About This Guide
Getting Started with the ASA
Introduction to the Cisco ASA 5500 Series
Hardware and Software Compatibility
VPN Specifications
New Features
New Features in Version 8.6(1)
New Features in Version 8.4(5)
New Features in Version 8.4(4.1)
New Features in Version 8.4(3)
New Features in Version 8.4(2)
New Features in Version 8.4(1)
Firewall Functional Overview
Security Policy Overview
Permitting or Denying Traffic with Access Lists
Applying NAT
Protecting from IP Fragments
Using AAA for Through Traffic
Applying HTTP, HTTPS, or FTP Filtering
Applying Application Inspection
Sending Traffic to the IPS Module
Sending Traffic to the Content Security and Control Module
Applying QoS Policies
Applying Connection Limits and TCP Normalization
Enabling Threat Detection
Enabling the Botnet Traffic Filter
Configuring Cisco Unified Communications
Firewall Mode Overview
Stateful Inspection Overview
VPN Functional Overview
Security Context Overview
Getting Started
Accessing the Appliance Command-Line Interface
Configuring ASDM Access for Appliances
Accessing ASDM Using the Factory Default Configuration
Accessing ASDM Using a Non-Default Configuration (ASA 5505)
Accessing ASDM Using a Non-Default Configuration (ASA 5510 and Higher)
Starting ASDM
Connecting to ASDM for the First Time
Starting ASDM from the ASDM-IDM Launcher
Starting ASDM from the Java Web Start Application
Using ASDM in Demo Mode
Factory Default Configurations
Restoring the Factory Default Configuration
ASA 5505 Default Configuration
ASA 5505 Routed Mode Default Configuration
ASA 5505 Transparent Mode Sample Configuration
ASA 5510 and Higher Default Configuration
Working with the Configuration
Saving Configuration Changes
Saving Configuration Changes in Single Context Mode
Saving Configuration Changes in Multiple Context Mode
Copying the Startup Configuration to the Running Configuration
Viewing the Configuration
Clearing and Removing Configuration Settings
Creating Text Configuration Files Offline
Applying Configuration Changes to Connections
Managing Feature Licenses
Supported Feature Licenses Per Model
Licenses Per Model
License Notes
VPN License and Feature Compatibility
Information About Feature Licenses
Preinstalled License
Permanent License
Time-Based Licenses
Time-Based License Activation Guidelines
How the Time-Based License Timer Works
How Permanent and Time-Based Licenses Combine
Stacking Time-Based Licenses
Time-Based License Expiration
Shared AnyConnect Premium Licenses
Information About the Shared Licensing Server and Participants
Communication Issues Between Participant and Server
Information About the Shared Licensing Backup Server
Failover and Shared Licenses
Maximum Number of Participants
Failover Licenses (8.3(1) and Later)
Failover License Requirements and Exceptions
How Failover Licenses Combine
Loss of Communication Between Failover Units
Upgrading Failover Pairs
No Payload Encryption Models
Licenses FAQ
Guidelines and Limitations
Configuring Licenses
Obtaining an Activation Key
Activating or Deactivating Keys
Configuring a Shared License
Configuring the Shared Licensing Server
Configuring the Shared Licensing Backup Server (Optional)
Configuring the Shared Licensing Participant
Monitoring Licenses
Viewing Your Current License
Monitoring the Shared License
Feature History for Licensing
Configuring Firewall and Security Context Modes
Configuring the Transparent or Routed Firewall
Configuring the Firewall Mode
Information About the Firewall Mode
Information About Routed Firewall Mode
Information About Transparent Firewall Mode
Licensing Requirements for the Firewall Mode
Default Settings
Guidelines and Limitations
Setting the Firewall Mode
Feature History for Firewall Mode
Configuring ARP Inspection for the Transparent Firewall
Information About ARP Inspection
Licensing Requirements for ARP Inspection
Default Settings
Guidelines and Limitations
Configuring ARP Inspection
Task Flow for Configuring ARP Inspection
Adding a Static ARP Entry
Enabling ARP Inspection
Monitoring ARP Inspection
Feature History for ARP Inspection
Customizing the MAC Address Table for the Transparent Firewall
Information About the MAC Address Table
Licensing Requirements for the MAC Address Table
Default Settings
Guidelines and Limitations
Configuring the MAC Address Table
Adding a Static MAC Address
Setting the MAC Address Timeout
Disabling MAC Address Learning
Monitoring the MAC Address Table
Feature History for the MAC Address Table
Firewall Mode Examples
How Data Moves Through the ASA in Routed Firewall Mode
An Inside User Visits a Web Server
An Outside User Visits a Web Server on the DMZ
An Inside User Visits a Web Server on the DMZ
An Outside User Attempts to Access an Inside Host
A DMZ User Attempts to Access an Inside Host
How Data Moves Through the Transparent Firewall
An Inside User Visits a Web Server
An Inside User Visits a Web Server Using NAT
An Outside User Visits a Web Server on the Inside Network
An Outside User Attempts to Access an Inside Host
Configuring Multiple Context Mode
Information About Security Contexts
Common Uses for Security Contexts
Context Configuration Files
Context Configurations
System Configuration
Admin Context Configuration
How the ASA Classifies Packets
Valid Classifier Criteria
Classification Examples
Cascading Security Contexts
Management Access to Security Contexts
System Administrator Access
Context Administrator Access
Information About Resource Management
Resource Limits
Default Class
Class Members
Information About MAC Addresses
Default MAC Address
Interaction with Manual MAC Addresses
Failover MAC Addresses
MAC Address Format
Licensing Requirements for Multiple Context Mode
Guidelines and Limitations
Default Settings
Configuring Multiple Contexts
Task Flow for Configuring Multiple Context Mode
Enabling or Disabling Multiple Context Mode
Enabling Multiple Context Mode
Restoring Single Context Mode
Configuring a Class for Resource Management
Configuring a Security Context
Automatically Assigning MAC Addresses to Context Interfaces
Changing Between Contexts and the System Execution Space
Managing Security Contexts
Removing a Security Context
Changing the Admin Context
Changing the Security Context URL
Reloading a Security Context
Reloading by Clearing the Configuration
Reloading by Removing and Re-adding the Context
Monitoring Security Contexts
Viewing Context Information
Viewing Resource Allocation
Viewing Resource Usage
Monitoring SYN Attacks in Contexts
Viewing Assigned MAC Addresses
Viewing MAC Addresses in the System Configuration
Viewing MAC Addresses Within a Context
Configuration Examples for Multiple Context Mode
Feature History for Multiple Context Mode
Configuring Interfaces
Starting Interface Configuration (ASA 5510 and Higher)
Information About Starting ASA 5510 and Higher Interface Configuration
Auto-MDI/MDIX Feature
Interfaces in Transparent Mode
Management Interface
Management Interface Overview
Management Slot/Port Interface
Using Any Interface for Management-Only Traffic
Management Interface for Transparent Mode
No Support for Redundant Management Interfaces
Management 0/0 Interface on the ASA 5512-X through ASA 5555-X
Redundant Interfaces
Redundant Interface MAC Address
EtherChannels
Channel Group Interfaces
Connecting to an EtherChannel on Another Device
Link Aggregation Control Protocol
Load Balancing
EtherChannel MAC Address
Licensing Requirements for ASA 5510 and Higher Interfaces
Guidelines and Limitations
Default Settings
Starting Interface Configuration (ASA 5510 and Higher)
Task Flow for Starting Interface Configuration
Converting In-Use Interfaces to a Redundant or EtherChannel Interface
Enabling the Physical Interface and Configuring Ethernet Parameters
Configuring a Redundant Interface
Configuring a Redundant Interface
Changing the Active Interface
Configuring an EtherChannel
Adding Interfaces to the EtherChannel
Customizing the EtherChannel
Configuring VLAN Subinterfaces and 802.1Q Trunking
Enabling Jumbo Frame Support (Supported Models)
Monitoring Interfaces
Configuration Examples for ASA 5510 and Higher Interfaces
Physical Interface Parameters Example
Subinterface Parameters Example
Multiple Context Mode Example
EtherChannel Example
Where to Go Next
Feature History for ASA 5510 and Higher Interfaces
Starting Interface Configuration (ASA 5505)
Information About ASA 5505 Interfaces
Understanding ASA 5505 Ports and Interfaces
Maximum Active VLAN Interfaces for Your License
VLAN MAC Addresses
Power over Ethernet
Monitoring Traffic Using SPAN
Auto-MDI/MDIX Feature
Licensing Requirements for ASA 5505 Interfaces
Guidelines and Limitations
Default Settings
Starting ASA 5505 Interface Configuration
Task Flow for Starting Interface Configuration
Configuring VLAN Interfaces
Configuring and Enabling Switch Ports as Access Ports
Configuring and Enabling Switch Ports as Trunk Ports
Monitoring Interfaces
Configuration Examples for ASA 5505 Interfaces
Access Port Example
Trunk Port Example
Where to Go Next
Feature History for ASA 5505 Interfaces
Completing Interface Configuration (Routed Mode)
Information About Completing Interface Configuration in Routed Mode
Security Levels
Dual IP Stack (IPv4 and IPv6)
Licensing Requirements for Completing Interface Configuration in Routed Mode
Guidelines and Limitations
Default Settings
Completing Interface Configuration in Routed Mode
Task Flow for Completing Interface Configuration
Configuring General Interface Parameters
Configuring the MAC Address and MTU
Configuring IPv6 Addressing
Information About IPv6
Configuring a Global IPv6 Address and Other Options
Allowing Same Security Level Communication
Monitoring Interfaces
Configuration Examples for Interfaces in Routed Mode
ASA 5505 Example
Feature History for Interfaces in Routed Mode
Completing Interface Configuration (Transparent Mode)
Information About Completing Interface Configuration in Transparent Mode
Bridge Groups in Transparent Mode
Security Levels
Licensing Requirements for Completing Interface Configuration in Transparent Mode
Guidelines and Limitations
Default Settings
Completing Interface Configuration in Transparent Mode
Task Flow for Completing Interface Configuration
Configuring Bridge Groups
Configuring General Interface Parameters
Configuring a Management Interface (ASA 5510 and Higher)
Configuring the MAC Address and MTU
Configuring IPv6 Addressing
Information About IPv6
Configuring a Global IPv6 Address and Other Options
Allowing Same Security Level Communication
Monitoring Interfaces
Configuration Examples for Interfaces in Transparent Mode
Feature History for Interfaces in Transparent Mode
Configuring Basic Settings
Configuring Basic Settings
Configuring the Hostname, Domain Name, and Passwords
Changing the Login Password
Changing the Enable Password
Setting the Hostname
Setting the Domain Name
Setting the Date and Time
Setting the Time Zone and Daylight Saving Time Date Range
Setting the Date and Time Using an NTP Server
Setting the Date and Time Manually
Configuring the Master Passphrase
Information About the Master Passphrase
Licensing Requirements for the Master Passphrase
Guidelines and Limitations
Adding or Changing the Master Passphrase
Disabling the Master Passphrase
Recovering the Master Passphrase
Feature History for the Master Passphrase
Configuring the DNS Server
Monitoring DNS Cache
DNS Cache Monitoring Commands
Feature History for DNS Cache
Configuring DHCP
Information About DHCP
Licensing Requirements for DHCP
Guidelines and Limitations
Configuring a DHCP Server
Enabling the DHCP Server
Configuring DHCP Options
Options that Return an IP Address
Options that Return a Text String
Options that Return a Hexadecimal Value
Using Cisco IP Phones with a DHCP Server
Configuring DHCP Relay Services
DHCP Monitoring Commands
Feature History for DHCP
Configuring Dynamic DNS
Information About DDNS
Licensing Requirements for DDNS
Guidelines and Limitations
Configuring DDNS
Configuration Examples for DDNS
Example 1: Client Updates Both A and PTR RRs for Static IP Addresses
Example 2: Client Updates Both A and PTR RRs; DHCP Server Honors Client Update Request; FQDN Provided Through Configuration
Example 3: Client Includes FQDN Option Instructing Server Not to Update Either RR; Server Overrides Client and Updates Both RRs.
