Go to page of
Similar user manuals
-
Network Router
Cisco Systems E2500
672 pages 21.39 mb -
Network Router
Cisco Systems 3660
8 pages 0.49 mb -
Network Router
Cisco Systems CISCO7206
32 pages 1.43 mb -
Network Router
Cisco Systems RV320
125 pages 1.24 mb -
Network Router
Cisco Systems EM-HDA-8FXS
2 pages 0.14 mb -
Network Router
Cisco Systems 12000
20 pages 0.19 mb -
Network Router
Cisco Systems CISCO1750
84 pages 0.96 mb -
Network Router
Cisco Systems 2800
46 pages 2.8 mb
A good user manual
The rules should oblige the seller to give the purchaser an operating instrucion of Cisco Systems ASA 5505, along with an item. The lack of an instruction or false information given to customer shall constitute grounds to apply for a complaint because of nonconformity of goods with the contract. In accordance with the law, a customer can receive an instruction in non-paper form; lately graphic and electronic forms of the manuals, as well as instructional videos have been majorly used. A necessary precondition for this is the unmistakable, legible character of an instruction.
What is an instruction?
The term originates from the Latin word „instructio”, which means organizing. Therefore, in an instruction of Cisco Systems ASA 5505 one could find a process description. An instruction's purpose is to teach, to ease the start-up and an item's use or performance of certain activities. An instruction is a compilation of information about an item/a service, it is a clue.
Unfortunately, only a few customers devote their time to read an instruction of Cisco Systems ASA 5505. A good user manual introduces us to a number of additional functionalities of the purchased item, and also helps us to avoid the formation of most of the defects.
What should a perfect user manual contain?
First and foremost, an user manual of Cisco Systems ASA 5505 should contain:
- informations concerning technical data of Cisco Systems ASA 5505
- name of the manufacturer and a year of construction of the Cisco Systems ASA 5505 item
- rules of operation, control and maintenance of the Cisco Systems ASA 5505 item
- safety signs and mark certificates which confirm compatibility with appropriate standards
Why don't we read the manuals?
Usually it results from the lack of time and certainty about functionalities of purchased items. Unfortunately, networking and start-up of Cisco Systems ASA 5505 alone are not enough. An instruction contains a number of clues concerning respective functionalities, safety rules, maintenance methods (what means should be used), eventual defects of Cisco Systems ASA 5505, and methods of problem resolution. Eventually, when one still can't find the answer to his problems, he will be directed to the Cisco Systems service. Lately animated manuals and instructional videos are quite popular among customers. These kinds of user manuals are effective; they assure that a customer will familiarize himself with the whole material, and won't skip complicated, technical information of Cisco Systems ASA 5505.
Why one should read the manuals?
It is mostly in the manuals where we will find the details concerning construction and possibility of the Cisco Systems ASA 5505 item, and its use of respective accessory, as well as information concerning all the functions and facilities.
After a successful purchase of an item one should find a moment and get to know with every part of an instruction. Currently the manuals are carefully prearranged and translated, so they could be fully understood by its users. The manuals will serve as an informational aid.
Table of contents for the manual
-
Page 1
Cisco Systems, Inc. www.cisco.com Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco we bsite at www.cisco.com/go/ offices. Cisco A S A S eries Fire w all CLI Conf iguration Guide Sof tw are V ers ion 9.1 For the AS A 5505, AS A 551 0, AS A 5520, AS A 5540, ASA 5550, AS A 5512-X, AS A 551 5-[...]
-
Page 2
THE SPECIFICATION S AND INFORMAT ION REGARDING THE PRODUCTS IN THIS MA NUAL ARE SUBJ ECT TO CHANGE WITHOUT NOT ICE. ALL STATEMENTS , INFORMATION , AND RECOMMEN DATIONS I N THIS MANUA L ARE BELIEVE D TO BE ACCURATE BUT ARE PRESENTED WI THOUT WARRANTY OF ANY KIND, EX PRESS OR IMPLIED. USERS MUST TAKE FUL L RESPONSIBILITY FOR THEIR APPLICAT ION OF ANY[...]
-
Page 3
iii Cisco ASA Series Firewall CLI Configuration Guide CONTENTS About This Guide xxv Document Objectives xxv Related Documentation xxv Conventi ons xxv Obtaining Documentation and Submitting a Serv ice Request xxvi PART 1 Configuring Service P olicies Using the Modul ar Policy Fram ework CHAPTER 1 Configuring a Service Policy Usin g the Modular Poli[...]
-
Page 4
Contents iv Cisco ASA Series Firewall CLI Configuration Guide Applying Inspection and Connection Limits to HTTP Traffic to Sp ecific Servers 1-20 Applying Inspection to HTTP Traffic with NAT 1-21 Feature History for Service Policies 1-22 CHAPTER 2 Configuring Special Actions for Application Inspectio ns (Inspection Policy Map) 2-1 Information About[...]
-
Page 5
Contents v Cisco ASA Series Firewall CLI Configuration Guide Main Differences Between Network Ob ject NAT and Twice NAT 3-13 Information About Network Object NAT 3-14 Information About Twice NAT 3-14 NAT Rule Order 3-18 NAT Interfaces 3-19 Routing NAT Packets 3-19 Mapped Addresses and Routing 3-19 Transparent Mode Routin g Requirements for Remote N[...]
-
Page 6
Contents vi Cisco ASA Series Firewall CLI Configuration Guide DNS Server and FTP Server on Ma pped Interface, FTP Server is Translate d (Static NAT with DNS Modification) 4-25 IPv4 DNS Server and FTP Server on Mapped Interface, IPv6 Host on Real In terface (Static NAT64 with DNS64 Modification) 4-26 Feature History fo r Network Object NAT 4-28 CHAP[...]
-
Page 7
Contents vii Cisco ASA Series Firewall CLI Configuration Guide Access Rule s for Returning Traffic 6-5 Allowing Broadcast and Multicast Traffic through the Transparent Fire wall Using Access Rules 6-5 Management Access Rules 6-6 Information About EtherType Rules 6-6 Supported EtherT ypes and Other Traffic 6-6 Access Rule s for Returning Traffic 6-7[...]
-
Page 8
Contents viii Cisco ASA Series Firewall CLI Configuration Guide Configuring a RADIUS Server to Downl oad Per-User Ac cess Control List Names 7-21 Configuring Accounting for Network Access 7-21 Using MAC Addresses to Exempt Traffic from Authentic ation and Authorization 7-23 Feature History for AAA Rules 7-25 PART 4 Configuring Applic ation Inspecti[...]
-
Page 9
Contents ix Cisco ASA Series Firewall CLI Configuration Guide IP Options Inspec tion Overview 10-24 Configuring an IP Options Inspection Poli cy Map fo r Additional Inspection Control 10-25 IPsec Pass Thro ugh Inspection 10-25 IPsec Pass Thro ugh Inspection Ove rview 10-26 Example for Defining an IPsec Pa ss Through Parameter Map 10-26 IPv6 Inspect[...]
-
Page 10
Contents x Cisco ASA Series Firewall CLI Configuration Guide Verifying and Monitorin g MGCP Inspection 11 -14 RTSP Inspection 11-14 RTSP Inspection Overv iew 11-15 Using RealPlayer 11-1 5 Restrictions and Limitations 11-15 Configuring an RTSP Inspection Policy Map for Additional Inspe ction Control 11 -16 SIP Inspection 11-18 SIP Inspection Overvie[...]
-
Page 11
Contents xi Cisco ASA Series Firewall CLI Configuration Guide RSH Inspection 13-10 SNMP Insp ection 13-10 SNMP Insp ection Ove rview 13-10 Configuring an SNMP Inspection Policy Ma p for Additional Inspection Control 13-10 XDMCP Inspection 13-11 PART 5 Configuring Unified Communications CHAPTER 14 Information About Cisco Unified Communications Proxy[...]
-
Page 12
Contents xii Cisco ASA Series Firewall CLI Configuration Guide Working with Certificates in the Unified Communication Wizard 15 -23 Exporting an Identity Certificate 15-23 Installing a Certificate 15-23 Generating a Certificate Sign ing Request (CSR) for a Unified Communicatio ns Proxy 15-24 Saving the Identity Certificate Request 15-25 Installing [...]
-
Page 13
Contents xiii Cisco ASA Series Firewall CLI Configuration Guide Creating the TLS Proxy Instance for a Non-secure Cisco UCM Cluster 16-20 Creating the TLS Proxy for a Mixed-mode Cisco UCM Cluster 16-21 Creating the Media Termination Instance 16 -23 Creating the Phone Proxy In stance 16-24 Enabling the Phone Proxy with SIP and Skinny Inspection 16-26[...]
-
Page 14
Contents xiv Cisco ASA Series Firewall CLI Configuration Guide CTL Client Overview 17-3 Licensing for the TLS Proxy 17-5 Prerequisites for the TLS Proxy for Encrypted Voice Inspection 17-7 Configuring the TLS Proxy for Encryp ted Voice Inspection 17-7 Task flow for Configuring the TLS Pr o xy for Encrypted Voice Inspec tion 17-8 Creating Trustpoint[...]
-
Page 15
Contents xv Cisco ASA Series Firewall CLI Configuration Guide Configuration Requirements for XMPP Federation 19-6 Licensing for Cisco Unified Presence 19 -7 Configuring Cisco Unified Presen ce Proxy for SIP Federation 19-8 Task Flow for Configuring Cisco Unified Prese nce Federation Proxy for SIP Federation 19-9 Creating Trustpoints and Generating [...]
-
Page 16
Contents xvi Cisco ASA Series Firewall CLI Configuration Guide Configuring the Cisco UC-IMC Pro xy by usin g the UC-IME Proxy Pane 20-30 Configuring the Cisco UC-IMC Proxy by us ing the Unified Communications Wizard 20-32 Troubleshooting Cisco Intercompany Me dia Engine Proxy 20 -33 Feature History for Cisco Intercompany Media Engine Proxy 20-36 PA[...]
-
Page 17
Contents xvii Cisco ASA Series Firewall CLI Configuration Guide Licensing Requirement s for QoS 23-5 Guidelines and Limitations 23-5 Configuring QoS 23-6 Determining the Queue and TX Ring Limits for a Standard Priority Queue 23-7 Configuring the Standard Priority Queue for an Interface 23-8 Configuring a Service Rule for Standard Prio rity Queuing [...]
-
Page 18
Contents xviii Cisco ASA Series Firewall CLI Configuration Guide Cloud Web Security Actions 25-5 Bypassing Scanning with White lists 25-6 IPv4 and IPv6 Support 25 -6 Failover from Primary to Backup Proxy Server 25-6 Licensing Requirements fo r Cisco Cloud Web Security 25-6 Prerequisites for Cloud Web Security 25-7 Guidelines and Limitations 25-7 De[...]
-
Page 19
Contents xix Cisco ASA Series Firewall CLI Configuration Guide Botnet Traffic Filter Address Types 26-2 Botnet Traffic Filter Actions for Known Addresses 26-2 Botnet Traffic Filter Databases 26-2 Information About the Dynamic Database 26-2 Information About the Static Database 26-3 Information About the DNS Reverse Lookup Cache and DNS Host Cache 2[...]
-
Page 20
Contents xx Cisco ASA Series Firewall CLI Configuration Guide Configuring Advanced Threat Detection Statistics 27-6 Information About Advanced Threat Detection Statistics 27-6 Guidelines and Limitations 27-6 Default Settings 27-7 Configuring Advanced Threat Detectio n Statistics 27-7 Monitoring Advan ced Threat Detection Statistics 27-9 Feature His[...]
-
Page 21
Contents xxi Cisco ASA Series Firewall CLI Configuration Guide Configuration Examples for Java Applet Filtering 29-5 Feature History for Java Applet Filtering 29-6 Filtering URLs and FTP Requests with an External Server 29-6 Information About URL Filtering 29-6 Licensing Requirements fo r URL Filtering 29-7 Guidelines and Limitations for URL Filter[...]
-
Page 22
Contents xxii Cisco ASA Series Firewall CLI Configuration Guide (ASA 5512-X through ASA 5555-X; May Be Required) Installing the Software Module 30-12 (ASA 5585-X) Changing the ASA CX Management IP Address 30-14 Configuring Basic ASA CX Settings at the ASA CX CLI 30-15 Configuring the Security Policy on the ASA CX Module Using PRSM 30-16 (Optional) [...]
-
Page 23
Contents xxiii Cisco ASA Series Firewall CLI Configuration Guide ASA 5512-X through ASA 5555-X (Software Mo dule) 31-9 ASA 5505 31-10 Sessioning to the M odule from the ASA 31-11 (ASA 5512-X through ASA 5555-X) Booting th e Software Module 31-11 Configuring Basic IPS Module Network Settings 31-12 (ASA 5510 and Hig her) Configuring Basic Networ k Se[...]
-
Page 24
Contents xxiv Cisco ASA Series Firewall CLI Configuration Guide Additional References 32-18 Feature History for the CSC SSM 32-19 I NDEX[...]
-
Page 25
xxv Cisco ASA Series Firewall CLI Configuratio n Guide About This Guide This preface introduces Cisco ASA Series F ir e wall CLI Conf igur ation Guide and includes the follo wing sections: • Document Objectiv es, page xxv • Related Documentati on, page xxv • Con v entions, page xxv • Obtaining Documentati on and Submitting a Ser vice Reques[...]
-
Page 26
xxvi Cisco ASA Series Firewall CLI Configuration Guide Note Means reader take note . Ti p Means the following inf ormation will help you sol ve a pr o blem . Caution Means re a d e r b e c a re f u l . In this situation, you might perform an action t hat could result in equipment damage or loss of dat a. Obtaining Documentation and Submitting a Ser[...]
-
Page 27
P AR T 1 Conf iguring Service P olicies Using the Modular P olicy F rame work[...]
-
Page 28
[...]
-
Page 29
CH A P T E R 1-1 Cisco ASA Series Firewall CLI Configuratio n Guide 1 Configuring a Service Policy Using the Modular Policy Framework Service polici es using Modular Pol icy Fram ew ork provide a consistent and f lexible w ay to configure ASA features. For example, you can us e a service polic y to create a time out conf iguration that is specific [...]
-
Page 30
1-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Po licy Using the Modular Polic y Framework Information About Service Policies Supported Features Ta b l e 1 - 1 lists the features supported by Modul ar Policy Frame work. Feature Directionality Actions are applied to t raffic bid irectionally or unidir ectionall[...]
-
Page 31
1-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 1 Configuring a Service Po licy Using the Modular Policy Framework Information About Service Policies Note When you use a global policy , all features are unidire ctional; features that are normally bidirectional when applied to a single interf ace only apply to the ingress of each inte[...]
-
Page 32
1-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Po licy Using the Modular Polic y Framework Information About Service Policies For e x ample, if a packet matches a class map for co nnection limits, and also matches a class map fo r an application inspection, then both actions are applied. If a packet matches a [...]
-
Page 33
1-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 1 Configuring a Service Po licy Using the Modular Policy Framework Information About Service Policies Incompatibility of Certain Feature Actions Some features are not compatible w i th each other for the same traf fic. Th e following list may not include all incompatibilities; fo r info[...]
-
Page 34
1-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Po licy Using the Modular Polic y Framework Licensing Requirement s for Service Policies class ftp inspect ftp Feature Matching for Multiple Service Policies For TCP a nd UDP traf fic (and ICMP w hen you enable stateful ICMP in spection), servi ce policies operate[...]
-
Page 35
1-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 1 Configuring a Service Po licy Using the Modular Policy Framework Guidelines and Limitations • TCP normalization • TCP state bypass • User statistics for Id entity Fire wall Class Map Guidelines The maximum number of class mapsof all types is 255 in sin gle mode or per conte xt i[...]
-
Page 36
1-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Po licy Using the Modular Polic y Framework Default Settings Default Settings The follo wing topics describe the defaul t settings for Modular Polic y Framew ork: • Default Co nfiguration, page 1-8 • Default Cl ass Maps, page 1-9 Default Configuration By defau[...]
-
Page 37
1-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 1 Configuring a Service Po licy Using the Modular Policy Framework Task Flows for Co nfiguring Se rvice Polici es inspect ip-options _default_ip_options_map inspect netbios inspect rsh inspect rtsp inspect skinny inspect esmtp _default_esmtp_map inspect sqlnet inspect sunrpc inspect tft[...]
-
Page 38
1-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Po licy Using the Modular Polic y Framework Task Flows for Configuring Service Policies Step 1 Identify the traf fic—Identify th e traf fic on which you want t o perform Modular Polic y Framework actions by creating Layer 3/4 class maps. For e xample, you might[...]
-
Page 39
1-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 1 Configuring a Service Po licy Using the Modular Policy Framework Task Flows for Co nfiguring Se rvice Polici es See the “Defining Actions (Layer 3/ 4 Policy Map)” section on pa ge 1-15 and the “ Applying Actions to an Interface (Service Policy)” section on page 1-17 . Task Fl[...]
-
Page 40
1-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Po licy Using the Modular Polic y Framework Identifying Traffic (Layer 3/4 Class Maps) T raff ic shaping can only be applied the to class-default class map. Step 4 For the same class map, identify the prio rity polic y map that you created in Step 2 using the ser[...]
-
Page 41
1-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 1 Configuring a Service Po licy Using the Modular Policy Framework Identifying Traffic (Layer 3/4 Cla ss Maps) match access-list access_list_name Example: hostname(config-cmap)# match access-list udp Matches traffic specified by an extended A CL. If t he ASA is operating in transparent[...]
-
Page 42
1-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Po licy Using the Modular Polic y Framework Identifying Traffic (Layer 3/4 Class Maps) Examples The follo wing is an example for the class-map command: ciscoasa(config)# access-list udp permit udp any any ciscoasa(config)# access-list tcp permit tcp any any cisco[...]
-
Page 43
1-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 1 Configuring a Service Po licy Using the Modular Policy Framework Defining Act ions (Layer 3/4 Poli cy Map) Detailed Steps Defining Actions (Layer 3/4 Policy Map) This section describes how to associate actions with Layer 3/4 class ma ps by creatin g a Layer 3/4 policy map. Restrictio[...]
-
Page 44
1-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Po licy Using the Modular Polic y Framework Defining Actions (Layer 3/4 Policy Map) Detailed Steps Examples The follo wing is an example of a policy-map command for con nection polic y . It limits the number of connections allo wed to the web serv er 10.1.1.1: ci[...]
-
Page 45
1-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 1 Configuring a Service Po licy Using the Modular Policy Framework Applying Actions to an Interface (Service Policy) The follo wing example sho ws how traf fic matches the f irst a vail able class map, and will not match an y subsequent class maps that specify actions in the same featu[...]
-
Page 46
1-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Po licy Using the Modular Polic y Framework Monitoring Modular Policy Framework Detailed Steps Examples For e xample, the followin g command enables the inbo und_polic y policy map on the outside interf ace: ciscoasa(config)# service-policy inbound_policy interfa[...]
-
Page 47
1-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 1 Configuring a Service Po licy Using the Modular Policy Framework Configuration Examples for Modular Policy Framew ork Applying Inspection and QoS Policing to HTTP Traffic In this e x ample (see Figure 1-1 ) , any HTTP conn ection (TCP traf fic on port 80) that enters or e xits the AS[...]
-
Page 48
1-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Po licy Using the Modular Polic y Framework Configuration Examples for Modular Policy Framework ciscoasa(config)# policy-map http_traffic_policy ciscoasa(config-pmap)# class http_traffic ciscoasa(config-pmap-c)# inspect http ciscoasa(config)# service-policy http_[...]
-
Page 49
1-21 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 1 Configuring a Service Po licy Using the Modular Policy Framework Configuration Examples for Modular Policy Framew ork ciscoasa(config)# service-policy policy_serverB interface inside ciscoasa(config)# service-policy policy_serverA interface outside Applying Inspection to HTTP Traffic[...]
-
Page 50
1-22 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Po licy Using the Modular Polic y Framework Feature History for Service Policies Feature History for Service Policies Ta b l e 1 - 3 lists the release history for this feature. T able 1 -3 Feat ure Hist ory for Service P olicies Feature Name Releases Feature Info[...]
-
Page 51
CH A P T E R 2-1 Cisco ASA Series Firewall CLI Configuratio n Guide 2 Configuring Special Actions for Application Inspections (Inspection Policy Map) Modular Policy Frame work lets you conf igure specia l actions for man y application inspections. When you enable an inspection engine in the Layer 3/4 poli c y map, you can also optionally enable act[...]
-
Page 52
2-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 2 Con figuring Special Actions fo r Application Inspections (Inspe ction Policy Map) Guidelines and Limitations policy map is that you can create more comple x match criteria and you can reuse class maps. Ho we ver , you cannot set different actions for dif ferent matches. Note: Not all [...]
-
Page 53
2-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 2 Configuring Special Actions for Ap plication Inspections (Inspection Policy Map) Default Inspection Policy Maps A class map is determined to be the same t ype as another class map or match command based on the lo west priority match command in the class map (th e priority is based on [...]
-
Page 54
2-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 2 Con figuring Special Actions fo r Application Inspections (Inspe ction Policy Map) Defining Actions in an Inspection Policy Map Note There are other default inspect ion policy maps such as _default_esmtp_map . For example, inspect esmtp implicitly uses the polic y map “_default_esmtp[...]
-
Page 55
2-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 2 Configuring Special Actions for Ap plication Inspections (Inspection Policy Map) Identifying Traffic in an Inspection Class Map Examples The follo wing is an example o f an HTTP inspection polic y map and the related class maps. This pol icy map is acti vated by the Laye r 3/4 polic y[...]
-
Page 56
2-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 2 Con figuring Special Actions fo r Application Inspections (Inspe ction Policy Map) Identifying Traffic in an Inspection Class Map Restrictions Not all application s support inspection cl ass maps. See the CLI help for class-map type inspect for a list of supported applications. Detaile[...]
-
Page 57
2-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 2 Configuring Special Actions for Ap plication Inspections (Inspection Policy Map) Where to Go Nex t Where to Go Next T o use an inspection pol icy , see Chapter 1, “Configuring a Service Poli cy Using the Modular Po licy Frame work. ” Feature History for Inspection Policy Maps Ta b[...]
-
Page 58
2-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 2 Con figuring Special Actions fo r Application Inspections (Inspe ction Policy Map) Feature History for Inspection Policy Maps[...]
-
Page 59
P AR T 2 Conf iguring Network A ddress T ranslation[...]
-
Page 60
[...]
-
Page 61
CH A P T E R 3-1 Cisco ASA Series Firewall CLI Configuratio n Guide 3 Information About NAT This chapter pro vides an ove rview of h ow Netw ork Address T ranslation (N A T) works on the ASA. This chapter includes the following sections: • Why Use N A T?, page 3-1 • N A T T erm inology , page 3-2 • N A T T ypes, page 3-3 • N A T in Routed a[...]
-
Page 62
3-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Info rmation Abo ut NAT NAT Terminology One of the main functions of N A T is to enable pr iv ate IP networks to conn ect to the In ternet. NA T replaces a priv ate IP address with a public IP addre ss, translating the priv ate addresses in the inter nal pri v ate network into legal, r[...]
-
Page 63
3-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 3 In formation About NAT NAT Types NAT Types • N A T T ypes Overvi ew , page 3-3 • Static NA T , page 3-3 • Dynamic N A T , page 3-7 • Dynamic P A T , page 3-8 • Identity N A T , page 3-10 NAT Types Overview Y o u can implement N A T using the following meth ods: • Static N [...]
-
Page 64
3-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Info rmation Abo ut NAT NAT Types Figure 3-1 sho ws a typical static NA T scenar io. The translation is always act iv e so both real and remote hosts can initiate co nnections. Figure 3-1 Static NA T Note Y ou can disable bidirect ionality if desired. Information About Static NAT with [...]
-
Page 65
3-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 3 In formation About NAT NAT Types Note For ap plications that r equire application i nspection for secondary channels (for example, FTP and V oIP), the ASA automatically transl ates the second ary ports. Static NAT with Identi ty Port Translation The follo wing static N A T with port t[...]
-
Page 66
3-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Info rmation Abo ut NAT NAT Types For e xample, you hav e a load balancer at 10.1.2 .27. Depending on the URL requested, it redirects traf fic to the correct web server . Information About Other Mapping Scenarios (Not Recommended) The ASA has the fle xibility to allow an y kind of stat[...]
-
Page 67
3-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 3 In formation About NAT NAT Types Figure 3-5 sho ws a typical many-to- few static N A T scenario. Figure 3-5 Man y-t o-Few Static NA T Instead of usin g a static rule this way , we suggest that you c reate a one-to-one rule for the traff ic tha t needs bidirectional initiation, a nd th[...]
-
Page 68
3-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Info rmation Abo ut NAT NAT Types Note For the duratio n of the translatio n, a remote host can initiate a connection to th e translated host if an access rule allows it. Because the address is unpr edictabl e, a connectio n to the ho st is unlikely . Nev ertheless, in this case you ca[...]
-
Page 69
3-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 3 In formation About NAT NAT Types Figure 3-7 sho ws a typical dynamic P A T scenario. Only real hosts can crea te a NA T session, and responding traf fic is al lo wed back. The mapped addr ess is the same for each translation, b ut the port is dynamically assigned. Figur e 3-7 Dynamic [...]
-
Page 70
3-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Info rmation Abo ut NAT NAT in Routed a nd Transpar ent Mode Identity NAT Y o u might ha ve a N A T configur ation in which you need to transl ate an IP address to itself. F or example, if you create a broad rule that applies N A T to every netw ork, but want to e x clude one network [...]
-
Page 71
3-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 3 In formation About NAT NAT in Routed and Transparent Mode NAT in Routed Mode Figure 3-9 sho ws a typical N A T example in rou ted mode, with a pri vate netw ork on the inside. Figure 3-9 NA T Exam pl e: Routed Mode 1. When the inside host at 10.1.2.27 sends a packet to a w eb server [...]
-
Page 72
3-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Info rmation Abo ut NAT NAT in Routed a nd Transpar ent Mode Figure 3-1 0 NA T Exampl e: T ranspar ent Mode 1. When the inside host at 10.1.1.75 sends a packet to a w eb server , the real source address of the packet, 10.1.1.75, is changed to a mapped address, 209.165.201.15. 2. When [...]
-
Page 73
3-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 3 In formation About NAT NAT and IPv6 NAT and IPv6 Y ou can use N A T to translate between IPv6 netw orks, and also to translate between IPv4 and IPv6 networks (rou ted mode only). W e recommend the followi ng best practices: • N A T66 (IPv6-to-IPv6)—W e recommend using static N A [...]
-
Page 74
3-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Info rmation Abo ut NAT How NAT is Implemen ted • How source and destinati on N A T is implemented. – Network obj ect N A T— Each rule can apply to either the source or desti n ation of a pack et. So two rules m ight be used, one for the source IP a ddress, and one for the desti[...]
-
Page 75
3-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 3 In formation About NAT How N AT is Im plemented T wice N A T also lets you use service objects for static N A T with port translation; networ k object NA T only accepts inline def inition. T o start confi guring twice N A T , see Chapter 5, “Conf iguring T wice NA T . ” Figure 3-[...]
