Cisco Systems ASA 5505 manual


A good user manual

The rules should oblige the seller to give the purchaser an operating instruction for the Cisco Systems ASA 5505, along with the item. The lack of an instruction, or false information given to the customer, constitutes grounds for a complaint because of nonconformity of goods with the contract. In accordance with the law, a customer can receive an instruction in non-paper form; lately graphic and electronic forms of manuals, as well as instructional videos, have been widely used. A necessary precondition for this is the unmistakable, legible character of an instruction.

What is an instruction?

The term originates from the Latin word „instructio”, which means organizing. Therefore, in an instruction for the Cisco Systems ASA 5505 one can find a process description. An instruction's purpose is to teach, to ease the start-up and use of an item, or the performance of certain activities. An instruction is a compilation of information about an item or a service; it is a clue.

Unfortunately, only a few customers devote their time to reading an instruction for the Cisco Systems ASA 5505. A good user manual introduces us to a number of additional functionalities of the purchased item, and also helps us to avoid most defects.

What should a perfect user manual contain?

First and foremost, a user manual for the Cisco Systems ASA 5505 should contain:
- information concerning the technical data of the Cisco Systems ASA 5505
- the name of the manufacturer and the year of construction of the Cisco Systems ASA 5505 item
- rules of operation, control and maintenance of the Cisco Systems ASA 5505 item
- safety signs and mark certificates which confirm compatibility with the appropriate standards

Why don't we read the manuals?

Usually it results from a lack of time and certainty about the functionalities of purchased items. Unfortunately, networking and start-up of the Cisco Systems ASA 5505 alone are not enough. An instruction contains a number of clues concerning respective functionalities, safety rules, maintenance methods (what means should be used), eventual defects of the Cisco Systems ASA 5505, and methods of problem resolution. Eventually, when one still can't find the answer to his problems, he will be directed to the Cisco Systems service. Lately animated manuals and instructional videos have become quite popular among customers. These kinds of user manuals are effective; they ensure that a customer will familiarize himself with the whole material, and won't skip complicated technical information about the Cisco Systems ASA 5505.

Why one should read the manuals?

It is mostly in the manuals where we will find the details concerning the construction and capabilities of the Cisco Systems ASA 5505 item, its use of the respective accessories, as well as information concerning all the functions and facilities.

After a successful purchase of an item one should find a moment to get to know every part of its instruction. Currently the manuals are carefully prepared and translated, so they can be fully understood by their users. The manuals will serve as an informational aid.

Table of contents for the manual

  • Page 1

    Cisco Systems, Inc. www.cisco.com Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices. Cisco ASA Series Firewall CLI Configuration Guide Software Version 9.1 For the ASA 5505, ASA 5510, ASA 5520, ASA 5540, ASA 5550, ASA 5512-X, ASA 5515-[...]

  • Page 2

    THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY[...]

  • Page 3

    iii Cisco ASA Series Firewall CLI Configuration Guide CONTENTS About This Guide xxv Document Objectives xxv Related Documentation xxv Conventions xxv Obtaining Documentation and Submitting a Service Request xxvi PART 1 Configuring Service Policies Using the Modular Policy Framework CHAPTER 1 Configuring a Service Policy Using the Modular Poli[...]

  • Page 4

    Contents iv Cisco ASA Series Firewall CLI Configuration Guide Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers 1-20 Applying Inspection to HTTP Traffic with NAT 1-21 Feature History for Service Policies 1-22 CHAPTER 2 Configuring Special Actions for Application Inspections (Inspection Policy Map) 2-1 Information About[...]

  • Page 5

    Contents v Cisco ASA Series Firewall CLI Configuration Guide Main Differences Between Network Object NAT and Twice NAT 3-13 Information About Network Object NAT 3-14 Information About Twice NAT 3-14 NAT Rule Order 3-18 NAT Interfaces 3-19 Routing NAT Packets 3-19 Mapped Addresses and Routing 3-19 Transparent Mode Routing Requirements for Remote N[...]

  • Page 6

    Contents vi Cisco ASA Series Firewall CLI Configuration Guide DNS Server and FTP Server on Mapped Interface, FTP Server is Translated (Static NAT with DNS Modification) 4-25 IPv4 DNS Server and FTP Server on Mapped Interface, IPv6 Host on Real Interface (Static NAT64 with DNS64 Modification) 4-26 Feature History for Network Object NAT 4-28 CHAP[...]

  • Page 7

    Contents vii Cisco ASA Series Firewall CLI Configuration Guide Access Rules for Returning Traffic 6-5 Allowing Broadcast and Multicast Traffic through the Transparent Firewall Using Access Rules 6-5 Management Access Rules 6-6 Information About EtherType Rules 6-6 Supported EtherTypes and Other Traffic 6-6 Access Rules for Returning Traffic 6-7[...]

  • Page 8

    Contents viii Cisco ASA Series Firewall CLI Configuration Guide Configuring a RADIUS Server to Download Per-User Access Control List Names 7-21 Configuring Accounting for Network Access 7-21 Using MAC Addresses to Exempt Traffic from Authentication and Authorization 7-23 Feature History for AAA Rules 7-25 PART 4 Configuring Application Inspecti[...]