Example 4: Client Asks Server To Perform Both Updates; Server Configured to Update PTR RR Only; Honors Client Request and Updates Both A and PTR RR
Example 5: Client Updates A RR; Server Updates PTR RR
DDNS Monitoring Commands
Feature History for DDNS
Configuring Objects and Access Lists
Configuring Objects
Configuring Objects and Groups
Information About Objects and Groups
Information About Objects
Information About Object Groups
Licensing Requirements for Objects and Groups
Guidelines and Limitations for Objects and Groups
Configuring Objects
Configuring a Network Object
Configuring a Service Object
Configuring Object Groups
Adding a Protocol Object Group
Adding a Network Object Group
Adding a Service Object Group
Adding an ICMP Type Object Group
Nesting Object Groups
Removing Object Groups
Monitoring Objects and Groups
Feature History for Objects and Groups
Configuring Regular Expressions
Creating a Regular Expression
Creating a Regular Expression Class Map
Scheduling Extended Access List Activation
Information About Scheduling Access List Activation
Licensing Requirements for Scheduling Access List Activation
Guidelines and Limitations for Scheduling Access List Activation
Configuring and Applying Time Ranges
Configuration Examples for Scheduling Access List Activation
Feature History for Scheduling Access List Activation
Information About Access Lists
Access List Types
Access Control Entry Order
Access Control Implicit Deny
IP Addresses Used for Access Lists When You Use NAT
Where to Go Next
Adding an Extended Access List
Information About Extended Access Lists
Licensing Requirements for Extended Access Lists
Default Settings
Configuring Extended Access Lists
Adding an Extended Access List
Adding Remarks to Access Lists
Monitoring Extended Access Lists
Configuration Examples for Extended Access Lists
Configuration Examples for Extended Access Lists (No Objects)
Configuration Examples for Extended Access Lists (Using Objects)
Where to Go Next
Feature History for Extended Access Lists
Adding an EtherType Access List
Information About EtherType Access Lists
Licensing Requirements for EtherType Access Lists
Guidelines and Limitations
Default Settings
Configuring EtherType Access Lists
Task Flow for Configuring EtherType Access Lists
Adding EtherType Access Lists
Adding Remarks to Access Lists
What to Do Next
Monitoring EtherType Access Lists
Configuration Examples for EtherType Access Lists
Feature History for EtherType Access Lists
Adding a Standard Access List
Information About Standard Access Lists
Licensing Requirements for Standard Access Lists
Guidelines and Limitations
Default Settings
Adding Standard Access Lists
Task Flow for Configuring Extended Access Lists
Adding a Standard Access List
Adding Remarks to Access Lists
What to Do Next
Monitoring Access Lists
Configuration Examples for Standard Access Lists
Feature History for Standard Access Lists
Adding a Webtype Access List
Licensing Requirements for Webtype Access Lists
Guidelines and Limitations
Default Settings
Using Webtype Access Lists
Task Flow for Configuring Webtype Access Lists
Adding Webtype Access Lists with a URL String
Adding Webtype Access Lists with an IP Address
Adding Remarks to Access Lists
What to Do Next
Monitoring Webtype Access Lists
Configuration Examples for Webtype Access Lists
Feature History for Webtype Access Lists
Adding an IPv6 Access List
Information About IPv6 Access Lists
Licensing Requirements for IPv6 Access Lists
Prerequisites for Adding IPv6 Access Lists
Guidelines and Limitations
Default Settings
Configuring IPv6 Access Lists
Task Flow for Configuring IPv6 Access Lists
Adding IPv6 Access Lists
Adding Remarks to Access Lists
Monitoring IPv6 Access Lists
Configuration Examples for IPv6 Access Lists
Where to Go Next
Feature History for IPv6 Access Lists
Configuring Logging for Access Lists
Configuring Logging for Access Lists
Information About Logging Access List Activity
Licensing Requirements for Access List Logging
Guidelines and Limitations
Default Settings
Configuring Access List Logging
Monitoring Access Lists
Configuration Examples for Access List Logging
Feature History for Access List Logging
Managing Deny Flows
Information About Managing Deny Flows
Licensing Requirements for Managing Deny Flows
Guidelines and Limitations
Default Settings
Managing Deny Flows
Monitoring Deny Flows
Feature History for Managing Deny Flows
Configuring IP Routing
Routing Overview
Information About Routing
Switching
Path Determination
Supported Route Types
Static Versus Dynamic
Single-Path Versus Multipath
Flat Versus Hierarchical
Link-State Versus Distance Vector
How Routing Behaves Within the ASA
Egress Interface Selection Process
Next Hop Selection Process
Supported Internet Protocols for Routing
Information About the Routing Table
Displaying the Routing Table
How the Routing Table Is Populated
Backup Routes
How Forwarding Decisions Are Made
Dynamic Routing and Failover
Information About IPv6 Support
Features That Support IPv6
IPv6-Enabled Commands
Entering IPv6 Addresses in Commands
Disabling Proxy ARPs
Configuring Static and Default Routes
Information About Static and Default Routes
Licensing Requirements for Static and Default Routes
Guidelines and Limitations
Configuring Static and Default Routes
Configuring a Static Route
Adding or Editing a Static Route
Configuring a Default Static Route
Limitations on Configuring a Default Static Route
Configuring IPv6 Default and Static Routes
Monitoring a Static or Default Route
Configuration Examples for Static or Default Routes
Feature History for Static and Default Routes
Defining Route Maps
Information About Route Maps
Permit and Deny Clauses
Match and Set Clause Values
Licensing Requirements for Route Maps
Guidelines and Limitations
Defining a Route Map
Customizing a Route Map
Defining a Route to Match a Specific Destination Address
Configuring the Metric Values for a Route Action
Configuration Example for Route Maps
Feature History for Route Maps
Configuring OSPF
Information About OSPF
Licensing Requirements for OSPF
Guidelines and Limitations
Configuring OSPF
Customizing OSPF
Redistributing Routes Into OSPF
Configuring Route Summarization When Redistributing Routes Into OSPF
Configuring Route Summarization Between OSPF Areas
Configuring OSPF Interface Parameters
Configuring OSPF Area Parameters
Configuring OSPF NSSA
Defining Static OSPF Neighbors
Configuring Route Calculation Timers
Logging Neighbors Going Up or Down
Restarting the OSPF Process
Configuration Example for OSPF
Monitoring OSPF
Feature History for OSPF
Configuring RIP
Information About RIP
Routing Update Process
RIP Routing Metric
RIP Stability Features
RIP Timers
Licensing Requirements for RIP
Guidelines and Limitations
Configuring RIP
Enabling RIP
Customizing RIP
Configuring the RIP Version
Configuring Interfaces for RIP
Configuring the RIP Send and Receive Version on an Interface
Configuring Route Summarization
Filtering Networks in RIP
Redistributing Routes into the RIP Routing Process
Enabling RIP Authentication
Restarting the RIP Process
Monitoring RIP
Configuration Example for RIP
Feature History for RIP
Configuring Multicast Routing
Information About Multicast Routing
Stub Multicast Routing
PIM Multicast Routing
Multicast Group Concept
Multicast Addresses
Licensing Requirements for Multicast Routing
Guidelines and Limitations
Enabling Multicast Routing
Customizing Multicast Routing
Configuring Stub Multicast Routing and Forwarding IGMP Messages
Configuring a Static Multicast Route
Configuring IGMP Features
Disabling IGMP on an Interface
Configuring IGMP Group Membership
Configuring a Statically Joined IGMP Group
Controlling Access to Multicast Groups
Limiting the Number of IGMP States on an Interface
Modifying the Query Messages to Multicast Groups
Changing the IGMP Version
Configuring PIM Features
Enabling and Disabling PIM on an Interface
Configuring a Static Rendezvous Point Address
Configuring the Designated Router Priority
Configuring and Filtering PIM Register Messages
Configuring PIM Message Intervals
Filtering PIM Neighbors
Configuring a Bidirectional Neighbor Filter
Configuring a Multicast Boundary
Configuration Example for Multicast Routing
Additional References
Related Documents
RFCs
Feature History for Multicast Routing
Configuring EIGRP
Information About EIGRP
Licensing Requirements for EIGRP
Guidelines and Limitations
Configuring EIGRP
Enabling EIGRP
Enabling EIGRP Stub Routing
Customizing EIGRP
Defining a Network for an EIGRP Routing Process
Configuring Interfaces for EIGRP
Configuring Passive Interfaces
Configuring the Summary Aggregate Addresses on Interfaces
Changing the Interface Delay Value
Enabling EIGRP Authentication on an Interface
Defining an EIGRP Neighbor
Redistributing Routes Into EIGRP
Filtering Networks in EIGRP
Customizing the EIGRP Hello Interval and Hold Time
Disabling Automatic Route Summarization
Configuring Default Information in EIGRP
Disabling EIGRP Split Horizon
Restarting the EIGRP Process
Monitoring EIGRP
Configuration Example for EIGRP
Feature History for EIGRP
Configuring IPv6 Neighbor Discovery
Information About IPv6 Neighbor Discovery
Neighbor Solicitation Messages
Neighbor Reachable Time
Router Advertisement Messages
Static IPv6 Neighbors
Licensing Requirements for IPv6 Neighbor Discovery
Guidelines and Limitations
Default Settings for IPv6 Neighbor Discovery
Configuring the Neighbor Solicitation Message Interval
Configuring the Neighbor Reachable Time
Configuring the Router Advertisement Transmission Interval
Configuring the Router Lifetime Value
Configuring DAD Settings
Configuring IPv6 Addresses on an Interface
Suppressing Router Advertisement Messages
Configuring the IPv6 Prefix
Configuring a Static IPv6 Neighbor
Monitoring IPv6 Neighbor Discovery
Additional References
Related Documents for IPv6 Prefixes
RFCs for IPv6 Prefixes and Documentation
Feature History for IPv6 Neighbor Discovery
Configuring Network Address Translation
Information About NAT
Why Use NAT?