-
Page 76
3-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Info rmation Abo ut NAT How NAT is Implemen ted Figure 3-12 sho ws the use of source and destination ports . The host on the 10.1.2.0/24 network accesses a single host for both web ser vices and T elnet se rvices. When the host accesses the server for web services, the real address is[...]
-
Page 77
3-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 3 In formation About NAT How N AT is Im plemented Figure 3-13 sho ws a remote host con n ecting to a mapp ed host. The mapped h ost has a twice static N A T translation that translates the real address only for traf fic to and from the 2 09.165.201.0/27 network. A translation does not [...]
-
Page 78
3-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Info rmation Abo ut NAT NAT Rule Order NAT Rule Order Network ob ject N A T rules an d twice NA T rules a re stored in a single table that is divided into t hree sections. Sectio n 1 rules are appl ied first, then section 2, an d finally section 3, unt il a match is fo und. For e xamp[...]
-
Page 79
3-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 3 In formation About NAT NAT Interfaces For section 2 r ules, for example, you ha ve the foll ow ing IP addresses def ined within netw ork objects: 192.168.1.0/24 ( static) 192.168.1.0/ 24 (dynamic) 10.1.1.0/24 (static) 192.168.1.1/32 ( static) 172.16.1.0/24 (dynamic) ( object def) 172[...]
-
Page 80
3-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Info rmation Abo ut NAT Routing NAT Packets Mapped Addresses and Routing When you translate the real addres s to a mapped address, the mapped address you choose determines ho w to conf igure routing , if necessary , for the mapped address. See additional guidelines about mapped IP add[...]
-
Page 81
3-21 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 3 In formation About NAT Routing NAT Packets Figur e 3-14 Pro xy ARP Problems with Identity NA T In rare cases, you need proxy ARP for identity N A T ; for example for virt ual T elnet. When using AAA for network access, a host needs to authenti cate with the ASA using a service like T[...]
-
Page 82
3-22 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Info rmation Abo ut NAT NAT for VPN Determining the Egress Interface When the ASA receives traf fic for a mapped address, the ASA unstran slates the destination address according to the NA T rule, and then it sends the packet on to the real address. The ASA determines the egress inter[...]
-
Page 83
3-23 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 3 In formation About NAT NAT for VPN NAT and Remote Access VPN Figure 3-17 sh ow s both an inside serv er (10.1.1.6) and a VPN cli ent (209.165.201.10) accessi ng the Internet. Unless you conf igure split tunnelling for the VPN client (where only specif ied traff ic goes through the VP[...]
-
Page 84
3-24 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Info rmation Abo ut NAT NAT for VPN Figur e 3-18 Identity NA T for VPN Clients See the follo wing sample N A T conf iguration for the abo ve network: ! Enable hairpin for non-split-tunneled VPN client traffic: same-security-traffic permit intra-interface ! Identify local VPN network, [...]
-
Page 85
3-25 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 3 In formation About NAT NAT for VPN Figur e 3-19 Interf ace P A T and Identity NA T for Sit e-to-Site VPN Figure 3-20 sho ws a VPN clie nt connected to ASA1 (Boul der), with a T elnet request for a server (10.2.2.78) accessibl e ov er a site-to-site tunnel betw een ASA1 and ASA2 (San [...]
-
Page 86
3-26 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Info rmation Abo ut NAT NAT for VPN object network vpn_local subnet 10.3.3.0 255.255.255.0 nat (outside,outside) dynamic interface ! Identify inside Boulder network, & perform object interface PAT when going to Internet: object network boulder_inside subnet 10.1.1.0 255.255.255.0 [...]
-
Page 87
3-27 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 3 In formation About NAT NAT for VPN Figure 3-21 sho ws a VPN client T elnet ting to the ASA inside interface. When yo u use a management-access interface, and you configure identity N A T according to the “NA T and Remote Access VPN” or “N A T and Site-to-Site VPN” section, yo[...]
-
Page 88
3-28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Info rmation Abo ut NAT DNS and NAT ! Use twice NAT to pass traffic between the inside network and the VPN client without ! address translation (identity NAT), w/route-lookup: nat (outside,inside) source static vpn_local vpn_local destination static inside_nw inside_nw route-lookup Tr[...]
-
Page 89
3-29 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 3 In formation About NAT DNS and NAT Figure 3-22 sho ws a D NS server that is access ible from the outside interface. A serv er, ftp .cisco.com, is on the inside interface. Y ou co nfigure the ASA to st atic ally translate the ft p.cisco.com real a ddress (10.1.3.14) to a mapped addres[...]
-
Page 90
3-30 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Info rmation Abo ut NAT DNS and NAT a static rule between the inside and DMZ, then you al so need to enable DNS reply modif ication on this rule. The DNS reply will then be modif ied two times. In this case, the ASA ag ain translates t he address inside the DNS reply to 192.168.1.10 a[...]
-
Page 91
3-31 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 3 In formation About NAT DNS and NAT Figure 3-24 sho ws an FTP server and DNS server on the outside. The ASA has a static translation for the outside serv er . In this case, when an inside us er requests the address fo r ftp.cisco.com from the DNS server , the DNS server responds with [...]
-
Page 92
3-32 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Info rmation Abo ut NAT DNS and NAT Because you want inside users to use the mapped address for ftp.cisco.com (200 1:DB8::D1A5:C8E1) you need to conf igure DNS reply modif ication for the stat ic translation. This e xample also includes a static N A T translation for th e DNS server ,[...]
-
Page 93
3-33 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 3 In formation About NAT Where to Go Nex t Figure 3-26 sho ws an FTP server and DNS server on the outside. The ASA has a static translation for the outside server . In this case, wh en an inside user performs a rev e rse DNS lookup for 10.1.2.56, the ASA modifies the re verse DNS query[...]
-
Page 94
3-34 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Info rmation Abo ut NAT Where to Go Next[...]
-
Page 95
CH A P T E R 4-1 Cisco ASA Series Firewall CLI Configuratio n Guide 4 Configuring Network Object NAT All N A T rules that are configured as a paramete r of a network object are considered to be network object NAT rules. Net work object N A T is a quick an d easy way to configure N A T for a single IP address, a range of addresses, or a subnet. Afte[...]
-
Page 96
4-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Co nfiguring Network Ob ject NAT Licensing Requirements for Network Object NAT Licensing Requirements for Network Object NAT The follo wing table shows the licensing requirements for this feature: Prerequisites for Network Object NAT Depending on the conf iguration, you can conf igure [...]
-
Page 97
4-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 4 Configuring Network O bject NAT Default Settings Additional Guidelines • Y ou can only def ine a single NA T rule for a gi ven object; if you w ant to conf igure multiple N A T rules for an object, you need to create multiple objects with d iff erent names that specify the same IP a[...]
-
Page 98
4-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Co nfiguring Network Ob ject NAT Configuring Network Object NAT Configuring Network Object NAT This section descri bes ho w to conf igure network object N A T and includes the follow ing topics: • Adding Netw ork Objects for Mapp ed Addresses, page 4-4 • Conf iguring Dynamic N A T [...]
-
Page 99
4-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 4 Configuring Network O bject NAT Configuring Ne twork Object NAT Detailed Steps Configuring Dynamic NAT This section descri bes ho w to conf igure network object N A T for dynamic NA T . For more information, see the “Dynamic N A T” section on page 3-7 . Detailed Steps Command Purp[...]
-
Page 100
4-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Co nfiguring Network Ob ject NAT Configuring Network Object NAT Examples The follo wing example conf igures dynamic N A T that hides 192.168.2.0 network beh ind a range of outside addresses 10.2.2 .1 through 10.2.2.10: ciscoasa(config)# object network my-range-obj ciscoasa(config-netwo[...]
-
Page 101
4-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 4 Configuring Network O bject NAT Configuring Ne twork Object NAT ciscoasa(config-network-object)# host 10.10.10.21 ciscoasa(config-network-object)# object-group network nat-pat-grp ciscoasa(config-network-object)# network-object object nat-range1 ciscoasa(config-network-object)# networ[...]
-
Page 102
4-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Co nfiguring Network Ob ject NAT Configuring Network Object NAT • If you enable e xtended P A T for a dynamic P A T rule, then you cannot also us e an address in the P A T pool as the P A T address in a separate static N A T -with-port-translation rule. F o r example, if t he P A T p[...]
-
Page 103
4-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 4 Configuring Network O bject NAT Configuring Ne twork Object NAT Step 4 nat [ ( real_ifc , mapped_ifc ) ] dynamic { mapped_inline_host_ip | mapped_obj | pat-pool mapped_obj [ round-robin ] [ extended ] [ flat [ include-reserve ]] | interface [ ipv6 ]} [ interface [ ipv6 ]] [ dns ] Exam[...]
-
Page 104
4-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Co nfiguring Network Ob ject NAT Configuring Network Object NAT Examples The follo wing example conf igures dynamic P A T that hides the 192.168.2.0 netw ork behind address 10.2.2.2: ciscoasa(config)# object network my-inside-net ciscoasa(config-network-object)# subnet 192.168.2.0 255[...]
-
Page 105
4-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 4 Configuring Network O bject NAT Configuring Ne twork Object NAT The follo wing example conf igures dynamic P A T with a P A T pool to translate the inside IPv6 network to an outside IPv4 network: ciscoasa(config)# object network IPv4_POOL ciscoasa(config-network-object)# range 203.0.[...]
-
Page 106
4-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Co nfiguring Network Ob ject NAT Configuring Network Object NAT Step 3 { host ip_address | subnet subnet_address netmask | range ip_address_1 ip_address_2 } Example: ciscoasa(config-network-object)# subnet 10.2.1.0 255.255.255.0 If you are creating a ne w network object, def ines the [...]
-
Page 107
4-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 4 Configuring Network O bject NAT Configuring Ne twork Object NAT Step 4 nat [ ( real_ifc , mapped_ifc ) ] static { mapped_inline_ip | mapped_obj | interface [ ipv6 ]} [ net-to-net ] [ dns | service { tcp | udp } real_port mapped_port ] [ no-proxy-arp ] Example: ciscoasa(config-network[...]
-
Page 108
4-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Co nfiguring Network Ob ject NAT Configuring Network Object NAT Examples The follo wing example conf igures static N A T for the real host 10.1.1.1 o n the inside to 10.2.2.2 on the outside with DNS rewrite enabled. ciscoasa(config)# object network my-host-obj1 ciscoasa(config-network[...]
-
Page 109
4-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 4 Configuring Network O bject NAT Configuring Ne twork Object NAT Example The follo wing example maps a host address to it self using an inline mapped ad dress: ciscoasa(config)# object network my-host-obj1 ciscoasa(config-network-object)# host 10.1.1.1 ciscoasa(config-network-object)#[...]
-
Page 110
4-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Co nfiguring Network Ob ject NAT Configuring Network Object NAT The follo wing example maps a host address to it self using a network o bject: ciscoasa(config)# object network my-host-obj1-identity ciscoasa(config-network-object)# host 10.1.1.1 ciscoasa(config-network-object)# object [...]
-
Page 111
4-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 4 Configuring Network O bject NAT Monitoring Ne twork Object NAT Detailed Steps Examples The follo wing example creates a deny rule for H.323 traf fic, so that it uses multi-session P A T : ciscoasa(config)# xlate per-session deny tcp any4 209.165.201.7 eq 1720 ciscoasa(config)# xlate [...]
-
Page 112
4-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Co nfiguring Network Ob ject NAT Configuration Examples for Network Object N AT Configuration Examples for Network Object NAT This section includes the following conf iguration examples: • Providing Access to an Inside W eb Server (Static N A T), pa ge 4-19 • N A T for Inside Host[...]
-
Page 113
4-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 4 Configuring Network O bject NAT Configuration Examp les for Network Objec t NAT Providing Access to an Inside Web Server (Static NAT) The follo wing example performs static N A T for an inside web server . The real address is on a priv ate network, so a pu blic address is required . [...]
-
Page 114
4-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Co nfiguring Network Ob ject NAT Configuration Examples for Network Object N AT Figur e 4-2 Dynamic NA T for Inside, Static NA T for Outside W eb Server Step 1 Create a network obj ect for the dynamic N A T pool to which you w ant to translate the insi de addresses: ciscoasa(config)# [...]
-
Page 115
4-21 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 4 Configuring Network O bject NAT Configuration Examp les for Network Objec t NAT Inside Load Balancer with Multiple Mapped Addresses (Static NAT, One-to-Many) The follo wing example sho ws an inside load balancer that is translated to multiple IP addresses. When an outside host access[...]
-
Page 116
4-22 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Co nfiguring Network Ob ject NAT Configuration Examples for Network Object N AT Single Address for FTP, HTTP, and SMTP (Static NAT-with-Port-Translation) The follo wing static N A T -with-port-translation e xample pro vides a single address for remo te users to access FTP , HTTP , and[...]
-
Page 117
4-23 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 4 Configuring Network O bject NAT Configuration Examp les for Network Objec t NAT Step 5 Create a network object for the SMTP server address: ciscoasa(config)# object network SMTP_SERVER Step 6 Defin e the SMTP server address, and co nfi gure static N A T with identity port tran slatio[...]
-
Page 118
4-24 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Co nfiguring Network Ob ject NAT Configuration Examples for Network Object N AT When an inside host sends a DNS request for the add r ess of ftp.cisco.com, the DNS server replies with the mapped address (209. 165.201.10). The ASA refers to the stat ic rule for the inside server and tr[...]
-
Page 119
4-25 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 4 Configuring Network O bject NAT Configuration Examp les for Network Objec t NAT DNS Server and FTP Server on Mapped Interface, FTP Server is Translated (Static NAT with DNS Modification) Figure 4-6 sho ws an FTP server and DNS server on the outs id e. The ASA has a static translation[...]
-
Page 120
4-26 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Co nfiguring Network Ob ject NAT Configuration Examples for Network Object N AT IPv4 DNS Server and FTP Server on Mapped Interface, IPv6 Host on Real Interface (Static NAT64 with DNS64 Modification) Figure 4-6 sho ws an FTP server and DNS server on the outside IPv4 netw ork. The ASA h[...]
-
Page 121
4-27 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 4 Configuring Network O bject NAT Configuration Examp les for Network Objec t NAT Step 2 Configure N A T for the DNS server . a. Create a network object for the DNS server address. ciscoasa(config)# object network DNS_SERVER b. Define the DNS server address, and conf ig ure static N A [...]
-
Page 122
4-28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Co nfiguring Network Ob ject NAT Feature History for Network Object NAT Feature History for Network Object NAT Ta b l e 4 - 1 lists each feature change and the platfo rm release in which it was impl emented. T able 4-1 Feat ure Hist ory for Netw ork Ob ject NA T Feature Name Platform [...]
-
Page 123
4-29 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 4 Configuring Network O bject NAT Feature Hist ory for Netwo rk Object NA T Flat range of P A T ports for a P A T pool 8.4(3) If av aila ble, the real source port number is used for the mapped port. Ho wev er , if the real port is not a v ailable, by default th e mapped ports are chose[...]
-
Page 124
4-30 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Co nfiguring Network Ob ject NAT Feature History for Network Object NAT Automatic N A T rules to translate a VPN peer’ s local IP address back to the peer’ s real IP address 8.4(3) In rare situations, you mi ght want to use a VPN p eer’ s real IP address on the inside network in[...]
-
Page 125
4-31 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 4 Configuring Network O bject NAT Feature Hist ory for Netwo rk Object NA T N A T support for rev erse DNS lookups 9.0(1) N A T now supports t ranslation of the DNS PTR record fo r re verse DNS lo okups when using IPv4 N A T , IPv6 N A T , and N A T64 with DNS inspection enabled for th[...]
-
Page 126
4-32 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Co nfiguring Network Ob ject NAT Feature History for Network Object NAT[...]
-
Page 127
CH A P T E R 5-1 Cisco ASA Series Firewall CLI Configuratio n Guide 5 Configuring Twice NAT T wice N A T lets you identify both the source and destin ation address in a single rule. This chapt er sho ws you how to configure twice NA T a nd includes the following sections: • Information Ab out T wice N A T , page 5-1 • Licensing Requ irements fo[...]
-
Page 128
5-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 Configuring Twice NAT Licensing Require ments for Twice NAT T wice N A T also lets you use service objects for static N A T -with-port-translation; netw ork object N A T only accepts inline definition. For detailed in formation about th e differences between twice N A T and network obj[...]
-
Page 129
5-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 5 Configuring Twice NAT Guidelines and Limitations • For routed mode, you can also translate between IPv4 and IPv6. • For transparent mode, translating between IPv4 and IPv6 netw orks is not supported. T ranslating between two IPv6 networks, or between t wo IPv4 netw orks is support[...]
-
Page 130
5-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 Configuring Twice NAT Default Settings • Y ou can use the same objects in mul tiple rules. • The mapped IP address pool cann ot include: – The mapped interface IP address. If you specify any interf ace for the rule, then all interface I P addresses are disallowed. For interf a ce[...]
-
Page 131
5-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 5 Configuring Twice NAT Configuri ng Twice NAT Guidelines • A network ob ject group can contain objects and/or in line addresses of eith er IPv4 or IPv6 addresses. The group cannot co ntain both IPv4 and IPv6 addresses; it must co ntain one type only . • See the “Guidelines and Li[...]
-
Page 132
5-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 Configuring Twice NAT Configuring Twice NAT Detailed Steps (Optional) Adding Service Objec ts for Real and Mapped Ports Config ure service objects for: • Source r eal port (Static only) or Destination real port • Source mapped port (Static only) or Destination mapped port For more [...]
-
Page 133
5-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 5 Configuring Twice NAT Configuri ng Twice NAT • Source Dynami c P A T (Hide)—Source Dynamic P A T does not support port transl ation. • Source Static N A T or Static N A T with port transl ation—A service object can contain both a source and destination port; howe ver , you sho[...]
-
Page 134
5-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 Configuring Twice NAT Configuring Twice NAT Detailed Steps Command Purpose Step 1 Create network objects or groups for t he: • Source real addresses • Source mapped addresses • Destination real addresses • Destination mapped addresses See the “ Adding Networ k Objects for Rea[...]
-
Page 135
5-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 5 Configuring Twice NAT Configuri ng Twice NAT Step 3 nat [ ( real_ifc , mapped_ifc ) ] [ line |{ after-auto [ line ]}] source dynamic { real_obj | any } { mapped_obj [ interface [ ipv6 ]]} [ destination static { mapped_obj | interface [ ipv6 ]} real_obj ] [ service mapped_dest_svc_obj [...]
-
Page 136
5-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 Configuring Twice NAT Configuring Twice NAT (Continued) • Destination addresses (Optional): – Mapped—Specify a netw ork object or group, or for stati c interface N A T with port translation only , specify the interfac e keyw ord. If you specify ipv6 , then the IPv6 address of th[...]
-
Page 137
5-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 5 Configuring Twice NAT Configuri ng Twice NAT Examples The follo wing example configures dynamic N A T for inside network 10 .1.1.0/24 whe n accessing servers on the 209.165.201 .1/27 network as well as serv ers on the 203.0.113.0/24 network: ciscoasa(config)# object network INSIDE_NW[...]
-
Page 138
5-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 Configuring Twice NAT Configuring Twice NAT • If av ailable, the real source port number is used for the mapped port. Ho wev er, if the real port is not av ailable, by defaul t the mapped ports are chosen from the same range of ports as the real port number: 0 to 511, 512 to 1023, a[...]
-
Page 139
5-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 5 Configuring Twice NAT Configuri ng Twice NAT Detailed Steps Command Purpose Step 1 Create network objects or groups for t he: • Source real addresses • Source mapped addresses • Destination real addresses • Destination mapped addresses See the “ Adding Networ k Objects for [...]
-
Page 140
5-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 Configuring Twice NAT Configuring Twice NAT Step 3 nat [ ( real_ifc , mapped_ifc ) ] [ line |{ after-auto [ line ]}] source dynamic { real-obj | any } { mapped_obj [ interface [ ipv6 ]] | [ pat-pool mapped_obj [ round-robin ] [ extended ] [ flat [ include-reserve ]] [ interface [ ipv6[...]
-
Page 141
5-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 5 Configuring Twice NAT Configuri ng Twice NAT (continued) For a P A T pool, you can specify one or more of t he follo wing options: -- Round robin—Th e round-r obin keyw ord enables round-robin address allocati on for a P A T pool. W ithout round robin, by defa ult all ports for a P[...]
-
Page 142
5-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 Configuring Twice NAT Configuring Twice NAT (continued) • Destination addresses (Optional): – Mapped—Specify a netw ork object or group, or for stati c interface N A T with port translation o nly (routed mode), specify the interf ace keyw ord. If you specify ipv6 , then the IPv6[...]
-
Page 143
5-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 5 Configuring Twice NAT Configuri ng Twice NAT Examples The follo wing example conf igures interface P A T for inside network 192 .168.1.0/24 when accessi ng outside T elnet server 209.165 .201.23, and Dynamic P A T using a P A T pool when accessing any serv er on the 203.0.113.0/24 ne[...]
-
Page 144
5-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 Configuring Twice NAT Configuring Twice NAT Configuring Static NAT or Static NAT-with-Port-Translation This section describes ho w to configure a static N A T rule using twice NA T . For more informatio n about static N A T , see the “S tatic NA T” section on page 3-3 . Detailed S[...]
-
Page 145
5-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 5 Configuring Twice NAT Configuri ng Twice NAT Step 3 nat [ ( real_ifc , mapped_ifc ) ] [ line |{ after-object [ line ]}] source static real_ob [ mapped_obj | interface [ ipv6 ]] [ destination static { mapped_obj | interface [ ipv6 ]} real_obj ] [ service real_src_mapped_dest_svc_obj m[...]
-
Page 146
5-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 Configuring Twice NAT Configuring Twice NAT Examples The following e xample shows the use of static interface N A T with port translation. Hosts on the outside access an FTP server on the inside by connecting t o the outside interf ace IP address with destin ation port 65000 through 6[...]
-
Page 147
5-21 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 5 Configuring Twice NAT Configuri ng Twice NAT to the command k eyw ords; the actual source and dest ination address and port in a packet depends on which host sent the packet. In this example, connections are originat ed from outside to inside, so t he “source” address and port of[...]
-
Page 148
5-22 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 Configuring Twice NAT Configuring Twice NAT Detailed Steps Command Purpose Step 1 Create network objects or groups for t he: • Source real addresses ( you will typically use the same object for the sour ce mapped addresses) • Destination real addresses • Destination mapped addre[...]
-
Page 149
5-23 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 5 Configuring Twice NAT Configuri ng Twice NAT Step 3 nat [ ( real_ifc , mapped_ifc ) ] [ line |{ after-object [ line ]}] source static { nw_obj nw_obj | any any } [ destination static { mapped_obj | interface [ ipv6 ]} real_obj ] [ service real_src_mapped_dest_svc_obj mapped_src_real_[...]
-
Page 150
5-24 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 Configuring Twice NAT Monitoring Twice NAT Configuring Per-Session PAT Rules By default, all TCP P A T traffic and all UDP DNS traf fic uses per-session P A T . T o use multi-session P A T for traf fic, you can conf igure per-sessi on P A T rules: a permit rule uses per-sessio n P A T[...]
-
Page 151
5-25 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 5 Configuring Twice NAT Configuration Examples for Twice NAT Configuration Examples for Twice NAT This section includes the following conf iguration examples: • Different T ranslat ion Dependin g on the Desti nation (Dynami c P A T), page 5-25 • Different T ranslation Depending on [...]
-
Page 152
5-26 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 Configuring Twice NAT Configuration Examples for Twice NAT Step 4 Config ure the first twice N A T rule: ciscoasa(config)# nat (inside,dmz) source dynamic myInsideNetwork PATaddress1 destination static DMZnetwork1 DMZnetwork1 Because you do not want to t ranslate the destination ad dr[...]
-
Page 153
5-27 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 5 Configuring Twice NAT Configuration Examples for Twice NAT Different Translation Depending on the De stination Address and Port (Dynamic PAT) Figure 5-2 sho ws the use of source and destination port s. The host on the 10.1.2.0/24 network accesses a single host for both web ser vices [...]
-
Page 154
5-28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 Configuring Twice NAT Configuration Examples for Twice NAT Step 5 Config ure the first twice N A T rule: ciscoasa(config)# nat (inside,outside) source dynamic myInsideNetwork PATaddress1 destination static TelnetWebServer TelnetWebServer service TelnetObj TelnetObj Because you do not [...]
-
Page 155
5-29 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 5 Configuring Twice NAT Feature History for Twice NAT Feature History for Twice NAT Ta b l e 5 - 1 lists each feature change and the platfo rm release in which it was imple mented. T able 5-1 Feature Hist ory for T wice NA T Feature Name Platform Releases Feature Information T wice N A[...]
-
Page 156
5-30 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 Configuring Twice NAT Feature History for Twice NAT Round robin P A T pool allocation uses the same IP address for existing hosts 8.4(3) When using a P A T pool with round robin allocation, if a host has an existing con nection, then subsequent connections from that host will use the [...]
-
Page 157
5-31 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 5 Configuring Twice NAT Feature History for Twice NAT Automatic N A T rules to translate a VPN peer’ s local IP address back to the peer’ s real IP address 8.4(3) In rare situations, you mi ght want to use a VPN p eer’ s real IP address on the inside network inst ead of an assign[...]
-
Page 158
5-32 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 Configuring Twice NAT Feature History for Twice NAT N A T support for rev erse DNS lookups 9.0(1) N A T now supports tran slation of the DNS PTR record fo r re verse DNS lo okups when using IPv4 N A T , IPv6 N A T , and N A T64 with DNS inspection enabled for the N A T rule. Per-sessi[...]
-
Page 159
P AR T 3 Conf iguring Access Contr ol[...]
-
Page 160
[...]
-
Page 161
CH A P T E R 6-1 Cisco ASA Series Firewall CLI Configuratio n Guide 6 Configuring Access Rules This chapter describes ho w to control netw ork acce ss through t he ASA using access rul es and includes the following sections: • Information Ab out Access Rules, page 6-1 • Licensing Requirements for Access Rules, page 6-7 • Prerequisites, page 6[...]
-
Page 162
6-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 6 Con figuring Access Rules Information About Access Rules • Information Ab out EtherT ype Rules, page 6-6 General Information About Rules This section describes informati on for both access rules and EtherT ype rules, and it includes the follo wing topics: • Implicit Permits, page 6[...]
-
Page 163
6-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 6 Configuring Access Rules Information About Access Rules Implicit Deny A CLs have an implicit deny at the end of the list, so un less you exp licitly permit i t, traf fic cannot pass. For e xample, if you want to allow all users to a ccess a network through the ASA except for particula[...]
-
Page 164
6-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 6 Con figuring Access Rules Information About Access Rules Figur e 6-1 Outbound ACL See the follo wing commands for this example: ciscoasa(config)# access-list OUTSIDE extended permit tcp host 10.1.1.14 host 209.165.200.225 eq www ciscoasa(config)# access-list OUTSIDE extended permit tcp[...]
-
Page 165
6-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 6 Configuring Access Rules Information About Access Rules Firewall Mode Guidelines Supported in routed an d tr ansparent f irewall mod e. IPv6 Guidelines Supports IPv6. Additional Guidelines and Limitations Ev aluate the follo wing alternati ves befo re using the transactional comm it m[...]
