Rules Feature History for AAA Rules Ta b l e 8 - 1 lists each feature change and the platform re lease in which it was impl emented.
9-1 CHAPTER 9 Configuring Public Servers This section describes how to configure public servers, and includes the following topics: • Inf.
9-2 Adding a Public Server that Enables Static NAT Firewall Mode Guidelines Supported in routed and transparent firewall mode.
9-3 Editing Settings for a Public Server Step 4 In the Private Service field, click Browse to display the Browse Service dialog box. Step 5 Choose the actual service that is exposed to the outside, and click OK.
9-4 Feature History for Public Servers Table 9-1 lists each feature change and the platform release in which it was implemented.
PART 4 Configuring Application Inspection.
10-1 CHAPTER 10 Getting Started with Application Layer Protocol Inspection This chapter describes how to configure application layer protocol inspection.
10-2 Information about Application Layer Protocol Inspection Figure 10-1 How Inspection Engines Work In Figure 10-1, operations are numbered in the order they occur, and are described as follows: 1.
10-3 Guidelines and Limitations When you enable application inspection for a.
10-4 Default Settings and NAT Limitations Inspected protocols are subject to advanced TCP-state tracking, and the TCP state of these connections is not automatically replicated.
10-5 ICMP ERROR | — | — | — | — ; ILS (LDAP) | TCP/389 | No extended PAT. No NAT64. | — | — ; Instant Messaging (IM) | Varies by client | No extended PAT.
10-6 SIP | TCP/5060 UDP/5060 | No outside NAT. No NAT on same security interfaces. No extended PAT.
10-7 Configuring Application Layer Protocol Inspection This feature uses Security Policy Rules to create a service policy.
11-1 CHAPTER 11 Configuring Inspection of Basic Internet Protocols This chapter describes how to configure application layer protocol inspection.
11-2 DNS Inspection • Configuring DNS Inspection, page 11-16 Information About DN.
11-3 (Optional) Configuring a DNS Inspection Policy Map and Class Map To match DNS packets with certain characteristics and perform special actions, create a DNS inspection policy map.
11-4 • To use one of the preset security levels (Low, Medium, or High), drag the Security Level knob, then click OK to add the inspection policy map.
11-5 Detailed Steps—Filtering Step 1 Click the Filtering tab. Step 2 Global Settings: Drop packets that exceed specified maximum length (global)—Sets the maximum DNS message length, from 512 to 65535 bytes.
11-6 Step 2 Enable logging when DNS ID mismatch rate exceeds specifi.
11-7 Step 2 Click Add.
11-8 Step 3 You can configure DNS inspections using the following methods: • Single Match—Match a single criterion, and identify the action for the match.
11-9 • Enforce TSIG: Requires a TSIG resource record to be present. – Do not enforce – Drop packet – Log – Drop packet and log Not all combinations are valid for all matching criteria.
11-10 Step 5 From the Criterion drop-down list, choose one of the following criteria: • Header Flag: Set the following Value parameters: – Match Option: Equals or Contains.
11-11 Set the following Value parameters: – DNS Type Field Name—Lists the DNS types to select.
11-12 Set the following Value parameters: – DNS Class Field Name: Internet—Internet is the only option. – DNS Class Field Value: Value—Lets you enter a value between 0 and 65535.
11-13 • Resource Record:.
11-14 Set the following Value parameters: – Resource Record: addi.
11-15 Set the following Value parameters: – Regular Expression—Choose an existing regular expression from the drop-down menu, or click Manage to add a new one.
11-16 map that have the same match, then the order in the configuration determines which match is used, so these buttons are enabled.
11-17 FTP Inspection load on the ASA. For example, if the DNS server is on the outside interface, you should enable DNS inspection with snooping for all UDP DNS traffic on the outside interface.
11-18 • An FTP command must be acknowledged before the ASA allows a new command. • The ASA drops connections that send embedded commands.
11-19 Fields • FTP Strict (prevent web browsers from sending em.
11-20 • Delete—Deletes an FTP class map.
11-21 – Regular Expression Class—Lists the defined regular expression classes to match.
11-22 • Delete—Deletes the inspect map selected in the FTP Inspect Maps table. • Security Level—Select the security level (medium or low).
11-23 • Description—Enter the description of the FTP map, up to 200 characters in length. • Security Level—Select the security level (medium or low).
11-24 Add/Edit FTP Map The Add/Edit FTP Map dialog box is accessible a.
11-25 – Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
11-26 HTTP Inspection In conjunction with NAT, the FTP application inspection translates the IP address within the application payload.
11-27 The Select HTTP Map dialog box lets you select or create a new HTTP map. An HTTP map lets you change the configuration values used for HTTP application inspection.
11-28 • Edit—Edits an HTTP class map.
11-29 cookie, date, expect, expires, from, host, if-match, if-mod.
11-30 Method—Specifies to match on a request method: bcopy, bdel.
11-31 Regular Expression—Lists the defined regular expressions to match. Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
11-32 HTTP Inspect Map The HTTP Inspect Map dialog box is accessible .
11-33 URI Filtering The URI Filtering dialog box is accessible as f.
11-34 URI filtering: Not configured Advanced inspections: Not configured – High Protocol violation action: Drop connection and log Drop connections for unsafe methods: Allow only GET and HEAD.
11-35 – Add—Opens the Add HTTP Inspect dialog box to add an HTTP inspection. – Edit—Opens the Edit HTTP Inspect dialog box to edit an HTTP inspection.
11-36 Predefined—Specifies the request header fields: accept, ac.
11-37 Method—Specifies to match on a request method: bcopy, bd.
11-38 Regular Expression—Lists the defined regular expressions to match. Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
11-39 ICMP Inspection – H323 Traffic Class—Specifies the HTTP traffic class match. – Manage—Opens the Manage HTTP Class Maps dialog box to add, edit, or delete HTTP Class Maps.
11-40 Instant Messaging Inspection IM Inspection Overview The IM inspect engine lets.
11-41 IP Options Inspection • Source IP Address—Select to match the source IP address of the IM message. In the Value fields, enter the IP address and netmask of the message source.
11-42 • End of Options List (EOOL) or IP Option 0—This option, which contains just a single zero byte, appears at the end of all options to mark the end of a list of options.
11-43 • Click the Use the default IP-Options inspection map radio button to use the default IP Options map.
11-44 The Select IP-Options Inspect Map dialog box lets you select or create a new IP Options inspection map.
11-45 IPsec Pass Through Inspection – Allow packets with the No Operation (NOP) option The Options field in the IP header can contain zero, one, or more options, which makes the total length of the field variable.
11-46 Select IPsec-Pass-Thru Map The Select IPsec-Pass-.
11-47 – Default Level—Sets the security level back to the default level of Low.
11-48 IPv6 Inspection • Parameters—Configures ESP and AH parameter settings. – Limit ESP flows per client—Limits ESP flows per client.
11-49 Step 2 Click Add. The Add IPv6 Inspection Map dialog box appears. Step 3 Enter a name and description for the inspection map.
11-50 NetBIOS Inspection You can configure IPv6 inspection as part of a new service policy rule, or you can edit an existing service policy.
11-51 PPTP Inspection • Add—Opens the Add Policy Map dialog box for the inspection.
11-52 SMTP and Extended SMTP Inspection PAT is only performed for the modified version of GRE [RFC 2637] when negotiated over the PPTP TCP control channel.
11-53 Other extended SMTP commands, such as ATRN, ONEX, VERB, CHUNKING, and private extensions, are not supported.
11-54 ESMTP Inspect Map The ESMTP Inspect Map dial.
11-55 – Default Level—Sets the security level back to the default level of Low.
11-56 Drop Connections if command line length is .
11-57 – Action—Shows the action if the match condition is met. – Log—Shows the log state.
11-58 • Body Line Length Criterion Values—Specifies the value details for body line length match.
11-59 8bitmime auth binarymime checkpoint dsn ecode etrn others pipelining size vrfy – Add—Adds the selected parameter from the Available Parameters table to the Selected Parameters table.
11-60 TFTP Inspection • MIME Filename Length Criterion Values—Specifies the value details for MIME filename length match. – Greater Than Length—MIME filename length in bytes.
11-61 The ASA inspects TFTP traffic and dynamically creates connections and translations, if necessary, to permit file transfer between a TFTP client and server.
12-1 CHAPTER 12 Configuring Inspection for Voice and Video Protocols This chapter describes how to configure application layer protocol inspection.
12-2 H.323 Inspection Limitations and Restrictions The following summarizes limitat.
12-3 H.323 Inspection Overview H.323 inspection provides support for H.323 compliant applications such as Cisco CallManager and VocalTec Gatekeeper.
12-4 After inspecting the H.225 messages, the ASA opens the H.245 channel and then inspects traffic sent over the H.
12-5 • Not supported with dynamic NAT or PAT. • Not supported with extended PAT. • Not supported with NAT between same-security-level interfaces.
12-6 • Edit—Edits an H.323 class map. • Delete—Deletes an H.323 class map. Add/Edit H.323 Traffic Class Map Configuration > Global Objects > Class Maps > H.
12-7 – Regular Expression Class—Lists the defined regular expression classes to match.
12-8 Call Party Number Enabled Call duration Limit 1:00:00 RTP .
12-9 Call Party Number Disabled Call duration Limit Disabled RTP c.
12-10 Note You can enable call setup between H.
12-11 Add/Edit HSI Group Configuration > Global Objects > In.
12-12 MGCP Inspection – Regular Expression Class—Lists the defined regular expression classes to match.
12-13 Note To avoid policy failure when upgrading from ASA version 7.1, all layer 7 and layer 3 policies must have distinct names.
12-14 • RestartInProgress The first four commands are sent by the call agent to the gateway. The Notify command is sent by the gateway to the call agent.
12-15 Gateways and Call Agents Configuration > Global Objects > .
12-16 RTSP Inspection – Gateways—Identifies the IP address of the media gateway that is controlled by the associated call agent.
12-17 • Using RealPlayer, page 12-17 • Restrictions and Limitat.
12-18 Restrictions and Limitations The following restrictions apply to the RTSP inspection. • The ASA does not support multicast RTSP or RTSP messages over UDP.
12-19 Add/Edit RTSP Policy Map Configuration > Global Objects >.
12-20 SIP Inspection – Criterion—Shows the criterion of the RTSP class map. – Value—Shows the value to match in the RTSP class map.
12-21 • SIP Inspection Overview, page 12-21 • SIP Instant Messa.
12-22 SIP Instant Messaging Instant Messaging refers to the transfer of messages between users in near real-time. SIP supports the Chat feature on Windows XP using Windows Messenger RTC Client version 4.
12-23 The Select SIP Map dialog box lets you select or create a new SIP map. A SIP map lets you change the configuration values used for SIP application inspection.
12-24 Fields • Name—Shows the SIP class map name. • Match Conditions—Shows the type, match criterion, and value in the class map.
12-25 – Message Path—Match the SIP Via header. – Request Method—Match the SIP request method. – Third-Party Registration—Match the requester of a third-party registration.
12-26 • Message Path Criterion Values—Specifies to match a SIP Via header. Applies the regular expression match.
12-27 SIP instant messaging (IM) extensions: Enabled. Non-SIP traffic on SIP port: Permitted. Hide server's and endpoint's IP addresses: Disabled.
12-28 – Low—Default. SIP instant messaging (IM) extensions: Enabled. Non-SIP traffic on SIP port: Permitted. Hide server's and endpoint's IP addresses: Disabled.
12-29 • Description—Enter the description of the SIP map, up to 200 characters in length.
12-30 – Add—Opens the Add SIP Inspect dialog box to add a SIP inspection. – Edit—Opens the Edit SIP Inspect dialog box to edit a SIP inspection.
12-31 – Regular Expression Class—Lists the defined regular expression classes to match.
12-32 Skinny (SCCP) Inspection • URI Length Criterion Values—Specifies to match a URI in the SIP headers greater than specified length.
12-33 Normal traffic between Cisco CallManager and Cisco IP Phones uses SCCP and is handled by SCCP inspection without any special configuration.
12-34 Select SCCP (Skinny) Map Add/Edit Service Policy Rul.
12-35 Minimum prefix length: 4 Media timeout: 00:05:00 Signaling timeout: 01:00:00. RTP conformance: Not enforced.
12-36 • Delete—Deletes a message ID filter. • Move Up—Moves an entry up in the list. • Move Down—Moves an entry down in the list.
12-37 Limit payload to audio or video, based on the signaling exchange: Yes. – Message ID Filtering—Opens the Messaging ID Filtering dialog box for configuring message ID filters.
12-38 – Edit—Opens the Edit Message ID Filtering dialog box to edit a message ID filter. – Delete—Deletes a message ID filter.
13-1 CHAPTER 13 Configuring Inspection of Database and Directory Protocols This chapter describes how to configure application layer protocol inspection.
13-2 SQL*Net Inspection During connection negotiation time, a BIND PDU is sent from the client to the server.
13-3 Sun RPC Inspection SQL*Net Version 2 TNSFrame types (Connect, Accept,.
13-4 The Configuration > Firewall > Advanced > SUNRPC Server pane shows which SunRPC services can traverse the ASA and their specific timeout, on a per server basis.
CHAPTER 14 Configuring Inspection for Management Application Protocols. This chapter describes how to configure application layer protocol inspection.
DCERPC Inspection. This typically involves a client querying a server called the Endpoint Mapper listening on a well known port number for the dynamically allocated network information of a required service.
DCERPC Inspection. DCERPC inspect maps inspect for native TCP communication between the EPM and client on well known TCP port 135.
GTP Inspection. Endpoint mapper service: not enforced. Endpoint mapper service lookup: enabled. Endpoint mapper service lookup timeout: 00:05:00. – Medium—Default.
GTP Inspection. GTP Inspection Overview. GPRS provides uninterrupted connectivity for mobile subscribers between GSM networks and corporate networks or the Internet.
GTP Inspection. The Select GTP Map dialog box lets you select or create a new GTP map. A GTP map lets you change the configuration values used for GTP application inspection.
GTP Inspection. • Default Level—Sets the security level back to the default.
GTP Inspection. Add/Edit GTP Policy Map (Details) Configuration > Glo.
GTP Inspection. Signaling—Lets you change the default for the maximum period of inactivity before a GTP signaling is removed.
RADIUS Accounting Inspection. – Message Length—Match on the message length. – Version—Match on the version. • Access Point Name Criterion Values—Specifies an access point name to be matched.
RADIUS Accounting Inspection. • Select RADIUS Accounting Map, page.
RADIUS Accounting Inspection. Fields • Name—Enter the name of the previously configured RADIUS accounting map.
RSH Inspection. Fields • Name—Shows the name of the previously configured RADIUS accounting map. • Description—Enter the description of the RADIUS accounting map, up to 200 characters in length.
SNMP Inspection. • “Select SNMP Map” section on page 14-14 • “.
XDMCP Inspection. The Add/Edit SNMP Map dialog box lets you create a new SNMP map for controlling SNMP application inspection.
XDMCP Inspection.
PART 5 Configuring Unified Communications.
CHAPTER 15 Information About Cisco Unified Communications Proxy Features. This chapter describes how to configure the adaptive security appliance for Cisco Unified Communications Proxy features.
Information About the Adaptive Security Appliance in Cisco Unified.
TLS Proxy Applications in Cisco Unified Communications. The ASA provides perimeter security by encrypting signaling connections between enterprises and preventing unauthorized calls.
Licensing for Cisco Unified Communications Proxy Features. For the Cisco Unified Mobility solution, the TLS client is a Cisco UMA client and the TLS server is a Cisco UMA server.
Licensing for Cisco Unified Communications Proxy Features. ASA 5512-X Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, or 500 sessions.
Licensing for Cisco Unified Communications Proxy Features. Table 15-2 shows the default and maximum TLS session details by platform.
CHAPTER 16 Using the Cisco Unified Communication Wizard. This chapter describes how to configure the adaptive security appliance for Cisco Unified Communications Proxy features.
Information about the Cisco Unified Communication Wizard. The wizard simplifies the configuration of the Unified Communications proxies in the following ways: • You enter all required data in the wizard steps.
Licensing Requirements for the Unified Communication Wizard. Using the ASA as a secur.
Guidelines and Limitations. This section includes the guidelines and limitations for this feature. Context Mode Guidelines: Supported in single and multiple context mode.
Configuring the Phone Proxy by using the Unified Communication Wizard. Note: Any configuration created by the wizard should be maintained through the wizard to ensure proper synchronization.
Configuring the Phone Proxy by using the Unified Communication Wizard. Step 2 Specify each entity in the network (all Cisco UCM and TFTP servers) that the IP phones must trust.
Configuring the Phone Proxy by using the Unified Communication Wizard. statements, you.
Configuring the Phone Proxy by using the Unified Communication Wizard. Selecting the Use interface IP radio button configures the server to use the IP address of the public interface.
Configuring the Phone Proxy by using the Unified Communication Wizard. See also the Ci.
Configuring the Phone Proxy by using the Unified Communication Wizard. • PC Port •.
Configuring the Mobility Advantage by using the Unified Communication Wizard. Step 1 In the field for the private IP address, enter the IP address on which private media traffic terminates.
Configuring the Mobility Advantage by using the Unified Communication Wizard. Configurin.
Configuring the Mobility Advantage by using the Unified Communication Wizard. • When using the wizard to configure the Cisco Mobility Advantage proxy, the wizard only supports installing self-signed certificates.
Configuring the Presence Federation Proxy by using the Unified Communication Wizard. C.
Configuring the Presence Federation Proxy by using the Unified Communication Wizard. Step 3 In the FQDN field, enter the domain name for the Unified Presence server.
Configuring the UC-IME by using the Unified Communication Wizard. For the TLS handsha.
Configuring the UC-IME by using the Unified Communication Wizard. To configure the Cisco Intercompany Media Engine Proxy by using ASDM, choose Wizards > Unified Communication Wizard from the menu.
Configuring the UC-IME by using the Unified Communication Wizard. Step 2 Click Next.
Configuring the UC-IME by using the Unified Communication Wizard. Step 1 To configur.
Configuring the UC-IME by using the Unified Communication Wizard. Adding a Cisco Unifi.
Configuring the UC-IME by using the Unified Communication Wizard. Configuring the Loc.
Configuring the UC-IME by using the Unified Communication Wizard. Configuring the Remo.
Working with Certificates in the Unified Communication Wizard. Working with Certifica.
Working with Certificates in the Unified Communication Wizard. Presence Federation server, and the Cisco Unified Communications Manager servers, respectively, on the ASA.
Working with Certificates in the Unified Communication Wizard. • Remote Presence Fe.
Working with Certificates in the Unified Communication Wizard. Submit the CSR to the certificate authority (CA), for example, by pasting the CSR text into the CSR enrollment page on the CA website.
Working with Certificates in the Unified Communication Wizard. Typically, a certifi.
Working with Certificates in the Unified Communication Wizard.
CHAPTER 17 Configuring the Cisco Phone Proxy. This chapter describes how to configure the ASA for the Cisco Phone Proxy feature.
Information About the Cisco Phone Proxy. Figure 17-1 Phone Proxy Secure Deployment. The phone proxy supports a Cisco UCM cluster in mixed mode or nonsecure mode.
Information About the Cisco Phone Proxy. Note: As an alternative to authenticating remote IP phones through the TLS handshake, you can configure authentication via LSC provisioning.
Licensing Requirements for the Phone Proxy. • Cisco Unified IP Phone 7941G-GE • Cisco Unifie.
Licensing Requirements for the Phone Proxy. ASA 5512-X Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, or 500 sessions. ASA 5515-X Base License: 2 sessions.
Prerequisites for the Phone Proxy. For more information about licensing, see Chapter 5, “Managing Feature Licenses,” in the general operations configuration guide.
Prerequisites for the Phone Proxy. • For IP phones behind a router or gateway, you must also meet this prerequisite.
Prerequisites for the Phone Proxy. If NAT is configured for the TFTP server or Cisco UCMs, the translated “global” address must be used in the ACLs.
Prerequisites for the Phone Proxy. Prerequisites for IP Phones on Multiple Interfaces. When IP phones reside on multiple interfaces, the phone proxy configuration must have the correct IP address set for the Cisco UCM in the CTL file.
Prerequisites for the Phone Proxy. • The phone must be configured to use only the SCCP protocol because the SIP protocol does not support encryption on these IP phones.
Prerequisites for the Phone Proxy. Rate Limiting Configuration Example. The following example describes how you configure rate limiting for TFTP requests by using the police command and the Modular Policy Framework.
Phone Proxy Guidelines and Limitations. Note: As an alternative to authenticating remote IP phones through the TLS handshake, you can configure authentication via LSC provisioning.
Phone Proxy Guidelines and Limitations. format: SEP<mac_address>.
Configuring the Phone Proxy. • If you decide to configure a media-termination address on inte.
Configuring the Phone Proxy. Creating the CTL File. Create a Certificate Trust List (CTL) file that is required by the Phone Proxy.
Configuring the Phone Proxy. Because the Phone Proxy generates the CTL file, it needs to create the System Administrator Security Token (SAST) key to sign the CTL file itself.
Configuring the Phone Proxy. Step 6 (Optional) In the Domain Name field, specify the domain name of the trustpoint used to create the DNS field for the trustpoint.
Configuring the Phone Proxy. Step 4 Specify the minimum and maximum values for the RTP port range for the media termination instance. The minimum port and the maximum port can be a value from 1024 to 65535.
Configuring the Phone Proxy. • To create a new CTL file for the Phone Proxy, click the link Generate Certificate Trust List File. The Create a Certificate Trust List (CTL) File pane opens.
Configuring the Phone Proxy. The IP address you enter should be the global IP address based on where the IP phone and HTTP proxy server are located.
Configuring the Phone Proxy. Note: If NAT is configured for the TFTP server, the NAT configuration must be configured prior to specifying the TFTP server while creating the Phone Proxy instance.
Feature History for the Phone Proxy. Step 4 Click Save Settings. Port forwarding is configured. Feature History for the Phone Proxy. Table 17-3 lists the release history for this feature.
CHAPTER 18 Configuring the TLS Proxy for Encrypted Voice Inspection. This chapter describes how to configure the ASA for the TLS Proxy for Encrypted Voice Inspection feature.
Information about the TLS Proxy for Encrypted Voice Inspection. Figure 1.
Information about the TLS Proxy for Encrypted Voice Inspection. proxy, the CTL file must contain the certificate that the security appliance creates for the Cisco UCMs.
Licensing for the TLS Proxy. • Cisco Unified Wireless IP Phone 7925.
Licensing for the TLS Proxy. Table 18-1 shows the default and maximum TLS session details by platform.
Prerequisites for the TLS Proxy for Encrypted Voice Inspection. Prerequi.
CTL Provider. • Client Details—Lists the name and IP address of the client. – Interface Name—Lists the defined interface name.
CTL Provider. Configure TLS Proxy Pane. Note: This feature is not supported for the Adaptive Security Appliance version 8.1.
CTL Provider. Adding a TLS Proxy Instance. Note: This feature is not supported for the Adaptive Security Appliance version 8.
CTL Provider. When the Phone Proxy is operating in a mixed-mode CUCM cluster, you must import the CUCM certificate by clicking Add in the Manage Identity Certificates dialog box.
CTL Provider. This wizard is available from the Configuration > Firewall > Unified Communications > TLS Proxy pane.
CTL Provider. To create a new key pair, click New.
CTL Provider. For information on the Cisco CTL Client, see “Configuring the Cisco CTL Client” in the Cisco Unified CallManager Security Guide.
CTL Provider. The Manage CA Certificates dialog box opens. See the “Guidelines and Limitations” section on page 40-10 in the general operations configuration guide.
CTL Provider. Note: When you are configuring the TLS Proxy for the Phone Proxy and it is using the mixed security mode for the CUCM cluster, you must configure the LDC Issuer.
TLS Proxy. This feature is supported only for ASA versions 8.0.x prior to 8.0.4 and for version 8.1. Note: This feature is not supported for the Adaptive Security Appliance versions prior to 8.
Feature History for the TLS Proxy for Encrypted Voice Inspection. Certificate Authority Server—Specifies the certificate authority server.
Feature History for the TLS Proxy for Encrypted Voice Inspection.
CHAPTER 19 Configuring Cisco Mobility Advantage. This chapter describes how to configure the ASA for Cisco Unified Communications Mobility Advantage Proxy features.
Information about the Cisco Mobility Advantage Proxy Feature. Figure 19-1 MMP Stack. The TCP/TLS default port is 5443. There are no embedded NAT or secondary connections.
Information about the Cisco Mobility Advantage Proxy Feature. Figure 19-2. The TLS proxy for the Cisco Mobility Advantage solution does not support client authentication because the Cisco UMA client cannot present a certificate.
Information about the Cisco Mobility Advantage Proxy Feature. Figure 19-3 Cisco UMC/Cisco UMA.
Information about the Cisco Mobility Advantage Proxy Feature. Figure 19-4 shows how you can import the Cisco UMA server certificate onto the ASA.
Licensing for the Cisco Mobility Advantage Proxy Feature. Figure 19-5 How the Security Appl.
Feature History for Cisco Mobility Advantage. Task Flow for Configuring Cisco Mobility Advantage. To configure the ASA to perform TLS proxy and MMP inspection as shown in Figure 19-2 and Figure 19-3, perform the following tasks.
Feature History for Cisco Mobility Advantage.
CHAPTER 20 Configuring Cisco Unified Presence. This chapter describes how to configure the adaptive security appliance for Cisco Unified Presence.
Information About Cisco Unified Presence. Figure 20-1 Typical Cisco Unified Presence/LCS Federation Scenario. In the above architecture, the ASA functions as a firewall, NAT, and TLS proxy, which is the recommended architecture.
Information About Cisco Unified Presence. ciscoasa(config-network-object)# nat (inside,outside) static 192.0.2.1 service tcp 5060 5060 For another Cisco UP with the address 10.
Information About Cisco Unified Presence. http://www.
Information About Cisco Unified Presence. Security Certificate Exchange Between Cisco UP and.
Information About Cisco Unified Presence. For further information about configuring Cisco Unified Presence Federation for XMPP Federation, see the Integration Guide for Configuring Cisco Unified Presence Release 8.
Licensing for Cisco Unified Presence. nat (inside,outside) source static obj_host_<private c.
Configuring Cisco Unified Presence Proxy for SIP Federation. For more information about licensing, see Chapter 5, “Managing Feature Licenses,” in the general operations configuration guide.
Feature History for Cisco Unified Presence. • Task Flow for Configuring Cisco Unified Presen.
Feature History for Cisco Unified Presence.
CHAPTER 21 Configuring Cisco Intercompany Media Engine Proxy. This chapter describes how to configure the ASA for Cisco Intercompany Media Engine Proxy.
Information About Cisco Intercompany Media Engine Proxy. • Works with existi.
Information About Cisco Intercompany Media Engine Proxy. On successful verification, the terminating side creates a ticket that grants permission to the call originator to make a Cisco IME call to a specific number.
Information About Cisco Intercompany Media Engine Proxy. Figure 21-2 Ticket Verification Process with Cisco Intercompany Media Engine. As illustrated in Figure 21-2.
Information About Cisco Intercompany Media Engine Proxy. Call Fallback to the PST.
Information About Cisco Intercompany Media Engine Proxy. • Cisco Intercompany.
Information About Cisco Intercompany Media Engine Proxy. Figure 21-4 Basic Depl.
Licensing for Cisco Intercompany Media Engine. Figure 21-5 Off Path Deploymen.
Guidelines and Limitations. For more information about licensing, see Chapter 5, “Managing Feature Licenses,” in the general operations configuration guide.
Guidelines and Limitations. • Having Cisco UCMs on more than one of the ASA interfaces is not supported with the Cisco Intercompany Media Engine Proxy.
Configuring Cisco Intercompany Media Engine Proxy. Configuring Cisco Intercompa.
Configuring Cisco Intercompany Media Engine Proxy. Or Configure PAT for the UCM server. See Configuring PAT for the Cisco UCM Server, page 21-14.
Configuring Cisco Intercompany Media Engine Proxy. Figure 21-7 Example for Con.
Configuring Cisco Intercompany Media Engine Proxy. What to Do Next. Create the ACLs for the Cisco Intercompany Media Engine Proxy.
Configuring Cisco Intercompany Media Engine Proxy. Command / Purpose. Step 1 hostname(config)# object network name Examples: hostname(config)# object network ucm-pat-209.
Configuring Cisco Intercompany Media Engine Proxy. Creating ACLs for Cisco Int.
Configuring Cisco Intercompany Media Engine Proxy. What to Do Next. Create the media termination instance on the ASA for the Cisco Intercompany Media Engine Proxy.
Configuring Cisco Intercompany Media Engine Proxy. What To Do Next. Once you have created the media termination instance, create the Cisco Intercompany Media Engine Proxy.
Configuring Cisco Intercompany Media Engine Proxy. Note: You cannot change any.
Configuring Cisco Intercompany Media Engine Proxy. Step 4 hostname(config-uc-i.
Configuring Cisco Intercompany Media Engine Proxy. What to Do Next. Install the certificate on the local entity truststore. You could also enroll the certificate with a local CA trusted by the local entity.
Configuring Cisco Intercompany Media Engine Proxy. connections between the local Cisco UCM and the local ASA.
Configuring Cisco Intercompany Media Engine Proxy. What to Do Next. Create the TLS proxy for the Cisco Intercompany Media Engine. See the “Creating the TLS Proxy” section on page 21-24.
Configuring Cisco Intercompany Media Engine Proxy. Creating the TLS Proxy. Beca.
Configuring Cisco Intercompany Media Engine Proxy. What to Do Next. Once you have created the TLS proxy, enable it for SIP inspection.
Configuring Cisco Intercompany Media Engine Proxy. Command / Purpose. Step 1 host.
Configuring Cisco Intercompany Media Engine Proxy. What to Do Next. Once you have enabled the TLS proxy for SIP inspection, if necessary, configure TLS within the enterprise.
Configuring Cisco Intercompany Media Engine Proxy. Commands / Purpose. Step 1 hos.
Configuring Cisco Intercompany Media Engine Proxy. What to Do Next. Once you have configured the TLS within the enterprise, if necessary, configure off path signaling for an off path deployment.
Configuring Cisco Intercompany Media Engine Proxy. (Optional) Configuring Off Path Signaling. Perform this task only when you are configuring the Cisco Intercompany Media Engine Proxy as part of an off path deployment.
Configuring Cisco Intercompany Media Engine Proxy. This section contains the fo.
Configuring Cisco Intercompany Media Engine Proxy. Step 2 Check the Enable Cisco UC-IME proxy check box to enable the feature.
21-33 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 21 Configuring Cisco Intercompany Media Engin e Proxy Configuring Cisco Inter company Media Engin e Proxy Note In an of f path deployment any existin g ASA that you ha ve deployed in your en vironment are not capable of transmitting Cisco Intercompan y Medi a Engine traf f ic.
21-34 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 21 Configurin g Ci sco Intercompan y Media Engine Proxy Configuring Cisco Intercompa ny Media Engine Pr oxy Step 4 Specify the public netw ork settings. Step 5 Specify the media termin ation address settings of Cisco UCM.
21-35 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 21 Configuring Cisco Intercompany Media Engin e Proxy Configuring Cisco Inter company Media Engin e Proxy SIP Trunk URI: 81a985c9-f3a1-55a0-3b19-9654@UCM-30;maddr=192.
21-36 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 21 Configurin g Ci sco Intercompan y Media Engine Proxy Configuring Cisco Intercompa ny Media Engine Pr oxy Max_BLS_ms : 0 Max_PDV_usec.
21-37 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 21 Configuring Cisco Intercompany Media Engin e Proxy Feature History for Cisco In tercompany Media Eng ine Proxy Feature History for Cisco Intercompany Media Engine Proxy T able 21-1 lists the release h ist ory for this feature .
21-38 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 21 Configurin g Ci sco Intercompan y Media Engine Proxy Feature History for Cisco Intercompany Media Engine Proxy.
PART 6 Configuring Connection Settings and QoS
22-1 CHAPTER 22 Configuring Connection Settings This chapter describes how to configure connection settings for connections that go through the ASA, or for management connections, that go to the ASA.
22-2 TCP Intercept and Limiting Embryonic Connections Limiting the number of embryonic connections protects you from a DoS attack.
22-3 TCP Sequence Randomization Each TCP connection has two ISNs: one generated by the client and one generated by the server.
22-4 fast path (an established connection), or the control plane path (advanced inspection).
22-5 Guidelines and Limitations Context Mode Guidelines Supported in single and multiple context mode. Firewall Mode Guidelines Supported in routed and transparent mode.
22-6 Configuring Connection Settings This section includes the following.
22-7 If they are not put in order and passed on within the timeout period, then they are dropped. The default is 4 seconds.
22-8 • Clear Selective Ack—Sets whether the selective-ack TCP option is allowed or cleared. • Clear TCP Timestamp—Sets whether the TCP timestamp option is allowed or cleared.
22-9 • Send reset to TCP endpoints before timeout—Specifies that the ASA should send a TCP reset message to the endpoints of the connection before freeing the connection slot.
22-10 • UDP—Modifies the idle time until a UDP protocol connection closes. This duration must be at least 1 minute. The default is 2 minutes.
22-11 Note When Authentication Absolute = 0, HTTPS authentication may not work.
22-12 Feature History for Connection Settings Configurable timeout for PAT xlate 8.
23-1 CHAPTER 23 Configuring QoS Have you ever participated in a long-distance phone call that involved a satellite connection? The conversation might be interrupted with brief, but perceptible, gaps at odd intervals.
23-2 Supported QoS Features The ASA supports the following QoS features: • Policing—To prevent individual flows from hogging the network bandwidth, you can limit the maximum bandwidth used per flow.
23-3 For traffic shaping, a token bucket permits burstiness but bounds it.
23-4 Information About Traffic Shaping Traffic shaping is used to match device and link speeds, thereby controlling packet loss, variable delay, and link saturation, which can cause jitter and delay.
23-5 You cannot configure traffic shaping and standard priority queuing for the same interface; only hierarchical priority queuing is allowed.
23-6 • (ASA 5512-X through ASA 5555-X) Priority queuing is not supported on the Management 0/0 interface.
23-7 Determining the Queue and TX Ring Limits for a Standard Priority Queue To determine the priority queue and TX ring limits, use the worksheets below.
23-8 Configuring the Standard Priority Queue for an Interface If you enable standard priority queuing for traffic on a physical interface, then you need to also create the priority queue on each interface.
23-9 This option sets the maximum number of low-latency or normal priority packets allowed into the Ethernet transmit driver before the driver pushes back to the queues on the interface to let them buffer packets until the congestion clears.
23-10 Step 4 Click Finish. The service policy rule is added to the rule table.
23-11 • For traffic shaping, you can only use the class-default class map, which is automatically created by the ASA, and which matches all traffic.
23-12 • Viewing QoS Standard Priority Queue Statistics, page 23-13 Viewing QoS Police Statistics To vi.
23-13 Viewing QoS Shaping Statistics To view statistics for service policies implementing the shape com.
23-14 Priority-Queue Statistics interface test Queue Type = BE Packets Dropped = 0 Packets Transmi.
24-1 CHAPTER 24 Troubleshooting Connections and Resources This chapter describes how to troubleshoot the ASA and includes the following sect.
24-2 The diagram should also include any directly connected routers and a host on the other side of the router from which you will ping the ASA.
24-3 Figure 24-3 Ping Failure Because of IP Addressing Problems Step 3 Ping each ASA interface from a remote host.
24-4 Administrators can use the ASDM Ping interactive diagnostic.
24-5 • Verify that devices in the intermediate communications path, such as switches or routers, are correctly delivering other types of network traffic.
24-6 Determining Packet Routing with Traceroute The Traceroute tool helps you to determine the route that packets will take to their destination.
24-7 Tracing Packets with Packet Tracer The packet tracer tool pro.
24-8 • FQDN • Security Tag • Security Name Step 8 Based on the.
24-9 Step 7 (Optional) Click Export to display the Export Graph Data dialog box. The selected performance statistics to export are already checked.
24-10 Step 9 (Optional) Click Save to save the memory block statistics to a text file (.txt) on your local drive for future reference.
24-11 Step 2 Select one or more entries from the Available Graphs list, then click Add to move them to the Selected Graphs list.
24-12 • Idle time since the last packet was sent or received • Amount of sent and received traffic on the connection Monitoring Per-Process CPU Usage You can monitor the processes that run on the CPU.
PART 7 Configuring Advanced Network Protection
25-1 CHAPTER 25 Configuring the ASA for Cisco Cloud Web Security Cisco Cloud Web Security provides web security and web filtering services through the Software-as-a-Service (SaaS) model.
25-2 This chapter includes the following se.
25-3 The ASA supports the following methods.
25-4 For more information, see the Cloud Web Security documentation: http://www.cisco.com/en/US/products/ps11720/products_installation_and_configuration_guides_list.
25-5 – AAA usernames, when using RADIUS o.
25-6 Bypassing Scanning with White.
25-7 On the Cloud Web Security side, you must purchase a Cisco Cloud Web Security license and identify the number of users that the ASA handles.
25-8 • When an interface to the Cloud Web Security proxy servers goes down, output from the show scansafe server command shows both servers up for approximately 15-25 minutes.
25-9 Detailed Steps Step 1 Choose Configuration > Device Management > Cloud Web Security.
25-10 (Multiple Context Mode) Allowing Cloud Web Security Per Security Context In multiple context mode, you must allow Cloud Web Security per context.
25-11 When you create a new traffic class of this type, you can only specify one access control entry (ACE) initially.
25-12 Step 4 On the Protocol Inspection tab, check the Cloud Web Security check box. Step 5 Click Configure to set the traffic action (fail open or fail close) and add the inspection policy map.
25-13 d. In the Name field, specify a name for the inspection policy map, up to 40 characters in length.
25-14 – Click Add to choose the inspection class map you created in the “(Optional) Configuring Whitelisted Traffic” section on page 25-23.
25-15 c. On the Traffic Classification Criteria dialog box, choose Add Rule to Existing Traffic Class, and choose the name you created in Step 3.
25-16 e.
25-17 Step 10 Click Apply. Examples The following example exempts all IPv4 HTTP and HTTPS traffic going to the 10.
25-18 Step 2 Add a new traffic class called “scansafe-http,” and specify an ACL for traffic matching: Step 3 Choose Match, and specify any4 for the Source and Destination.
25-19 Step 4 Check Cloud Web Security and click Configure. Step 5 Accept the default Fail Close action, and click Add.
25-20 Step 6 Name the inspection policy map “http-map,” set the Default User to Boulder and the default group to Cisco.
25-21 Step 9 Click Add rule to existing traffic class, and choose scansafe-http. Step 10 Choose Do not match, set any4 as the Source, and 10.
25-22 Step 11 Click Finish. Step 12 Reorder the rules so the Do not match rule is above the Match rule.
25-23 User traffic is compared to these rules i.
25-24 Detailed Steps Step 1 Choose Configuration > Firewall > Objects > Class Maps > Cloud Web Security.
25-25 Step 11 Click OK to add the class map.
25-26 Repeat for additional groups.
25-27 Related Documents Feature History for Cisco Cloud Web Security Table 25-1 lists each feature change and the platform release in which it was implemented.
26-1 CHAPTER 26 Configuring the Botnet Traffic Filter Malware is malicious software that is installed on an unknowing host.
26-2 • Botnet Traffic Filter Databases, page 26-2.
26-3 3.
26-4 When you add a domain name to the static database, the ASA waits 1 minute, and then sends a DNS request for that domain name and adds the domain name/IP address pairing to the DNS host cache.
26-5 How the Botnet Traffic Filter Works Figure 26-1 shows how the Botnet Traffic Filter works with the dynamic database plus DNS inspection with Botnet Traffic Filter snooping.
26-6 Licensing Requirements for the Botnet Tra.
26-7 Configuring the Botnet Traffic Filter This section inclu.
26-8 Configuring the Dynamic Database This procedure enables database updates, and also enables use of the downloaded dynamic database by the ASA.
26-9 section on page 26-13. What to Do Next See the “Adding Entries to the Static Database” section on page 26-9.
26-10 • You must first configure DNS inspection for traffic that you want to snoop using the Botnet Traffic Filter.
26-11 When an address matches, the ASA sends a syslog message. The only additional action currently available is to drop the connection.
26-12 Note We highly recommend using the default setting unless you have strong reasons for changing the setting.
26-13 For example, you receive the following syslog message: ASA-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.
26-14 Detailed Steps Step 1 Go to the Search Dynamic Database area: • In Single mode or within a context, choose the Configuration > Firewall > Botnet Traffic Filter > Botnet Database Update pane.
26-15 Botnet Traffic Filter Monitor Panes To monitor the Botn.
26-16 Where to Go Next • To configure the syslog server, see Chapter 41, “Configuring Logging,” in the general operations configuration guide.
27-1 CHAPTER 27 Configuring Threat Detection This chapter describes how to configure threat detection statistics and scanning threat detecti.
27-2 Configuring Basic Threat Detection Statistics Basic threat detection statistics include activity that might be related to an attack, such as a DoS attack.
27-3 Guidelines and Limitations This section includes the guidelines and limitations for this feature: Security Context Guidelines Supported in single mode only.
27-4 Configuring Basic Threat Detection Statistics This section describes how to configure basic threat detection statistics, including enabling or disabling it and changing the default limits.
27-5 Feature History for Basic Threat Detection Statistics Table 27-2 lists each feature change and the platform release in which it was implemented.
27-6 Security Context Guidelines Only TCP Intercept statistics are available in multiple mode. Firewall Mode Guidelines Supported in routed and transparent firewall mode.
27-7 • Burst Threshold Rate—Sets the threshold for syslog message generation, between 25 and 2147483647.
27-8 Feature History for Advanced Threat Detection Statistics Table 27-3 lists each feature change and the platform release in which it was implemented.
27-9 • Feature History for Scanning Threat Detection, page 27-11.
27-10 Default Settings Table 27-4 lists the default rate limits for scanning threat detection. The burst rate is calculated as the average rate every N seconds, where N is the burst rate interval.
27-11 Feature History for Scanning Threat Detection Table 27-5 lists each feature change and the platform release in which it was implemented.
28-1 CHAPTER 28 Using Protection Tools This chapter describes some of the many tools available to protect your network and includes the fol.
28-2 • Anti-Spoofing Enabled—Shows whether an interface has Unicast RPF enabled, Yes or No. • Enable—Enables Unicast RPF for the selected interface.
28-3 • Timeout—Display only. Displays the number of seconds to wait for an entire fragmented packet to arrive. The timer starts after the first fragment of a packet arrives.
28-4 alters the packet to request 1200 bytes. See the “Controlling Fragmentation with the Maximum Transmission Unit and TCP Maximum Segment Size” section on page 11-8 for more information.
28-5 Configuring IP Audit for Basic IPS Support The IP audit feature provides basic IPS support for the ASA that does not have an AIP SSM.
28-6 Fields • Policy Name—Sets the IP audit policy name. You cannot edit the name after you add it. • Policy Type—Sets the policy type.
28-7 1002 400002 IP options-Timestamp Informational Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 4 (Timestamp).
28-8 2002 400012 ICMP Source Quench Informational Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 4 (Source Quench).
28-9 2150 400023 Fragmented ICMP Traffic Attack Triggers when an IP.
28-10 6051 400035 DNS Zone Transfer Informational Triggers on normal DNS zone transfers, in which the source port is 53.
28-11 6180 400049 rexd (remote execution daemon) Attempt Informational Triggers when a call to the rexd program is made.
CHAPTER 29-1 Chapter 29 Configuring Filtering Services: This chapter describes how to use filtering services to provide greater control over traffic.
29-2 Filtering URLs and FTP Requests with an External Server.
29-3 Filtering URLs and FTP Requests with an External Server, Licensing Requirements for URL Filtering: The.
29-4 Filtering URLs and FTP Requests with an External Server: • Enter the number of seconds after which the request to the URL filtering server times out.
29-5 Filtering URLs and FTP Requests with an External Server: • Buffering the Content Server Response.
29-6 Filtering URLs and FTP Requests with an External Server: Step 5 Click OK to close this dialog box.
29-7 Filtering URLs and FTP Requests with an External Server: – Enter a hostname. – Enter an IP address and optional network mask. You can express the netmask in CIDR or dotted decimal notation.
29-8 Filtering URLs and FTP Requests with an External Server: – Enter an IP address and optional network mask. You can express the netmask in CIDR or dotted decimal notation.
29-9 Filtering URLs and FTP Requests with an External Server: >—Greater than. For example, >tcp/2000. -—Range. For example, tcp/2000-3000. – Enter a well-known service name, such as HTTP or FTP.
29-10 Filtering URLs and FTP Requests with an External Server: – Enter a well-known service name, such as HTTP or FTP. – Click the ellipses to display the Browse Service dialog box.
29-11 Filtering URLs and FTP Requests with an External Server: • Click OK to close this dialog box.
29-12 Filtering URLs and FTP Requests with an External Server: Step 12 To delete a selected filter rule, click Delete. Defining Queries: To define queries, perform the following steps: Step 1 Enter the IP address or host name of the source.
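The ASDM steps above (server definition with a request timeout, response buffering, filter rules with source, destination and service) map onto a handful of CLI commands. The following is an added example, not from the guide, of the equivalent configuration for a Websense server; the server address, interface names and network ranges are assumptions. The point worth seeing in the CLI is the fail behaviour: a filter rule without the allow keyword blocks matching traffic whenever the filtering server is unreachable, and adding allow turns that into fail-open.

```cisco
! Added example, not from the guide. Addresses, interface names and ports
! are assumptions.
!
! External filtering server reachable through the inside interface, with a
! 30-second request timeout (the value the ASDM timeout field sets).
url-server (inside) vendor websense host 192.168.1.50 timeout 30 protocol TCP version 4 connections 5
!
! Filter all outbound HTTP (port 80) and FTP (port 21) from any local host
! to any foreign host. No "allow" keyword: if the filtering server is down
! the ASA blocks the traffic (fail-closed). Appending "allow" would pass the
! traffic unfiltered while the server is unreachable (fail-open).
filter url http 0 0 0 0
filter ftp 21 0 0 0 0 interact-block
!
! Exempt the management network so administrators are not locked out of
! vendor sites by a dead filtering server.
filter url except 192.168.100.0 255.255.255.0 0 0
!
! Buffer the content server's response until the filtering verdict arrives,
! so a client never receives part of a page that is then blocked.
url-block block 128
!
! Cache verdicts per destination to reduce round trips to the server.
url-cache dst 128
!
! Verify server reachability and buffering behaviour.
show url-server statistics
show url-block block statistics
show url-cache statistics
```

Test the fail mode deliberately: stop the filtering server (or block it with a temporary access rule) and confirm that a browser on the inside segment is blocked rather than passed, then restore the server and confirm show url-server statistics reports it as UP again.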
PART 8 Configuring Modules.
CHAPTER 30-1 Chapter 30 Configuring the ASA CX Module: This chapter describes how to configure the ASA CX module that runs on the ASA.
30-2 Information About the ASA CX Module, How the ASA CX Module Works with the ASA: The ASA CX module runs a separate application from the ASA. The ASA CX module includes external management interface(s) so you can connect to the ASA CX module directly.
30-3 Information About the ASA CX Module, Monitor-Only Mode: For demonstration purposes, you can configure a service policy or a traffic-forwarding interface in monitor-only mode.
30-4 Information About the ASA CX Module: Figure 30-3 ASA CX Traffic-Forwarding. Information About ASA C.
30-5 Information About the ASA CX Module: or ASDM). However, physical characteristics (such as enabling the interface) are configured on the ASA.
30-6 Licensing Requirements for the ASA CX Module: • Do not configure ASA inspection on HTTP traffic. • Do not configure Cloud Web Security (ScanSafe) inspection.
30-7 Guidelines and Limitations, Firewall Mode Guidelines: Supported in routed and transparent firewall mode. Traffic-forwarding interfaces are only supported in transparent mode.
30-8 Default Settings, Additional Guidelines and Limitations: • See the “Compatibility with ASA Features” section on page 30-5.
30-9 Configuring the ASA CX Module: Step 3 (ASA 5585-X) Configure the ASA CX module management IP address for initial SSH access. See the “(ASA 5585-X) Changing the ASA CX Management IP Address” section on page 30-14.
30-10 Configuring the ASA CX Module, If you have an inside router: If you have an inside router, you can r.
30-11 Configuring the ASA CX Module, ASA 5512-X through ASA 5555-X (Software Module): These models run the ASA CX module as a software module, and the ASA CX management interface shares the Management 0/0 interface with the ASA.
30-12 Configuring the ASA CX Module: CX IP address for that interface. Because the ASA CX module is essentially a separate device from the ASA, you can configure the ASA CX management address to be on the same network as the inside interface.
30-13 Configuring the ASA CX Module: The boot software lets you set basic ASA CX network configuration, partition the SSD, and download the larger system software from a server of your choice to the SSD.
30-14 Configuring the ASA CX Module: asacx-boot> system install https://upgrades.
30-15 Configuring the ASA CX Module: Step 3 Click Send. Single Context Mode: Step 1 In ASDM, choose Wizards > Startup Wizard. Step 2 Click Next to advance through the initial screens until you reach the ASA CX Basic Configuration screen.
30-16 Configuring the ASA CX Module: Step 5 Click Finish to skip the remaining screens, or click Next to advance through the remaining screens and complete the wizard.
30-17 Configuring the ASA CX Module: Step 4 After you complete the final prompt, you are presented with a summary of the settings. Look over the summary to verify that the values are correct, and enter Y to apply your changed configuration.
30-18 Configuring the ASA CX Module: • Launch PRSM from ASDM by choosing Home > ASA CX Status, and clicking the Connect to the ASA CX application link. What to Do Next: • (Optional) Configure the authentication proxy port.
30-19 Configuring the ASA CX Module: Step 2 Enter a port greater than 1024.
30-20 Configuring the ASA CX Module, Detailed Steps: Step 1 Choose Configuration > Firewall > Service Policy Rules. Step 2 Choose Add > Add Service Policy Rule.
30-21 Configuring the ASA CX Module: Step 8 Check the Enable ASA CX for this traffic flow check box.
30-22 Configuring the ASA CX Module, Configuring Traffic-Forwarding Interfaces (Monitor-Only Mode): This section configures traffic-forwarding interfaces, where all traffic is forwarded directly to the ASA CX module.
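The two ways of getting traffic to the module described on pages 30-18 through 30-22 (a service policy rule with Enable ASA CX checked, optionally with a custom authentication proxy port, and a traffic-forwarding interface in monitor-only mode) look like this at the CLI. This is an added example, not the guide's own, and the interface, port and policy names are assumptions; cxsc is the ASA keyword for the ASA CX module. The fail-open versus fail-close choice is the security-relevant decision: fail-open keeps the network up when the module fails, fail-close keeps the policy enforced.

```cisco
! Added example, not from the guide. Interface names, port numbers and the
! use of the default global policy are assumptions.
!
! --- Redirect traffic with a service policy (pages 30-20 to 30-21) ---
! All traffic matched by class-default is sent to the module. fail-open
! continues forwarding if the module is down; fail-close drops the traffic
! and is the safer setting where the CX policy is the only control on the
! path. Add the monitor-only keyword to send a copy for demonstration only.
policy-map global_policy
 class class-default
  cxsc fail-open
service-policy global_policy global
!
! Optional: move the authentication proxy off its default port. The guide
! requires a value above 1024 (page 30-19).
cxsc auth-proxy port 2000
!
! --- Traffic-forwarding interface, monitor-only (page 30-22) ---
! Transparent mode only. The interface has no name or security level, so the
! ASA itself never forwards what it receives there; every frame is copied to
! the module, which can observe but cannot block.
interface GigabitEthernet0/5
 no nameif
 no security-level
 traffic-forward cxsc monitor-only
 no shutdown
!
! --- Verify ---
! Slot 1 is the CX module on an ASA 5585-X; on ASA 5512-X through 5555-X
! use "show module cxsc details" instead.
show module 1 details
show running-config cxsc
show asp table classify domain cxsc
show asp drop
```

After applying the policy, generate a few HTTP connections through the ASA and check that the hits counter in show asp table classify domain cxsc increments; a counter that stays at zero means the class is not matching, and with fail-close that shows up as dropped traffic rather than as a CX event.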
30-23 Managing the ASA CX Module, Examples: The following example makes GigabitEthernet 0/5 a traffic-forwarding interface: Managing the ASA CX Module: This section includes procedures that help you manage the module.
30-24 Managing the ASA CX Module: To reset the module password to the default of Admin123, perform the following steps. Guidelines: In multiple context mode, perform this procedure in the system execution space.
30-25 Managing the ASA CX Module, Detailed Steps. Shutting Down the Module: Shutting down the module software prepares the module to be safely powered off without losing configuration data.
30-26 Managing the ASA CX Module, (ASA 5512-X through ASA 5555-X) Uninstalling a Software Module Image: To uninstall a software module image and associated configuration, perform the following steps.
30-27 Monitoring the ASA CX Module, Detailed Steps. Monitoring the ASA CX Module: Use Tools > Command Line Interface to use monitoring commands.
30-28 Monitoring the ASA CX Module, Showing Module Status: See the “ASA CX Status Tab” section on page 4-30 in the general operations configuration guide.
30-29 Monitoring the ASA CX Module, Examples: The following is sample output from the show asp table classi.
30-30 Monitoring the ASA CX Module: in id=0x7ffedb4ada00, priority=50, domain=cxsc, deny=false hits=0, user_data=0x7ffedb4ac840, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip/id=0.
30-31 Monitoring the ASA CX Module: ciscoasa# show asp drop Frame drop: CXSC Module received packet with ba.
30-32 Troubleshooting the ASA CX Module, Capturing Module Traffic: To configure and view packet captures f.
30-33 Feature History for the ASA CX Module: ciscoasa# show running-config cxsc cxsc auth-proxy port 2000 2.
30-34 Feature History for the ASA CX Module: Monitor-only mode for demonstration purposes ASA 9.
CHAPTER 31-1 Chapter 31 Configuring the ASA IPS Module: This chapter describes how to configure the ASA IPS module. The ASA IPS module might be a hardware module or a software module, depending on your ASA model.
31-2 Information About the ASA IPS Module, How the ASA IPS Module Works with the ASA: The ASA IPS module runs a separate application from the ASA.
31-3 Information About the ASA IPS Module, Operating Modes: You can send traffic to the ASA IPS module using one of the following modes: • Inline mode—This mode places the ASA IPS module directly in the traffic flow (see Figure 31-1).
31-4 Information About the ASA IPS Module: Figure 31-3 Security Contexts and Virtual Sensors. Figure 31-4 shows a single mode ASA paired with multiple virtual sensors (in inline mode); each defined traffic flow goes to a different sensor.
31-5 Licensing Requirements for the ASA IPS module: See the following information about the management interface: – ASA 5510, ASA 5520, ASA 5540, ASA 5580, ASA 5585-X—The IPS management interface is a separate external Gigabit Ethernet interface.
31-6 Default Settings: http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html • The ASA 5505 does not support multiple context mode, so multiple context features, such as virtual sensors, are not supported on the AIP SSC.
31-7 Configuring the ASA IPS module: This section describes how to config.
31-8 Configuring the ASA IPS module, Connecting the ASA IPS Management Interface: In addition to providing.
31-9 Configuring the ASA IPS module, If you do not have an inside router: If you have only one inside network, then you cannot also have a separate management network, which would require an inside router to route between the networks.
31-10 Configuring the ASA IPS module, If you do not have an inside router: If you have only one inside network, then you cannot also have a separate management network.
31-11 Configuring the ASA IPS module, Sessioning to the Module from the ASA (May Be Required): To access the IPS module CLI from the ASA, you can session from the ASA.
31-12 Configuring the ASA IPS module, (ASA 5512-X through ASA 5555-X) Booting the Software Module: Your ASA typically ships with IPS module software present on Disk0.
31-13 Configuring the ASA IPS module, (ASA 5510 and Higher) Configuring Basic Network Settings: In single context mode, you can use the Startup Wizard in ASDM to configure basic IPS network configuration.
31-14 Configuring the ASA IPS module, Detailed Steps—Multiple Mode Using the CLI. (ASA 5505) Configuring Basic Network Settings: An ASA IPS module on the ASA 5505 does not have any external interfaces.
31-15 Configuring the ASA IPS module: b. Enter the IPS management IP address. Make sure this address is on the same subnet as the ASA VLAN IP address. For example, if you assigned 10.
31-16 Configuring the ASA IPS module: Step 3 Enter the IP address, username and password that you set in the “Configuring Basic IPS Module Network Settings” section on page 31-12, as well as the port.
31-17 Configuring the ASA IPS module, What to Do Next: • For the ASA in multiple context mode, see the “Assigning Virtual Sensors to a Security Context (ASA 5510 and Higher)” section on page 31-17.
31-18 Configuring the ASA IPS module: If you do not specify a sensor name when you configure IPS within the context configuration, the context uses this default sensor.
31-19 Managing the ASA IPS module: Step 3 Complete the Service Policy dialog box as desired. See the ASDM online help for more information about these screens.
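Pages 31-3 (inline versus promiscuous operating modes), 31-17 and 31-18 (virtual sensors assigned to security contexts, with a default sensor) and 31-19 (the service policy that diverts traffic) describe the pieces of an IPS deployment without showing them together. The following added example, not from the guide, puts them together at the CLI; the access list, class, context and sensor names are assumptions. The distinction to keep in mind is that only inline mode lets the module drop anything, so the fail-open or fail-close keyword only affects forwarding for inline classes.

```cisco
! Added example, not from the guide. Names and addresses are assumptions.
!
! --- Single context mode: operating mode per traffic class (page 31-3) ---
! inline: the module sits in the flow and can drop; fail-close drops the
! class if the module fails, fail-open passes it unscanned.
! promiscuous: the ASA forwards the original packet and sends the module a
! copy, so the module can only alert and the fail keyword does not change
! what is forwarded.
access-list ips_inline extended permit ip any 10.10.10.0 255.255.255.0
class-map dmz_servers
 match access-list ips_inline
policy-map global_policy
 class dmz_servers
  ips inline fail-close
 class class-default
  ips promiscuous fail-open
service-policy global_policy global
!
! --- Multiple context mode: virtual sensors (pages 31-17 to 31-18) ---
! In the system execution space, allocate sensors to a context. The sensor
! marked default is used by any ips command in that context that names no
! sensor; a mapped name hides the real sensor name from the context admin.
context finance
 allocate-ips vs0 default
 allocate-ips vs1 finance_sensor
!
! Inside the finance context, pick a specific sensor by its mapped name.
changeto context finance
policy-map global_policy
 class class-default
  ips inline fail-close sensor finance_sensor
!
! --- Verify ---
show service-policy
show module 1 details
```

A context can only reference sensors allocated to it, so an ips command naming an unallocated sensor is rejected; check show service-policy inside the context to confirm the class is bound to the sensor you intended and not silently to the default one.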
31-20 Managing the ASA IPS module: This section includes procedures that help you recover or troubleshoo.
31-21 Managing the ASA IPS module, Detailed Steps: Command, Purpose. Step 1 For a hardware module (for example.
31-22 Managing the ASA IPS module, Shutting Down the Module: Shutting down the module software prepares the module to be safely powered off without losing configuration data.
31-23 Managing the ASA IPS module, Resetting the Password: You can reset the module password to the default. For the user cisco, the default password is cisco.
31-24 Monitoring the ASA IPS module, Reloading or Resetting the Module: To reload or reset the module, enter one of the following commands at the ASA CLI.
31-25 Feature History for the ASA IPS module: Table 31-2 lists each feature change and the platform release in which it was implemented.
31-26 Feature History for the ASA IPS module.
CHAPTER 32-1 Chapter 32 Configuring the ASA CSC Module: This chapter describes how to configure the Content Security and Control (CSC) application that is installed in a CSC SSM in the ASA.
32-2 Information About the CSC SSM: Figure 32-1 Flow of Scanned Traffic with the CSC SSM. You use ASDM for system setup and monitoring of the CSC SSM.
32-3 Information About the CSC SSM: Figure 32-2 CSC SSM Deployment with a Management Network. Determinin.
32-4 Information About the CSC SSM: Based on the configuration shown in Figure 32-3, configure the ASA.
32-5 Licensing Requirements for the CSC SSM: In the outside-policy, outside-class matches SMTP traffic from any outside source to the DMZ network.
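Page 32-5 describes the policy built for Figure 32-3 (an outside-policy whose outside-class sends SMTP bound for the DMZ to the CSC SSM, alongside a policy for inside users) but the configuration itself is not on the pages shown here. The following is an added example, not the guide's, of such a two-policy layout; the address ranges are assumptions, and the class and policy names follow the page's description. The CSC SSM scans only HTTP, FTP, SMTP and POP3, so the classes match those ports explicitly rather than sending everything to the module.

```cisco
! Added example, not from the guide. Addresses are assumptions; class and
! policy names follow the description of Figure 32-3 on page 32-5.
!
! Inside users: scan outbound HTTP, FTP and POP3, the protocols the CSC SSM
! can scan, on their standard ports. Attached to the inside interface so it
! matches the traffic on ingress.
access-list inside_csc extended permit tcp 192.168.10.0 255.255.255.0 any eq www
access-list inside_csc extended permit tcp 192.168.10.0 255.255.255.0 any eq ftp
access-list inside_csc extended permit tcp 192.168.10.0 255.255.255.0 any eq pop3
class-map inside-class
 match access-list inside_csc
policy-map inside-policy
 class inside-class
  csc fail-close
service-policy inside-policy interface inside
!
! DMZ mail relay: scan SMTP arriving from any outside source. fail-close
! drops matching connections while the module is down, which for inbound
! mail means senders queue and retry rather than delivering unscanned mail.
! Use fail-open only where availability outweighs scanning.
access-list outside_csc extended permit tcp any 192.168.20.0 255.255.255.0 eq smtp
class-map outside-class
 match access-list outside_csc
policy-map outside-policy
 class outside-class
  csc fail-close
service-policy outside-policy interface outside
!
! Verify that each policy is attached and that connections are diverted.
show service-policy interface inside csc
show service-policy interface outside csc
```

An interface can carry only one service policy, so if inside or outside already has one attached, add the class and csc action to that existing policy map instead of creating a second one.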
32-6 Guidelines and Limitations: – Domain name and hostname for the CSC SSM. – An e-mail address and an SMTP server IP address and port number for e-mail notifications.
32-7 Configuring the CSC SSM: This section describes how to configure the CSC SS.
32-8 Configuring the CSC SSM: • If you manually control time settings, verify the clock settings, including time zone. Choose Configuration > Properties > Device Administration > Clock.
32-9 Configuring the CSC SSM: To connect to the CSC SSM, perform the following steps: Step 1 In the ASDM main application window, click the Content Security tab.
32-10 CSC SSM Setup Wizard: Step 4 Click the Create a new traffic class option, type a name for the traffic class in the adjacent field, check the Any traffic check box, and then click Next.
32-11 CSC SSM Setup Wizard, Activation/License: The Activation/License pane lets you review or renew activation codes for the CSC SSM Basic License and the Plus License.
32-12 CSC SSM Setup Wizard: Step 3 Set parameters of the DNS servers for the network that includes the management IP address of the CSC SSM. • Enter the IP address of the primary DNS server.
32-13 CSC SSM Setup Wizard, What to Do Next: See the “Management Access Host/Networks” section on page 32-13.
32-14 CSC SSM Setup Wizard, Tip: Whenever the connection to the CSC SSM is dropped, you can reestablish it. To do so, click the Connection to Device icon on the status bar to display the Connection to Device dialog box, and then click Reconnect.
32-15 CSC SSM Setup Wizard: Step 4 After you have reset the password, you should change it to a unique value. What to Do Next: See the “Password” section on page 32-13.
32-16 CSC SSM Setup Wizard, CSC Setup Wizard IP Configuration: To display the IP configuration settings th.
32-17 CSC SSM Setup Wizard, CSC Setup Wizard Management Access Configuration: To display the subnet and ho.
32-18 CSC SSM Setup Wizard: The traffic selection for CSC scanning configuration settings that you have entered for the CSC SSM appear, including the following: • The interface to the CSC SSM that you have chosen from the drop-down list.
32-19 CSC SSM Setup Wizard, CSC Setup Wizard Summary: To review the settings that you have made with the CSC Setup Wizard, perform the following steps: Step 1 Choose Configuration > Trend Micro Content Security > CSC Setup > Summary.
32-20 Using the CSC SSM GUI, What to Do Next: See the “Using the CSC SSM GUI” section on page 32-20.
32-21 Using the CSC SSM GUI: Step 6 Click Configure Web Reputation to open a screen for configuring the Web Reputation service on the CSC SSM. What to Do Next: See the “Mail” section on page 32-21.
32-22 Using the CSC SSM GUI: Step 7 The Global Approved List area is display-only and shows whether or not the SMTP global approved list feature is enabled on the CSC SSM.
32-23 Using the CSC SSM GUI: The File Scanning area is display-only and shows whether or not FTP file scanning is enabled on the CSC SSM.
32-24 Monitoring the CSC SSM, What to Do Next: See the “Monitoring the CSC SSM” section on page 32-24. Monitoring the CSC SSM: ASDM lets you monitor the CSC SSM statistics as well as CSC SSM-related features.
32-25 Monitoring the CSC SSM: Step 4 To remove the selected statistics type from the Selected Graphs list, click Remove.
32-26 Monitoring the CSC SSM: • The subject of e-mails that include a threat, or the names of FTP files that include a threat, or blocked or filtered URLs.
32-27 Troubleshooting the CSC Module, What to Do Next: See the “CSC CPU” section on page 32-27. Resource Graphs: The ASA lets you monitor CSC SSM status, including CPU resources and memory usage.
32-28 Troubleshooting the CSC Module: • Resetting the Password, page 32-29 • Reloading or Resetting th.
32-29 Troubleshooting the CSC Module, Resetting the Password: You can reset the module password to the default. The default password is cisco. After resetting the password, you should change it to a unique value using the module application.
32-30 Troubleshooting the CSC Module, Reloading or Resetting the Module: To reload or reset the module, enter one of the following commands at the ASA CLI.
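The module management procedures for the CX module (pages 30-23 to 30-26), the IPS module (pages 31-20 to 31-24) and the CSC SSM (pages 32-28 to 32-30) share one set of ASA commands: session to the module, shut it down cleanly, reload or reset it, and reset its password to the documented default. The following is an added example, not the guide's, collecting those commands in the form used for a hardware module in slot 1 (the ASA 5585-X) and the software-module form used on the ASA 5512-X through 5555-X; the image file name is a placeholder. The security point is that a password reset leaves the module on a published default (Admin123 for CX, cisco/cisco for IPS, cisco for CSC) that anyone who can reach its management interface knows, so the change-password step is part of the procedure, not an afterthought.

```cisco
! Added example, not from the guide. Slot 1 is the module slot on an
! ASA 5585-X; "ips" and "cxsc" are the module IDs of the software modules on
! ASA 5512-X through 5555-X. The CSC SSM is always a hardware module.
! In multiple context mode, run these from the system execution space.
!
! Status: application state and management address of the module.
show module
show module 1 details
!
! Open the module CLI over the backplane (hardware slot or software ID).
session 1
session cxsc
!
! Clean shutdown before a power-off, then reload (restart the software)
! or reset (power-cycle the hardware).
hw-module module 1 shutdown
hw-module module 1 reload
hw-module module 1 reset
sw-module module ips reload
!
! Password reset restores the documented default (CX: Admin123,
! IPS: cisco/cisco, CSC: cisco). Session in and change it immediately;
! until you do, the module accepts a password printed in public docs.
hw-module module 1 password-reset
sw-module module cxsc password-reset
!
! Software-module only: remove the image and its configuration, then
! reinstall from a boot image on disk0 (IMAGE_FILE is a placeholder).
sw-module module cxsc uninstall
sw-module module cxsc recover configure image disk0:IMAGE_FILE
sw-module module cxsc recover boot
```

Treat a password reset like any other credential rotation: confirm with show module 1 details that the module is Up again, session in, change the password, and then check that the module's management interface is reachable only from the management network you intended, since the default credential is useless to an attacker who cannot reach the interface.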
32-31 Additional References: For additional information related to implementing th.
32-32 Feature History for the CSC SSM: CSC syslog format 8.3(1). CSC syslog format is consistent with the ASA syslog format. Syslog message explanations have been added to the Cisco Content Security and Control SSM Administrator Guide.
Index IN-1 A AAA accounting 8-17 authentication network access 8-2 proxy limit 8-11 authorization downloadable access lists 8-13 network access 8-12.
Index IN-2 attacks DNS HINFO request 28-10 DNS request for all records 28-10 DNS zone transfer 28-10 DNS zone transfer from high port 28-10 fragment.
Index IN-3 C call agents MGCP application inspection 12-15, 12-16 CDUP command, denied request 11-24 certificate Cisco Unified Mobility 19-4 Cisco Unified Presence 20-4 Cisco IP Communicator 17-10 Cisco IP Phones, application inspection 12-32 Cisco UMA.
Index IN-4 password configuration 32-17 specifying traffic for CSC Scanning 32-18 summary 32-19 traffic selection for CSC Scan 32-17 CSC software.
Index IN-5 E EIGRP 7-6 EtherType access list compatibility with extended access lists 7-2 implicit deny 7-3 F failover guidelines 32-6 Fibre Channel.
Index IN-6 signatures 28-6 IP fragment attack 28-7 IP fragment database, displaying 28-2 IP fragment database, editing 28-3 IP impossible packet att.
Index IN-7 default policy 1-7 feature directionality 1-3 features 1-1 flows 1-5 matching multiple policy maps 1-5 See also class map See also policy map MPLS LDP 7-7 router-id 7-7 TDP 7-7 multi-session PAT 4-19 N NAT about 3-1, 6-1 about (8.
Index IN-8 about (8.2 and earlier) 6-9 configuring (8.2 and earlier) 6-27 network object NAT 4-12 twice NAT 5-18 static PAT about (8.2 and earlier) 6-9 static with port translation about 3-4 terminology 3-2 transparent mode 3-13 transparent mode (8.
Index IN-9 policy map inspection 2-3 Layer 3/4 about 1-1 feature directionality 1-3 flows 1-5 policy NAT, about (8.
Index IN-10 maximum and minimum 28-4 shun duration 27-10 signatures attack and informational 28-6 SIP inspection about 12-21 configuring 12-20 instan.
Index IN-11 TCP Intercept 22-5 TCP normalization 22-5 unsupported features 22-5 TCP SYN+FIN flags attack 28-9 testing configuration 24-1 threat dete.
Index IN-12 virtual HTTP 8-3 virtual sensors 31-17 VoIP proxy servers 12-21 VPN client NAT rules 3-20 W web clients, secure authentication 8-8 Websen.