NAT Terminology
NAT Types
NAT Types Overview
Static NAT
Information About Static NAT
Information About Static NAT with Port Translation
Information About One-to-Many Static NAT
Information About Other Mapping Scenarios (Not Recommended)
Dynamic NAT
Information About Dynamic NAT
Dynamic NAT Disadvantages and Advantages
Dynamic PAT
Information About Dynamic PAT
Dynamic PAT Disadvantages and Advantages
Identity NAT
NAT in Routed and Transparent Mode
NAT in Routed Mode
NAT in Transparent Mode
NAT for VPN
How NAT is Implemented
Main Differences Between Network Object NAT and Twice NAT
Information About Network Object NAT
Information About Twice NAT
NAT Rule Order
NAT Interfaces
Routing NAT Packets
Mapped Addresses and Routing
Transparent Mode Routing Requirements for Remote Networks
Determining the Egress Interface
DNS and NAT
Where to Go Next
Configuring Network Object NAT
Information About Network Object NAT
Licensing Requirements for Network Object NAT
Prerequisites for Network Object NAT
Guidelines and Limitations
Default Settings
Configuring Network Object NAT
Configuring Dynamic NAT
Configuring Dynamic PAT (Hide)
Configuring Static NAT or Static NAT-with-Port-Translation
Configuring Identity NAT
Monitoring Network Object NAT
Configuration Examples for Network Object NAT
Providing Access to an Inside Web Server (Static NAT)
NAT for Inside Hosts (Dynamic NAT) and NAT for an Outside Web Server (Static NAT)
Inside Load Balancer with Multiple Mapped Addresses (Static NAT, One-to-Many)
Single Address for FTP, HTTP, and SMTP (Static NAT-with-Port-Translation)
DNS Server on Mapped Interface, Web Server on Real Interface (Static NAT with DNS Modification)
DNS Server and Web Server on Mapped Interface, Web Server is Translated (Static NAT with DNS Modification)
Feature History for Network Object NAT
Configuring Twice NAT
Information About Twice NAT
Licensing Requirements for Twice NAT
Prerequisites for Twice NAT
Guidelines and Limitations
Default Settings
Configuring Twice NAT
Configuring Dynamic NAT
Configuring Dynamic PAT (Hide)
Configuring Static NAT or Static NAT-with-Port-Translation
Configuring Identity NAT
Monitoring Twice NAT
Configuration Examples for Twice NAT
Different Translation Depending on the Destination (Dynamic PAT)
Different Translation Depending on the Destination Address and Port (Dynamic PAT)
Feature History for Twice NAT
Configuring Service Policies Using the Modular Policy Framework
Configuring a Service Policy Using the Modular Policy Framework
Information About Service Policies
Supported Features for Through Traffic
Supported Features for Management Traffic
Feature Directionality
Feature Matching Within a Service Policy
Order in Which Multiple Feature Actions are Applied
Incompatibility of Certain Feature Actions
Feature Matching for Multiple Service Policies
Licensing Requirements for Service Policies
Guidelines and Limitations
Default Settings
Default Configuration
Default Class Maps
Task Flows for Configuring Service Policies
Task Flow for Using the Modular Policy Framework
Task Flow for Configuring Hierarchical Policy Maps for QoS Traffic Shaping
Identifying Traffic (Layer 3/4 Class Maps)
Creating a Layer 3/4 Class Map for Through Traffic
Creating a Layer 3/4 Class Map for Management Traffic
Defining Actions (Layer 3/4 Policy Map)
Applying Actions to an Interface (Service Policy)
Monitoring Modular Policy Framework
Configuration Examples for Modular Policy Framework
Applying Inspection and QoS Policing to HTTP Traffic
Applying Inspection to HTTP Traffic Globally
Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers
Applying Inspection to HTTP Traffic with NAT
Feature History for Service Policies
Configuring Special Actions for Application Inspections (Inspection Policy Map)
Information About Inspection Policy Maps
Guidelines and Limitations
Default Inspection Policy Maps
Defining Actions in an Inspection Policy Map
Identifying Traffic in an Inspection Class Map
Where to Go Next
Configuring Access Control
Configuring Access Rules
Information About Access Rules
General Information About Rules
Implicit Permits
Information About Interface Access Rules and Global Access Rules
Using Access Rules and EtherType Rules on the Same Interface
Implicit Deny
Inbound and Outbound Rules
Information About Extended Access Rules
Access Rules for Returning Traffic
Allowing Broadcast and Multicast Traffic through the Transparent Firewall Using Access Rules
Management Access Rules
Information About EtherType Rules
Supported EtherTypes and Other Traffic
Access Rules for Returning Traffic
Allowing MPLS
Licensing Requirements for Access Rules
Prerequisites
Guidelines and Limitations
Default Settings
Configuring Access Rules
Monitoring Access Rules
Configuration Examples for Permitting or Denying Network Access
Feature History for Access Rules
Configuring AAA Servers and the Local Database
Information About AAA
Information About Authentication
Information About Authorization
Information About Accounting
Summary of Server Support
RADIUS Server Support
Authentication Methods
Attribute Support
RADIUS Authorization Functions
TACACS+ Server Support
RSA/SDI Server Support
RSA/SDI Version Support
Two-step Authentication Process
RSA/SDI Primary and Replica Servers
NT Server Support
Kerberos Server Support
LDAP Server Support
Authentication with LDAP
LDAP Server Types
HTTP Forms Authentication for Clientless SSL VPN
Local Database Support, Including as a Fallback Method
How Fallback Works with Multiple Servers in a Group
Using Certificates and User Login Credentials
Using User Login Credentials
Using Certificates
Licensing Requirements for AAA Servers
Guidelines and Limitations
Configuring AAA
Task Flow for Configuring AAA
Configuring AAA Server Groups
Configuring Authorization with LDAP for VPN
Configuring LDAP Attribute Maps
Adding a User Account to the Local Database
Guidelines
Limitations
Managing User Passwords
Changing User Passwords
Authenticating Users with a Public Key for SSH
Differentiating User Roles Using AAA
Using Local Authentication
Using RADIUS Authentication
Using LDAP Authentication
Using TACACS+ Authentication
Monitoring AAA Servers
Additional References
RFCs
Feature History for AAA Servers
Configuring the Identity Firewall
Information About the Identity Firewall
Overview of the Identity Firewall
Architecture for Identity Firewall Deployments
Features of the Identity Firewall
Deployment Scenarios
Cut-through Proxy and VPN Authentication
Licensing for the Identity Firewall
Guidelines and Limitations
Prerequisites
Configuring the Identity Firewall
Task Flow for Configuring the Identity Firewall
Configuring the Active Directory Domain
Configuring Active Directory Agents
Configuring Identity Options
Configuring Identity-based Access Rules
Configuring Cut-through Proxy Authentication
Configuring VPN Authentication
Monitoring the Identity Firewall
Monitoring AD Agents
Monitoring Groups
Monitoring Memory Usage for the Identity Firewall
Monitoring Users for the Identity Firewall
Feature History for the Identity Firewall
Configuring Management Access
Configuring ASA Access for ASDM, Telnet, or SSH
Licensing Requirements for ASA Access for ASDM, Telnet, or SSH
Guidelines and Limitations
Configuring Telnet Access
Using a Telnet Client
Configuring SSH Access
Using an SSH Client
Configuring HTTPS Access for ASDM
Configuring CLI Parameters
Licensing Requirements for CLI Parameters
Guidelines and Limitations
Configuring a Login Banner
Customizing a CLI Prompt
Changing the Console Timeout
Configuring ICMP Access
Information About ICMP Access
Licensing Requirements for ICMP Access
Guidelines and Limitations
Default Settings
Configuring ICMP Access
Configuring Management Access Over a VPN Tunnel
Licensing Requirements for a Management Interface
Guidelines and Limitations
Configuring a Management Interface
Configuring AAA for System Administrators
Information About AAA for System Administrators
Information About Management Authentication
Information About Command Authorization
Licensing Requirements for AAA for System Administrators
Prerequisites
Guidelines and Limitations
Default Settings
Configuring Authentication for CLI and ASDM Access
Configuring Authentication to Access Privileged EXEC Mode (the enable Command)
Configuring Authentication for the enable Command
Authenticating Users with the login Command
Limiting User CLI and ASDM Access with Management Authorization
Configuring Command Authorization
Configuring Local Command Authorization
Viewing Local Command Privilege Levels
Configuring Commands on the TACACS+ Server
Configuring TACACS+ Command Authorization
Configuring Management Access Accounting
Viewing the Currently Logged-In User
Recovering from a Lockout
Setting a Management Session Quota
Feature History for Management Access
Configuring AAA Rules for Network Access
AAA Performance
Licensing Requirements for AAA Rules
Guidelines and Limitations
Configuring Authentication for Network Access