-
Page 166
6-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 6 Con figuring Access Rules Information About Access Rules Ta b l e 6 - 1 lists common traff ic types that you can allow through the transparen t fire wa ll. Management Access Rules Y ou can config ure access rules that control management traff ic destined to the ASA. Ac cess control rul[...]
-
Page 167
6-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 6 Configuring Access Rules Licensing Requiremen ts for Access Ru les Access Rules for Returning Traffic Because EtherT ypes are conne ctionless, you need to a pply the rule to both interf aces if you want traf fic to pass in both direct ions. Allowing MPLS If you allo w MPLS, ensure tha[...]
-
Page 168
6-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 6 Con figuring Access Rules Guidelines and Limitations Per-User ACL Guidelines • The per-user A CL uses the value in the timeout uauth command, b u t it can be ov erridden by the AAA per-u ser session timeout v alue. • If traf f ic is denied because of a per -user A CL, syslog messag[...]
-
Page 169
6-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 6 Configuring Access Rules Guidelines and Limitations Detailed Steps Examples The follo wing example sho ws how to use the access-group command: hostname(config)# access-list outside_access permit tcp any host 209.165.201.3 eq 80 hostname(config)# access-group outside_access interface o[...]
-
Page 170
6-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 6 Con figuring Access Rules Monitoring Access Rule s Monitoring Access Rules T o monitor network access, enter the follo w ing command: Configuration Examples for Permitting or Denying Network Access This section includes typical conf iguration e xamples for permitting or den ying netwo[...]
-
Page 171
6-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 6 Configuring Access Rules Feature History for Access Rules hostname (config-service)# service-object tcp source range 2000 3000 hostname (config-service)# service-object tcp source range 3000 3010 destinatio$ hostname (config-service)# service-object ipsec hostname (config-service)# s[...]
-
Page 172
6-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 6 Con figuring Access Rules Feature History for Access Rules Unif ied A CL for IPv4 and IPv6 9.0(1) A CLs now supp ort IPv4 and IPv6 addresses. Y ou can e ven specify a mix of IPv4 and IPv6 addresses fo r the source and destination. The any ke yword was chan ged to represent IPv4 and IP[...]
-
Page 173
CH A P T E R 7-1 Cisco ASA Series Firewall CLI Configuratio n Guide 7 Configuring AAA Rules for Network Access This chapter describes ho w to enable AAA (pronounced “triple A”) for network access. For information about AAA for management access, see the general operations configuration guide. This chapte r includes the follo wing sections: • [...]
-
Page 174
7-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 7 Configuring AAA Rules for Network Access Guidelines and Limitations Guidelines and Limitations This section includes the guid elines and limitations for th is feature. Context Mode Guidelines Supported in single and mult iple conte xt mode. Firewall Mode Guidelines Supported in routed [...]
-
Page 175
7-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Authentication fo r Network Access One-Time Authentication A user at a gi ven I P address only needs to authenticat e one time for all rules and types, u ntil the authentication session e xpires. (See the timeout uauth co mmand in t[...]
-
Page 176
7-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Authentic ation for Ne twork Access Note If you use HTTP authenticati on, by defaul t the user name and passw ord are sent from the cli ent to the ASA in clear te xt; in addition, the username and password are sen t on to the destina[...]
-
Page 177
7-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Authentication fo r Network Access • For T elnet and FTP traf fic, users must log in thro ugh the cut-throug h proxy server and again to the T elnet and FTP servers. • A user can specify an A ctiv e Directory domain wh ile pr ov[...]
-
Page 178
7-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Authentic ation for Ne twork Access nat (inside,outside) static 10.48.66.155 service tcp 111 889 Then users do not see the authentication page. Inst ead, the ASA sends an error message to the w eb bro wser , indicating that the user [...]
-
Page 179
7-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Authentication fo r Network Access Configuring Network Access Authentication T o conf igure network access auth entication, perform the fo llo wing steps: Command Purpose Step 1 aaa-server Example: ciscoasa(config)# aaa-server AuthO[...]
-
Page 180
7-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Authentic ation for Ne twork Access Examples The follo wing example authenticates all in side HTTP traf fic and SMTP traff ic: ciscoasa(config)# aaa-server AuthOutbound protocol tacacs+ ciscoasa(config-aaa-server-group)# exit ciscoas[...]
-
Page 181
7-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Authentication fo r Network Access The following e xample shows a typical cut-through proxy co nfigu ration to allo w a user to log in through the ASA. In this e xample, the follow ing conditions app ly: • The ASA IP address is 19[...]
-
Page 182
7-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Authentic ation for Ne twork Access For more inf ormation about authentication, see the “Info rmation About Authen tication” section on page 7-2 . Enabling Secure Authentication of Web Clients If you use HTTP authenti cation, by[...]
-
Page 183
7-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Authentication fo r Network Access nat (inside,outside) static 10.132.16.200 service tcp 443 443 Authenticating Directly with the ASA If you do not w a nt to allo w HTTP , HTTPS, T elnet, or FTP through the ASA b ut want to authent[...]
-
Page 184
7-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Authentic ation for Ne twork Access Authenticating Telnet Connecti ons with a Virtual Server Although you can configure network access authenti cation for an y protocol or service (see the aaa authentication match or aaa authenticat[...]
-
Page 185
7-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Authentication fo r Network Access Examples The follo wing example sho ws how to enable virtual T elnet together with AAA authentication for ot her services: ciscoasa(config)# virtual telnet 209.165.202.129 ciscoasa(config)# access[...]
-
Page 186
7-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Authoriz ation for Network Access Configuring Authorization for Network Access After a user authenticates for a giv en connection, the ASA can use authorization to further control traff ic from the user . This section includes the f[...]
-
Page 187
7-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Auth orization for Network Acce ss T o conf igure T A CA CS+ authorization, perform the foll owing steps: Command Purpose Step 1 aaa-server Example: ciscoasa(config)# aaa-server AuthOutbound protocol tacacs+ Identifi es your AAA se[...]
-
Page 188
7-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Authoriz ation for Network Access Examples The follo wing example authenticates an d authorizes inside T elnet traff ic. T e lnet traf fic to serv e rs other than 209.165.201.5 can be authenticated alone, bu t traf fic to 209.165.20[...]
-
Page 189
7-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Auth orization for Network Acce ss ciscoasa(config-aaa-server-host)# key TACPlusUauthKey ciscoasa(config-aaa-server-host)# exit ciscoasa(config)# aaa authentication match TELNET_AUTH inside AuthOutbound ciscoasa(config)# aaa author[...]
-
Page 190
7-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Authoriz ation for Network Access • Simplified and centralize d manage ment of ACLs—Do w nloadable ACLs enable you to w rite a set of A CLs once and apply it to many user or gro up prof iles and distrib ute it to many ASAs. This[...]
-
Page 191
7-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Auth orization for Network Acce ss . ip:inacl# n = ACE-n ip:inacl#1=permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0 6. If the A CL required is more than approximately 4 KB in length, Cisco Secure A CS responds with an access-chall[...]
-
Page 192
7-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Authoriz ation for Network Access The do wnloaded A C L on the ASA consists of th e follo wing lines: access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit tcp any host 10.0.0.254 access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 p[...]
-
Page 193
7-21 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Accounting fo r Network Access Converting Wildcard Netma sk Expressions in Downloadable ACLs I f a R A D I U S s e r v e r p r o v i d e s d ow n l oa d a b l e AC L s to Cisco VPN 3000 series concentrators as well as to the ASA, y[...]
-
Page 194
7-22 Cisco ASA Series Firewall CLI Configuration Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Accoun ting for Network Ac cess T o conf igure accounting, perform the follo wing steps: Examples The follo wing example authenticates, au thorizes, and accoun ts for inside T elnet traf f ic. T elnet traf fic t o servers other than[...]
-
Page 195
7-23 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 7 Configuring AAA Rules for Network Access Using MAC Addresses to Ex empt Traffi c from Authentica tion and Authorization ciscoasa(config)# aaa accounting match SERVER_AUTH inside AuthOutbound AAA provides an extra le vel of protection and cont rol for user access than using A CLs alon[...]
-
Page 196
7-24 Cisco ASA Series Firewall CLI Configuration Guide Chapter 7 Configuring AAA Rules for Network Access Using MAC Addresses to Exempt Traffic from Authenticatio n and Authorization T o use MA C addresses to ex empt traff ic from authentication and aut horization, perform th e follo wing steps: Examples The follo wing example bypasses au thenticat[...]
-
Page 197
7-25 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 7 Configuring AAA Rules for Network Access Feature History for AAA Rules The follo wing example bypasses au thentication for a a group of MAC addresses e xcept for 00a0.c95d.02b2. Enter the deny statement before the permit statement, because 00a0.c95d.02b2 matches the permit statement [...]
-
Page 198
7-26 Cisco ASA Series Firewall CLI Configuration Guide Chapter 7 Configuring AAA Rules for Network Access Feature History for AAA Rules[...]
-
Page 199
P AR T 4 Conf iguring Applic ation Inspection[...]
-
Page 200
[...]
-
Page 201
CH A P T E R 9-1 Cisco ASA Series Firewall CLI Configuratio n Guide 9 Getting Started with Application Layer Protocol Inspection This chapter descri bes how to configure application lay er protocol i nspection. Inspe ction engines are required for services that embed IP addressing information in the user data packet or that open secondary channels [...]
-
Page 202
9-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 9 Getti ng Started wit h Applicatio n Layer Protoc ol Inspection Information about Application Layer Protoc ol Inspection Figur e 9-1 How Inspec tion En gines W o r k In Figure 9-1 , operations are numbered in the order th ey occur , and are described as follows: 1. A TCP SYN packet arri[...]
-
Page 203
9-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 9 Getting Started with Application Layer Protocol Inspection Guidelines and Limitations When you enable applicat ion inspection for a service that embeds IP addres ses, the ASA t ranslates embedded addresses and up dates any checksum or other fi elds that are aff ected by the translatio[...]
-
Page 204
9-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 9 Getti ng Started wit h Applicatio n Layer Protoc ol Inspection Default Settings and NAT Limitations Inspected protocols are subject to adv anced TCP-state tracking, and th e TCP state of these connections is not automatically replicated. Wh ile these connections are replicated to the s[...]
-
Page 205
9-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 9 Getting Started with Application Layer Protocol Inspection Default Settings and NAT Limita tions ICMP ERR OR — — — — ILS (LD AP) TCP/389 No extended P A T . No N A T64. —— Instant Messagin g (IM) V aries by client No ext ended P A T . No N A T64. RFC 3860 — IP Options ?[...]
-
Page 206
9-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 9 Getti ng Started wit h Applicatio n Layer Protoc ol Inspection Default Settings and NAT Limitations The default po licy conf iguration includes the follo wing commands: SIP TCP/5060 UDP/5060 No outside N A T . No N A T on same security interfaces. No ext ended P A T . No per-session P [...]
-
Page 207
9-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 9 Getting Started with Application Layer Protocol Inspection Configuring Applicati on Layer Protocol In spection class-map inspection_default match default-inspection-traffic policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum [...]
-
Page 208
9-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 9 Getti ng Started wit h Applicatio n Layer Protoc ol Inspection Configuring Applicatio n Layer Pro tocol Inspection Y ou can specify a match access-list command along with the match default-inspection- traffi c command to narro w the matched traff ic to specific IP addresses. Because th[...]
-
Page 209
9-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 9 Getting Started with Application Layer Protocol Inspection Configuring Applicati on Layer Protocol In spection • H323—See the “Conf iguring an H.323 Inspection Polic y Map for Additional Inspection Cont rol” section on page 11-6 • HTTP—See the “Configuring an HTTP Insp e[...]
-
Page 210
9-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 9 Getti ng Started wit h Applicatio n Layer Protoc ol Inspection Configuring Applicatio n Layer Pro tocol Inspection class in Step 5 . Do not add another class that matches SNMP . Step 5 Enable application insp ection by entering the follo wing command: ciscoasa(config-pmap-c)# inspect [...]
-
Page 211
9-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 9 Getting Started with Application Layer Protocol Inspection Configuring Applicati on Layer Protocol In spection http [ map_name ] If you added an HTTP in spection polic y map according to the “Configuring an HTTP In specti on Policy Map fo r Additional Insp ection Control” s ectio[...]
-
Page 212
9-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 9 Getti ng Started wit h Applicatio n Layer Protoc ol Inspection Configuring Applicatio n Layer Pro tocol Inspection Step 6 T o acti v a te the polic y map on one or more interfaces, enter the follo wing command: ciscoasa(config)# service-policy policymap_name { global | interface inter[...]
-
Page 213
CH A P T E R 10-1 Cisco ASA Series Firewall CLI Configuratio n Guide 10 Configuring Inspection of Basic Internet Protocols This chapter descri bes how to configure application lay er protocol i nspection. Inspe ction engines are required for services that embed IP addressing information in the user data packet or that open secondary channels on dyn[...]
-
Page 214
10-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols DNS Inspection • Config uring DNS Inspection, page 10-8 • Monitoring DNS Inspecti on, page 10-9 Information About DNS Inspection • General Information A bout DNS, page 10-2 • DNS Inspection A ctions, page 10 -2 General Info[...]
-
Page 215
10-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 10 Configuring Insp ection of Basic Inte rnet Protocol s DNS Inspection policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 dns-guard protocol-enforcement nat-rewrite policy-map global_policy class inspection_default inspe[...]
-
Page 216
10-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols DNS Inspection policy-map type inspect dns name Example: ciscoasa(config)# policy-map type inspect dns dns-map Creates an inspection polic y map in which you want t o match traf fic di rectly . Y ou can specify multiple match comma[...]
-
Page 217
10-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 10 Configuring Insp ection of Basic Inte rnet Protocol s DNS Inspection Step 4 match [ not ] dns-class { eq { in | c_val }} | range c_val1 c_val2 } For di rect match only: { drop [ log ] | drop-connection [ log ]| enforce-tsig {[ drop ] [ log ]} | log } Example: ciscoasa(config-pmap)# [...]
-
Page 218
10-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols DNS Inspection Step 6 match [ not ] domain-name regex { regex_id | class class_id ] For direct match only: { drop [ log ] | drop-connection [ log ]| enforce-tsig {[ drop ] [ log ]} | log } Example: ciscoasa(config-pmap)# match doma[...]
-
Page 219
10-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 10 Configuring Insp ection of Basic Inte rnet Protocol s DNS Inspection Step 7 (If you are using a DNS inspection class map) policy-map type inspect dns name class class_map_name { drop [ log ] | drop-connection [ log ]| enforce-tsig {[ drop ] [ log ]} | mask [ log ] | log } Example: c[...]
-
Page 220
10-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols DNS Inspection Examples The follo wing example sho ws a how to d efine a DN S inspection polic y map. regex domain_example “example.com” regex domain_foo “foo.com” ! define the domain names that the server serves class-ma[...]
-
Page 221
10-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 10 Configuring Insp ection of Basic Inte rnet Protocol s DNS Inspection Examples The follo wing example sho ws a how to use a ne w inspection polic y map in the global default configuration: policy-map global_policy class inspection_default no inspect dns preset_dns_map inspect dns new[...]
-
Page 222
10-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols FTP Inspection For connections using a DNS serv er, the source port of the connection may be replaced by the IP address of DNS server i n the sho w conn command output. A single connection i s created for multiple DNS sess ions, a[...]
-
Page 223
10-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 10 Configuring Insp ection of Basic Inte rnet Protocol s FTP Inspection Using the strict Option Using the strict option with the inspect ftp command increases the security of protected netw orks by prev ent ing web browsers from sending embedded commands in FTP requests. Note T o spec[...]
-
Page 224
10-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols FTP Inspection Configuring an FTP Inspection Policy Map for Additional Inspection Control FTP command fi ltering and securit y checks are pro vided using strict FTP inspection for impro ved security and contr ol. Protocol conforma[...]
-
Page 225
10-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 10 Configuring Insp ection of Basic Inte rnet Protocol s FTP Inspection d. (Optiona l) T o ma tch a file type for F TP transfe r , enter the following comm and: ciscoasa(config-cmap)# match [ not ] filetype regex [ regex_name | class regex_class_name ] Where the rege x _ n a m e is th[...]
-
Page 226
10-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols FTP Inspection Step 5 (Optional) T o add a description to the polic y map, enter the followi ng command: ciscoasa(config-pmap)# description string Step 6 T o apply actions to mat ching traf fic, perform the follo wing steps. a. Sp[...]
-
Page 227
10-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 10 Configuring Insp ection of Basic Inte rnet Protocol s HTTP Inspection ciscoasa(config-pmap)# parameters ciscoasa(config-pmap-p)# mask-banner ciscoasa(config)# class-map match-all ftp-traffic ciscoasa(config-cmap)# match port tcp eq ftp ciscoasa(config)# policy-map ftp-policy ciscoa[...]
-
Page 228
10-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols HTTP Inspection The enhanced HTTP inspection feature, wh ich is also kno wn as an application fire wall and is av ailable when you configure an HTTP map (see “Conf iguring an HTTP Inspection Polic y Map for Additional Inspection[...]
-
Page 229
10-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 10 Configuring Insp ection of Basic Inte rnet Protocol s HTTP Inspection ciscoasa(config-cmap)# description string c. (Optiona l) T o ma tch traffic with a content-type f ield in the HTTP response that does not match the accept field in the corresponding HTTP re quest message, enter t[...]
-
Page 230
10-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols HTTP Inspection Where the re ge x reg ex _ n a m e argument is the regul ar expressi on you created in Step 1 . The class r e gex_cl ass_name is the regular expression class map you crea ted in Step 2 . The length gt max_bytes is [...]
-
Page 231
10-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 10 Configuring Insp ection of Basic Inte rnet Protocol s HTTP Inspection The res e t ke yword drops t h e packet, cl oses the connec tion, and sends a TCP reset to the server and/or client. The log ke yword, which you can use alone or with one o f the other ke ywords, sends a system l[...]
-
Page 232
10-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols ICMP Inspection ICMP Inspection The ICMP inspection engine allows ICMP traff ic to ha ve a “session” so it can be inspected like TCP and UDP traf fic. W ithout the ICMP inspection engine, we recommend that you do not allow ICM[...]
-
Page 233
10-21 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 10 Configuring Insp ection of Basic Inte rnet Protocol s Instant Messa ging Inspection Configuring an Instant Messaging Inspection Policy Map for Additional Inspection Control T o specify actions when a message violates a parame ter , create an IM inspection po licy map. Y ou can then[...]
-
Page 234
10-22 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols Instant Messaging In spection Where the re ge x reg ex _ n a m e argument is the regul ar expressi on you created in Step 1 . The class r e gex_cl ass_name is the regular expression class map you crea ted in Step 2 . f. (Optional)[...]
-
Page 235
10-23 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 10 Configuring Insp ection of Basic Inte rnet Protocol s IP Options Inspection Y ou can specify multiple class or match commands in the policy map. F or information about the order of class and match commands, see the “Def ining Actions in an Insp ection Policy Map ” section on pa[...]
-
Page 236
10-24 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols IP Options Inspection • IP Options Inspection Ov erview , page 10-24 • Config uring an IP Options Inspection Polic y Map for Additional Inspection Co ntrol, page 10-25 IP Options Inspection Overview Each IP pack et contains an[...]
-
Page 237
10-25 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 10 Configuring Insp ection of Basic Inte rnet Protocol s IPsec Pass Through Inspection Configuring an IP Options Inspecti on Policy Map for Additional Inspection Control Step 1 T o create an IP Options insp ection polic y map, enter the follo wing command: ciscoasa(config)# policy-map[...]
-
Page 238
10-26 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols IPv6 Inspection • IPsec Pass Through Insp ection Ov ervie w , page 10-26 • “Example for Def ining an IPsec Pass Throu gh Param eter Map” section on page 10-26 IPsec Pass Through Inspection Overview Internet Protocol Securi[...]
-
Page 239
10-27 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 10 Configuring Insp ection of Basic Inte rnet Protocol s IPv6 Inspection Information about IPv6 Inspection IPv6 inspection lets you selecti vely log or drop IPv6 traf fic based on the extensio n header . In addition, IPv6 inspection can check co nformance to RFC 2460 for type and o rd[...]
-
Page 240
10-28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols IPv6 Inspection Detailed Steps Examples The following e xam ple creates an insp ection policy map that will dro p and log all IPv6 packets with the hop-by-hop, destinat ion-option, rout ing-address, and routin g type 0 headers: po[...]
-
Page 241
10-29 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 10 Configuring Insp ection of Basic Inte rnet Protocol s IPv6 Inspection drop log match header destination-option drop log match header routing-address count gt 0 drop log match header routing-type eq 0 drop log Configuring IPv6 Inspection T o enable IPv6 inspection, perform th e foll[...]
-
Page 242
10-30 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols NetBIOS Inspection Examples The follo wing example drops all IPv6 traf fic with the hop-by-hop, destinatio n-option, routing-addr ess, and routing type 0 headers: policy-map type inspect ipv6 ipv6-pm parameters match header hop-by[...]
-
Page 243
10-31 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 10 Configuring Insp ection of Basic Inte rnet Protocol s NetBIOS Inspection Step 4 (Optional) T o add a description to the polic y map, enter the follo wing command: ciscoasa(config-pmap)# description string Step 5 T o apply actions to matching traf fic, perform the follo wing steps. [...]
-
Page 244
10-32 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols PPTP Inspection ciscoasa(config)# policy-map netbios_policy ciscoasa(config-pmap)# class inspection_default ciscoasa(config-pmap-c)# inspect netbios netbios_map PPTP Inspection PPTP is a protocol for tunneling PPP tr af fic. A PPT[...]
-
Page 245
10-33 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 10 Configuring Insp ection of Basic Inte rnet Protocol s SMTP and Extended SMTP Inspection includes support for SMTP sessions. Most commands used in an extended SMTP session are the same as those used in an SMTP session b ut an ESMTP sess ion is considerably faster and of fers more op[...]
-
Page 246
10-34 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols SMTP and Extende d SMTP Inspection T o specify actions when a message viola tes a parame ter , create an ESMTP inspect ion polic y map. Y ou can then apply the inspection polic y map when you en able ESMTP inspection. T o create a[...]
-
Page 247
10-35 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 10 Configuring Insp ection of Basic Inte rnet Protocol s TFTP Inspec tion Step 6 T o conf igure parameters that af fect the inspection engine, perform the follo wing steps: a. T o enter parameters conf iguratio n mode, enter the fo llo wing command: ciscoasa(config-pmap)# parameters c[...]
-
Page 248
10-36 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols TFTP Inspec tion[...]
-
Page 249
CH A P T E R 11-1 Cisco ASA Series Firewall CLI Configuratio n Guide 11 Configuring Inspection for Voice and Video Protocols This chapter descri bes how to configure application lay er protocol i nspection. Inspe ction engines are required for services that embed IP addressing information in the user data packet or that open secondary channels on d[...]
-
Page 250
11-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 11 Configuring Ins pection for Voice and Video Protocols CTIQBE Inspection Limitations and Restrictions The follo wing summarizes limitations that appl y when using CTIQBE applicat ion inspection: • CTIQBE application insp ection does not suppor t config urations with the alias comman[...]
-
Page 251
11-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 11 Configuring Inspection for Voice and Video Protocols H.323 Inspection The line be ginning with RTP/R TCP: PAT xlate s: appears onl y if an internal CTI de vice has register ed with an external Call Manager and th e CTI de vice address and ports are P A T ed to that external interf a[...]
-
Page 252
11-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 11 Configuring Ins pection for Voice and Video Protocols H.323 Inspection H.323 Inspection Overview H.323 inspection provides support for H.323 complia nt appl ications such as Cisco CallManage r and V ocalT e c Gatekeeper . H.323 is a suite of protocol s defined by the Int ernational T[...]
-
Page 253
11-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 11 Configuring Inspection for Voice and Video Protocols H.323 Inspection After inspecting the H.225 messages, t he ASA opens the H.245 channel and then inspects traf fic sent ov er the H.245 channel as well. All H.245 messages passing t hrough the ASA u ndergo H .245 application inspec[...]
-
Page 254
11-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 11 Configuring Ins pection for Voice and Video Protocols H.323 Inspection • Only static N A T is fully supported. Static P A T may not properly translate IP addresses embedded in optional f ields within H.323 messages. If you e xperience this kind of problem, do not use static P A T w[...]
-
Page 255
11-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 11 Configuring Inspection for Voice and Video Protocols H.323 Inspection b. (Optional) T o add a description to the class map , enter the follo wing command: ciscoasa(config-cmap)# description string Where string is th e description of the cl ass map (up to 200 characters). c. (Optiona[...]
-
Page 256
11-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 11 Configuring Ins pection for Voice and Video Protocols H.323 Inspection Y ou can specify multiple class or match commands in the policy map. F or information about the order of class and match commands, see the “Def ining Actions in an Insp ection Policy Map ” section on page 2-4 [...]
-
Page 257
11-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 11 Configuring Inspection for Voice and Video Protocols H.323 Inspection The follo wing example sho ws how to confi g ure phone number f iltering: ciscoasa(config)# regex caller 1 “5551234567” ciscoasa(config)# regex caller 2 “5552345678” ciscoasa(config)# regex caller 3 “555[...]
-
Page 258
11-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 11 Configuring Ins pection for Voice and Video Protocols H.323 Inspection 0 Concurrent Call(s) for Local: 10.130.56.4/1050 Foreign: 172.30.254.205/1720 This output indi cates that there is curr ently 1 acti ve H.323 call goin g through the ASA between the local endpoint 10.130.5 6.3 an[...]
-
Page 259
11-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 11 Configuring Inspection for Voice and Video Protocols MGCP Inspection Total: 1 GK Caller 172.30.254.214 10.130.56.14 This output sho ws that there is one acti ve registration between the gatekeeper 1 72.30.254.214 an d its client 10.130 .56.14. MGCP Inspection This section descri be[...]
-
Page 260
11-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 11 Configuring Ins pection for Voice and Video Protocols MGCP Inspection MGCP transactions are composed of a command an d a mandatory response. There a re eight types of commands: • CreateConnection • ModifyConnection • DeleteCo nnection • Notifi cationRequest • Notify • Au[...]
-
Page 261
11-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 11 Configuring Inspection for Voice and Video Protocols MGCP Inspection ciscoasa(config-pmap)# parameters ciscoasa(config-pmap-p)# b. T o configure the call agents, enter the follo wing command fo r each call agent: ciscoasa(config-pmap-p)# call-agent ip_address group_id Use the call-[...]
-
Page 262
11-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 11 Configuring Ins pection for Voice and Video Protocols RTSP Inspection Verifying and Monitoring MGCP Inspection The show mgcp com mands command lists the number of MGCP com mands in the command queue. The show mgcp ses sions command lists the number of e xis ting MGCP sessions. The d[...]
-
Page 263
11-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 11 Configuring Inspection for Voice and Video Protocols RTSP Inspection RTSP Inspection Overview The R TSP inspection engine lets the ASA pass R TSP packets. R TSP is used by RealAudio, RealNetworks, Ap ple QuickT ime 4, Real Player, and Cisco IP/TV connections. Note For Cisco IP/TV ,[...]