Information About Authentication
One-Time Authentication
Applications Required to Receive an Authentication Challenge
ASA Authentication Prompts
Static PAT and HTTP
Configuring Network Access Authentication
Enabling Secure Authentication of Web Clients
Authenticating Directly with the ASA
Authenticating HTTP(S) Connections with a Virtual Server
Authenticating Telnet Connections with a Virtual Server
Configuring Authorization for Network Access
Configuring TACACS+ Authorization
Configuring RADIUS Authorization
Configuring a RADIUS Server to Send Downloadable Access Control Lists
Configuring a RADIUS Server to Download Per-User Access Control List Names
Configuring Accounting for Network Access
Using MAC Addresses to Exempt Traffic from Authentication and Authorization
Feature History for AAA Rules
Configuring Filtering Services
Information About Web Traffic Filtering
Configuring ActiveX Filtering
Information About ActiveX Filtering
Licensing Requirements for ActiveX Filtering
Guidelines and Limitations for ActiveX Filtering
Configuring ActiveX Filtering
Configuration Examples for ActiveX Filtering
Feature History for ActiveX Filtering
Configuring Java Applet Filtering
Information About Java Applet Filtering
Licensing Requirements for Java Applet Filtering
Guidelines and Limitations for Java Applet Filtering
Configuring Java Applet Filtering
Configuration Examples for Java Applet Filtering
Feature History for Java Applet Filtering
Filtering URLs and FTP Requests with an External Server
Information About URL Filtering
Licensing Requirements for URL Filtering
Guidelines and Limitations for URL Filtering
Identifying the Filtering Server
Configuring Additional URL Filtering Settings
Buffering the Content Server Response
Caching Server Addresses
Filtering HTTP URLs
Filtering HTTPS URLs
Filtering FTP Requests
Monitoring Filtering Statistics
Feature History for URL Filtering
Configuring Web Cache Services Using WCCP
Information About WCCP
Guidelines and Limitations
Licensing Requirements for WCCP
Enabling WCCP Redirection
WCCP Monitoring Commands
Feature History for WCCP
Configuring Digital Certificates
Information About Digital Certificates
Public Key Cryptography
Certificate Scalability
Key Pairs
Trustpoints
Certificate Enrollment
Proxy for SCEP Requests
Revocation Checking
Supported CA Servers
CRLs
OCSP
The Local CA
Storage for Local CA Files
The Local CA Server
Licensing Requirements for Digital Certificates
Prerequisites for Local Certificates
Prerequisites for SCEP Proxy Support
Guidelines and Limitations
Configuring Digital Certificates
Configuring Key Pairs
Removing Key Pairs
Configuring Trustpoints
Configuring CRLs for a Trustpoint
Exporting a Trustpoint Configuration
Importing a Trustpoint Configuration
Configuring CA Certificate Map Rules
Obtaining Certificates Manually
Obtaining Certificates Automatically with SCEP
Configuring Proxy Support for SCEP Requests
Enabling the Local CA Server
Configuring the Local CA Server
Customizing the Local CA Server
Debugging the Local CA Server
Disabling the Local CA Server
Deleting the Local CA Server
Configuring Local CA Certificate Characteristics
Configuring the Issuer Name
Configuring the CA Certificate Lifetime
Configuring the User Certificate Lifetime
Configuring the CRL Lifetime
Configuring the Server Keysize
Setting Up External Local CA File Storage
Downloading CRLs
Storing CRLs
Setting Up Enrollment Parameters
Adding and Enrolling Users
Renewing Users
Restoring Users
Removing Users
Revoking Certificates
Maintaining the Local CA Certificate Database
Rolling Over Local CA Certificates
Archiving the Local CA Server Certificate and Keypair
Monitoring Digital Certificates
Feature History for Certificate Management
Configuring Application Inspection
Getting Started with Application Layer Protocol Inspection
Information About Application Layer Protocol Inspection
How Inspection Engines Work
When to Use Application Protocol Inspection
Guidelines and Limitations
Default Settings
Configuring Application Layer Protocol Inspection
Configuring Inspection of Basic Internet Protocols
DNS Inspection
How DNS Application Inspection Works
How DNS Rewrite Works
Configuring DNS Rewrite
Configuring DNS Rewrite with Two NAT Zones
Overview of DNS Rewrite with Three NAT Zones
Configuring DNS Rewrite with Three NAT Zones
Configuring a DNS Inspection Policy Map for Additional Inspection Control
Verifying and Monitoring DNS Inspection
FTP Inspection
FTP Inspection Overview
Using the strict Option
Configuring an FTP Inspection Policy Map for Additional Inspection Control
Verifying and Monitoring FTP Inspection
HTTP Inspection
HTTP Inspection Overview
Configuring an HTTP Inspection Policy Map for Additional Inspection Control
ICMP Inspection
ICMP Error Inspection
Instant Messaging Inspection
IM Inspection Overview
Configuring an Instant Messaging Inspection Policy Map for Additional Inspection Control
IP Options Inspection
IP Options Inspection Overview
Configuring an IP Options Inspection Policy Map for Additional Inspection Control
IPsec Pass Through Inspection
IPsec Pass Through Inspection Overview
Example for Defining an IPsec Pass Through Parameter Map
IPv6 Inspection
Configuring an IPv6 Inspection Policy Map
NetBIOS Inspection
NetBIOS Inspection Overview
Configuring a NetBIOS Inspection Policy Map for Additional Inspection Control
PPTP Inspection
SMTP and Extended SMTP Inspection
SMTP and ESMTP Inspection Overview
Configuring an ESMTP Inspection Policy Map for Additional Inspection Control
TFTP Inspection
Configuring Inspection for Voice and Video Protocols
CTIQBE Inspection
CTIQBE Inspection Overview
Limitations and Restrictions
Verifying and Monitoring CTIQBE Inspection
H.323 Inspection
H.323 Inspection Overview
How H.323 Works
H.239 Support in H.245 Messages
Limitations and Restrictions
Configuring an H.323 Inspection Policy Map for Additional Inspection Control
Configuring H.323 and H.225 Timeout Values
Verifying and Monitoring H.323 Inspection
Monitoring H.225 Sessions
Monitoring H.245 Sessions
Monitoring H.323 RAS Sessions
MGCP Inspection
MGCP Inspection Overview
Configuring an MGCP Inspection Policy Map for Additional Inspection Control
Configuring MGCP Timeout Values
Verifying and Monitoring MGCP Inspection
RTSP Inspection
RTSP Inspection Overview
Using RealPlayer
Restrictions and Limitations
Configuring an RTSP Inspection Policy Map for Additional Inspection Control
SIP Inspection
SIP Inspection Overview
SIP Instant Messaging
Configuring a SIP Inspection Policy Map for Additional Inspection Control
Configuring SIP Timeout Values
Verifying and Monitoring SIP Inspection
Skinny (SCCP) Inspection
SCCP Inspection Overview
Supporting Cisco IP Phones
Restrictions and Limitations
Configuring a Skinny (SCCP) Inspection Policy Map for Additional Inspection Control
Verifying and Monitoring SCCP Inspection
Configuring Inspection of Database and Directory Protocols
ILS Inspection
SQL*Net Inspection
Sun RPC Inspection
Sun RPC Inspection Overview
Managing Sun RPC Services
Verifying and Monitoring Sun RPC Inspection
Configuring Inspection for Management Application Protocols
DCERPC Inspection
DCERPC Overview
Configuring a DCERPC Inspection Policy Map for Additional Inspection Control
GTP Inspection
GTP Inspection Overview
Configuring a GTP Inspection Policy Map for Additional Inspection Control
Verifying and Monitoring GTP Inspection
RADIUS Accounting Inspection
RADIUS Accounting Inspection Overview
Configuring a RADIUS Inspection Policy Map for Additional Inspection Control
RSH Inspection
SNMP Inspection
SNMP Inspection Overview
Configuring an SNMP Inspection Policy Map for Additional Inspection Control
XDMCP Inspection
Configuring Unified Communications
Information About Cisco Unified Communications Proxy Features
Information About the Adaptive Security Appliance in Cisco Unified Communications
TLS Proxy Applications in Cisco Unified Communications
Licensing for Cisco Unified Communications Proxy Features
Configuring the Cisco Phone Proxy
Information About the Cisco Phone Proxy
Phone Proxy Functionality
Supported Cisco UCM and IP Phones for the Phone Proxy
Licensing Requirements for the Phone Proxy
Prerequisites for the Phone Proxy
Media Termination Instance Prerequisites
Certificates from the Cisco UCM
DNS Lookup Prerequisites
Cisco Unified Communications Manager Prerequisites
Access List Rules
NAT and PAT Prerequisites
Prerequisites for IP Phones on Multiple Interfaces
7960 and 7940 IP Phones Support
Cisco IP Communicator Prerequisites
Prerequisites for Rate Limiting TFTP Requests
Rate Limiting Configuration Example
About ICMP Traffic Destined for the Media Termination Address
End-User Phone Provisioning
Ways to Deploy IP Phones to End Users
Phone Proxy Guidelines and Limitations
General Guidelines and Limitations
Media Termination Address Guidelines and Limitations
Configuring the Phone Proxy
Task Flow for Configuring the Phone Proxy in a Non-secure Cisco UCM Cluster
Importing Certificates from the Cisco UCM
Task Flow for Configuring the Phone Proxy in a Mixed-mode Cisco UCM Cluster
Creating Trustpoints and Generating Certificates
Creating the CTL File
Using an Existing CTL File
Creating the TLS Proxy Instance for a Non-secure Cisco UCM Cluster
Creating the TLS Proxy for a Mixed-mode Cisco UCM Cluster
Creating the Media Termination Instance
Creating the Phone Proxy Instance
Enabling the Phone Proxy with SIP and Skinny Inspection
Configuring Linksys Routers with UDP Port Forwarding for the Phone Proxy
Configuring Your Router
Troubleshooting the Phone Proxy
Debugging Information from the Security Appliance
Debugging Information from IP Phones
IP Phone Registration Failure
TFTP Auth Error Displays on IP Phone Console
Configuration File Parsing Error
Configuration File Parsing Error: Unable to Get DNS Response
Non-configuration File Parsing Error
Cisco UCM Does Not Respond to TFTP Request for Configuration File
IP Phone Does Not Respond After the Security Appliance Sends TFTP Data
IP Phone Requesting Unsigned File Error
IP Phone Unable to Download CTL File
IP Phone Registration Failure from Signaling Connections
SSL Handshake Failure
Certificate Validation Errors
Media Termination Address Errors
Audio Problems with IP Phones
Saving SAST Keys
Configuration Examples for the Phone Proxy
Example 1: Nonsecure Cisco UCM cluster, Cisco UCM and TFTP Server on Publisher
Example 2: Mixed-mode Cisco UCM cluster, Cisco UCM and TFTP Server on Publisher
Example 3: Mixed-mode Cisco UCM cluster, Cisco UCM and TFTP Server on Different Servers
Example 4: Mixed-mode Cisco UCM cluster, Primary Cisco UCM, Secondary and TFTP Server on Different Servers
Example 5: LSC Provisioning in Mixed-mode Cisco UCM cluster; Cisco UCM and TFTP Server on Publisher
Example 6: VLAN Traversal
Feature History for the Phone Proxy
Configuring the TLS Proxy for Encrypted Voice Inspection
Information About the TLS Proxy for Encrypted Voice Inspection
Decryption and Inspection of Unified Communications Encrypted Signaling
CTL Client Overview
Licensing for the TLS Proxy
Prerequisites for the TLS Proxy for Encrypted Voice Inspection
Configuring the TLS Proxy for Encrypted Voice Inspection
Task Flow for Configuring the TLS Proxy for Encrypted Voice Inspection
Creating Trustpoints and Generating Certificates
Creating an Internal CA
Creating a CTL Provider Instance
Creating the TLS Proxy Instance
Enabling the TLS Proxy Instance for Skinny or SIP Inspection
Monitoring the TLS Proxy
Feature History for the TLS Proxy for Encrypted Voice Inspection
Configuring Cisco Mobility Advantage
Information About the Cisco Mobility Advantage Proxy Feature
Cisco Mobility Advantage Proxy Functionality
Mobility Advantage Proxy Deployment Scenarios
Mobility Advantage Proxy Using NAT/PAT
Trust Relationships for Cisco UMA Deployments
Licensing for the Cisco Mobility Advantage Proxy Feature
Configuring Cisco Mobility Advantage
Task Flow for Configuring Cisco Mobility Advantage
Installing the Cisco UMA Server Certificate
Creating the TLS Proxy Instance
Enabling the TLS Proxy for MMP Inspection
Monitoring for Cisco Mobility Advantage
Configuration Examples for Cisco Mobility Advantage
Example 1: Cisco UMC/Cisco UMA Architecture - Security Appliance as Firewall with TLS Proxy and MMP Inspection
Example 2: Cisco UMC/Cisco UMA Architecture - Security Appliance as TLS Proxy Only
Feature History for Cisco Mobility Advantage
Configuring Cisco Unified Presence
Information About Cisco Unified Presence
Architecture for Cisco Unified Presence for SIP Federation Deployments
Trust Relationship in the Presence Federation
Security Certificate Exchange Between Cisco UP and the Security Appliance
XMPP Federation Deployments
Configuration Requirements for XMPP Federation
Licensing for Cisco Unified Presence
Configuring Cisco Unified Presence Proxy for SIP Federation
Task Flow for Configuring Cisco Unified Presence Federation Proxy for SIP Federation
Creating Trustpoints and Generating Certificates
Installing Certificates
Creating the TLS Proxy Instance
Enabling the TLS Proxy for SIP Inspection
Monitoring Cisco Unified Presence
Configuration Example for Cisco Unified Presence
Example Configuration for SIP Federation Deployments
Example Access List Configuration for XMPP Federation
Example NAT Configuration for XMPP Federation
Feature History for Cisco Unified Presence
Configuring Cisco Intercompany Media Engine Proxy
Information About Cisco Intercompany Media Engine Proxy
Features of Cisco Intercompany Media Engine Proxy
How the UC-IME Works with the PSTN and the Internet
Tickets and Passwords
Call Fallback to the PSTN
Architecture and Deployment Scenarios for Cisco Intercompany Media Engine
Architecture
Basic Deployment
Off Path Deployment
Licensing for Cisco Intercompany Media Engine
Guidelines and Limitations
Configuring Cisco Intercompany Media Engine Proxy
Task Flow for Configuring Cisco Intercompany Media Engine
Configuring NAT for Cisco Intercompany Media Engine Proxy
Configuring PAT for the Cisco UCM Server
Creating Access Lists for Cisco Intercompany Media Engine Proxy
Creating the Media Termination Instance
Creating the Cisco Intercompany Media Engine Proxy
Creating Trustpoints and Generating Certificates
Creating the TLS Proxy
Enabling SIP Inspection for the Cisco Intercompany Media Engine Proxy
(Optional) Configuring TLS within the Local Enterprise
(Optional) Configuring Off Path Signaling
Configuring the Cisco UC-IME Proxy by using the UC-IME Proxy Pane
Configuring the Cisco UC-IME Proxy by using the Unified Communications Wizard
Troubleshooting Cisco Intercompany Media Engine Proxy
Feature History for Cisco Intercompany Media Engine Proxy
Configuring Connection Settings and QoS
Configuring Connection Settings
Information About Connection Settings
TCP Intercept and Limiting Embryonic Connections
Disabling TCP Intercept for Management Packets for Clientless SSL Compatibility
Dead Connection Detection (DCD)
TCP Sequence Randomization
TCP Normalization
TCP State Bypass
Licensing Requirements for Connection Settings
Guidelines and Limitations
TCP State Bypass Guidelines and Limitations
Default Settings
Configuring Connection Settings
Task Flow for Configuring Connection Settings (Except Global Timeouts)
Customizing the TCP Normalizer with a TCP Map
Configuring Connection Settings
Monitoring Connection Settings
Monitoring TCP State Bypass
Configuration Examples for Connection Settings
Configuration Examples for Connection Limits and Timeouts
Configuration Examples for TCP State Bypass
Configuration Examples for TCP Normalization
Feature History for Connection Settings
Configuring QoS
Information About QoS
Supported QoS Features
What is a Token Bucket?
Information About Policing
Information About Priority Queuing
Information About Traffic Shaping
How QoS Features Interact
DSCP and DiffServ Preservation
Licensing Requirements for QoS
Guidelines and Limitations
Configuring QoS
Determining the Queue and TX Ring Limits for a Standard Priority Queue
Configuring the Standard Priority Queue for an Interface
Configuring a Service Rule for Standard Priority Queuing and Policing
Configuring a Service Rule for Traffic Shaping and Hierarchical Priority Queuing
(Optional) Configuring the Hierarchical Priority Queuing Policy
Configuring the Service Rule
Monitoring QoS
Viewing QoS Police Statistics
Viewing QoS Standard Priority Statistics
Viewing QoS Shaping Statistics
Viewing QoS Standard Priority Queue Statistics
Feature History for QoS
Configuring Advanced Network Protection
Configuring the Botnet Traffic Filter
Information About the Botnet Traffic Filter
Botnet Traffic Filter Address Types
Botnet Traffic Filter Actions for Known Addresses
Botnet Traffic Filter Databases
Information About the Dynamic Database
Information About the Static Database
Information About the DNS Reverse Lookup Cache and DNS Host Cache
How the Botnet Traffic Filter Works
Licensing Requirements for the Botnet Traffic Filter
Guidelines and Limitations
Default Settings
Configuring the Botnet Traffic Filter
Task Flow for Configuring the Botnet Traffic Filter
Configuring the Dynamic Database
Adding Entries to the Static Database
Enabling DNS Snooping
Enabling Traffic Classification and Actions for the Botnet Traffic Filter
Blocking Botnet Traffic Manually
Searching the Dynamic Database
Monitoring the Botnet Traffic Filter
Botnet Traffic Filter Syslog Messaging
Botnet Traffic Filter Commands
Configuration Examples for the Botnet Traffic Filter
Recommended Configuration Example
Other Configuration Examples
Where to Go Next
Feature History for the Botnet Traffic Filter
Configuring Threat Detection
Information About Threat Detection
Licensing Requirements for Threat Detection
Configuring Basic Threat Detection Statistics
Information About Basic Threat Detection Statistics
Guidelines and Limitations
Default Settings
Configuring Basic Threat Detection Statistics