-
Page 264
11-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 11 Configuring Ins pection for Voice and Video Protocols RTSP Inspection • Y o u can conf igure N A T for Apple QuickT ime 4 or RealPlayer . Cisco IP/TV only works with NA T if the V iewer and Content Manager are on the ou tside network and the serv er is on the inside network. Confi[...]
-
Page 265
11-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 11 Configuring Inspection for Voice and Video Protocols RTSP Inspection Where the re ge x reg ex _ n a m e argument is the regul ar expression you created i n Step 1 . The class r e gex_cl ass_name is the regular e xpression class map you create d in Step 2 . Step 4 T o create an R TS[...]
-
Page 266
11-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 11 Configuring Ins pection for Voice and Video Protocols SIP Inspection ciscoasa(config-pmap-p)# url-length-limit length Where the length ar gument specifies the URL length i n bytes (0 to 6000). The follo wing example sho ws a how to d efine an R TSP inspection polic y map. ciscoasa(c[...]
-
Page 267
11-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 11 Configuring Inspection for Voice and Video Protocols SIP Inspection T o support SIP calls through the ASA, signaling messages for the media connection addresses, media ports, and embryonic connectio ns for the media must be inspected, because whil e the signaling is sent ov er a we[...]
-
Page 268
11-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 11 Configuring Ins pection for Voice and Video Protocols SIP Inspection SIP inspection has a database with indices CALL_ID/FR OM/TO from the SIP payload. These ind ices identify the call, the source, and the destination. Th is database contains the media addresses and media ports found[...]
-
Page 269
11-21 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 11 Configuring Inspection for Voice and Video Protocols SIP Inspection Where the class_map_name is the name of the class map. The match-all ke yword is the def ault, and specifies that t raff ic must match all criteria to match the class map. The match-an y keyw ord specifies that the[...]
-
Page 270
11-22 Cisco ASA Series Firewall CLI Configuration Guide Chapter 11 Configuring Ins pection for Voice and Video Protocols SIP Inspection Where the re ge x reg ex _ n a m e argument is the regul ar expressi on you created in Step 1 . The class r e gex_cl ass_name is the regular expression class map you crea ted in Step 2 . k. (Optiona l) T o ma tch a[...]
-
Page 271
11-23 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 11 Configuring Inspection for Voice and Video Protocols SIP Inspection b. T o enable or disable instant messaging, enter the f o llo wing command: ciscoasa(config-pmap-p)# im c. T o enable or disable IP address pri vacy , enter the follow ing command: ciscoasa(config-pmap-p)# ip-addre[...]
-
Page 272
11-24 Cisco ASA Series Firewall CLI Configuration Guide Chapter 11 Configuring Ins pection for Voice and Video Protocols Skinny (SCCP) Inspection Configuring SIP Timeout Values The media connections are torn do wn within two min utes after the connection becomes idle. This is, ho we ver , a configurable timeout an d can be set for a shorter or l on[...]
-
Page 273
11-25 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 11 Configuring Inspection for Voice and Video Protocols Skinny (SCCP) Inspection • SCCP Inspecti on Overview , page 11-25 • Supporting Cisco IP Phon es, page 11-25 • Restrictions and Limitat ions, page 11-26 • Config uring a Skinn y (SCCP) Inspection Polic y Map for Additional[...]
-
Page 274
11-26 Cisco ASA Series Firewall CLI Configuration Guide Chapter 11 Configuring Ins pection for Voice and Video Protocols Skinny (SCCP) Inspection When the Cisco IP Phones are on a lower security interface compared to the TFTP server , you must use an A CL to connect to the protected TF TP server on UD P port 69. While you do need a stati c entry fo[...]
-
Page 275
11-27 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 11 Configuring Inspection for Voice and Video Protocols Skinny (SCCP) Inspection Step 5 T o apply actions to matching traf fic, perform the follo wing steps. a. Specify the traf fic on which you want to perf orm actions using one of the follo wing methods: • Specify the SCCP class m[...]
-
Page 276
11-28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 11 Configuring Ins pection for Voice and Video Protocols Skinny (SCCP) Inspection Where the value_length ar gument is a maximum or minim u m v alue. f. T o config ure the timeout v alue for signaling and media connection s, enter the follo wing command: ciscoasa(config-pmap-p)# timeout[...]
-
Page 277
CH A P T E R 12-1 Cisco ASA Series Firewall CLI Configuratio n Guide 12 Configuring Inspection of Database and Directory Protocols This chapter descri bes how to configure application lay er protocol i nspection. Inspe ction engines are required for services that embed IP addressing information in the user data packet or that open secondary channel[...]
-
Page 278
12-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 12 Configurin g Inspection of Databa se and Directory Pr otocols SQL*Net Inspection During connection negotiati on time, a BIND PDU is sent from the client to the server . Once a successful BIND RESPONSE from the server is receiv ed, othe r operational messages may be e xchanged (such a[...]
-
Page 279
12-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 12 Configuring Inspection of Database and Directory Protocols Sun RPC Inspection SQL*Net V ersion 2 TNSFrame types (Connect, A ccep t, Refuse, Resend, and Marker) will not be scanned for addresses to N A T nor will inspection open dynamic connections for any embedd ed ports in the pack[...]
-
Page 280
12-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 12 Configurin g Inspection of Databa se and Directory Pr otocols Sun RPC Inspection Managing Sun RPC Services Use the Sun RPC services table to co ntrol Sun RPC traf fic through t he ASA based on established Sun RPC sessions. T o create entries in the Sun RPC services table, use th e su[...]
-
Page 281
12-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 12 Configuring Inspection of Database and Directory Protocols Sun RPC Inspection sunrpc-server inside 192.168.100.2 255.255.255.255 service 100003 protocol UDP port 111 timeout 0:30:00 sunrpc-server inside 192.168.100.2 255.255.255.255 service 100005 protocol UDP port 111 timeout 0:30:[...]
-
Page 282
12-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 12 Configurin g Inspection of Databa se and Directory Pr otocols Sun RPC Inspection[...]
-
Page 283
CH A P T E R 13-1 Cisco ASA Series Firewall CLI Configuratio n Guide 13 Configuring Inspection for Management Application Protocols This chapter descri bes how to configure application lay er protocol i nspection. Inspe ction engines are required for services that embed IP addressing information in the user data packet or that open secondary channe[...]
-
Page 284
13-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 13 Configuring Inspecti on for Management Application Protocols DCERPC Inspection DCERPC inspect maps inspect for nati ve TCP communication between the EPM and client on well known TCP port 135. Map a nd lookup op erations of the E PM are supported for clients. Cli ent and server can be[...]
-
Page 285
13-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 13 Configuring Inspection for Ma nagement Application Protocols GTP Inspection The follo wing example sho ws how to def ine a DCERPC inspection polic y map with the timeout confi gured for DCERPC pinholes. ciscoasa(config)# policy-map type inspect dcerpc dcerpc_map ciscoasa(config-pmap[...]
-
Page 286
13-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 13 Configuring Inspecti on for Management Application Protocols GTP Inspection Configuring a GTP Inspection Policy Ma p for Additional Inspection Control If you w ant to enforce additi onal parameters on GTP t raf fic, creat e and conf igure a GTP map. If you do not specify a map with t[...]
-
Page 287
13-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 13 Configuring Inspection for Ma nagement Application Protocols GTP Inspection ciscoasa(config-pmap)# parameters ciscoasa(config-pmap-p)# The mnc network_code argument is a two or th ree-digit v alue identifying the network cod e. By default, t he security appliance does not ch eck for[...]
-
Page 288
13-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 13 Configuring Inspecti on for Management Application Protocols GTP Inspection a. Use the object-group command t o define a ne w network object group that w ill represent the SGSN that sends GTP requests to the GSN po ol. ciscoasa(config)# object-group network SGSN-name ciscoasa(config-[...]
-
Page 289
13-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 13 Configuring Inspection for Ma nagement Application Protocols GTP Inspection Enter this command separately for each timeout. The gsn keyw ord specif ies the period of inacti vity after which a GSN will be remo ved. The pdp-context key word specif ies the maximum period of time allo w[...]
-
Page 290
13-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 13 Configuring Inspecti on for Management Application Protocols RADIUS Accounting Insp ection total created_pdpmcb 0 total deleted_pdpmcb 0 pdp_non_existent 0 Y ou can use the v e rtical bar (|) to f ilter the display . T ype ?| for more display f iltering optio ns. The follo wing is sa[...]
-
Page 291
13-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 13 Configuring Inspection for Ma nagement Application Protocols RADIUS Accounting Inspection RADIUS Accounting Inspection Overview One of the well kno wn problems is the over -billing attack in GPRS networks. The o ver-billi ng attack can cause consumers anger an d frustration by being[...]
-
Page 292
13-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 13 Configuring Inspecti on for Management Application Protocols RSH Inspection service-policy global_policy global RSH Inspection RSH inspection is enabled by default. The RSH prot ocol uses a TCP connection from th e RSH client to the RSH server on TCP port 514. The client and serv er[...]
-
Page 293
13-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 13 Configuring Inspection for Ma nagement Application Protocols XDMCP Inspection ciscoasa(config-snmp-map)# deny version 2 XDMCP Inspection XDMCP inspection is enabled by def ault; howe ver , the XDMCP inspection engi ne is dependent upon proper conf iguration of the established comma[...]
-
Page 294
13-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 13 Configuring Inspecti on for Management Application Protocols XDMCP Inspection[...]
-
Page 295
P AR T 5 Conf iguring Unif ied Communications[...]
-
Page 296
[...]
-
Page 297
CH A P T E R 14-1 Cisco ASA Series Firewall CLI Configuratio n Guide 14 Information About Cisco Unified Communications Proxy Features This chapter descri bes how to configure the ad apti ve security appliance for Cisco Unif ied Communications Proxy features. This chapte r includes the follo wing sections: • Information Ab out the Adapti ve Securi[...]
-
Page 298
14-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 14 Information Abou t Ci sco Unified Communica tions Proxy Features Information About the A daptive Security Appliance in Cisco U nified Communications TLS Proxy: Decryption and inspection of Cisco Unified Communications encrypted signaling End-to-end encr yption ofte n leaves network s[...]
-
Page 299
14-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 14 Inform ation About Cisco Unified Co mmunications Proxy Features TLS Proxy Ap plications in Cisco Unified Communications The ASA prov ides perimeter security by en crypting signalin g connections between enterpri ses and pre venting unathorized calls. An ASA running the Cisco In terc[...]
-
Page 300
14-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 14 Information Abou t Ci sco Unified Communica tions Proxy Features Licensing for Cisco Unified Communications Proxy Features For the Cisco Unified Mobi lity solution , the TLS clien t is a Cisco UM A client and the TLS server is a Cisco UMA server . The ASA is between a Cisco UM A clie[...]
-
Page 301
14-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 14 Inform ation About Cisco Unified Co mmunications Proxy Features Licensing for Cisc o Unified Communications Proxy Features ASA 5512-X Base Licen se: 2 sessions. Optional licenses: 24, 50, 100 , 250, or 500 sessions. ASA 5515-X Base Licen se: 2 sessions. Optional licenses: 24, 50, 10[...]
-
Page 302
14-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 14 Information Abou t Ci sco Unified Communica tions Proxy Features Licensing for Cisco Unified Communications Proxy Features T able 14-2 sho ws the default and maximum TLS sessio n details by platform. The follo wing table shows the Uni fied Co mmunications Proxy licen se details by pl[...]
-
Page 303
CH A P T E R 15-1 Cisco ASA Series Firewall CLI Configuratio n Guide 15 Using the Cisco Unified Communication Wizard This chapter descri bes how to configure the ad apti ve security appliance for Cisco Unif ied Communications Proxy features. This chapte r includes the follo wing sections: • Information ab out the Cisco Unif ied Communication W iz[...]
-
Page 304
15-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 15 Using the Cisco Unified Communication Wizard Information about the Cis co Unified Communication Wizard The wizard simplif ies the configuration of the Unified Communications proxi es in the follo wing ways: • Y ou enter all required data in the wizard steps. Y ou are not required t[...]
-
Page 305
15-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 15 Using the Cisco Unified Commu nication Wizard Licensing Requirements for the Unified Communication W izard Using the ASA as a sec ure presence federation pr oxy , businesses can securely connect their Cisco Unified Presence (Cisco UP) servers to other Ci sco or Microsoft Presence se[...]
-
Page 306
15-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 15 Using the Cisco Unified Communication Wizard Guidelines and Limitations Guidelines and Limitations This section includes the guid elines and limitations for th is feature. Context Mode Guidelines Supported in single and mult iple conte xt mode. Firewall Mode Guidelines Supported in r[...]
-
Page 307
15-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 15 Using the Cisco Unified Commu nication Wizard Configuring the Phone Proxy by using the Unified Communication W izard Note Any conf iguration created by the wizard should be maintained t hrough the wizard to ensure pr oper synchronization. F or example, if you create a ph one proxy c[...]
-
Page 308
15-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 15 Using the Cisco Unified Communication Wizard Configuring the Ph one Proxy by using the Unified Communication Wizard Step 2 Specify each entity in th e network (al l Cisco UCM and TFTP servers) that the IP phones mu st trust. Click Add to add the servers. See Confi guring Serv ers for[...]
-
Page 309
15-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 15 Using the Cisco Unified Commu nication Wizard Configuring the Phone Proxy by using the Unified Communication W izard statements, you must delete them manually by using the appropriate area of AS DM or rerun the Unified Communications wizard without making any changes and apply the c[...]
-
Page 310
15-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 15 Using the Cisco Unified Communication Wizard Configuring the Ph one Proxy by using the Unified Communication Wizard Selecting the Use interface IP radio button conf igures the server to use the IP address of the public interface. Y ou select the publi c interface in step 4 of the wiz[...]
-
Page 311
15-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 15 Using the Cisco Unified Commu nication Wizard Configuring the Phone Proxy by using the Unified Communication W izard See also the Cisco Unif ied Communications Manage r Securit y Guide for in formation on Usin g the Certif icate Authority Proxy Function (CAPF) to instal l a locally [...]
-
Page 312
15-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 15 Using the Cisco Unified Communication Wizard Configuring the Ph one Proxy by using the Unified Communication Wizard • PC Port • V oice VL AN access • Gratuitous ARP • Span to PC Port Step 3 T o configure address translation for IP phones, check the Enable addre ss translatio[...]
-
Page 313
15-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 15 Using the Cisco Unified Commu nication Wizard Configuring the Mobility Advantage by using the Unified Communication Wizard Step 1 In the field for the pri vate IP addr ess, enter the IP ad dress on which pr i vate media traf fic terminates. The IP address must be within the same su[...]
-
Page 314
15-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 15 Using the Cisco Unified Communication Wizard Configuring the Mobility Advantage by using the Unified Communication Wizard Configuring the Topology for the Cisco Mobility Advantage Proxy When config uring the Mobility Adv antage Proxy , you specify settings to def ine the pri vate an[...]
-
Page 315
15-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 15 Using the Cisco Unified Commu nication Wizard Configuring the Mobility Advantage by using the Unified Communication Wizard • When using the wizard to co nfigu re the Cisco Mobilit y Adv antage proxy , the wizard only supports installing self-sig ned certificates. Step 2 Export th[...]
-
Page 316
15-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 15 Using the Cisco Unified Communication Wizard Configuring the Pr esence Federation Pr oxy by using the Unified Communication Wizard Configuring the Presence Federation Proxy by using the Unified Communication Wizard Note The Unified Commu nication W izard is supported for the AS A ve[...]
-
Page 317
15-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 15 Using the Cisco Unified Commu nication Wizard Configuring the Presence Federation Proxy by using the Unified Communication W izard Step 3 In the FQDN f ield, enter the domain name for the Unif ied Presence server . This domain name is incl uded in the certif icate signing request t[...]
-
Page 318
15-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 15 Using the Cisco Unified Communication Wizard Configuring the UC-IME by us ing the Unified Comm unication Wizard For th e TLS handshake, t he two en tities, namely the local entity and a remote en tity , could v alidate the peer certificate via a certif icate c hain to trusted th ird[...]
-
Page 319
15-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 15 Using the Cisco Unified Commu nication Wizard Configuring the UC-IME by us ing the Unified Communication Wizard T o config ure the Cisco Intercompan y Media Engine Proxy by using ASDM, choose W izards > Unif ied Communication Wi zard from the menu. The Unified Communication W iz[...]
-
Page 320
15-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 15 Using the Cisco Unified Communication Wizard Configuring the UC-IME by us ing the Unified Comm unication Wizard Step 2 Click Next . Basic Deployment In a basic deplo yment, the Cisco Intercompany Media Engine Proxy sits i n-line with the Internet f irewa ll such that all Internet tr[...]
-
Page 321
15-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 15 Using the Cisco Unified Commu nication Wizard Configuring the UC-IME by us ing the Unified Communication Wizard Step 1 T o configure the Cisco Interco mpany Media Engine Proxy as part of a basic de ployment, select the interface that connects to the local Cisco Unified Communicatio[...]
-
Page 322
15-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 15 Using the Cisco Unified Communication Wizard Configuring the UC-IME by us ing the Unified Comm unication Wizard Adding a Cisco Unified Communications Manager Server for the UC-IME Proxy Y ou must incl ude an entry fo r each Cisco U CM in the clust er with Cisco Inte rcompany Media E[...]
-
Page 323
15-21 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 15 Using the Cisco Unified Commu nication Wizard Configuring the UC-IME by us ing the Unified Communication Wizard Configuring the Local-Side Certificates for the Cisco Intercompany Media Engine Proxy Completing this step of the wizard gen erates a self-signed certif icate for the ASA[...]
-
Page 324
15-22 Cisco ASA Series Firewall CLI Configuration Guide Chapter 15 Using the Cisco Unified Communication Wizard Configuring the UC-IME by us ing the Unified Comm unication Wizard Configuring the Remote-Side Certificat es for the Cisco Intercompany Media Engine Proxy Establishing a trust relation ship cross enterprises or across administrati ve doma[...]
-
Page 325
15-23 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 15 Using the Cisco Unified Commu nication Wizard Working with Ce rtificates in the Unified Communication Wizard Working with Certificates in the Unified Communication Wizard This section includes the following topics: • Exporting an Identit y Certif icate, page 15-23 • Installing [...]
-
Page 326
15-24 Cisco ASA Series Firewall CLI Configuration Guide Chapter 15 Using the Cisco Unified Communication Wizard Working with Certificates in the Unified Comm unication Wizard Presence Federation server , and the Cisco Unifie d Communications Manager servers, respectiv ely , on the ASA. See the documentatio n for each of these products for informat [...]
-
Page 327
15-25 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 15 Using the Cisco Unified Commu nication Wizard Working with Ce rtificates in the Unified Communication Wizard • Remote Presence Federati on serv ers for the Cisco Presence Fede ration Proxy • The remote ASAf or the Cisco In tercom pany Media Engine Prox y Before generating the C[...]
-
Page 328
15-26 Cisco ASA Series Firewall CLI Configuration Guide Chapter 15 Using the Cisco Unified Communication Wizard Working with Certificates in the Unified Comm unication Wizard Submit the CSR to the cert ificat e authority (CA), for example, by pastin g the CSR text in to the CSR enrollment page on th e CA website. When the CA returns the signed iden[...]
-
Page 329
15-27 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 15 Using the Cisco Unified Commu nication Wizard Working with Ce rtificates in the Unified Communication Wizard T ypically , a certificate aut hority returns tw o certif icates: your signed identity certif icate and the certif icate authority’ s certif icate (r eferred to as the roo[...]
-
Page 330
15-28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 15 Using the Cisco Unified Communication Wizard Working with Certificates in the Unified Comm unication Wizard[...]
-
Page 331
CH A P T E R 16-1 Cisco ASA Series Firewall CLI Configuratio n Guide 16 Configuring the Cisco Phone Proxy This chapter describes ho w to confi gure the ASA for Cisco Phon e Proxy feature. This chapte r includes the follo wing sections: • Information Abou t the Cisco Phone Proxy , page 16-1 • Licensing Requ irements for the Pho ne Proxy , page 1[...]
-
Page 332
16-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Information About the Cisco Phone Proxy Figur e 16-1 Phone Pro xy Secur e Deploy ment The phone proxy supports a Cisc o UCM cluste r in mixed mode or n onsecure mode . Regardless of the cluster mode , the remote phones th at are capable of encryptio[...]
-
Page 333
16-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Information About the Cisco Phone Proxy Note As an alternativ e to auth enticating remote IP phones through the TLS h andshake, you can conf igure authentication via LSC p rovisioni ng. W ith LSC prov isioning you create a pass word for each remote [...]
-
Page 334
16-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Licensing Requirements for the Phone Proxy • Cisco Unif ied IP Phone 7941 • Cisco Unif ied IP Phone 7941G-GE • Cisco Unif ied IP Phone 7940 (SCCP p rotocol support only) • Cisco Unif ied W ireless IP Phone 7921 • Cisco Unif ied Wireless I [...]
-
Page 335
16-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Licensing Requirements for the Phone Proxy ASA 5512-X Base Licen se: 2 sessions. Optional licenses: 24, 50, 100 , 250, or 500 sessions. ASA 5515-X Base Licen se: 2 sessions. Optional licenses: 24, 50, 100 , 250, or 500 sessions. ASA 5525-X Base Lice[...]
-
Page 336
16-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Prerequisites for the Phone Proxy For more inf ormation about licensing, see the general operati ons config uration guide. Prerequisites for the Phone Proxy This section contains the following topics: • Media T ermination Instance Prerequisites, p[...]
-
Page 337
16-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Prerequisites for the Phon e Proxy • For IP pho nes behind a router or gate way , you must also meet this prerequisite. On the router or gatew ay , ad d routes to the m edi a termination address on the ASA interface that the IP phones communicate [...]
-
Page 338
16-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Prerequisites for the Phone Proxy If N A T is configured for the TFTP server or Cisco UCMs, the translated “globa l” address must be used in the ACLs. T able 16-1 lists the ports that are required to be conf igured on the exi sting fire wall: No[...]
-
Page 339
16-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Prerequisites for the Phon e Proxy host 10.0.0.2 nat (inside,outside) static interface service tcp 2443 7443 Note Both P A T configurations—for the non secure and secure ports—m ust be configured. • When the IP phones must co ntact the CAPF on[...]
-
Page 340
16-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Prerequisites for the Phone Proxy Note If an IP phone already has an LSC installed on it from a different Cisco UCM cluster , delete the LSC from the dif ferent cluster and install an LSC from the current Cisco UCM cl uster . Note Y ou can confi gu[...]
-
Page 341
16-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Prerequisites for the Phon e Proxy Prerequisites for Rate Limiting TFTP Requests In a remote access scenario, we recommend that you conf igure rate limiting of TFTP requests b ecause any IP phone co nnecting through the I nternet is allo wed to sen[...]
-
Page 342
16-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Phone Proxy Guidelines and Limitations End-User Phone Provisioning The phone proxy is a tr ansparent proxy with resp ect to the TFTP and signaling t ransactions. If N A T is not configured for the Cisco UCM TFTP se rver , then th e IP phones need t[...]
-
Page 343
16-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Phone Proxy Guidelines a nd Limitations • General Guidelines and Limitations, page 16-1 3 • Media T ermination Address Guidel ines and Limitation s, page 16-14 General Guidelines and Limitations The phone proxy has the foll ow ing general limit[...]
-
Page 344
16-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Configuring the Ph one Proxy – T wo SIP IP phones: both in non-secure mo de T wo SCCP IP phones: one IP phone in authenti ca ted mode and one in encr ypted mode, both in authentic ated mode, bo th in encr ypted mode – T wo SIP IP phones: on e I[...]
-
Page 345
16-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Configuring the Phone Prox y • Creating the TLS Proxy for a Mixed-mode Ci sco UCM Cluster , page 16-21 • Creating the Media T e rmination Instance, page 16-23 • Creating the Phone Proxy Instance, page 16-24 • Enabling the Phone Proxy with S[...]
-
Page 346
16-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Configuring the Ph one Proxy Step 3 Click Find and it wi ll display all the certif icates. Step 4 Find the f ilename Cisco_Manuf acturing_CA . This is the certif icate need to verify the IP p hone certificate. Click the .PEM f ile Cisco_Manufacturi[...]
-
Page 347
16-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Configuring the Phone Prox y Task Flow for Configuring the Phone Proxy in a Mixed-mode Cisco UCM Cluster Note For mix ed-mode clusters, the phone proxy does not support the Cisco Unif ied Call Manager using TFTP to send encrypted conf iguration fil[...]
-
Page 348
16-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Configuring the Ph one Proxy Prerequisites Import the required certif icates, whic h are stored on the Cisco UCM. See Certificates from the Cisco UCM, page 16-7 and Importing Certif icates from the Cisco UCM, page 16-15 . What to Do Next Once you h[...]
-
Page 349
16-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Configuring the Phone Prox y Prerequisites If you are usin g domain name s for your Cisco UCM and TFTP server , you must configure DNS l ookup on the ASA. Add an entry for each of the outside in terfaces on the ASA into your DNS server , if such en[...]
-
Page 350
16-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Configuring the Ph one Proxy Using an Existing CTL File Note Only when the phone prox y is running in mix ed-mode clusters, you hav e the option to use an exi sting CTL file to install tr ustpoints. If you hav e an existing CTL file that contains t[...]
-
Page 351
16-21 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Configuring the Phone Prox y What to Do Next Once you have created the TLS proxy inst ance, create the phone proxy instance. See Creating the Phone Proxy Instance, page 16-24 . Creating the TLS Proxy for a Mixed-mode Cisco UCM Cluster For mix ed mo[...]
-
Page 352
16-22 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Configuring the Ph one Proxy Step 6 hostname(config-ca-trustpoint)# subject-name X.500_name Example: hostname(config-ca-trustpoint)# subject-name cn=FW_LDC_SIGNER_172_23_45_200 Includes the indicated subj ect DN in the certificate during enrollment[...]
-
Page 353
16-23 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Configuring the Phone Prox y What To Do Next Once you hav e created the TLS proxy instance a nd installe d the certificate on the Cisco Unif ied Communications Manager, create the p hone proxy instance. See Cr eating the Phon e Proxy Instan ce, pag[...]
-
Page 354
16-24 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Configuring the Ph one Proxy What To Do Next Once you ha ve created the media termin ation instan ce, create th e phone prox y instance. See Crea ting the Phone Proxy Instance, page 16-24 . Creating the Phone Proxy Instance Create the phone proxy i[...]
-
Page 355
16-25 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Configuring the Phone Prox y Command Purpose Step 1 hostname(config)# phone-proxy phone_proxy_name Example: hostname(config)# phone-proxy myphoneproxy Creates the phone proxy instance. Only one phone proxy instance can be con fi gured on the securi[...]
-
Page 356
16-26 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Configuring the Ph one Proxy What to Do Next Once you ha ve created the phon e proxy instance, con figur ing SIP and Skinny for the phone proxy . See Enabling the Phon e Proxy with SIP an d Skinny Inspection, page 16-26 . Enabling the Phone Proxy w[...]
-
Page 357
16-27 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Configuring the Phone Prox y Configuring Linksys Routers with UDP Po rt Forwarding for the Phone Proxy When IP phones are behind a N A T -ca pable router , the router can be co nfigured to forward the UDP ports to the IP address of the IP phone. Sp[...]