Monitoring Basic Threat Detection Statistics
Feature History for Basic Threat Detection Statistics
Configuring Advanced Threat Detection Statistics
Information About Advanced Threat Detection Statistics
Guidelines and Limitations
Default Settings
Configuring Advanced Threat Detection Statistics
Monitoring Advanced Threat Detection Statistics
Feature History for Advanced Threat Detection Statistics
Configuring Scanning Threat Detection
Information About Scanning Threat Detection
Guidelines and Limitations
Default Settings
Configuring Scanning Threat Detection
Monitoring Shunned Hosts, Attackers, and Targets
Feature History for Scanning Threat Detection
Configuration Examples for Threat Detection
Using Protection Tools
Preventing IP Spoofing
Configuring the Fragment Size
Blocking Unwanted Connections
Configuring IP Audit for Basic IPS Support
Configuring IP Audit
IP Audit Signature List
Configuring Modules
Configuring the ASA IPS Module
Information About the ASA IPS Module
How the ASA IPS Module Works with the ASA
Operating Modes
Using Virtual Sensors (ASA 5510 and Higher)
Information About Management Access
Licensing Requirements for the ASA IPS Module
Guidelines and Limitations
Default Settings
Configuring the ASA IPS Module
Task Flow for the ASA IPS Module
Connecting Management Interface Cables
Sessioning to the Module from the ASA
Configuring Basic IPS Module Network Settings
(ASA 5510 and Higher) Configuring Basic Network Settings
(ASA 5505) Configuring Basic Network Settings
(ASA 5512-X through ASA 5555-X) Installing the Software Module
Configuring the Security Policy on the ASA IPS Module
Assigning Virtual Sensors to a Security Context (ASA 5510 and Higher)
Diverting Traffic to the ASA IPS Module
Monitoring the ASA IPS Module
Troubleshooting the ASA IPS Module
Installing an Image on the Module
Uninstalling a Software Module Image
Resetting the Password
Reloading or Resetting the Module
Shutting Down the Module
Configuration Examples for the ASA IPS Module
Feature History for the ASA IPS Module
Configuring the ASA CX Module
Information About the ASA CX Module
How the ASA CX Module Works with the ASA
Information About ASA CX Management
Initial Configuration
Policy Configuration and Management
Information About Authentication Proxy
Information About VPN and the ASA CX Module
Compatibility with ASA Features
Licensing Requirements for the ASA CX Module
Guidelines and Limitations
Default Settings
Configuring the ASA CX Module
Task Flow for the ASA CX Module
Connecting Management Interface Cables
Configuring the ASA CX Management IP Address
Configuring Basic ASA CX Settings at the ASA CX CLI
Configuring the Security Policy on the ASA CX Module Using PRSM
(Optional) Configuring the Authentication Proxy Port
Redirecting Traffic to the ASA CX Module
Monitoring the ASA CX Module
Showing Module Status
Showing Module Statistics
Monitoring Module Connections
Capturing Module Traffic
Troubleshooting the ASA CX Module
General Recovery Procedures
Resetting the Password
Reloading or Resetting the Module
Shutting Down the Module
Debugging the Module
Problems with the Authentication Proxy
Configuration Examples for the ASA CX Module
Feature History for the ASA CX Module
Configuring the ASA CSC Module
Information About the CSC SSM
Determining What Traffic to Scan
Licensing Requirements for the CSC SSM
Prerequisites for the CSC SSM
Guidelines and Limitations
Default Settings
Configuring the CSC SSM
Before Configuring the CSC SSM
Connecting to the CSC SSM
Diverting Traffic to the CSC SSM
Monitoring the CSC SSM
Troubleshooting the CSC Module
Installing an Image on the Module
Resetting the Password
Reloading or Resetting the Module
Shutting Down the Module
Configuration Examples for the CSC SSM
Where to Go Next
Additional References
Feature History for the CSC SSM
Configuring High Availability
Information About High Availability
Introduction to Failover and High Availability
Failover System Requirements
Hardware Requirements
Software Requirements
License Requirements
Failover and Stateful Failover Links
Failover Link
Stateful Failover Link
Failover Interface Speed for Stateful Links
Avoiding Interrupted Failover Links
Active/Active and Active/Standby Failover
Determining Which Type of Failover to Use
Stateless (Regular) and Stateful Failover
Stateless (Regular) Failover
Stateful Failover
Transparent Firewall Mode Requirements
Auto Update Server Support in Failover Configurations
Auto Update Process Overview
Monitoring the Auto Update Process
Failover Health Monitoring
Unit Health Monitoring
Interface Monitoring
Failover Times
Failover Messages
Failover System Messages
Debug Messages
SNMP
Configuring Active/Standby Failover
Information About Active/Standby Failover
Active/Standby Failover Overview
Primary/Secondary Status and Active/Standby Status
Device Initialization and Configuration Synchronization
Command Replication
Failover Triggers
Failover Actions
Optional Active/Standby Failover Settings
Licensing Requirements for Active/Standby Failover
Prerequisites for Active/Standby Failover
Guidelines and Limitations
Configuring Active/Standby Failover
Task Flow for Configuring Active/Standby Failover
Configuring the Primary Unit
Configuring the Secondary Unit
Configuring Optional Active/Standby Failover Settings
Enabling HTTP Replication with Stateful Failover
Disabling and Enabling Interface Monitoring
Configuring Failover Criteria
Configuring the Unit and Interface Health Poll Times
Configuring Virtual MAC Addresses
Controlling Failover
Forcing Failover
Disabling Failover
Restoring a Failed Unit
Testing the Failover Functionality
Monitoring Active/Standby Failover
Feature History for Active/Standby Failover
Configuring Active/Active Failover
Information About Active/Active Failover
Active/Active Failover Overview
Primary/Secondary Status and Active/Standby Status
Device Initialization and Configuration Synchronization
Command Replication
Failover Triggers
Failover Actions
Optional Active/Active Failover Settings
Licensing Requirements for Active/Active Failover
Prerequisites for Active/Active Failover
Guidelines and Limitations
Configuring Active/Active Failover
Task Flow for Configuring Active/Active Failover
Configuring the Primary Failover Unit
Configuring the Secondary Failover Unit
Configuring Optional Active/Active Failover Settings
Configuring Failover Group Preemption
Enabling HTTP Replication with Stateful Failover
Disabling and Enabling Interface Monitoring
Configuring Interface Health Monitoring
Configuring Failover Criteria
Configuring Virtual MAC Addresses
Configuring Support for Asymmetrically Routed Packets
Remote Command Execution
Changing Command Modes
Security Considerations
Limitations of Remote Command Execution
Controlling Failover
Forcing Failover
Disabling Failover
Restoring a Failed Unit or Failover Group
Testing the Failover Functionality
Monitoring Active/Active Failover
Feature History for Active/Active Failover
Configuring VPN
Configuring IPsec and ISAKMP
Information About Tunneling, IPsec, and ISAKMP
IPsec Overview
ISAKMP and IKE Overview
Licensing Requirements for Remote Access IPsec VPNs
Guidelines and Limitations
Configuring ISAKMP
Configuring IKEv1 and IKEv2 Policies
Enabling IKE on the Outside Interface
Disabling IKEv1 Aggressive Mode
Determining an ID Method for IKEv1 and IKEv2 ISAKMP Peers
Enabling IPsec over NAT-T
Using NAT-T
Enabling IPsec with IKEv1 over TCP
Waiting for Active Sessions to Terminate Before Rebooting
Alerting Peers Before Disconnecting
Configuring Certificate Group Matching for IKEv1
Creating a Certificate Group Matching Rule and Policy
Using the Tunnel-group-map default-group Command
Configuring IPsec
Understanding IPsec Tunnels
Understanding IKEv1 Transform Sets and IKEv2 Proposals
Defining Crypto Maps
Applying Crypto Maps to Interfaces
Using Interface Access Lists
Changing IPsec SA Lifetimes
Creating a Basic IPsec Configuration
Using Dynamic Crypto Maps
Providing Site-to-Site Redundancy
Viewing an IPsec Configuration
Clearing Security Associations
Clearing Crypto Map Configurations
Supporting the Nokia VPN Client
Configuring L2TP over IPsec
Information About L2TP over IPsec/IKEv1
IPsec Transport and Tunnel Modes
Licensing Requirements for L2TP over IPsec
Prerequisites for Configuring L2TP over IPsec
Guidelines and Limitations
Configuring L2TP over IPsec
Configuration Example for L2TP over IPsec Using ASA 8.2.5
Configuration Example for L2TP over IPsec Using ASA 8.4.1 and later
Feature History for L2TP over IPsec
Setting General VPN Parameters
Configuring VPNs in Single, Routed Mode
Configuring IPsec to Bypass ACLs
Permitting Intra-Interface Traffic (Hairpinning)
NAT Considerations for Intra-Interface Traffic
Setting Maximum Active IPsec or SSL VPN Sessions
Using Client Update to Ensure Acceptable IPsec Client Revision Levels
Understanding Load Balancing
Comparing Load Balancing to Failover
Load Balancing
Failover
Implementing Load Balancing
Prerequisites
Eligible Platforms
Eligible Clients
VPN Load-Balancing Algorithm
VPN Load-Balancing Cluster Configurations
Some Typical Mixed Cluster Scenarios
Scenario 1: Mixed Cluster with No SSL VPN Connections
Scenario 2: Mixed Cluster Handling SSL VPN Connections
Configuring Load Balancing
Configuring the Public and Private Interfaces for Load Balancing
Configuring the Load Balancing Cluster Attributes
Enabling Redirection Using a Fully Qualified Domain Name
Frequently Asked Questions About Load Balancing
IP Address Pool Exhaustion
Unique IP Address Pools
Using Load Balancing and Failover on the Same Device
Load Balancing on Multiple Interfaces
Maximum Simultaneous Sessions for Load Balancing Clusters
Viewing Load Balancing
Configuring VPN Session Limits
Configuring Connection Profiles, Group Policies, and Users
Overview of Connection Profiles, Group Policies, and Users
Connection Profiles
General Connection Profile Connection Parameters
IPsec Tunnel-Group Connection Parameters
Connection Profile Connection Parameters for SSL VPN Sessions
Configuring Connection Profiles
Maximum Connection Profiles
Default IPsec Remote Access Connection Profile Configuration
Configuring IPsec Tunnel-Group General Attributes
Configuring Remote-Access Connection Profiles
Specifying a Name and Type for the Remote Access Connection Profile
Configuring Remote-Access Connection Profile General Attributes
Configuring Double Authentication
Configuring Remote-Access Connection Profile IPsec IKEv1 Attributes
Configuring IPsec Remote-Access Connection Profile PPP Attributes
Configuring LAN-to-LAN Connection Profiles
Default LAN-to-LAN Connection Profile Configuration
Specifying a Name and Type for a LAN-to-LAN Connection Profile
Configuring LAN-to-LAN Connection Profile General Attributes
Configuring LAN-to-LAN IPsec IKEv1 Attributes
Configuring Connection Profiles for Clientless SSL VPN Sessions
Configuring General Tunnel-Group Attributes for Clientless SSL VPN Sessions
Configuring Tunnel-Group Attributes for Clientless SSL VPN Sessions
Customizing Login Windows for Users of Clientless SSL VPN Sessions
Configuring Microsoft Active Directory Settings for Password Management
Using Active Directory to Force the User to Change Password at Next Logon
Using Active Directory to Specify Maximum Password Age
Using Active Directory to Override an Account Disabled AAA Indicator
Using Active Directory to Enforce Minimum Password Length
Using Active Directory to Enforce Password Complexity
Configuring the Connection Profile for RADIUS/SDI Message Support for the AnyConnect Client
AnyConnect Client and RADIUS/SDI Server Interaction
Configuring the Security Appliance to Support RADIUS/SDI Messages
Group Policies
Default Group Policy
Configuring Group Policies
Configuring an External Group Policy
Configuring an Internal Group Policy
Configuring Group Policy Attributes
Configuring WINS and DNS Servers
Configuring VPN-Specific Attributes
Configuring Security Attributes
Configuring the Banner Message
Configuring IPsec-UDP Attributes for IKEv1
Configuring Split-Tunneling Attributes
Configuring Domain Attributes for Tunneling
Configuring Attributes for VPN Hardware Clients
Configuring Backup Server Attributes
Configuring Browser Client Parameters
Configuring Network Admission Control Parameters
Configuring Address Pools
Configuring Firewall Policies
Supporting a Zone Labs Integrity Server
Overview of the Integrity Server and ASA Interaction
Configuring Integrity Server Support
Setting Client Firewall Parameters
Configuring Client Access Rules
Configuring Group-Policy Attributes for Clientless SSL VPN Sessions
Configuring Group-Policy Attributes for AnyConnect Secure Mobility Client Connections
Configuring User Attributes
Viewing the Username Configuration
Configuring Attributes for Specific Users
Setting a User Password and Privilege Level
Configuring User Attributes
Configuring VPN User Attributes
Configuring Clientless SSL VPN Access for Specific Users
Configuring IP Addresses for VPNs
Configuring an IP Address Assignment Method
Configuring Local IP Address Pools
Configuring AAA Addressing
Configuring DHCP Addressing
Configuring Remote Access IPsec VPNs
Information About Remote Access IPsec VPNs
Licensing Requirements for Remote Access IPsec VPNs
Guidelines and Limitations
Configuring Remote Access IPsec VPNs
Configuring Interfaces
Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface
Configuring an Address Pool
Adding a User
Creating an IKEv1 Transform Set or IKEv2 Proposal
Defining a Tunnel Group
Creating a Dynamic Crypto Map
Creating a Crypto Map Entry to Use the Dynamic Crypto Map
Saving the Security Appliance Configuration
Configuration Examples for Remote Access IPsec VPNs
Feature History for Remote Access VPNs
Configuring Network Admission Control
Information About Network Admission Control
Licensing Requirements
Prerequisites for NAC
Guidelines and Limitations
Viewing the NAC Policies on the Security Appliance
Adding, Accessing, or Removing a NAC Policy
Configuring a NAC Policy
Specifying the Access Control Server Group
Setting the Query-for-Posture-Changes Timer
Setting the Revalidation Timer
Configuring the Default ACL for NAC
Configuring Exemptions from NAC
Assigning a NAC Policy to a Group Policy
Changing Global NAC Framework Settings
Changing Clientless Authentication Settings
Enabling and Disabling Clientless Authentication
Changing the Login Credentials Used for Clientless Authentication
Changing NAC Framework Session Attributes
Configuring Easy VPN Services on the ASA 5505
Specifying the Client/Server Role of the Cisco ASA 5505
Specifying the Primary and Secondary Servers
Specifying the Mode
NEM with Multiple Interfaces
Configuring Automatic Xauth Authentication
Configuring IPsec Over TCP
Comparing Tunneling Options
Specifying the Tunnel Group or Trustpoint
Specifying the Tunnel Group
Specifying the Trustpoint
Configuring Split Tunneling
Configuring Device Pass-Through
Configuring Remote Management
Guidelines for Configuring the Easy VPN Server
Group Policy and User Attributes Pushed to the Client
Authentication Options
Configuring the PPPoE Client
PPPoE Client Overview
Configuring the PPPoE Client Username and Password
Enabling PPPoE
Using PPPoE with a Fixed IP Address
Monitoring and Debugging the PPPoE Client
Clearing the Configuration
Using Related Commands
Configuring LAN-to-LAN IPsec VPNs
Summary of the Configuration
Configuring Interfaces
Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface
Configuring ISAKMP Policies for IKEv1 Connections
Configuring ISAKMP Policies for IKEv2 Connections
Creating an IKEv1 Transform Set
Creating an IKEv2 Proposal
Configuring an ACL
Defining a Tunnel Group
Creating a Crypto Map and Applying It To an Interface
Applying Crypto Maps to Interfaces
Configuring Clientless SSL VPN
Information About Clientless SSL VPN
Licensing Requirements
Prerequisites for Clientless SSL VPN
Guidelines and Limitations
Observing Clientless SSL VPN Security Precautions
Disabling URL on the Portal Page
Using SSL to Access the Central Site
Using HTTPS for Clientless SSL VPN Sessions
Configuring Clientless SSL VPN and ASDM Ports
Configuring Support for Proxy Servers
Configuring SSL/TLS Encryption Protocols
Authenticating with Digital Certificates
Enabling Cookies on Browsers for Clientless SSL VPN
Configuring Application Helper
Managing Passwords
Using Single Sign-on with Clientless SSL VPN
Configuring SSO with HTTP Basic or NTLM Authentication
Configuring SSO Authentication Using SiteMinder
Adding the Cisco Authentication Scheme to SiteMinder
Configuring SSO Authentication Using SAML Browser Post Profile
Configuring the SAML POST SSO Server
Configuring SSO with the HTTP Form Protocol
Gathering HTTP Form Data
Configuring SSO for Plug-ins
Configuring SSO with Macro Substitution
Encoding
Authenticating with Digital Certificates
Creating and Applying Clientless SSL VPN Policies for Accessing Resources
Assigning Users to Group Policies
Using the Security Appliance Authentication Server
Using a RADIUS Server
Using an LDAP Server
Configuring Connection Profile Attributes for Clientless SSL VPN
Configuring Group Policy and User Attributes for Clientless SSL VPN
Configuring Browser Access to Plug-ins
Preparing the Security Appliance for a Plug-in
Installing Plug-ins Redistributed By Cisco
Providing Access to Third-Party Plug-ins
Configuring and Applying the POST URL
Providing Access to a Citrix Java Presentation Server
Preparing the Citrix MetaFrame Server for Clientless SSL VPN Access
Creating and Installing the Citrix Plug-in
Viewing the Plug-ins Installed on the Security Appliance
Why a Microsoft Kerberos Constrained Delegation Solution
Understanding How KCD Works
Authentication Flow with KCD
Before Configuring KCD
Configuring KCD
Showing KCD Status Information
Showing Cached Kerberos Tickets
Clearing Cached Kerberos Tickets
Configuring Application Access
Configuring Smart Tunnel Access
About Smart Tunnels
Why Smart Tunnels?