-
Page 358
16-28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Troublesho oting the Phone Prox y Configuring Your Router Y our fire wall/router needs to be conf igured to forward a range of UDP ports to the IP pho ne. This will allow the IP phone to recei ve audio when you make/recei ve calls. Note Different C[...]
-
Page 359
16-29 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Troubleshooting the Phone Prox y T able 16-5 lists the captu re commands to use with the phone p roxy . Use the capture command on the appropriate interfaces (IP phones and Cisco UCM) to enable packet capture capabilities for pack et snif fing and [...]
-
Page 360
16-30 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Troublesho oting the Phone Prox y T able 16-5 Security Appliance Captur e Co mmands to Use with the Phone Pro xy T o Use the Command Notes T o capture packets on the A SA interfaces. capture ca ptur e_name interface interface_name Use this command [...]
-
Page 361
16-31 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Troubleshooting the Phone Prox y T able 16-6 lists the sho w commands to use with the phone proxy . T able 16-6 Secur ity Appliance Show Com mands to Use with the Phone Pr o xy T o Use the Command Notes T o show the packets or connections dropped b[...]
-
Page 362
16-32 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Troublesho oting the Phone Prox y Debugging Information from IP Phones On the IP phone, perform th e follo wing actions: • Check the Status messages on th e IP phone by selecting the Settings b utton > Status > Status Messages and selecting[...]
-
Page 363
16-33 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Troubleshooting the Phone Prox y • Check the Security sett ings on the IP phone by selecting the Set tings button > Secu rity Config uration. Settings fo r web access, Security mode, MIC, LSC, CTL file, tru st list, and CAPF appear . Under Sec[...]
-
Page 364
16-34 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Troublesho oting the Phone Prox y Step 2 From the ASA, verify that the CTL f ile for the phone proxy contains on e record entry for each entity in the network—Primary Cisco UCM, Secon dary Cisco UCM, TFTP serv er—by entering the fo llo wing com[...]
-
Page 365
16-35 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Troubleshooting the Phone Prox y Solution Step 1 V erify that DNS lookup is config ured on the ASA. Step 2 If DNS lookup is conf igured, determine whether you can p ing the FQDN for the Ci sco UCM from the ASA. Step 3 If ASA cannot ping the Cisco U[...]
-
Page 366
16-36 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Troublesho oting the Phone Prox y PP: Client outside:192.168.10.5/49355 retransmitting request for Config file SEP001562106AF3.cnf.xml.sgn PP: opened 0x17ccde PP: 192.168.10.5/49355 requesting SEP001562106AF3.cnf.xml.sgn PP: Client outside:192.168.[...]
-
Page 367
16-37 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Troubleshooting the Phone Prox y Step 3 If the router is a Linksys router , see Configu ring Linksys Routers wit h UDP Port Fo rwarding for t he Phone Proxy , page 16 -27 for information on the con fig uration requiremen ts. IP Phone Requesting Uns[...]
-
Page 368
16-38 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Troublesho oting the Phone Prox y Make sure that each media-termination instance is cr eated correctly and that th e address or addresses are set correctly . The ASA must meet specif ic criter ia for media termination. See Media T ermination Instan[...]
-
Page 369
16-39 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Troubleshooting the Phone Prox y b. V erify that the list o f installed certif icates contains all required certif icates for the phone proxy . See Ta b l e 1 6 - 2 , Certificates Required by the Secu rity Appliance fo r the Phone Proxy , for infor[...]
-
Page 370
16-40 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Troublesho oting the Phone Prox y SSL Handshake Failure Problem The phone proxy is not fu nctioning. Initial troub leshooting unco vered the follo wing errors in the ASA syslogs: %ASA-7-725014: SSL lib error. Function: SSL3_READ_BYTES Reason: ssl h[...]
-
Page 371
16-41 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Troubleshooting the Phone Prox y [3des-sha1] [des-sha1] [rc4-md5] [p ossibly others] See the command reference for more informatio n about setting ciphers wit h the ssl encry ption command. Certificate Validation Errors Problem Errors in the ASA lo[...]
-
Page 372
16-42 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Troublesho oting the Phone Prox y phone-proxy mypp media-termination address 10.10.0.25 cipc security-mode authenticated cluster-mode mixed disable service-settings timeout secure-phones 0:05:00 hostname(config)# Make sure that each media-terminati[...]
-
Page 373
16-43 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Troubleshooting the Phone Prox y The SAST keys can be seen via the show crypto k ey mypubkey rsa command. The SAST keys are associated with a trustpoint that is labeled _inter nal_ ctl-file _name _SAST_ X where ctl-f ile-name is the name of the CTL[...]
-
Page 374
16-44 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Configuration Examples for the Phone Proxy mGF/hfDDNAICBAA= hostname(config)# quit INFO: Import PKCS12 operation completed successfully hostname(config)# Step 3 Create the CTL file instance on the ne w A SA using the same name as the one used in th[...]
-
Page 375
16-45 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Configuration Examples for the Phon e Proxy Figur e 16-2 Nonsecure Cisco UCM clust er , Ci sco UCM and TFTP Se rver on Publisher object network obj-192.0.2.101 host 192.0.2.101 nat (inside,outside) static 10.10.0.26 access-list pp extended permit u[...]
-
Page 376
16-46 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Configuration Examples for the Phone Proxy Example 2: Mixed-mode Cisco UCM clu ster, Cisco UCM and TFTP Server on Publisher Figure 16-3 sho ws an example of the configuration fo r a mixed-mode Cisco UCM cluster using the follo wing topology . Figur[...]
-
Page 377
16-47 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Configuration Examples for the Phon e Proxy address 10.10.0.25 interface outside phone-proxy mypp media-termination my_mediaterm tftp-server address 192.0.2.101 interface inside tls-proxy mytls ctl-file myctl cluster-mode mixed class-map sec_sccp m[...]
-
Page 378
16-48 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Configuration Examples for the Phone Proxy host 192.0.2.101 nat (inside,outside) static interface udp 69 69 access-list pp extended permit udp any host 10.10.0.24 eq 69 access-group pp in interface outside crypto key generate rsa label cucm_kp modu[...]
-
Page 379
16-49 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Configuration Examples for the Phon e Proxy Figure 16-5 Mixed-mode Cisco UCM cluster , Pr i mar y Cisco UCM, Secondary Cisco UCM, and TFTP Serv er on Dif f erent Serv ers object network obj-192.0.2.105 host 192.0.2.105 nat (inside,outside) static 1[...]
-
Page 380
16-50 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Configuration Examples for the Phone Proxy crypto ca trustpoint ldc_server enrollment self proxy_ldc_issuer fqdn my-ldc-ca.exmaple.com subject-name cn=FW_LDC_SIGNER_172_23_45_200 keypair ldc_signer_key crypto ca enroll ldc_server tls-proxy my_proxy[...]
-
Page 381
16-51 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Configuration Examples for the Phon e Proxy Figur e 16-6 LSC Pro visioning in Mix ed-mode Cisco UCM clust er; Cisco UCM and TFTP Serv er on Publisher object network obj-192.0.2.105 host 192.0.2.105 nat (inside,outside) static 10.10.0.26 object netw[...]
-
Page 382
16-52 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Configuration Examples for the Phone Proxy server trust-point _internal_PP_myctl client ldc issuer ldc_server client ldc keypair phone_common client cipher-suite aes128-sha1 aes256-sha1 media-termination my_mediaterm address 192.0.2.25 interface in[...]
-
Page 383
16-53 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Configuration Examples for the Phon e Proxy Figur e 16-7 VLAN T ransv ersal Between CIPC Softphon es on the Da ta VLAN and Har d Phones on the V oice VLAN object network obj-10.130.50.0 subnet 10.130.50.0 255.255.255.0 nat (data,voice) dynamic 192.[...]
-
Page 384
16-54 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Feature History for the Phone Proxy class sec_sip inspect sip phone-proxy mypp service-policy pp_policy interface data Feature History for the Phone Proxy T able 16-7 lists the release h ist ory for this feature . T able 16-7 Feat ure Hist ory for [...]
-
Page 385
CH A P T E R 17-1 Cisco ASA Series Firewall CLI Configuratio n Guide 17 Configuring the T LS Proxy for Encrypted Voice Inspection This chapter describes ho w to configure t he ASA for the TLS Proxy for Encrypted V oice Inspection feature. This chapter includ es the follo wing sections: • Information ab out the TLS Proxy for En crypted V oice Insp[...]
-
Page 386
17-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 17 Config uring the TLS Proxy for En crypted Voice Inspectio n Information about the TLS Proxy for E ncrypted Voice Inspection The security appliance acts as a TLS proxy betwee n the Cisco IP Phone an d Cisco UCM. The proxy is transparent for the voice calls be tween the pho ne and theC[...]
-
Page 387
17-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 17 Configuring the TLS Prox y for Encrypted Voic e Inspection Information about the TLS Pro xy for Encrypted Voice Inspection • Cisco Unif ied IP Phone 7941G-GE • Cisco Unif ied IP Phone 7940 • Cisco Unif ied Wirel ess IP Phone 7921 • Cisco Unif ied Wirel ess IP Phone 7925 • [...]
-
Page 388
17-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 17 Config uring the TLS Proxy for En crypted Voice Inspectio n Information about the TLS Proxy for E ncrypted Voice Inspection Figure 1 7 -2 CTL Client TLS Pro xy Featur es — ASA IP Address or Domain Name Figure 17-2 sh ow s support for entering the security app liance IP address or d[...]
-
Page 389
17-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 17 Configuring the TLS Prox y for Encrypted Voic e Inspection Licensing for the TLS Proxy Figure 1 7 -4 CTL Client TLS Pro xy Featur es — CTL File Installed on the ASA The security appliance does not store the raw CTL file in the flash, rather , it parses the CTL file and installs ap[...]
-
Page 390
17-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 17 Config uring the TLS Proxy for En crypted Voice Inspectio n Licensing for the TLS Proxy ASA 5580 Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, 500, 750, 1000, 20 00, 3000, 5000, or 10,000 sessions. 2 ASA 5512-X Base License: 2 sessions. Optional licenses: 24, 50, 100[...]
-
Page 391
17-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 17 Configuring the TLS Prox y for Encrypted Voic e Inspection Prerequisites for the T LS Prox y for Encrypted Voice Inspection T able 17-1 sho ws the default and maximum TLS sessio n details by platform. For more inf ormation about licensing, see the general operations con figurat ion [...]
-
Page 392
17-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 17 Config uring the TLS Proxy for En crypted Voice Inspectio n Configuring the TLS Pr oxy for Encrypted Voice Inspectio n • Creating T rustpoints and Generating Certif icates, page 17-9 • Creating an Intern al CA, page 17-10 • Creating a CTL Provider Instance, page 17-11 • Creat[...]
-
Page 393
17-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 17 Configuring the TLS Prox y for Encrypted Voic e Inspection Configuring the TLS Pro xy for Encrypted Voice Inspection Step 8 Run the CTL Client application to add the server proxy certificate (ccm_proxy) to the CTL f ile and install the CTL file on the secu rity appliance. See the Ci[...]
-
Page 394
17-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 17 Config uring the TLS Proxy for En crypted Voice Inspectio n Configuring the TLS Pr oxy for Encrypted Voice Inspectio n What to Do Next Once you have created the tr ustpoints and generate d th e certificates, create the internal CA to sign the LDC for Cisco IP Phones. See Creating an[...]
-
Page 395
17-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 17 Configuring the TLS Prox y for Encrypted Voic e Inspection Configuring the TLS Pro xy for Encrypted Voice Inspection What to Do Next Once you ha ve created the internal CA, create the CTL provider instance. See Creating a CTL Provider Instance, page 17-11 . Creating a CTL Provider [...]
-
Page 396
17-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 17 Config uring the TLS Proxy for En crypted Voice Inspectio n Configuring the TLS Pr oxy for Encrypted Voice Inspectio n What to Do Next Once you hav e created the CTL provider instance, create the TLS proxy instance. See Creating the TLS Proxy Instance, page 17-12 . Creating the TLS [...]
-
Page 397
17-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 17 Configuring the TLS Prox y for Encrypted Voic e Inspection Configuring the TLS Pro xy for Encrypted Voice Inspection What to Do Next Once you hav e created TLS proxy ins tance, enab le the TLS proxy instance fo r Skinny and SIP inspection. See Enabling the TLS Proxy Instance f or S[...]
-
Page 398
17-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 17 Config uring the TLS Proxy for En crypted Voice Inspectio n Configuring the TLS Pr oxy for Encrypted Voice Inspectio n Command Purpose Step 1 hostname(config)# class-map class_map_name Example: ciscoasa(config)# class-map sec_skinny Configures the se cure Skin ny class of traff ic t[...]
-
Page 399
17-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 17 Configuring the TLS Prox y for Encrypted Voic e Inspection Monitoring the TLS Proxy Monitoring the TLS Proxy Y ou can enable TLS proxy d ebug flag s along with SSL syslogs to deb ug TLS proxy connection problems. F or example, using th e follo wing commands to enable TLS proxy-rela[...]
-
Page 400
17-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 17 Config uring the TLS Proxy for En crypted Voice Inspectio n Monitoring the TLS Proxy Apr 17 2007 23:13:47: %ASA-7-711001: TLSP cbad5120: Data channel ready for the Client Apr 17 2007 23:13:47: %ASA-7-725013: SSL Server inside:195.168.2.201/5061 choose cipher : AES128-SHA Apr 17 2007[...]
-
Page 401
17-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 17 Configuring the TLS Prox y for Encrypted Voic e Inspection Feature History for the TLS Pro xy for Encrypted Voice Inspection Public Key Type: RSA (1024 bits) Issuer Name: cn=TLS-Proxy-Signer Subject Name: cn=SEP0002B9EB0AAD o=Cisco Systems Inc c=US Validity Date: start date: 09:25:[...]
-
Page 402
17-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 17 Config uring the TLS Proxy for En crypted Voice Inspectio n Feature History for the TLS Proxy for Encrypted Voice Inspection[...]
-
Page 403
CH A P T E R 18-1 Cisco ASA Series Firewall CLI Configuratio n Guide 18 Configuring Cisco Mobility Advantage This chapter de scribes how to configure the ASA for Ci sco Unified Communic ations Mobi lity Advantage Proxy features. This chapte r includes the follo wing sections: • Information ab out the Cisco Mobility Adv antage Proxy Feature, page [...]
-
Page 404
18-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 18 Configur ing Cisco Mobility Advantag e Information about the Cisco Mobility Advantage Proxy Feature The TCP/TLS default por t is 5443. There are no embedded N A T or secondary connections. Cisco UMA client and server communications can be proxied via TLS, w hich decrypts the data, pa[...]
-
Page 405
18-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 18 Configuring Cisco Mobility Advantage Information about th e Cisco Mob ility Advantage Proxy Fe ature Figur e 18-1 Securi ty Appliance as Fir ewall wi th Mobility A dvantag e Proxy and MMP Inspection In Figure 18-1 , the ASA performs static N A T by translating the Cisco UMA serv er [...]
-
Page 406
18-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 18 Configur ing Cisco Mobility Advantag e Information about the Cisco Mobility Advantage Proxy Feature Figur e 1 8-2 Cisco UMC/Cisco UMA Ar chitect ure – Scenar io 2: Secur ity Appliance as Mobility Adv antage Pr oxy Only Mobility Advantage Pr oxy Using NAT/PAT In both scenarios ( Fig[...]
-
Page 407
18-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 18 Configuring Cisco Mobility Advantage Information about th e Cisco Mob ility Advantage Proxy Fe ature Trust Relationships for Cisco UMA Deployments T o establish a trust relatio nship between the Cisco U MC client and the ASA, t he ASA uses the Cisco UMA server certificate and ke ypa[...]
-
Page 408
18-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 18 Configur ing Cisco Mobility Advantag e Licensing for the Cisco M obility Advantage Proxy Feature Figure 1 8-4 How the Secur ity Applia nce Repr es ents Cisco UMA – Cer tificat e Impersonation A trusted relationship betw ee n the ASA and the Cisco UMA se rver can be established wi t[...]
-
Page 409
18-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 18 Configuring Cisco Mobility Advantage Configuring Cisc o Mobility Advantage • Enabling the TLS Proxy for MMP Insp ection, page 18-9 Task Flow for Configuring Cisco Mobility Advantage T o conf igure for the ASA to perfo rm TLS proxy and MMP inspection as sh own i n Figure 18-1 and F[...]
-
Page 410
18-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 18 Configur ing Cisco Mobility Advantag e Configuring Cisc o Mobility Advantage What to Do Next Once you hav e created the trustpoints and installed the Cisco UMA cer tificate on the ASA, create the TLS proxy instance. See Creating t he TLS Proxy Instance, page 18-8 . Creating the TLS P[...]
-
Page 411
18-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 18 Configuring Cisco Mobility Advantage Configuring Cisc o Mobility Advantage What to Do Next Once you ha ve created the TLS proxy inst ance, enable it for MMP inspection. See Enabling the TLS Proxy for MMP Inspection , page 18-9 . Enabling the TLS Proxy for MMP Inspection Cisco UMA cl[...]
-
Page 412
18-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 18 Configur ing Cisco Mobility Advantag e Monitoring for Ci sco Mobility Advantage Monitoring for Cisco Mobility Advantage Mobility adv antage proxy can be deb ugged the same w a y as IP T elephony . Y ou can enable TLS proxy debug flags along with SSL syslogs to deb ug TLS proxy conne[...]
-
Page 413
18-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 18 Configuring Cisco Mobility Advantage Configuration Examples for Cisco Mobility Advantage Configuration Examples for Cisco Mobility Advantage • Example 1: Cisco UMC/Cisco UMA Architecture – Secur ity Appliance as Fire wall with TLS Proxy and MMP Inspection, page 18 -11 • Examp[...]
-
Page 414
18-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 18 Configur ing Cisco Mobility Advantag e Configuration Examples for Cisco Mobility Advantage object network obj-10.1.1.2-01 host 10.1.1.2 nat (inside,outside) static 192.0.2.140 crypto ca import cuma_proxy pkcs12 sample_passphrase <cut-paste base 64 encoded pkcs12 here> quit ! f[...]
-
Page 415
18-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 18 Configuring Cisco Mobility Advantage Configuration Examples for Cisco Mobility Advantage Figur e 18-6 Cisco UMC/Cisco UMA Arc hitectur e – Scenario 2: Secur ity Appliance as TLS Pro xy Only object network obj-172.16.27.41-01 host 172.16.27.41 nat (inside,outside) static 192.0.2.1[...]
-
Page 416
18-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 18 Configur ing Cisco Mobility Advantag e Feature History for Cisco Mobility Advantage tls-proxy cuma_proxy server trust-point cuma_proxy no server authenticate-client client cipher-suite aes128-sha1 aes256-sha1 class-map cuma_proxy match port tcp eq 5443 policy-map global_policy class[...]
-
Page 417
CH A P T E R 19-1 Cisco ASA Series Firewall CLI Configuratio n Guide 19 Configuring Cisco Unified Presence This chapter descri bes how to configure the adapti v e security applia nce for Cisco Unified Presence. This chapter includ es the follo wing sections: • Information Abo ut Cisco Unified Presenc e, page 19-1 • Licensing for Cisco Unified P[...]
-
Page 418
19-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 19 Configuring Cisco U nified Presence Information About Cisco Unified Presence Figur e 19-1 T ypical Cisco Unified Pr esence/LCS Federation Scenar io In the abov e a rchitecture, the ASA functions as a fire wall, N A T , and TLS proxy , which is the recommended architecture. Howe ver ,[...]
-
Page 419
19-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 19 Config uring Cisco Un ified Presence Information About Cisco Un ified Presenc e ciscoasa(config-network-object)# nat (inside,outside) static 192.0.2.1 service tcp 5060 5060 For an other Cisco UP with the address 10.0 .0.3, you must use a d if ferent set of P A T ports, such as 45062[...]
-
Page 420
19-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 19 Configuring Cisco U nified Presence Information About Cisco Unified Presence http://www .cisco.com/en/ US/products/ps6837/produc ts_i nstallation_and_co nfiguration_guid es_list.ht ml Trust Relationship in the Presence Federation W ithin an enterprise, setting up a tru st relationshi[...]
-
Page 421
19-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 19 Config uring Cisco Un ified Presence Information About Cisco Un ified Presenc e Security Certificate Exchange Between C isco UP and the Security Appliance Y ou need to generate the ke ypai r for the certificate ( such as cup_proxy_key ) used by the A SA, and confi gure a trustpoint [...]
-
Page 422
19-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 19 Configuring Cisco U nified Presence Information About Cisco Unified Presence For furt her information about config uring Cisco Un ified Presence Federation for XMPP Federation, see the Integr ation Gu ide for Configurin g Cisco Un ified Pr esen ce Release 8.0 for Interdomain F ed era[...]
-
Page 423
19-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 19 Config uring Cisco Un ified Presence Licensing for Cisco Unifie d Presence nat (inside,outside) source static obj_host_<private cup2 ip> obj_host_<public cup2 IP> service obj_udp_source_eq_5269 obj_udp_source_eq_5269 nat (inside,outside) source static obj_host_<privat[...]
-
Page 424
19-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 19 Configuring Cisco U nified Presence Configuring Cisco Unified Pr esence Proxy for SIP Federation For more inf ormation about licensing, see the general operati ons config uration guide. Configuring Cisco Unified Presence Proxy for SIP Federation This section contains the following to[...]
-
Page 425
19-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 19 Config uring Cisco Un ified Presence Configuring Cisco Unified Presence Proxy fo r SIP Federation • Creating T rustpoints and Generating Certif icates, page 19-9 • Installing Certif icates, page 19-10 • Creating the TLS Proxy Instance, page 19-12 • Enabling the TLS Proxy for[...]
-
Page 426
19-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 19 Configuring Cisco U nified Presence Configuring Cisco Unified Pr esence Proxy for SIP Federation What to Do Next Install the certif icate on the local entity truststore. Y ou could also enroll the certifi cate with a local CA trusted by the local entity . See the “ Installing Ce r[...]
-
Page 427
19-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 19 Config uring Cisco Un ified Presence Configuring Cisco Unified Presence Proxy fo r SIP Federation Command Purpose Step 1 hostname(config)# crypto ca export trustpoint identity-certificate Example: hostname(config)# crypto ca export ent_y_proxy identity-certificate Export the ASA se[...]
-
Page 428
19-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 19 Configuring Cisco U nified Presence Configuring Cisco Unified Pr esence Proxy for SIP Federation What to Do Next Once you hav e created the trustpoi nts and installed the certif icates for the local and remote entities on the ASA, create the TLS proxy instance. Se e Creating the TLS[...]
-
Page 429
19-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 19 Config uring Cisco Un ified Presence Configuring Cisco Unified Presence Proxy fo r SIP Federation What to Do Next Once you ha ve created the TLS proxy i nst ance, enable it for SIP inspection. See Enabli ng the TLS Proxy for SIP Inspection, page 19-13 . Enabling the TLS Proxy for S[...]
-
Page 430
19-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 19 Configuring Cisco U nified Presence Monitoring Cisco Unified Presence Monitoring Cisco Unified Presence Debug ging is similar to deb ugging TLS proxy for IP T elephony . Y ou can enable TLS proxy debug flags along with SSL syslogs to deb ug TLS proxy connection problems. For e xampl[...]
-
Page 431
19-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 19 Config uring Cisco Un ified Presence Configuration Example for Cisco Unified Presence • Example A CL Configuration for XMPP Federat ion, page 19-17 • Example NA T Configuration for XMPP Federation, pa ge 19-18 Example Configuration for SIP Federation Deployments The follo wing [...]
-
Page 432
19-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 19 Configuring Cisco U nified Presence Configuration Example for Cisco Unified Pres ence Figur e 19-5 T ypical Cisco Unified Pr esence/LCS Federation Scenar io object network obj-10.0.0.2-01 host 10.0.0.2 nat (inside,outside) static 192.0.2.1 service tcp 5061 5061 object network obj-10[...]
-
Page 433
19-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 19 Config uring Cisco Un ified Presence Configuration Example for Cisco Unified Presence quit ! for Entity Y’s CA certificate crypto ca trustpoint ent_y_ca enrollment terminal crypto ca authenticate ent_y_ca Enter the base 64 encoded CA certificate. End with a blank line or the word[...]
-
Page 434
19-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 19 Configuring Cisco U nified Presence Configuration Example for Cisco Unified Pres ence The follo wing values are used in th is sample conf iguration: • Priv ate XMPP federation Cisco Unified Presence Release 8.0 IP address = 1.1.1.1 • Priv ate second Cisco Uni fied Presence Relea[...]
-
Page 435
19-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 19 Config uring Cisco Un ified Presence Configuration Example for Cisco Unified Presence • Pri vate third Cisco Unifi ed Presence Release 7.x IP address = 3.3.3.3 • XMPP federation listening po rt = 5269 nat (inside,outside) source static obj_host_1.1.1.1 obj_host_10.10.10.10 serv[...]
-
Page 436
19-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 19 Configuring Cisco U nified Presence Feature History fo r Cisco Unified Presence Feature History for Cisco Unified Presence T able 19-1 lists the release h ist ory for this feature . T able 19-1 Feat ure Hist ory for Cisco Unified Pr esence Feature Name Releases Feature Information C[...]
-
Page 437
CH A P T E R 20-1 Cisco ASA Series Firewall CLI Configuratio n Guide 20 Configuring Cisco Inte rcompany Media Engine Proxy This chapter descri bes how to configure the AS A for Cisco Intercompan y Media Engine Proxy . This chapter includ es the follo wing sections: • Information About Cisco Intercom pany Media Engi ne Proxy , page 20-1 • Licens[...]
-
Page 438
20-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Information Abou t Cisco Intercompany Med ia Engine Proxy Cisco Intercompany Media Engine h as the follo wing ke y features: • W orks with existi ng phone numbers: Cisco Intercompan y Media Engine works with the phone numbers an [...]
-
Page 439
20-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 20 Configuring Cisco Intercompany Media Engin e Proxy Information About Cisco In tercompany Media Engine Proxy On successful verif ica tion, the terminating side creates a tick et that grants permission to the call originator to mak e a Cisco IM E call to a specif ic number . See Tick [...]
-
Page 440
20-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Information Abou t Cisco Intercompany Med ia Engine Proxy As illustr ated in Figure 20-1 . Enterprise B makes a P STN call to enterprise A. That call compl etes successfully . Later , Enterprise B Cisco Intercompa ny Media Engine s[...]
-
Page 441
20-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 20 Configuring Cisco Intercompany Media Engin e Proxy Information About Cisco In tercompany Media Engine Proxy The TLS signaling connections from the Cisco UCM are terminated on the adapti ve security appliance and a TCP or TLS connecti on is initiated to the Cisco UCM. SR TP (media) s[...]
-
Page 442
20-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Information Abou t Cisco Intercompany Med ia Engine Proxy Figur e 20-2 Cisco Inter compan y Media En gine Ar chit ectur e in a Basic Deplo yment Basic Deployment In a basic deplo yment, the Cisco Intercompany Media Engine Proxy sit[...]
-
Page 443
20-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 20 Configuring Cisco Intercompany Media Engin e Proxy Licensing for Cisc o Intercompany Me dia Engine Off Path Deployment In an of f path deployment, inbound and outbound Cisco Intercom pany Media Engine calls pass t hrough an adapti ve securi ty appliance enab led with the Ci sco Inte[...]