Adding Applications to Be Eligible for Smart Tunnel Access
Assigning a Smart Tunnel List
Configuring and Applying Smart Tunnel Policy
Configuring and Applying a Smart Tunnel Policy
Specifying Servers for Smart Tunnel Auto Sign-on
Adding or Editing a Smart Tunnel Auto Sign-on Server Entry
Automating Smart Tunnel Access
Enabling and Disabling Smart Tunnel Access
Logging Off Smart Tunnel
When Its Parent Process Terminates
With A Notification Icon
Configuring Port Forwarding
Information About Port Forwarding
Configuring DNS for Port Forwarding
Adding Applications to Be Eligible for Port Forwarding
Assigning a Port Forwarding List
Automating Port Forwarding
Enabling and Disabling Port Forwarding
Application Access User Notes
Using Application Access on Vista
Closing Application Access to Prevent hosts File Errors
Recovering from hosts File Errors When Using Application Access
Understanding the hosts File
Stopping Application Access Improperly
Reconfiguring a Host’s File Automatically Using Clientless SSL VPN
Reconfiguring hosts File Manually
Configuring File Access
CIFS File Access Requirement and Limitation
Adding Support for File Access
Ensuring Clock Accuracy for SharePoint Access
Using Clientless SSL VPN with PDAs
Using E-Mail over Clientless SSL VPN
Configuring E-mail Proxies
Configuring Web E-mail: MS Outlook Web App
Configuring Portal Access Rules
Optimizing Clientless SSL VPN Performance
Configuring Caching
Configuring Content Transformation
Configuring a Certificate for Signing Rewritten Java Content
Disabling Content Rewrite
Using Proxy Bypass
Configuring Application Profile Customization Framework
APCF Syntax
Clientless SSL VPN End User Setup
Defining the End User Interface
Viewing the Clientless SSL VPN Home Page
Viewing the Clientless SSL VPN Application Access Panel
Viewing the Floating Toolbar
Customizing Clientless SSL VPN Pages
Information About Customization
Exporting a Customization Template
Editing the Customization Template
Importing a Customization Object
Applying Customizations to Connection Profiles, Group Policies and Users
Login Screen Advanced Customization
Modifying Your HTML File
Configuring Browser Access to Client-Server Plug-ins
About Installing Browser Plug-ins
RDP Plug-in ActiveX Debug Quick Reference
Preparing the Security Appliance for a Plug-in
Configuring the ASA to Use the New HTML File
Customizing Help
Customizing a Help File Provided By Cisco
Creating Help Files for Languages Not Provided by Cisco
Importing a Help File to Flash Memory
Exporting a Previously Imported Help File from Flash Memory
Requiring Usernames and Passwords
Communicating Security Tips
Configuring Remote Systems to Use Clientless SSL VPN Features
Starting Clientless SSL VPN
Using the Clientless SSL VPN Floating Toolbar
Browsing the Web
Browsing the Network (File Management)
Using Port Forwarding
Using E-mail Via Port Forwarding
Using E-mail Via Web Access
Using E-mail Via E-mail Proxy
Using Smart Tunnel
Translating the Language of User Messages
Understanding Language Translation
Creating Translation Tables
Referencing the Language in a Customization Object
Changing a Group Policy or User Attributes to Use the Customization Object
Capturing Data
Creating a Capture File
Using a Browser to Display Capture Data
Configuring AnyConnect VPN Client Connections
Information About AnyConnect VPN Client Connections
Licensing Requirements for AnyConnect Connections
Guidelines and Limitations
Remote PC System Requirements
Remote HTTPS Certificates Limitation
Configuring AnyConnect Connections
Configuring the ASA to Web-Deploy the Client
Enabling Permanent Client Installation
Configuring DTLS
Prompting Remote Users
Enabling AnyConnect Client Profile Downloads
Enabling Additional AnyConnect Client Features
Enabling Start Before Logon
Translating Languages for AnyConnect User Messages
Understanding Language Translation
Creating Translation Tables
Configuring Advanced AnyConnect Features
Enabling Rekey
Enabling and Adjusting Dead Peer Detection
Enabling Keepalive
Using Compression
Adjusting MTU Size
Configuring Session Timeouts
Updating AnyConnect Client Images
Enabling IPv6 VPN Access
Monitoring AnyConnect Connections
Logging Off AnyConnect VPN Sessions
Configuration Examples for Enabling AnyConnect Connections
Feature History for AnyConnect Connections
Configuring AnyConnect Host Scan
Host Scan Dependencies and System Requirements
Dependencies
System Requirements
Licensing
Host Scan Packaging
Installing and Enabling Host Scan on the ASA
Installing or Upgrading Host Scan
Enabling or Disabling a Host Scan
Viewing the Host Scan Version Enabled on the ASA
Uninstalling Host Scan
Assigning AnyConnect Feature Modules to Group Policies
Other Important Documentation Addressing Host Scan
Configuring Logging, SNMP, and Smart Call Home
Configuring Logging
Information About Logging
Logging in Multiple Context Mode
Analyzing Syslog Messages
Syslog Message Format
Severity Levels
Message Classes and Range of Syslog IDs
Filtering Syslog Messages
Using Custom Message Lists
Licensing Requirements for Logging
Prerequisites for Logging
Guidelines and Limitations
Configuring Logging
Enabling Logging
Configuring an Output Destination
Sending Syslog Messages to an External Syslog Server
Sending Syslog Messages to the Internal Log Buffer
Sending Syslog Messages to an E-mail Address
Sending Syslog Messages to ASDM
Sending Syslog Messages to the Console Port
Sending Syslog Messages to an SNMP Server
Sending Syslog Messages to a Telnet or SSH Session
Creating a Custom Event List
Generating Syslog Messages in EMBLEM Format to a Syslog Server
Generating Syslog Messages in EMBLEM Format to Other Output Destinations
Changing the Amount of Internal Flash Memory Available for Logs
Configuring the Logging Queue
Sending All Syslog Messages in a Class to a Specified Output Destination
Enabling Secure Logging
Including the Device ID in Non-EMBLEM Format Syslog Messages
Including the Date and Time in Syslog Messages
Disabling a Syslog Message
Changing the Severity Level of a Syslog Message
Limiting the Rate of Syslog Message Generation
Monitoring the Logs
Configuration Examples for Logging
Feature History for Logging
Configuring NetFlow Secure Event Logging (NSEL)
Information About NSEL
Using NSEL and Syslog Messages
Licensing Requirements for NSEL
Prerequisites for NSEL
Guidelines and Limitations
Configuring NSEL
Configuring NSEL Collectors
Configuring Flow-Export Actions Through Modular Policy Framework
Configuring Template Timeout Intervals
Changing the Time Interval for Sending Flow-Update Events to a Collector
Delaying Flow-Create Events
Disabling and Reenabling NetFlow-related Syslog Messages
Clearing Runtime Counters
Monitoring NSEL
NSEL Monitoring Commands
Configuration Examples for NSEL
Where to Go Next
Additional References
Related Documents
RFCs
Feature History for NSEL
Configuring SNMP
Information About SNMP
Information About SNMP Terminology
Information About MIBs and Traps
SNMP Object Identifiers
SNMP Physical Vendor Type Values
Supported Tables in MIBs
Supported Traps (Notifications)
SNMP Version 3
SNMP Version 3 Overview
Security Models
SNMP Groups
SNMP Users
SNMP Hosts
Implementation Differences Between the ASA, ASA Services Module, and the Cisco IOS Software
Licensing Requirements for SNMP
Prerequisites for SNMP
Guidelines and Limitations
Configuring SNMP
Enabling SNMP
Configuring SNMP Traps
Configuring a CPU Usage Threshold
Configuring a Physical Interface Threshold
Using SNMP Version 1 or 2c
Using SNMP Version 3
Troubleshooting Tips
Interface Types and Examples
Monitoring SNMP
SNMP Syslog Messaging
SNMP Monitoring
Configuration Examples for SNMP
Configuration Example for SNMP Versions 1 and 2c
Configuration Example for SNMP Version 3
Where to Go Next
Additional References
RFCs for SNMP Version 3
MIBs
Application Services and Third-Party Tools
Feature History for SNMP
Configuring Anonymous Reporting and Smart Call Home
Information About Anonymous Reporting and Smart Call Home
Information About Anonymous Reporting
What is Sent to Cisco?
DNS Requirement
Anonymous Reporting and Smart Call Home Prompt
Information About Smart Call Home
Licensing Requirements for Anonymous Reporting and Smart Call Home
Prerequisites for Smart Call Home and Anonymous Reporting
Guidelines and Limitations
Configuring Anonymous Reporting and Smart Call Home
Configuring Anonymous Reporting
Configuring Smart Call Home
Enabling Smart Call Home
Declaring and Authenticating a CA Trust Point
Configuring DNS
Subscribing to Alert Groups
Testing Call Home Communications
Optional Configuration Procedures
Monitoring Smart Call Home
Configuration Example for Smart Call Home
Feature History for Anonymous Reporting and Smart Call Home
System Administration
Managing Software and Configurations
Managing the Flash File System
Viewing Files in Flash Memory
Deleting Files from Flash Memory
Downloading Software or Configuration Files to Flash Memory
Downloading a File to a Specific Location
Downloading a File to the Startup or Running Configuration
Configuring the Application Image and ASDM Image to Boot
Configuring the File to Boot as the Startup Configuration
Deleting Files from a USB Drive on the ASA 5500-X Series
Performing Zero Downtime Upgrades for Failover Pairs
Upgrading an Active/Standby Failover Configuration
Upgrading an Active/Active Failover Configuration
Backing Up Configuration Files or Other Files
Backing up the Single Mode Configuration or Multiple Mode System Configuration
Backing Up a Context Configuration or Other File in Flash Memory
Backing Up a Context Configuration within a Context
Copying the Configuration from the Terminal Display
Backing Up Additional Files Using the Export and Import Commands
Using a Script to Back Up and Restore Files
Prerequisites
Running the Script
Sample Script
Configuring Auto Update Support
Configuring Communication with an Auto Update Server
Configuring Client Updates as an Auto Update Server
Viewing Auto Update Status
Downgrading Your Software
Information About Activation Key Compatibility
Performing the Downgrade
Troubleshooting
Testing Your Configuration
Enabling ICMP Debugging Messages and Syslog Messages
Pinging ASA Interfaces
Passing Traffic Through the ASA
Disabling the Test Configuration
Determining Packet Routing with Traceroute
Tracing Packets with Packet Tracer
Handling TCP Packet Loss
Reloading the ASA
Performing Password Recovery
Recovering Passwords for the ASA
Disabling Password Recovery
Resetting the Password on the SSM Hardware Module
Using the ROM Monitor to Load a Software Image
Erasing the Flash File System
Other Troubleshooting Tools
Viewing Debugging Messages
Capturing Packets
Viewing the Crash Dump
Coredump
Monitoring Per-Process CPU Usage
Common Problems
Reference
Using the Command-Line Interface
Firewall Mode and Security Context Mode
Command Modes and Prompts
Syntax Formatting
Abbreviating Commands
Command-Line Editing
Command Completion
Command Help
Filtering show Command Output
Command Output Paging
Adding Comments
Text Configuration Files
How Commands Correspond with Lines in the Text File
Command-Specific Configuration Mode Commands
Automatic Text Entries
Line Order
Commands Not Included in the Text Configuration
Passwords
Multiple Security Context Files
Supported Character Sets
Addresses, Protocols, and Ports
IPv4 Addresses and Subnet Masks
Classes
Private Networks
Subnet Masks
Determining the Subnet Mask
Determining the Address to Use with the Subnet Mask
IPv6 Addresses
IPv6 Address Format
IPv6 Address Types
Unicast Addresses
Multicast Address
Anycast Address
Required Addresses
IPv6 Address Prefixes
Protocols and Applications
TCP and UDP Ports
Local Ports and Protocols
ICMP Types
Configuring an External Server for Authorization and Authentication
Understanding Policy Enforcement of Permissions and Attributes
Configuring an External LDAP Server
Organizing the ASA for LDAP Operations
Searching the LDAP Hierarchy
Binding the ASA to the LDAP Server
Defining the ASA LDAP Configuration
Supported Cisco Attributes for LDAP Authorization
Cisco AV Pair Attribute Syntax
Cisco AV Pairs ACL Examples
Active Directory/LDAP VPN Remote Access Authorization Examples
User-Based Attributes Policy Enforcement
Placing LDAP Users in a Specific Group Policy
Enforcing Static IP Address Assignment for AnyConnect Tunnels
Enforcing Dial-in Allow or Deny Access
Enforcing Logon Hours and Time-of-Day Rules
Configuring an External RADIUS Server
Reviewing the RADIUS Configuration Procedure
ASA RADIUS Authorization Attributes
ASA IETF RADIUS Authorization Attributes
RADIUS Accounting Disconnect Reason Codes
Configuring an External TACACS+ Server
Glossary
Index