-
Page 444
20-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Guidelines and Limitations For more information about licensing, see Chapter 4, “Managing Feature Licenses, ” in the general operations conf iguration guide. Guidelines and Limitations Context Mode Guidelines Supported in singl[...]
-
Page 445
20-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 20 Configuring Cisco Intercompany Media Engin e Proxy Guidelines and Limitations • Stateful failover of Cisco Unified Intercomp any Media Engine is no t supported. Durin g failover , existi ng calls tra versing the Cisco In tercompany Medi a Engine Proxy disconnect; ho wever , new ca[...]
-
Page 446
20-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Configuring Cisco Intercompa ny Media Engine Proxy Assume for e x ample, the ASA is conf igured to hav e a maximum of 100 TLS pro xy sessions and IME calls between SCCP IP phon es establish 101 TLS proxy sessions. In t his ex ampl[...]
-
Page 447
20-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 20 Configuring Cisco Intercompany Media Engin e Proxy Configuring Cisco Inter company Media Engin e Proxy Note Step 1 through Step 8 apply to both basic (in- line) and of f path deployments and Step 9 applies onl y to of f path deployment. T o confi gure a Ci sco Intercompan y Media E[...]
-
Page 448
20-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Configuring Cisco Intercompa ny Media Engine Proxy Figure 20-6 Exampl e for Configur in g NA T for a Deployment T o configure auto N A T rules for the Cisc o UCM server , perform the following steps: Local Cisco UCMs Local ASA Cor[...]
-
Page 449
20-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 20 Configuring Cisco Intercompany Media Engin e Proxy Configuring Cisco Inter company Media Engin e Proxy What to Do Next Create the A CLs for the Cisco Intercompany Media Engine Proxy . See Creating A CLs for Cisco Intercompany Medi a Engine Proxy , page 20-15 . Configuring PAT for t[...]
-
Page 450
20-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Configuring Cisco Intercompa ny Media Engine Proxy Command Purpose Step 1 hostname(config)# object network name Examples: hostname(config)# object network ucm-pat-209.165.200.228 Confi gures a network object for the outside IP add[...]
-
Page 451
20-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 20 Configuring Cisco Intercompany Media Engin e Proxy Configuring Cisco Inter company Media Engin e Proxy Creating ACLs for Cisco Intercompany Media Engine Proxy T o conf igure A CLs for the Cisco Intercompany Media Engine Prox y to reach the Cisco UCM serv er, perform the follo wing [...]
-
Page 452
20-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Configuring Cisco Intercompa ny Media Engine Proxy What to Do Next Create the media termination inst ance on the ASA fo r the Cisco Intercompany Media Engi ne Proxy . See Creating the Media T e rmination Instance, page 20-16 . Cre[...]
-
Page 453
20-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 20 Configuring Cisco Intercompany Media Engin e Proxy Configuring Cisco Inter company Media Engin e Proxy What To Do Next Once you hav e created the media termination instance, c reate the Cisco Intercompan y Media Engine Proxy . See Creating the Cisco Intercompany Media Engine Pro xy[...]
-
Page 454
20-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Configuring Cisco Intercompa ny Media Engine Proxy Note Y ou cannot change an y of the conf iguration settings for the Cisco Intercompan y Media Engine Proxy described in this pr ocedure when the pr oxy is enabled for SIP inspecti[...]
-
Page 455
20-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 20 Configuring Cisco Intercompany Media Engin e Proxy Configuring Cisco Inter company Media Engin e Proxy Step 4 hostname(config-uc-ime)# ticket epoch n password password Example: hostname(config-uc-ime)# ticket epoch 1 password password1234 Configures the ticket ep och and password f[...]
-
Page 456
20-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Configuring Cisco Intercompa ny Media Engine Proxy What to Do Next Install the certif icate on the local entity truststore. Y ou could also enroll the certifi cate with a local CA trusted by the local entity . Creating Trustpoints[...]
-
Page 457
20-21 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 20 Configuring Cisco Intercompany Media Engin e Proxy Configuring Cisco Inter company Media Engin e Proxy connections between the local Ci sco UCM and the local ASA. The instructions in that task describe ho w to create tr ustpoint s between the local Cisc o UCM and t he local A SA. P[...]
-
Page 458
20-22 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Configuring Cisco Intercompa ny Media Engine Proxy What to Do Next Create the TLS proxy for the Cisco Intercompany Media Engi ne. See the “Creating the TLS Proxy” section on page 20 -23 . Step 4 hostname(config-ca-trustpoint)#[...]
-
Page 459
20-23 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 20 Configuring Cisco Intercompany Media Engin e Proxy Configuring Cisco Inter company Media Engin e Proxy Creating the TLS Proxy Because either enterprise, n amely the local or remote Cisco UCM servers, can in itiate the TLS handshake (unlik e IP T elephony or Ci sco Mobility Adv anta[...]
-
Page 460
20-24 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Configuring Cisco Intercompa ny Media Engine Proxy What to Do Next Once you hav e created the TLS prox y , enable it for SIP inspect ion. Enabling SIP Inspection for the Cisco Intercompany Media Engine Proxy Enable the TLS proxy f[...]
-
Page 461
20-25 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 20 Configuring Cisco Intercompany Media Engin e Proxy Configuring Cisco Inter company Media Engin e Proxy Command Purpose Step 1 hostname(config)# class-map class_map_name Examples: hostname(config)# class-map ime-inbound-sip Defines a class for the inboun d Cisco Intercompany Media E[...]
-
Page 462
20-26 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Configuring Cisco Intercompa ny Media Engine Proxy What to Do Next Once you ha ve enabled the TLS proxy for SIP i nspection, if necessary , configur e TLS within the enterprise. See (Optional) Config uring TLS within the Local Ent[...]
-
Page 463
20-27 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 20 Configuring Cisco Intercompany Media Engin e Proxy Configuring Cisco Inter company Media Engin e Proxy Commands Purpose Step 1 hostname(config)# crypto key generate rsa label key-pair-label hostname(config)# crypto ca trustpoint trustpoint_name hostname(config-ca-trustpoint)# enrol[...]
-
Page 464
20-28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Configuring Cisco Intercompa ny Media Engine Proxy What to Do Next Once you ha ve conf igured the TLS within the enterprise, if ne cessary , configure of f path signaling for an off path deployment. See (Optional) Conf iguring Off[...]
-
Page 465
20-29 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 20 Configuring Cisco Intercompany Media Engin e Proxy Configuring Cisco Inter company Media Engin e Proxy (Optional) Configuring Off Path Signaling Perform this task only w hen you are conf iguring the Cisco Intercompan y Media Engine Proxy as part of an of f path deployment. Y ou mig[...]
-
Page 466
20-30 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Configuring Cisco Intercompa ny Media Engine Proxy This section contains the follo wing sections: • Config uring the Cisco UC-IMC Proxy by using th e UC-IME Proxy P ane, page 20-30 • Config uring the Cisco UC-IMC Proxy by usin[...]
-
Page 467
20-31 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 20 Configuring Cisco Intercompany Media Engin e Proxy Configuring Cisco Inter company Media Engin e Proxy Step 2 Check the Enable Cisco UC-IME prox y check box to enable the feature. Step 3 In the Unif ied CM Server s area, enter an IP addre s s or hostname for t he Cisco Unified Comm[...]
-
Page 468
20-32 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Configuring Cisco Intercompa ny Media Engine Proxy Note In an of f path deployment any e xisting ASA that you ha ve deployed in your en vironment are not capable of transmitting Cisco Intercompan y Medi a Engine traf fic. Of f-pat[...]
-
Page 469
20-33 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 20 Configuring Cisco Intercompany Media Engin e Proxy Troublesh ooting Cisco Inte rcompany Media Eng ine Proxy Step 4 Specify the public netw ork settings. Step 5 Specify the media termin ation address settings of Cisco UCM. Step 6 Configure the local-side certif icate management, nam[...]
-
Page 470
20-34 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Troublesho oting Cisco Intercom pany Medi a Engine Proxy Local SRTP key set : Remote SRTP key set Remote Media (audio) conn: 192.168.10.51/19520 to 192.168.10.3/30930 Call-ID: ab6d7980-a7d11b08-50-1e0aa8c0@192.168.10.30 FB Sensiti[...]
-
Page 471
20-35 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 20 Configuring Cisco Intercompany Media Engin e Proxy Troublesh ooting Cisco Inte rcompany Media Eng ine Proxy Sum_all_packets : 20196 Codec_payload_format : 9 RTP_ptime_ms : 20 Max_RBLR_pct_x100 : 0 Max_ITE_count_in_8_sec : 0 Max_BLS_ms : 0 Max_PDV_usec : 1000 Min_PDV_usec : 0 Mov_av[...]
-
Page 472
20-36 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Feature History for Cisco Intercompany Media Engine Proxy Feature History for Cisco Intercompany Media Engine Proxy T able 20-1 lists the release h ist ory for this feature . T able 20-1 Feat ure Hist ory for Cisco Phone Pr oxy Fe[...]
-
Page 473
P AR T 6 Conf iguring Connection Set tings and QoS[...]
-
Page 474
[...]
-
Page 475
CH A P T E R 22-1 Cisco ASA Series Firewall CLI Configuratio n Guide 22 Configuring Connection Settings This chapter describe s how to configure connection settings for connections th at go through the A SA, or for manage ment connec tions, that go to the ASA. Co nnection sett ings include: • Maximum connection s (TCP and UDP connect ions, embryo[...]
-
Page 476
22-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 22 Configuring Conne ction Settings Information Abou t Connection Settings TCP Intercept and Limiti ng Embryonic Connections Limiting the number of embryonic connections pro tects you from a DoS att ack. The ASA uses the per -client limits and the embryon ic connection limi t to trigger[...]
-
Page 477
22-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 22 Configuring Connection Se ttings Information About Connec tion Settings TCP Sequence Randomization Each TCP connection has tw o ISNs: one generated by the client and one generated by the server . The ASA randomizes the ISN of the TCP S YN passing in both the inbound and outb ound di[...]
-
Page 478
22-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 22 Configuring Conne ction Settings Licensing Requirement s for Connection Settings fast path (an established con nection), or the co ntrol plane path (advanced inspection). See the “Stateful Inspection Ov erview” section on page 1-17 in the general operations con figur ation guide [...]
-
Page 479
22-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 22 Configuring Connection Se ttings Guidelines and Limitations Guidelines and Limitations Context Mode Guidelines Supported in single and mult iple conte xt mode. Firewall Mode Guidelines Supported in routed an d transparent mode. Failover Guidelines Failo ver is supported. TCP State B[...]
-
Page 480
22-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 22 Configuring Conne ction Settings Configuring Co nnection Settings no check-retransmission no checksum-verification exceed-mss allow queue-limit 0 timeout 4 reserved-bits allow syn-data allow synack-data drop invalid-ack drop seq-past-window drop tcp-options range 6 7 clear tcp-option[...]
-
Page 481
22-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 22 Configuring Connection Se ttings Configuring Connec tion Settings Step 2 (Optional) Conf igure the TCP map criteria by entering one o r more of the follo wing commands (see T able 22-1 ). If you w ant to customize some settings, th en the d e faults are used for any commands you do [...]
-
Page 482
22-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 22 Configuring Conne ction Settings Configuring Co nnection Settings T able 22-1 tcp-map Commands Command Notes check-retransmission Pre vents inconsistent TCP retransmissions. checksum-verif ication V erifies the checksum. exceed-mss { allow | drop } Sets the action for packets whose d[...]
-
Page 483
22-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 22 Configuring Connection Se ttings Configuring Connec tion Settings queue-limit pkt_num [ timeout seconds ] Sets the maximum number of out - of-order packets that can be buf fered and put in order for a TCP connection, between 1 and 250 packets. The default is 0, whi ch means this set[...]
-
Page 484
22-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 22 Configuring Conne ction Settings Configuring Co nnection Settings synack-data { allow | dr op } Sets the action for TCP SYNA C K packets that contain data. The allow k eyword allows TCP SYN A C K packets that contain data. (Default) The drop ke yword drops TCP SYN A CK packets that [...]
-
Page 485
22-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 22 Configuring Connection Se ttings Configuring Connec tion Settings Configuring Connection Settings T o set connection sett ings, perform the foll ow ing steps. Detailed Steps urgent-flag { allo w | clear } Sets the action for packets with the URG flag. The URG flag is used to indica[...]
-
Page 486
22-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 22 Configuring Conne ction Settings Configuring Co nnection Settings Step 3 policy-map name Example: ciscoasa(config)# policy-map tcp_bypass_policy Adds or edits a polic y map that sets the actions to take with the class map traf fic. Step 4 class name Example: ciscoasa(config-pmap)# c[...]
-
Page 487
22-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 22 Configuring Connection Se ttings Configuring Connec tion Settings set connection {[ conn-max n ] [ embryonic-conn-max n ] [ per-client-embryonic-max n ] [ per-client-max n ] [ random-sequence-number { enable | disable }]} Example: ciscoasa(config-pmap-c)# set connection conn-max 25[...]
-
Page 488
22-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 22 Configuring Conne ction Settings Configuring Co nnection Settings set connection timeout {[ embryonic hh : mm : ss ] { idle hh : mm : ss [ reset ]] [ half-closed hh : mm : ss ] [dcd hh : mm : ss [ max_retries ]]} Example: ciscoasa(config-pmap-c)# set connection timeout idle 2:0:0 em[...]
-
Page 489
22-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 22 Configuring Connection Se ttings Monitoring Con nection Settings Monitoring Connection Settings T o monitor TCP state byp ass, perform one of the follo wing tasks: Configuration Examples for Connection Settings This section includes the following topics: • Config uration Examples[...]
-
Page 490
22-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 22 Configuring Conne ction Settings Configuration Exampl es for Connection Settings ciscoasa(config-pmap-c)# set connection conn-max 1000 embryonic-conn-max 3000 ciscoasa(config-pmap-c)# set connection timeout idle 2:0:0 embryonic 0:40:0 half-closed 0:20:0 dcd ciscoasa(config-pmap-c)# [...]
-
Page 491
22-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 22 Configuring Connection Se ttings Feature History for Connection Setting s Feature History for Connection Settings T able 22-2 lists each feature change and the plat form release in which it w as implemented. T able 22-2 Featur e History for Connection Set tings Feature Name Platfor[...]
-
Page 492
22-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 22 Configuring Conne ction Settings Feature History for Connection Settings Increased maximum connection limi ts for service polic y rules 9.0(1) The maximum number of conn ections for service polic y rules was increased from 65 535 to 2000000. W e modif ied the follo wing commands: se[...]
-
Page 493
CH A P T E R 23-1 Cisco ASA Series Firewall CLI Configuratio n Guide 23 Configuring QoS Hav e you ev er participated in a long-distance phon e call that in volv ed a satellite connection? The con versation might be interrup ted with brief, b ut per ceptible, gaps at odd intervals. Those gaps are the time, called the latency , between the arriv al o[...]
-
Page 494
23-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 23 Configuring QoS Information About QoS Supported QoS Features The ASA supports the foll ow ing QoS features: • Policing—T o prev ent indi vidual flows fr om hogging the netw ork bandwidth, you can limit the maximum bandwidth used per flo w . See the “Information About Pol icing?[...]
-
Page 495
23-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 23 Configuring QoS Information About QoS For traf fic shap ing, a token b ucket permits b urstiness but bounds i t. It guarantees that the bu rstiness is bounded so that the flo w will nev er send faster than the tok en b ucket capacity , divi ded by the time interv al, plus the establ[...]
-
Page 496
23-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 23 Configuring QoS Information About QoS Information About Traffic Shaping T raff ic shaping is used to match de vice and link spee ds, ther eby controlling pack et loss, variable delay , and link saturation , which can cause jitter and delay . Note T raff ic shaping is only suppor ted [...]
-
Page 497
23-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 23 Configuring QoS Licensing Requirements for Qo S Y ou cannot conf igure traff ic shaping and standard priority queuing for t he same interface; only hierarchical prio rity queuing is allo wed. For e xample, if you conf igure standard pr iority queuing for the global p olicy , and the[...]
-
Page 498
23-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 23 Configuring QoS Configuring QoS • (ASA 5512-X through ASA 5555-X) Priority q ueuing is not support e d on the Management 0/0 interface. • (ASASM) Only policing is suppo rted. Additional Guidelines and Limitations • QoS is applied unidirect ionally; only traf fic that enters (or[...]
-
Page 499
23-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 23 Configuring QoS Configuri ng QoS Determining the Queue and TX Ring Limits for a Standard Priority Queue T o determine the priority queue and TX ri ng limits, use the w orksheets belo w . T able 23-1 sho ws how to calculate the prio rity queue size. Because queues are not of infinite[...]
-
Page 500
23-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 23 Configuring QoS Configuring QoS Configuring the Standard Priority Queue for an Interface If you enable standard pr iority queuing for t raff ic on a physical interface, then you need to also create the priori ty queue on each interface. Each physical interf ace us es two queues: one [...]
-
Page 501
23-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 23 Configuring QoS Configuri ng QoS Examples The follo wing example establishes a priority queue on interface “out side” (the GigabitEthernet0/1 interface), with th e default queue-li mit and tx-ring-limit: ciscoasa(config)# priority-queue outside The follo wing example establishes[...]
-
Page 502
23-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 23 Configuring QoS Configuring QoS Restrictions • Y ou cannot use the class-default class map for priority traf fic. • Y ou cannot conf igure traff ic shaping and standard priority queuing for t he same interface; only hierarchical priori ty queuing is allo wed. • (ASASM) The ASA[...]
-
Page 503
23-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 23 Configuring QoS Configuri ng QoS Examples Example 23-1 Class Map Exam ples for VPN T r affic In the follo wing example, the class-map command classifies all non-tunn eled TCP traf fic, using an A CL named tc p_traff ic: ciscoasa(config)# access-list tcp_traffic permit tcp any any S[...]
-
Page 504
23-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 23 Configuring QoS Configuring QoS ciscoasa(config)# class-map tcp_traffic ciscoasa(config-cmap)# match access-list tcp_traffic In the follo wing example, other , more specif ic match criteria are used for classifying traffi c for specific, security-r elated tunne l groups. These speci[...]
-
Page 505
23-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 23 Configuring QoS Configuri ng QoS Example 23-2 Prior ity and P olicing Exa mple In this exampl e, the maximum rate for traf fic of the tcp_traf fic class is 56,00 0 bits/second and a maximum b urst size of 10,500 bytes per second. F o r the TC1-BestEf fort class, the maximum rate is[...]
-
Page 506
23-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 23 Configuring QoS Configuring QoS • For hierarchical pr iority queuing, you do not need to create a priority queue on an interface. Restrictions • For hierarchical priority queuing, for encrypted VP N traf fic, you can only match traf fic based on the DSCP or precedence setting; y[...]
-
Page 507
23-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 23 Configuring QoS Configuri ng QoS • Y ou cannot conf igure traff ic shaping and standard priority queuing for t he same interface; only hierarchical priority queui ng is allowed. See the “Ho w QoS Features Interac t” section on page 23-4 for information about v alid QoS config[...]
-
Page 508
23-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 23 Configuring QoS Monitoring QoS ciscoasa(config-cmap)# match access-list ike ciscoasa(config-cmap)# class-map voice_traffic ciscoasa(config-cmap)# match dscp EF AF13 ciscoasa(config-cmap)# policy-map qos_class_policy ciscoasa(config-pmap)# class voice_traffic ciscoasa(config-pmap-c)#[...]
-
Page 509
23-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 23 Configuring QoS Monitorin g QoS Viewing QoS Standard Priority Statistics T o view statistics for service policies implementi ng the priority command, use the show service-policy command with the priority ke yword: ciscoasa# show service-policy priority The follo wing is sample outp[...]
-
Page 510
23-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 23 Configuring QoS Monitoring QoS Service-policy: voip Class-map: voip Queueing queue limit 64 packets (queue depth/total drops/no-buffer drops) 0/0/0 (pkts output/bytes output) 0/0 Class-map: class-default queue limit 64 packets (queue depth/total drops/no-buffer drops) 0/0/0 (pkts ou[...]
-
Page 511
23-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 23 Configuring QoS Feature History for QoS Feature History for QoS T able 23-3 lists each feature change and the plat form release in which it w as implemented. T able 23-3 Featur e History for QoS Feature Name Platform Releases Feature Information Priority queuing and pol icing 7.0(1[...]
-
Page 512
23-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 23 Configuring QoS Feature History for QoS[...]
-
Page 513
CH A P T E R 24-1 Cisco ASA Series Firewall CLI Configuratio n Guide 24 Troubleshooting Connec tions and Resources This chapter describes ho w to troubleshoot the ASA and includes the follo wing sections: • T esting Y our Confi guration, page 24 -1 • Monitoring Per -Process CPU Usage, page 24-7 Testing Your Configuration This section descri bes[...]
-
Page 514
24-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 24 Troublesh ooting Connection s and Resources Testing Your Configuration Enabling ICMP Debugging Messages and Syslog Messages Debugging messages and syslog messages can help you troubleshoot why yo ur pings are not successful. The ASA only shows ICMP deb ugging messa ges for pings to t[...]
-
Page 515
24-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 24 Troubleshooting Connec tions and Resources Testing Your Config uration Pinging ASA Interfaces T o test whether the ASA interfaces are up and r unning and that the ASA and connected routers are operating correctly , you ca n ping the ASA interfaces. T o ping the ASA interfaces, perfo[...]
-
Page 516
24-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 24 Troublesh ooting Connection s and Resources Testing Your Configuration Figur e 24-2 Ping Failur e at the ASA Int er f ace If the ping reaches the ASA, and it r e sponds, debu gging messages similar to the follo wing appear: ICMP echo reply (len 32 id 1 seq 256) 209.165.201.1 > 209[...]
-
Page 517
24-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 24 Troubleshooting Connec tions and Resources Testing Your Config uration Passing Traffic Through the ASA After you successfully ping the ASA interf aces, make sure that traff ic can pass successfully through the ASA. By defaul t, you can ping from a high securit y interface to a lo w [...]
-
Page 518
24-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 24 Troublesh ooting Connection s and Resources Testing Your Configuration Disabling the Test Configuration After you complete your testing, d isable the test c onf iguration that allo ws ICMP to and through the ASA and that prints debugging messages. If you lea ve this co nf iguration i[...]
-
Page 519
24-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 24 Troubleshooting Connec tions and Resources Monitoring Per-Process CPU Usage Determining Packet R outing with Traceroute Y ou can trace the route of a packet using the traceroute feature, w hich is accessed with the traceroute command. A traceroute w orks by sending UDP pack ets to a[...]
-
Page 520
24-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 24 Troublesh ooting Connection s and Resources Monitoring Per-Pro cess CPU Usage[...]
-
Page 521
P AR T 7 Conf iguring Adv anced Netw ork Pr otection[...]
-
Page 522
[...]
-
Page 523
CH A P T E R 25-1 Cisco ASA Series Firewall CLI Configuratio n Guide 25 Configuring the ASA for Cisco Cloud Web Security Cisco Cloud W eb Security pro vides web security and web f iltering services through the Software-as-a-Service (SaaS ) mode l. Enterpr ises with the A SA in thei r network c an use Cloud W eb Security services without having to i[...]
-
Page 524
25-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 25 Configurin g the ASA for Cisco Cloud Web Security Information About Cisco Cloud Web Security This chapte r includes the follo wing sections: • Information Abo ut Cisco Cl oud W eb Se curity , page 25 -2 • Licensing Requ irements for C isco Cloud W eb Secu rity , page 25-6 • Pre[...]
-
Page 525
25-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 25 Configuring the ASA for Cisco Cloud Web Security Information About Cisco Clo ud Web Security The ASA supports the follo wing methods of determining the identi ty of a user, or of providin g a default identity: • AAA rules—When the ASA performs user authe n tication using a AAA r[...]
-
Page 526
25-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 25 Configurin g the ASA for Cisco Cloud Web Security Information About Cisco Cloud Web Security For more inf ormation, see the Cloud W eb Security documentation: http://www .cisco.com/en/ US/products/ps11720/produ ct s_installation_and_conf iguration_guides_list.h tml . ScanCenter Polic[...]
-
Page 527
25-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 25 Configuring the ASA for Cisco Cloud Web Security Information About Cisco Clo ud Web Security – AAA usernames, when u sing RADIUS or T ACA CS+, are sent in the follo wing format: LOCAL username – AAA username s, when using LD AP , ar e sent in the fo llowing format: domain-nam e[...]
-
Page 528
25-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 25 Configurin g the ASA for Cisco Cloud Web Security Licensing Require ments for Cisco Cloud Web Se curity Bypassing Scanning with Whitelists If you use AAA rules o r IDFW , you can configu re th e ASA so that web traff ic from specific users or groups that otherwise match the serv ice [...]
-
Page 529
25-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 25 Configuring the ASA for Cisco Cloud Web Security Prerequisites for Cloud W eb Security On the Cloud W eb Security side, you must purchase a Cisco Cloud W eb Security license and identi fy the number of users that the ASA handles. Then log into ScanCenter , and generate your authenti[...]
-
Page 530
25-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 25 Configurin g the ASA for Cisco Cloud Web Security Default Settings • When an interface to the Clo ud W eb Security proxy serv ers goes down, output fro m the show scansafe server command sho ws both servers up for appro ximately 15-25 minutes. Th is condition may occur because the [...]
-
Page 531
25-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 25 Configuring the ASA for Cisco Cloud Web Security Configuring Cisco Clo ud Web Security Detailed Steps Examples The follo wing example conf igures a primary and backup server: scansafe general-options server primary ip 10.24.0.62 port 8080 server backup ip 10.10.0.7 port 8080 retry-c[...]
-
Page 532
25-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 25 Configurin g the ASA for Cisco Cloud Web Security Configuring Cisco Cloud Web Security Note Y ou must confi gure a route pointing to the Scansafe to wers in both; the admin context an d the specif ic context. This ensures that the Scansafe to wer does not become un reac hable in the[...]
-
Page 533
25-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 25 Configuring the ASA for Cisco Cloud Web Security Configuring Cisco Clo ud Web Security Detailed Steps Command Purpose Step 1 policy-map type inspect scansafe name1 Example: ciscoasa(config)# policy-map type inspect scansafe cws_inspect_pmap1 Creates an inspection policy map so you [...]
-
Page 534
25-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 25 Configurin g the ASA for Cisco Cloud Web Security Configuring Cisco Cloud Web Security Step 7 policy-map type inspect scansafe name2 parameters default { [user user ] [ group group ]} class whitelist_name2 whitelist Example: ciscoasa(config)# policy-map type inspect scansafe cws_ins[...]
-
Page 535
25-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 25 Configuring the ASA for Cisco Cloud Web Security Configuring Cisco Clo ud Web Security Step 10 match access-list acl1 Example: ciscoasa(config-cmap)# match access-list SCANSAFE_HTTP Specifies an A CL created in Step 8 . Although you can use other match st atements for thi s rule, w[...]
-
Page 536
25-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 25 Configurin g the ASA for Cisco Cloud Web Security Configuring Cisco Cloud Web Security Examples The follo wing example conf igures two classes: one for HTTP and one for HTTPS. Each A CL exempts traf fic to www .cisco.com and to tools.cisco.com, and to the DMZ netw ork, for both HTTP[...]
-
Page 537
25-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 25 Configuring the ASA for Cisco Cloud Web Security Configuring Cisco Clo ud Web Security (Optional) Configuring Whitelisted Traffic If you use user authenti cation, you can e xempt some traf fic from being f iltered by Cloud W eb Security based on the username and/or gro upname. When[...]
-
Page 538
25-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 25 Configurin g the ASA for Cisco Cloud Web Security Configuring Cisco Cloud Web Security hostname(config-pmap-p)# https hostname(config-pmap-p)# default group2 default_group2 hostname(config-pmap-p)# class whitelist1 hostname(config-pmap-c)# whitelist (Optional) Configuring the User I[...]
-
Page 539
25-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 25 Configuring the ASA for Cisco Cloud Web Security Monitoring Cloud Web Se curity Monitoring Cloud Web Security The show scansafe s erv er command shows whether or not the Cloud W eb Security proxy serv ers are reachable: hostname# show scansafe server ciscoasa# Primary: proxy197.sca[...]
-
Page 540
25-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 25 Configurin g the ASA for Cisco Cloud Web Security Configuration Examples for Cisco Cloud Web Security Configuration Examples for Cisco Cloud Web Security • Single Mode Example, page 25-18 • Multiple Mode Example, page 25-19 • Whitelist Example, page 25 -19 • Directory Integr[...]
-
Page 541
25-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 25 Configuring the ASA for Cisco Cloud Web Security Configuration Examples for Cisco Cloud Web Security hostname(cfg-scansafe)# server primary ip 192.168.115.225 web 8080 hostname(cfg-scansafe)# retry-count 5 hostname(cfg-scansafe)# license 366C1D3F5CE67D33D3E9ACEC265261E5 Multiple Mo[...]
-
Page 542
25-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 25 Configurin g the ASA for Cisco Cloud Web Security Configuration Examples for Cisco Cloud Web Security parameters default user user1 group group1 https class whiteListCmap whitelist After creating this inspect policy , attach it to the policy map to be assigned to the ser vice group:[...]
-
Page 543
25-21 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 25 Configuring the ASA for Cisco Cloud Web Security Configuration Examples for Cisco Cloud Web Security Configuring the Active Di rectory Agent Using RADIUS The follo wing example sho ws how to confi g ure the Acti ve Directory Agent on y our ASA using RADIUS: hostname(config)# aaa-se[...]
-
Page 544
25-22 Cisco ASA Series Firewall CLI Configuration Guide Chapter 25 Configurin g the ASA for Cisco Cloud Web Security Configuration Examples for Cisco Cloud Web Security hostname(config)# user-identity inactive-user-timer minutes 60 hostname(config)# user-identity action netbios-response-fail remove-user-ip hostname(config)# user-identity user-not-f[...]
-
Page 545
25-23 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 25 Configuring the ASA for Cisco Cloud Web Security Configuration Examples for Cisco Cloud Web Security domain-name uk.scansafe.net enable password liqhNWIOSfzvir2g encrypted passwd liqhNWIOSfzvir2g encrypted names ! interface Ethernet0/0 nameif inside security-level 100 ip address 19[...]
-
Page 546
25-24 Cisco ASA Series Firewall CLI Configuration Guide Chapter 25 Configurin g the ASA for Cisco Cloud Web Security Configuration Examples for Cisco Cloud Web Security timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout si[...]
-
Page 547
25-25 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 25 Configuring the ASA for Cisco Cloud Web Security Configuration Examples for Cisco Cloud Web Security inspect h323 ras inspect ip-options inspect netbios inspect rsh inspect rtsp inspect skinny inspect esmtp inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp policy[...]
-
Page 548
25-26 Cisco ASA Series Firewall CLI Configuration Guide Chapter 25 Configurin g the ASA for Cisco Cloud Web Security Related Documents Related Documents Feature History for Cisco Cloud Web Security T able 25-1 lists each feature change and the plat form release in which it w as implemented. Related Documents URL Cisco ScanSafe Clo ud W eb Security [...]
-
Page 549
CH A P T E R 26-1 Cisco ASA Series Firewall CLI Configuratio n Guide 26 Configuring the Botnet Traffic Filter Malware is malicious software that is installed on an unkno wing host. Malware that attempts netw ork activ ity such as sending priv ate data (passwords, cred it card numbers, ke y strokes, or proprietary data) can be detected by the Botnet[...]
-
Page 550
26-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 26 Configuring the Botnet Traffic Filter Information About th e Botnet Traffic Filter • Botnet T raff ic Filter Actions for Kno wn Addresses, page 26-2 • Botnet T raff ic Filter Databases, p age 26-2 • How the Botnet T raff ic Filter W orks, page 26-5 Botnet Traffic Filter Address[...]
-
Page 551
26-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 26 Configuring the Botnet Traffic Filter Information About the Botnet Traffic Filter 2. When the infected hos t starts a connection to the IP address of the malw are site, then the ASA sends a syslog message informing you o f the suspicious act iv ity and optionally d rops the traf fic[...]
-
Page 552
26-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 26 Configuring the Botnet Traffic Filter Information About th e Botnet Traffic Filter When you add a domain name to the static datab ase, the ASA waits 1 minut e, and then sends a DNS request for that domain name an d adds th e domain name/IP address pairing to the DNS host cac he . (Th[...]
-
Page 553
26-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 26 Configuring the Botnet Traffic Filter Information About the Botnet Traffic Filter How the Botnet Traffic Filter Works Figure 26-1 sho ws how the Botnet T raf fic Filter works with the dynamic database pl us DNS inspection with Botnet T raffic Filter snooping. Figur e 26-1 How the Bo[...]
-
Page 554
26-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 26 Configuring the Botnet Traffic Filter Licensing Requirements fo r the Botnet Traffic Filter Licensing Requirements for the Botnet Traffic Filter The follo wing table shows the licensing requirements for this feature: Prerequisites for the Botnet Traffic Filter T o use the dynamic dat[...]
-
Page 555
26-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 26 Configuring the Botnet Traffic Filter Configuring the Botnet Traffic Filter Configuring the Botnet Traffic Filter This section includes the following topics: • T ask Flow for Configuring the Botnet Traf fic Filter , page 26-7 • Config uring the Dynamic Database, page 26 -8 • E[...]
-
Page 556
26-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 26 Configuring the Botnet Traffic Filter Configuring the Bo tnet Traffic Filter Configuring the Dynamic Database This procedure enables database updates, and also enables use of the do wnloaded dynamic database by the ASA. In multiple conte xt mode, the system downloads the database for[...]
-
Page 557
26-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 26 Configuring the Botnet Traffic Filter Configuring the Botnet Traffic Filter ciscoasa(config)# dynamic-filter use-database What to Do Next See the “ Adding Entries to the Static Datab ase” section on page 26-9 . Adding Entries to the Static Database The static database lets you a[...]
-
Page 558
26-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 26 Configuring the Botnet Traffic Filter Configuring the Bo tnet Traffic Filter Examples The follo wing example creates entrie s for the blacklist and whi telist: ciscoasa(config)# dynamic-filter blacklist ciscoasa(config-llist)# name bad1.example.com ciscoasa(config-llist)# name bad2.[...]
-
Page 559
26-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 26 Configuring the Botnet Traffic Filter Configuring the Botnet Traffic Filter Default DNS Inspection Configura tion and Recommended Configura tion The default conf iguration for DNS inspection inspec t s all UDP DNS traf fic on all interfaces, and does not have DNS snooping enabled .[...]
-
Page 560
26-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 26 Configuring the Botnet Traffic Filter Configuring the Bo tnet Traffic Filter Examples The follo wing recommended confi guration creates a cl ass map for all UDP DNS traf fic, enable s DNS inspection and Botnet T raf fic Fil ter snooping with the d efault DNS in spection polic y map,[...]
-
Page 561
26-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 26 Configuring the Botnet Traffic Filter Configuring the Botnet Traffic Filter Recommended Configuration Although DNS snoopi ng is not required, we recommen d conf iguring DNS snooping for maximum use of the Botnet T raffic Filter (see the “Enabling DNS Snoopi ng” section on p age[...]
-
Page 562
26-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 26 Configuring the Botnet Traffic Filter Configuring the Bo tnet Traffic Filter Step 3 (Optional) dynamic-filter drop blacklist [ interface name ] [ action-classify-list subset_access_list ] [ threat-level { eq level | range min max }] Example: ciscoasa(config)# dynamic-filter drop bla[...]
-
Page 563
26-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 26 Configuring the Botnet Traffic Filter Configuring the Botnet Traffic Filter Examples The follo wing recommended confi guration monitors all traf fic on the outside in terface and drops all traff ic at a threat lev el of moderate or higher: ciscoasa(config)# dynamic-filter enable in[...]
-
Page 564
26-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 26 Configuring the Botnet Traffic Filter Configuring the Bo tnet Traffic Filter Note A CLs block all future connections. T o block the cu rrent connection, if it is still acti ve, enter the clear c onn command. F or example, t o clear only the connection list ed in the syslog message, [...]
-
Page 565
26-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 26 Configuring the Botnet Traffic Filter Monitoring the Botnet Traffic Filter bad.example.net Found more than 2 matches, enter a more specific string to find an exact match Monitoring the Botnet Traffic Filter Whene ver a kno wn address is classified by the Botnet T raff ic Filter , t[...]
-
Page 566
26-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 26 Configuring the Botnet Traffic Filter Monitoring the Botnet Traffic Filter Examples The follo wing is sample output from the show dynamic-filter statistics command: ciscoasa# show dynamic-filter statistics Enabled on interface outside Total conns classified 11, ingress 11, egress 0 [...]
-
Page 567
26-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 26 Configuring the Botnet Traffic Filter Configuration Examples fo r the Botnet Traffic Filter horrible.example.net(10.232.224.2) 2 2 3 Botnet nono.example.org(209.165.202.130) 1 1 3 Virus Last clearing of the top sites report: at 13:41:06 UTC Jul 15 2009 The follo wing is sample outp[...]
-
Page 568
26-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 26 Configuring the Botnet Traffic Filter Configuration Examples fo r the Botnet Traffic Filter ciscoasa(config-pmap-c)# inspect dns preset_dns_map dynamic-filter-snoop ciscoasa(config-pmap-c)# service-policy dynamic-filter_snoop_policy interface outside ciscoasa(config)# dynamic-filter[...]
-
Page 569
26-21 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 26 Configuring the Botnet Traffic Filter Where to Go Nex t ciscoasa/context1(config-llist)# address 10.1.1.1 255.255.255.0 ciscoasa/context1(config-llist)# dynamic-filter whitelist ciscoasa/context1(config-llist)# name good.example.com ciscoasa/context1(config-llist)# name great.examp[...]
-
Page 570
26-22 Cisco ASA Series Firewall CLI Configuration Guide Chapter 26 Configuring the Botnet Traffic Filter Feature History for t he Botnet Traffic Filter Feature History for the Botnet Traffic Filter T able 26-1 lists each feature change and the plat form release in which it w as implemented. T able 26-1 Featur e History for the Botnet T r affic Filt[...]
-
Page 571
CH A P T E R 27-1 Cisco ASA Series Firewall CLI Configuratio n Guide 27 Configuring Threat Detection This chapter descri bes how to configure threat detection statistics and sc anning threat det ection and includes th e following sections: • Information About Threat Detection, page 27-1 • Licensing Requ irements for Threat D etection, page 27-1[...]
-
Page 572
27-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 27 Configuring Th reat Detection Configuring Basic Thre at Detection Statistics Configuring Basic Threat Detection Statistics Basic threat detect ion statistics includ e acti vity that mi ght be re lated t o an atta ck, such as a DoS attack. This section includes the following topics: ?[...]
-
Page 573
27-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 27 Con figuring Threa t Detection Configuri ng Basic Threa t Detection St atistics For each recei ved event, the ASA checks the a verage an d b urst rate limits; if bot h rates are e xceeded, then the ASA sends two separate system messages, wi th a maximum of one message for each rate [...]
-
Page 574
27-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 27 Configuring Th reat Detection Configuring Basic Thre at Detection Statistics Configuring Basic Threat Detection Statistics This section describes ho w to conf igure basic threat detection statistics, includ ing enabling or disabli ng it and changing the defau lt limits. Detailed Step[...]
-
Page 575
27-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 27 Con figuring Threa t Detection Configuri ng Basic Threa t Detection St atistics Monitoring Basic Threat Detection Statistics T o monitor basic threat detection stati stics, perform one of the follo wing tasks: Examples The follo wing is sample output from the show threat-detection r[...]
-
Page 576
27-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 27 Configuring Th reat Detection Configuring Advanced T h reat Detection Statistics Feature History for Basic Threat Detection Statistics T able 27-2 lists each feature change and the plat form release in which it w as implemented. Configuring Advanced Threat Detection Statistics Y ou c[...]
-
Page 577
27-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 27 Con figuring Threa t Detection Configuring Advanced Threat Detection Statistics Security Context Guidelines Only TCP Intercept statistics are a vailable in multiple mode. Firewall Mode Guidelines Supported in routed an d transparent f irewall mod e. Types of Traffic Monitored Only t[...]
-
Page 578
27-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 27 Configuring Th reat Detection Configuring Advanced T h reat Detection Statistics Step 3 threat-detection statistics host [ number-of-rate { 1 | 2 | 3 }] Example: ciscoasa(config)# threat-detection statistics host number-of-rate 2 (Optional) Enables statist ics for hosts. The number -[...]
-
Page 579
27-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 27 Con figuring Threa t Detection Configuring Advanced Threat Detection Statistics Monitoring Advanced Threat Detection Statistics The display output sho ws the follo wing: • The av erage rate in events/sec o ver f ixed time periods. • The current b urst rate in e vents/sec o ver t[...]
-
Page 580
27-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 27 Configuring Th reat Detection Configuring Advanced T h reat Detection Statistics The ASA stores the count at the end of each b urst period, for a total of 30 com pleted burst intervals. The unfinished burst interv al presently occurring is no t included in the av erage ra te. For e [...]
-
Page 581
27-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 27 Con figuring Threa t Detection Configuring Advanced Threat Detection Statistics T o monitor adv anced threat detection statistics, perform one of the fo llo wing tasks: Command Purpose show threat-detection statistics [ min-display-rate min_display_rate ] top [[ access-list | host [...]
-
Page 582
27-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 27 Configuring Th reat Detection Configuring Advanced T h reat Detection Statistics Examples The follo wing is sample output from the show threat-detection statistics host command: ciscoasa# show threat-detection statistics host Average(eps) Current(eps) Trigger Total events Host:10.0.[...]
-
Page 583
27-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 27 Con figuring Threa t Detection Configuring Advanced Threat Detection Statistics fw-drop Sho ws the number of f irewall d rops. Fire wall drops is a combined rate that includes all f irewall-r elated packet dro ps tracked in basic threat detection, including A CL denials, bad packet[...]
-
Page 584
27-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 27 Configuring Th reat Detection Configuring Advanced T h reat Detection Statistics Feature History for Advanced Threat Detection Statistics T able 27-4 lists each feature change and the plat form release in which it w as implemented. 20-min, 1-hour , 8-hour , and 24-hour Sho ws statis[...]
-
Page 585
27-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 27 Con figuring Threa t Detection Configuring Scanning Threat Detection Configuring Scanning Threat Detection This section includes the following topics: • Information Ab out Scanning Threat Detection, page 27-15 • Guidelines and Limit ations, page 27-16 • Default Setti ngs, pag[...]
-
Page 586
27-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 27 Configuring Th reat Detection Configuring Scannin g Threat Detection Guidelines and Limitations This section includes the guid elines and limitations for th is feature: Security Context Guidelines Supported in single mode only . Multiple mode is not supported. Firewall Mode Guidelin[...]
-
Page 587
27-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 27 Con figuring Threa t Detection Configuring Scanning Threat Detection Configuring Scanning Threat Detection Detailed Steps Monitoring Shunned Hosts, Attackers, and Targets T o monitor shunned hosts and at tackers and tar gets, perform one of the follo wing tasks: Command Purpose Ste[...]
-
Page 588
27-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 27 Configuring Th reat Detection Configuring Scannin g Threat Detection Examples The follo wing is sample output from the show threat-detection shun command: ciscoasa# show threat-detection shun Shunned Host List: 10.1.1.6 192.168.6.7 T o release the host at 10.1 .1. 6, enter the f oll[...]
-
Page 589
27-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 27 Con figuring Threa t Detection Configuration Examples for Threat Detection Configuration Examples for Threat Detection The follo wing example conf igures basic threat detect ion statistics, and changes the D oS attack rate settings. All adv anced threat detection statistics are ena[...]
-
Page 590
27-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 27 Configuring Th reat Detection Configuration Examples for Threat Detection[...]
-
Page 591
CH A P T E R 28-1 Cisco ASA Series Firewall CLI Configuratio n Guide 28 Using Protection Tools This chapter describes some o f the many too ls av ailable to protect your netw ork and includes the follo wing sections: • Pre venting IP Spoof ing, page 28-1 • Config uring the Fragment Size, page 28-2 • Blocking Unwan ted Connections, page 28-2 ?[...]
-
Page 592
28-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 28 Using Protection Tools Configuring the Fr agment Size Configuring the Fragment Size By default, th e ASA allo ws up to 24 fragments per IP p acket, and up to 200 frag ments awaiting reassembly . Y ou might need to let fragments on your netw ork if you hav e an application that routi [...]
-
Page 593
28-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 28 Using Protection Tools Configuring IP Audit for Basic IPS Support Configuring IP Audit for Basic IPS Support The IP audit feature p rovides basic IPS support for the ASA t hat does not ha ve an AIP SSM. It supp orts a basic list of signatures, and you can conf igure the ASA to perfo[...]
-
Page 594
28-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 28 Using Protection Tools Configuring IP Audit for Basic IPS Support IP Audit Signature List T able 28-1 lists supp orted signatures and system message nu mbers. T able 28-1 Signatur e IDs and Syst em Message Numbers Signature ID Message Number Signature T itle Signature T ype Descripti[...]
-
Page 595
28-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 28 Using Protection Tools Configuring IP Audit for Basic IPS Support 1103 400009 IP Overlapp ing Fragments (T eardrop) At tack T riggers when two fragments contained within the same IP datagram ha ve of fsets that indicat e that they sha re positio ning wi thin the datagram. This could[...]
-
Page 596
28-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 28 Using Protection Tools Configuring IP Audit for Basic IPS Support 2008 400018 ICM P T ime stamp Reply I nformational T riggers when a IP da tagram is receiv ed with the protocol f ield of the IP header set to 1 (ICMP) and the typ e fiel d in the ICMP header set to 14 (T imestamp Repl[...]
-
Page 597
28-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 28 Using Protection Tools Configuring IP Audit for Basic IPS Support 3042 400028 TCP FIN only flags A ttack T riggers when a single orphaned TCP FIN packet is sent to a pri vileged por t (hav ing port number less than 1024) on a specific host. 3153 400029 FTP Improper Address Sp ecifie[...]
-
Page 598
28-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 28 Using Protection Tools Configuring IP Audit for Basic IPS Support 6152 400044 yppasswdd (YP passwo rd daemon) Portmap Request Informational T riggers when a request is made to the portmapper for the YP password daemon (yppasswdd) port. 6153 400045 ypupdated (YP update daem on) Portma[...]
-
Page 599
CH A P T E R 29-1 Cisco ASA Series Firewall CLI Configuratio n Guide 29 Configuring Filtering Services This chapter describe s how to use f iltering servic es to provide greater control over traf fic passing through the ASA and includes the follo wing sections: • Information Abou t W eb Traf fic Filtering, page 29 -1 • Config uring Activ eX Fil[...]
-
Page 600
29-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 29 Configuring Filtering Services Configuring ActiveX Filtering Configuring ActiveX Filtering This section includes the following topics: • Information Ab out Acti veX Filtering, page 29-2 • Licensing Requirements for ActiveX Filter ing, page 29-2 • Guidelines and Limit ations for[...]
-
Page 601
29-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 29 Config uring Filtering Services Licensing Requirements for ActiveX Filtering Guidelines and Limitations for ActiveX Filtering This section includes the guid elines and limitations for th is feature. Context Mode Guidelines Supported in single and mult iple conte xt mode. Firewall Mo[...]
-
Page 602
29-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 29 Configuring Filtering Services Configuring Java Applet Filtering Feature History for ActiveX Filtering T able 29-1 lists the release histor y for Active X Filtering. ASDM is backwards-compatibl e with multi ple platform releases, so the specific ASDM rele ase in which support wa s ad[...]
-
Page 603
29-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 29 Config uring Filtering Services Configuring Java Applet Filtering Guidelines and Limitations for Java Applet Filtering This section includes the guid elines and limitations for th is feature. Context Mode Guidelines Supported in single and mult iple conte xt mode. Firewall Mode Guid[...]
-
Page 604
29-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 29 Configuring Filtering Services Filtering URLs and FTP Requ ests with an External Server The follo wing example remov es the co nfiguration for do wnloading Ja va applets to a host on a protected network: ciscoasa(config)# no filter java http 192.168.3.3 255.255.255.255 0 0 This comma[...]
-
Page 605
29-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 29 Config uring Filtering Services Filtering URLs and FTP Requests with an External Server Note URL caching will only work if the version of th e URL server software from the URL server v endor supports it. Although ASA perf ormance is less af fected when us ing an external server , yo[...]
-
Page 606
29-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 29 Configuring Filtering Services Filtering URLs and FTP Requ ests with an External Server Identifying the Filtering Server Y o u can identify up to four f iltering server s per contex t. The ASA uses the serv ers in order until a serv er responds. In single mode, a maximum o f 16 of th[...]
-
Page 607
29-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 29 Config uring Filtering Services Filtering URLs and FTP Requests with an External Server For W eb s en s e: hostname(config)# url-server ( if_name ) host local_ip [ timeout seconds ] [ protocol TCP | UDP version [1|4] [ connections num_conns ]] Example: ciscoasa(config)# url-server ([...]
-
Page 608
29-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 29 Configuring Filtering Services Filtering URLs and FTP Requ ests with an External Server Configuring Additional URL Filtering Settings After you hav e acce ssed a website, the filtering server can allo w the A SA to cache the server address for a certain period of time, as long as ea[...]
-
Page 609
29-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 29 Config uring Filtering Services Filtering URLs and FTP Requests with an External Server Caching Server Addresses After you access a website, the filtering server can allo w the ASA to cache the server address for a certain period of time, as long as each website host ed at the addr[...]
-
Page 610
29-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 29 Configuring Filtering Services Filtering URLs and FTP Requ ests with an External Server Enabling HTTP Filtering Y ou must identify and enable the URL fi ltering server bef ore enabling HTTP f iltering. When the f iltering server appro ves an HTTP connection requ est, the ASA all ows[...]
-
Page 611
29-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 29 Config uring Filtering Services Filtering URLs and FTP Requests with an External Server Truncating Long HTTP URLs By default, if a URL e xceeds the maximum permitted size, then it is dropped. T o av oid this occurrence, truncate a long URL by ente ring the follo wing command: Exemp[...]
-
Page 612
29-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 29 Configuring Filtering Services Filtering URLs and FTP Requ ests with an External Server T o enable HTTPS f iltering, enter the follo wing command: Filtering FTP Requests Y ou must identify and enable the URL filtering serv er before enabling FTP filtering. Note W ebsense and Se cu r[...]
-
Page 613
29-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 29 Config uring Filtering Services Monitoring Filtering Statisti cs Monitoring Filtering Statistics T o monitor f iltering statistics, ent er one of the f ollo wing commands: Examples The follo wing is sample output from the show url-server command: ciscoasa# show url-server url-serve[...]
-
Page 614
29-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 29 Configuring Filtering Services Monitoring Filtering Statistics STATUS_REQUEST 1609 1601 LOOKUP_REQUEST 1526 1526 LOG_REQUEST 0 NA Errors: ------- RFC noncompliant GET method 0 URL buffer update failure 0 The follo wing is sample output from the show url-block command: ciscoasa# show[...]
-
Page 615
29-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 29 Config uring Filtering Services Monitoring Filtering Statisti cs Feature History for URL Filtering T able 29-5 lists the release h istory for URL f iltering. ASDM is backwards-compatibl e with multiple platform releases, so the specific ASDM rele ase in which support wa s added is [...]
-
Page 616
29-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 29 Configuring Filtering Services Monitoring Filtering Statistics[...]
-
Page 617
P AR T 8 Conf iguring Modules[...]
-
Page 618
[...]
-
Page 619
CH A P T E R 30-1 Cisco ASA Series Firewall CLI Configuratio n Guide 30 Configuring the ASA CX Module This chapter descri bes how to configure the ASA CX modul e that runs on the A SA. • Information Ab out the ASA CX Module, page 30-1 • Licensing Requirements for the ASA CX Module, page 30-6 • Guidelines and Limit ations, page 30-6 • Defaul[...]
-
Page 620
30-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Information About the ASA CX Module How the ASA CX Module Works with the ASA The ASA CX module runs a separate application fro m the ASA. Th e ASA CX module includes external management interface(s) so you can connect to the ASA CX module directly . Any[...]
-
Page 621
30-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 30 Configuring the ASA CX Mo dule Information About the ASA CX Module Monitor-Only Mode For demonstr ation purposes, you can conf igure a service policy or a traf fic-forwarding interface in monitor -only mode. For guideli nes and limitations fo r monitor -only mode, see the “Gui del[...]
-
Page 622
30-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Information About the ASA CX Module Figur e 30-3 ASA CX T raf fic-Forwar ding Information About ASA CX Management • Initial Conf iguration, page 30-4 • Policy Co nfiguration and Management, page 30 -5 Initial Configuration For ini tial conf iguratio[...]
-
Page 623
30-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 30 Configuring the ASA CX Mo dule Information About the ASA CX Module or ASDM). Howe ver , physic al characteristics (suc h as enabling the interface) are configured on the ASA. Y ou can remove the ASA interface conf iguratio n (specifical ly the interface name) to dedicate this inter [...]
-
Page 624
30-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Licensing Requirements for th e ASA CX Module • Do not configure ASA inspection on HTTP traf fic. • Do not conf igure Cloud W eb Security (ScanSafe) inspection. If you conf igure both the ASA CX action and Cloud W eb Security inspection for the same[...]
-
Page 625
30-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 30 Configuring the ASA CX Mo dule Guidelines and Limitations Firewall Mode Guidelines Supported in rout ed and transparent f irew all mode. T raff ic-forwarding interf aces are only supported in transparent mode. Failover Guidelines Does not support failo ver directly; when the ASA fa [...]
-
Page 626
30-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Default Settings Additional Guidelines and Limitations • See the “Compatibility with A SA Features” section on pa ge 30-5 . • Y ou cannot change the softw a re type installed on th e hardware module; if you purchase an ASA CX module, you cannot [...]
-
Page 627
30-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 30 Configuring the ASA CX Mo dule Configuring the ASA CX Module Step 3 (ASA 5585-X; Opti onal) Conf igure the ASA CX module management IP address for initial SSH access. See the “(ASA 5585-X) Changing the A SA CX Management IP Address” section on page 30-14 . Step 4 On the ASA CX m[...]
-
Page 628
30-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Configuring the ASA CX Mo dule If you have an inside router If you ha ve an inside router , you can route betwee n the management networ k, which can include both the ASA Mana gement 0/0 a nd ASA CX Ma nagement 1/0 interfaces, and the ASA inside networ[...]
-
Page 629
30-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 30 Configuring the ASA CX Mo dule Configuring the ASA CX Module ASA 5512-X through ASA 5555-X (Software Module) These models run the ASA CX module as a softwa re module, and the ASA CX management interface shares the Management 0/0 interf ace with the ASA. F or initial setup, you can [...]
-
Page 630
30-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Configuring the ASA CX Mo dule CX IP address for that interface. Because the AS A CX module is essentially a separate device from the ASA, you can conf igure the ASA CX management address to be on the same network as t he inside interface. Note Y ou mu[...]
-
Page 631
30-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 30 Configuring the ASA CX Mo dule Configuring the ASA CX Module http://www .cisco.com/cisco/software/r elease.html?mdf id=284325223&softwareid=2 84399946 The boot softw are lets you set basic ASA CX netw ork configuration, partit ion the SSD, and downlo ad the larger system softw [...]
-
Page 632
30-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Configuring the ASA CX Mo dule Username: buffy Password: angelforever Verifying Downloading Extracting Package Detail Description: Requires reboot: Cisco ASA CX System Upgrade Yes Do you want to continue with upgrade? [n]: Y Warning: Please do not inte[...]
-
Page 633
30-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 30 Configuring the ASA CX Mo dule Configuring the ASA CX Module Configuring Basic ASA CX Settings at the ASA CX CLI Y ou must conf igure basic network settin gs and othe r parameters on the ASA CX module before you can confi gure your security pol icy . Detailed Steps Step 1 Do one of[...]
-
Page 634
30-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Configuring the ASA CX Mo dule Applying... Done. Generating self-signed certificate, the web server will be restarted after that ... Done. Press ENTER to continue... asacx> Note If you change the h ost name, the prompt does not sho w the ne w name u[...]
-
Page 635
30-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 30 Configuring the ASA CX Mo dule Configuring the ASA CX Module What to Do Next • (Optional) Configure the authen tication proxy port. See the “(Opt ional) Conf iguring the Authentication Proxy Port” section on page 30-17 . • Redirect traff ic to the A SA CX module. See the ?[...]
-
Page 636
30-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Configuring the ASA CX Mo dule Redirecting Traffic to the ASA CX Module Y ou can redirect traffic to the ASA CX module by creating a service polic y that identifies sp ecific t raffic. For demonstr ation purposes only , you can also enable monitor-on l[...]
-
Page 637
30-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 30 Configuring the ASA CX Mo dule Configuring the ASA CX Module Detailed Steps Command Purpose Step 1 class-map name Example: ciscoasa(config)# class-map cx_class Creates a class map to identify the traf fic f o r which you want to send to the ASA CX module. If you want t o send multi[...]
-
Page 638
30-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Configuring the ASA CX Mo dule Configuring Traffic-Forwarding Interfaces (Monitor-Only Mode) This section conf igures traf fic-forw arding interfaces, where all traff ic is forwarded directly to the ASA CX module. This method is for demonstration purpo[...]
-
Page 639
30-21 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 30 Configuring the ASA CX Mo dule Managing the ASA CX M odule Detailed Steps Step 8 Repeat for any additional interfaces. Step 9 Click Send . Examples The follo wing example makes Gi gabitEtherne t 0/5 a traf fic-forwar ding interface: interface gigabitethernet 0/5 no nameif traffic-f[...]
-
Page 640
30-22 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Managing the A SA CX Module Resetting the Password Y ou can reset the module password to the default. F or the user admin , the default password is Admin123 . After resetting the password , you should chan ge it to a unique v alue using the module appl[...]
-
Page 641
30-23 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 30 Configuring the ASA CX Mo dule Managing the ASA CX M odule Detailed Steps Shutting Down the Module Shutting do wn the module software prepares the modu le to be safely po wered off with out losing confi guration data. Note : If you reload the ASA, th e module is n ot automa tically[...]
-
Page 642
30-24 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Managing the A SA CX Module (ASA 5512-X through ASA 5555-X) Uninstalling a Software Module Image T o uninstall a software module image and associat ed confi guration, perform th e follo wing steps. Guidelines In multiple cont ext mode, perform t his pr[...]
-
Page 643
30-25 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 30 Configuring the ASA CX Mo dule Monitoring the ASA CX Module Detailed Steps Monitoring the ASA CX Module • Showing Module Status, pa ge 30-25 • Sho wing Module St atistics, page 30- 26 • Monitoring Modu le Connections, page 30-27 • Capturing M odule Traf fic, page 30-30 • [...]
-
Page 644
30-26 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Monitoring the ASA CX Module T o check the status of a module, ent er one of the follo wing commands: Examples The follo wing is sample output from the sho w module command for an ASA with an ASA CX SSP installed: hostname# show module Mod Card Type Mo[...]
-
Page 645
30-27 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 30 Configuring the ASA CX Mo dule Monitoring the ASA CX Module The follo wing is sample output from the show service-policy command sho wing the ASA CX polic y and the current statistics as well as th e module status when the authent ication proxy is enabled; in th is case, the proxie[...]
-
Page 646
30-28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Monitoring the ASA CX Module Examples The follo wing is sample output from the show asp table classify domain cxsc command: ciscoasa# show asp table classify domain cxsc Input Table in id=0x7ffedb4acf40, priority=50, domain=cxsc, deny=false hits=154856[...]
-
Page 647
30-29 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 30 Configuring the ASA CX Mo dule Monitoring the ASA CX Module dst ip/id=172.23.58.52, mask=255.255.255.255, port=2000, dscp=0x0 input_ifc=mgmt, output_ifc=identity in id=0x7ffed86caa80, priority=121, domain=cxsc-auth-proxy, deny=false hits=0, user_data=0x7ffed86ca220, cs_id=0x0, flag[...]
-
Page 648
30-30 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Troublesho oting the ASA CX Module cxsc-msg 1 0 1 0 1 0 The follo wing is sample output from the show conn detail command: ciscoasa# show conn detail 0 in use, 105 most used Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN, B - in[...]
-
Page 649
30-31 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 30 Configuring the ASA CX Mo dule Troubleshooting the ASA CX Module When you enable the authentica tion pro xy , t he ASA generate s a debug messge when it se nds an authentication pro xy TL V to the ASA CX module, gi ving IP and port details: DP CXSC Event: Sent Auth proxy tlv for ad[...]
-
Page 650
30-32 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Configuration Examples for the ASA CX Module 2. Check the ou tput of the show service-policy cxsc command to see if an y packets were prox ied. 3. Perform a pack et capture on the backp lane, and chec k to see if tr af fic is being re directed on the c[...]
-
Page 651
30-33 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 30 Configuring the ASA CX Mo dule Feature History for the ASA CX Module ciscoasa(config-pmap)# class my-cx-class2 ciscoasa(config-pmap-c)# cxsc fail-open auth-proxy ciscoasa(config-pmap-c)# service-policy my-cx-policy interface outside Feature History for the ASA CX Module T able 30-2[...]
-
Page 652
30-34 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Feature History for the ASA CX Module Monitor -only mode for demonstration purposes ASA 9.1(2) ASA CX 9.1(2) For de monstration purposes o nly , you can enable monitor -only mode for the service policy , which forwards a copy of traf fic to the ASA CX [...]
-
Page 653
30-35 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 30 Configuring the ASA CX Mo dule Feature History for the ASA CX Module Multiple conte xt mode support for the ASA CX module ASA 9.1(3) ASA CX 9.2(1) Y ou can no w configure ASA CX service po licies per contex t on the ASA. Note Although you can conf igure per conte xt ASA service pol[...]
-
Page 654
30-36 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Feature History for the ASA CX Module[...]
-
Page 655
CH A P T E R 31-1 Cisco ASA Series Firewall CLI Configuratio n Guide 31 Configuring the ASA IPS Module This chapter describes h ow to config ure the ASA IPS modul e. The ASA IPS modul e might be a hardw are module or a so ftware module, d epending on your ASA model. For a list of supported ASA I PS modules per ASA model, see the Cisco ASA Compatibi[...]
-
Page 656
31-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 31 Configurin g the ASA IPS Module Information About the ASA IPS Module How the ASA IPS Module Works with the ASA The ASA IPS module runs a separate application fro m the ASA. The ASA IPS module might in clude an external management interf ace so you can connect to the ASA I PS module d[...]
-
Page 657
31-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 31 Configuring the ASA IPS Module Information About the ASA IPS M odule Operating Modes Y ou can send traf fic to the ASA IPS modu le using one of the follo wing modes: • Inline mode—This mode places the ASA IPS module directly in the traf fic f low (see Figure 31-1 ). No traff ic [...]
-
Page 658
31-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 31 Configurin g the ASA IPS Module Information About the ASA IPS Module Figur e 31 -3 Securi ty Contexts and V irtual Sen sors Figure 31-4 sho ws a single mode ASA paired with multiple vi rtual sensors (in inline mode); each def ined traf fic flo w goes to a dif ferent sensor . Figur e [...]
-
Page 659
31-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 31 Configuring the ASA IPS Module Licensing Requirement s for the ASA IPS module See the follo wing information about the management interface: – ASA 5510, ASA 5520, ASA 5540, ASA 5580, ASA 5585-X —The IPS management interf ace is a separate external Gig abit Ethernet interf ace. ?[...]
-
Page 660
31-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 31 Configurin g the ASA IPS Module Default Settings http://www .cisco.com/en/US/docs/securi t y/asa/compatibility/asamatrx.html • The ASA 5505 does not support multiple conte xt mode, so multiple conte xt features, such as virtual sensors, are not supported on th e AIP SSC. • The AS[...]
-
Page 661
31-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 31 Configuring the ASA IPS Module Configuring the ASA IPS module Configuring the ASA IPS module This section descri bes ho w to conf igure the ASA IPS module and includes the fol lo wing topics: • T ask Flow for the ASA IPS Module, page 31-7 • Connecting the ASA IPS Management Inte[...]
-
Page 662
31-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 31 Configurin g the ASA IPS Module Configuring the ASA IPS module Connecting the ASA IPS Management Interface In addition to pro viding management access to the IPS module, the IPS management interface needs access to an HTTP proxy server or a DNS server and the Internet so it can do wn[...]
-
Page 663
31-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 31 Configuring the ASA IPS Module Configuring the ASA IPS module If you do not have an inside router If you ha ve only one inside net work, then you canno t also hav e a separate m anagemen t network, which would require an inside r outer to route between the netw orks. In this case, y[...]
-
Page 664
31-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 31 Configurin g the ASA IPS Module Configuring the ASA IPS module If you do not have an inside router If you ha ve only one inside net work, then you cannot also ha ve a separate mana gement network. In th is case, you can manage the ASA from the inside interface instead of the Managem[...]
-
Page 665
31-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 31 Configuring the ASA IPS Module Configuring the ASA IPS module Sessioning to the Module from the ASA T o access the IPS module CLI from the ASA, you can session from the ASA. F or software modules, you can either session to the mo dule (using T elnet) or create a virtual console ses[...]
-
Page 666
31-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 31 Configurin g the ASA IPS Module Configuring the ASA IPS module Detailed Steps Step 1 Do one of the foll o wing: • New ASA wit h IPS pre-installed—T o vie w the IPS module software f ilename in flash memory , enter:. ciscoasa# dir disk0: For e xample, look for a f ilename lik e I[...]
-
Page 667
31-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 31 Configuring the ASA IPS Module Configuring the ASA IPS module (ASA 5510 and Higher) Confi guring Basic Network Settings Session to the module from the ASA an d config ure basic settings using the setup command. Note (ASA 5512-X through ASA 5555-X) If you cannot session to the mo du[...]
-
Page 668
31-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 31 Configurin g the ASA IPS Module Configuring the ASA IPS module Restrictions Do not conf igure N A T for the management address if you intend t o access it using ASDM. F o r initial setup with ASDM, you need to acce ss the real address. After initial setup (where you set the password[...]
-
Page 669
31-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 31 Configuring the ASA IPS Module Configuring the ASA IPS module Examples The follo wing example conf igures VLAN 20 as the I PS management VLAN. Only the host at 10.1.1.30 can access the IPS management IP address. VLAN 20 is assigned to switch port Ethernet 0/0. When you connect to A[...]
-
Page 670
31-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 31 Configurin g the ASA IPS Module Configuring the ASA IPS module Detailed Steps Step 1 Access the ASA IPS module CLI usi ng one of the follo wing methods: • Session from the ASA to the ASA IPS modu le. See the “Sessioning to the Mod ule from the ASA” section on page 31 -11 . •[...]
-
Page 671
31-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 31 Configuring the ASA IPS Module Configuring the ASA IPS module Detailed Steps Command Purpose Step 1 context name Example: ciscoasa(config)# context admin ciscoasa(config-ctx)# Identif ies the context you wa nt to conf igure. Enter this command in the system ex ecution space. Step 2[...]
-
Page 672
31-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 31 Configurin g the ASA IPS Module Configuring the ASA IPS module Examples The follo wing example assigns sensor1 and sensor2 t o conte xt A, and sensor1 a nd sensor3 to conte xt B. Both context s map the sensor names to “ips1” and “i ps2. ” In conte xt A, sensor1 is set as the[...]
-
Page 673
31-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 31 Configuring the ASA IPS Module Configuring the ASA IPS module Detailed Steps Command Purpose Step 1 class-map name Example: ciscoasa(config)# class-map ips_class Creates a class map to identify the traf fic f o r which you want to send to the ASA IPS module. If you want t o send mu[...]
-
Page 674
31-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 31 Configurin g the ASA IPS Module Configuring the ASA IPS module Step 5 ips { inline | promiscuous } { fail-close | fail-open } [ sensor { sensor_name | mapped_name }] Example: ciscoasa(config-pmap-c)# ips promiscuous fail-close Specif ies that the traf fic shoul d be sent to the ASA [...]
-
Page 675
31-21 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 31 Configuring the ASA IPS Module Managing the ASA IPS module Managing the ASA IPS module This section includes proc edures that help you recover or trou bleshoot the module and includes the follo wing topics: • Installing and Boot ing an Image on the Module, page 31-2 1 • Shuttin[...]
-
Page 676
31-22 Cisco ASA Series Firewall CLI Configuration Guide Chapter 31 Configurin g the ASA IPS Module Managing the AS A IPS module Note Before you do wnload the IPS software to disk0, make sure at least 50% of the flash memory is free. When you install IPS, IPS reserves 50 % of the internal flas h memory for its f ile system. Detailed Steps Command Pu[...]
-
Page 677
31-23 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 31 Configuring the ASA IPS Module Managing the ASA IPS module Shutting Down the Module Shutting do wn the module software prepares the modu le to be safely po wered off with out losing confi guration data. Note : If you reload the ASA, th e module is n ot automa tically shu t down, so[...]
-
Page 678
31-24 Cisco ASA Series Firewall CLI Configuration Guide Chapter 31 Configurin g the ASA IPS Module Managing the AS A IPS module Resetting the Password Y ou can reset the module password to the default . For the user cisco , the default passw ord is cisco . After resetting the password, yo u should change it to a u n ique v alue using the module app[...]
-
Page 679
31-25 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 31 Configuring the ASA IPS Module Monitoring the ASA IPS module Reloading or Resetting the Module T o reload or reset the module, enter on e of the follo wing commands at the ASA CLI. Detailed Steps Monitoring the ASA IPS module T o check the status of a module, ent er one of the foll[...]
-
Page 680
31-26 Cisco ASA Series Firewall CLI Configuration Guide Chapter 31 Configurin g the ASA IPS Module Configuration Examples for the ASA IPS module Serial Number: JAB11370240 Firmware version: 1.0(14)3 Software version: 6.2(1)E2 MAC Address Range: 001d.45c2.e832 to 001d.45c2.e832 App. Name: IPS App. Status: Up App. Status Desc: Not Applicable App. Ver[...]
-
Page 681
31-27 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 31 Configuring the ASA IPS Module Feature History for the ASA IPS module ciscoasa(config)# class-map my-ips-class ciscoasa(config-cmap)# match access-list my-ips-acl ciscoasa(config)# class-map my-ips-class2 ciscoasa(config-cmap)# match access-list my-ips-acl2 ciscoasa(config-cmap)# p[...]
-
Page 682
31-28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 31 Configurin g the ASA IPS Module Feature History for the ASA IPS module Support for Dual SSPs for SSP-40 an d SSP-60 8.4(2) For SSP-40 and SSP-60, you can use two SSPs of the same le vel in the same chassi s. Mixed-le vel SSPs are not supported (for example, an SSP- 40 with an SSP-60[...]
-
Page 683
CH A P T E R 32-1 Cisco ASA Series Firewall CLI Configuratio n Guide 32 Configuring the ASA CSC Module This chapter descri bes how to configure the Conten t Security and Control (CSC) appl ication that is installed in a CSC SSM in the ASA. This chapte r includes the follo wing sections: • Information About the CSC SSM, page 32-1 • Licensing Req[...]
-
Page 684
32-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 32 Configurin g the ASA CSC Module Information About the CSC SSM Figur e 32-1 Flow of Scanned T raf fic with the CSC SSM Y ou use ASDM for system setup and mo nitoring of th e CSC SSM. For adv a nced co nfiguration of cont ent security policies in the CS C SSM software, you ac cess the [...]
-
Page 685
32-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 32 Configuring the ASA CSC Module Information Ab out the CSC SSM Figur e 32-2 CSC SSM Deployment with a Manage ment Networ k Determining What Traffic to Scan The CSC SSM can scan FTP , HTTP/HTTPS, POP3, and SMTP traf fic only when the destinat ion port of the packet requestin g the con[...]
-
Page 686
32-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 32 Configurin g the ASA CSC Module Information About the CSC SSM Based on the conf iguration shown in Figure 32-3 , conf igure the ASA to di vert to the CSC SSM only requests from clients o n the inside netw ork for HTTP , FTP , and POP3 connections to the outside network, and incoming [...]
-
Page 687
32-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 32 Configuring the ASA CSC Module Licensing Requirements for the CSC SSM In the outside- policy , outside-class matches SMTP tr af fic from an y outside source to the DMZ network. This setting protects the SMTP serv er and inside us ers who do wnload e-mail from the SMTP serv er on the[...]
-
Page 688
32-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 32 Configurin g the ASA CSC Module Guidelines and Limitations – Domain name and hostname for t he CSC SSM. – An e-mail address and an SMTP server IP addr ess and port numb er for e-mail notif ications. – E-mail address(es) for product l icense rene wal notificatio ns. – IP addre[...]
-
Page 689
32-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 32 Configuring the ASA CSC Module Configuring the CSC SSM Configuring the CSC SSM This section descri bes ho w to conf igure the CSC SSM and includes the followi ng topics: • Before Conf iguring the CSC SSM, page 32-7 • Connecting to the CSC SSM, page 32-8 • Div erting Traf fic t[...]
-
Page 690
32-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 32 Configurin g the ASA CSC Module Configuring the CSC SSM • If you manually control time settings, v erify the clock settings, includi ng time zone. Choose Conf iguration > Pr operties > Device Administration > Clock . • If you are using NTP , verify the NTP con figu ratio[...]
-
Page 691
32-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 32 Configuring the ASA CSC Module Configuring the CSC SSM T o connect to the CSC SSM, perform the follo wing steps: Step 1 In the ASDM main application windo w , click the Content Security tab . Step 2 In the Connecting to CSC dial og box, click one of th e follo wing radio b uttons: ?[...]
-
Page 692
32-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 32 Configurin g the ASA CSC Module Configuring the CSC SSM What to Do Next See the “Div erting Traf fic to the CSC SSM” section on page 32-10 . Diverting Traffic to the CSC SSM Y o u use Modular Polic y Framew ork commands to conf igure the ASA to div ert traff ic to the CSC SSM. P[...]
-
Page 693
32-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 32 Configuring the ASA CSC Module Configuring the CSC SSM Step 6 set connection per-client-max n Example: ciscoasa(config-pmap-c)# set connection per-client-max 5 Lets you conf igure limits to thw art DoS attacks. The per -client-max parameter limits the maximum number of connections [...]
-
Page 694
32-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 32 Configurin g the ASA CSC Module Configuring the CSC SSM Step 7 csc { fail-close | fail-open } Example: ciscoasa(config-pmap-c)# csc {fail-close | fail-open} Enables traf fic scanning with the CSC S SM and assigns the traf fic identif ied by the class map as traff ic to be sent to th[...]
-
Page 695
32-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 32 Configuring the ASA CSC Module Monitoring the CSC SSM What to Do Next See the “Monitorin g the CSC SSM” sect ion on page 32-13 . Monitoring the CSC SSM T o check the status of a module, ent er one of the follo wing commands: Examples The follo wing is sample output from the sho[...]
-
Page 696
32-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 32 Configurin g the ASA CSC Module Troubleshooting the CSC Module Port Mask: 255.255.224.0 Gateway IP Address: 209.165.200.254 Troubleshooting the CSC Module This section includes proc edures that help you recover or trou bleshoot the module and includes the follo wing topics: • Inst[...]
-
Page 697
32-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 32 Configuring the ASA CSC Module Troubleshooting the CSC Module Detailed Steps Resetting the Password Y ou can reset the module passwor d to the default. The def ault password is cisco. After resetting th e password, you sho uld change it to a unique v alue using the module applicati[...]
-
Page 698
32-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 32 Configurin g the ASA CSC Module Troubleshooting the CSC Module T o reset the module passw ord to the def ault of cisco, perform th e follo wing steps. Detailed Steps Reloading or Resetting the Module T o reload or reset the module, enter on e of the follo wing commands at the ASA CL[...]
-
Page 699
32-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 32 Configuring the ASA CSC Module Configuration Exa mples for the CSC SSM Shutting Down the Module If you restart the ASA, the module is not automatica lly rest arted. T o shut do wn the module, perform th e follo wing steps at th e ASA CLI. Detailed Steps Configuration Examples for t[...]
-
Page 700
32-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 32 Configurin g the ASA CSC Module Additional References ciscoasa(config-pmap)# class csc_inbound_class ciscoasa(config-pmap-c)# csc fail-close ciscoasa(config-pmap-c)# service-policy csc_in_policy interface outside The follo wing example shows ho w to use an A CL to exempt the traf fi[...]
-
Page 701
32-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 32 Configuring the ASA CSC Module Feature History for the CSC SSM Feature History for the CSC SSM T able 32-2 lists each feature change and the plat form release in which it w as implemented. Instructions on use of the CSC SSM GUI. Additional licensi ng requirements of specif ic windo[...]
-
Page 702
32-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 32 Configurin g the ASA CSC Module Feature History for the CSC SSM[...]
-
Page 703
IN-1 Cisco ASA Series Firewall CLI Configuration Guide INDEX A AAA accounting 7-21 authentication network access 7-2 authorization downloadable access lists 7-17 network access 7-14 performance 7-1 web clients 7-10 access lists downloadable 7-17 global access rules 6-2 implicit deny 6-3 inbound 6-3 outbound 6-3 phone prox y 16-7 ActiveX filtering 2[...]
-
Page 704
Index IN-2 Cisco ASA Series Firewall CLI Configuration Guide IP fragment 28-4 IP impossib le packet 28-4 large ICMP traffic 28-6 ping of death 28-6 proxied RPC request 28-7 statd buffer overflow 28-8 TCP FIN only flags 28-7 TCP NULL flags 28-6 TCP SYN+FIN flags 28-6 UDP bomb 28-7 UDP chargen DoS 28-7 UDP snork 28-7 authentication FTP 7-4 HTTP 7-3 n[...]
-
Page 705
Index IN-3 Cisco ASA Series Firewall CLI Configuration Guide required by phone prox y 16-16 Cisco IP Communicator 16-10 Cisco IP Phones, application inspection 11-25 Cisco UMA. See Cisco Unified Mo bility. Cisco Unified Mobilit y architecture 18-2 ASA role 14-2, 14-3, 15-2 certificate 18-5 functionality 18-1 NAT and PAT requirements 18-3, 18-4 trus[...]
-
Page 706
Index IN-4 Cisco ASA Series Firewall CLI Configuration Guide DNS request for all records attack 28-7 DNS zone transfer attack 28-7 DNS zone transfer from high port attack 28-7 downloadable access lists configuring 7-17 converting netmask expressio ns 7-21 DSCP preservati on 23-5 dynamic NAT about 3-7 network object NAT 4-5 twice NAT 5-7 dynamic PAT[...]
-
Page 707
Index IN-5 Cisco ASA Series Firewall CLI Configuration Guide inspection_default cl ass-map 1-9 inspection engines See application inspection Instant Messaging inspection 11-19 interfaces default settings 6-8, 32-6 IP fragment attack 28-4 IP impossible packet attack 28-4 IP overlapping fragme nts attack 28-5 IP phone phone prox y provisioning 16-12 [...]
-
Page 708
Index IN-6 Cisco ASA Series Firewall CLI Configuration Guide default polic y 1-8 examples 1-18 feature directionality 1-3 features 1-2 flows 1-6 matching multiple policy maps 1-6 service poli cy, applying 1-17 See also class map See also policy map MPLS LDP 6-7 router-id 6-7 TDP 6-7 multi-session PAT 4-16 N NAT about 3-1 bidirection al initiation 3[...]
-
Page 709
Index IN-7 Cisco ASA Series Firewall CLI Configuration Guide dynamic NAT 5-7 dynamic PAT 5-11 examples 5-25 guidelines 5-2 identity NAT 5-21 monitoring 5-24 prerequis ites 5-2 static NAT 5-18 types 3-3 VPN 3-22 VPN client rules 3-18 network object NAT about 3-14 comparison with t wice NAT 3-13 configuring 4-1 dynamic NAT 4-5 dynamic PAT 4-7 example[...]
-
Page 710
Index IN-8 Cisco ASA Series Firewall CLI Configuration Guide CSC SSM 32-5 presence_proxy_remotecert 15-15 proxied RPC request attack 28-7 proxy servers SIP and 11-18 PRSM 30-5 Q QoS about 23-1, 23-3 DiffServ preservation 23-5 DSCP preservati on 23-5 feature interaction 23-4 policies 23-1 priority qu eueing IPSec anti-replay window 23-13 statistics [...]
-
Page 711
Index IN-9 Cisco ASA Series Firewall CLI Configuration Guide management defaults 31-6 password reset 31-24, 32-15 reload 31-25, 32-16 reset 31-25, 32-16 routing 31-10 sessioning to 31-13 shutdown 31-23, 32-17 Startup Wiza rd licensing requ irements 15-3 statd buffer overflow attack 28-8 stateful inspection bypassing 22-3 static NAT about 3-3 few-to[...]
-
Page 712
Index IN-10 Cisco ASA Series Firewall CLI Configuration Guide applications supported by A SA 14-3 Cisco Unified Presence architecture 19-1 configuring for Cisco Un ified Presence 19-8 licenses 14-4, 17-5, 18-6, 19-7, 20-7 tocken bucket 23-2 traffic shaping overview 23-4 transmit queue ring l imit 23-2, 23-3 transparent firewall DHCP packet s, allow[...]