  • Page 9

    Contents ix Cisco ASA Series Firewall CLI Configuration Guide IP Options Inspection Overview 10-24 Configuring an IP Options Inspection Policy Map for Additional Inspection Control 10-25 IPsec Pass Through Inspection 10-25 IPsec Pass Through Inspection Overview 10-26 Example for Defining an IPsec Pass Through Parameter Map 10-26 IPv6 Inspect[...]

  • Page 10

    Contents x Cisco ASA Series Firewall CLI Configuration Guide Verifying and Monitoring MGCP Inspection 11-14 RTSP Inspection 11-14 RTSP Inspection Overview 11-15 Using RealPlayer 11-15 Restrictions and Limitations 11-15 Configuring an RTSP Inspection Policy Map for Additional Inspection Control 11-16 SIP Inspection 11-18 SIP Inspection Overvie[...]

  • Page 11

    Contents xi Cisco ASA Series Firewall CLI Configuration Guide RSH Inspection 13-10 SNMP Inspection 13-10 SNMP Inspection Overview 13-10 Configuring an SNMP Inspection Policy Map for Additional Inspection Control 13-10 XDMCP Inspection 13-11 PART 5 Configuring Unified Communications CHAPTER 14 Information About Cisco Unified Communications Proxy[...]

  • Page 12

    Contents xii Cisco ASA Series Firewall CLI Configuration Guide Working with Certificates in the Unified Communication Wizard 15-23 Exporting an Identity Certificate 15-23 Installing a Certificate 15-23 Generating a Certificate Signing Request (CSR) for a Unified Communications Proxy 15-24 Saving the Identity Certificate Request 15-25 Installing [...]

  • Page 13

    Contents xiii Cisco ASA Series Firewall CLI Configuration Guide Creating the TLS Proxy Instance for a Non-secure Cisco UCM Cluster 16-20 Creating the TLS Proxy for a Mixed-mode Cisco UCM Cluster 16-21 Creating the Media Termination Instance 16-23 Creating the Phone Proxy Instance 16-24 Enabling the Phone Proxy with SIP and Skinny Inspection 16-26[...]

  • Page 14

    Contents xiv Cisco ASA Series Firewall CLI Configuration Guide CTL Client Overview 17-3 Licensing for the TLS Proxy 17-5 Prerequisites for the TLS Proxy for Encrypted Voice Inspection 17-7 Configuring the TLS Proxy for Encrypted Voice Inspection 17-7 Task flow for Configuring the TLS Proxy for Encrypted Voice Inspection 17-8 Creating Trustpoint[...]

  • Page 15

    Contents xv Cisco ASA Series Firewall CLI Configuration Guide Configuration Requirements for XMPP Federation 19-6 Licensing for Cisco Unified Presence 19-7 Configuring Cisco Unified Presence Proxy for SIP Federation 19-8 Task Flow for Configuring Cisco Unified Presence Federation Proxy for SIP Federation 19-9 Creating Trustpoints and Generating [...]

  • Page 16

    Contents xvi Cisco ASA Series Firewall CLI Configuration Guide Configuring the Cisco UC-IMC Proxy by using the UC-IME Proxy Pane 20-30 Configuring the Cisco UC-IMC Proxy by using the Unified Communications Wizard 20-32 Troubleshooting Cisco Intercompany Media Engine Proxy 20-33 Feature History for Cisco Intercompany Media Engine Proxy 20-36 PA[...]

  • Page 17

    Contents xvii Cisco ASA Series Firewall CLI Configuration Guide Licensing Requirements for QoS 23-5 Guidelines and Limitations 23-5 Configuring QoS 23-6 Determining the Queue and TX Ring Limits for a Standard Priority Queue 23-7 Configuring the Standard Priority Queue for an Interface 23-8 Configuring a Service Rule for Standard Priority Queuing [...]

  • Page 18

    Contents xviii Cisco ASA Series Firewall CLI Configuration Guide Cloud Web Security Actions 25-5 Bypassing Scanning with Whitelists 25-6 IPv4 and IPv6 Support 25-6 Failover from Primary to Backup Proxy Server 25-6 Licensing Requirements for Cisco Cloud Web Security 25-6 Prerequisites for Cloud Web Security 25-7 Guidelines and Limitations 25-7 De[...]

  • Page 19

    Contents xix Cisco ASA Series Firewall CLI Configuration Guide Botnet Traffic Filter Address Types 26-2 Botnet Traffic Filter Actions for Known Addresses 26-2 Botnet Traffic Filter Databases 26-2 Information About the Dynamic Database 26-2 Information About the Static Database 26-3 Information About the DNS Reverse Lookup Cache and DNS Host Cache 2[...]

  • Page 20

    Contents xx Cisco ASA Series Firewall CLI Configuration Guide Configuring Advanced Threat Detection Statistics 27-6 Information About Advanced Threat Detection Statistics 27-6 Guidelines and Limitations 27-6 Default Settings 27-7 Configuring Advanced Threat Detection Statistics 27-7 Monitoring Advanced Threat Detection Statistics 27-9 Feature His[...]

  • Page 21

    Contents xxi Cisco ASA Series Firewall CLI Configuration Guide Configuration Examples for Java Applet Filtering 29-5 Feature History for Java Applet Filtering 29-6 Filtering URLs and FTP Requests with an External Server 29-6 Information About URL Filtering 29-6 Licensing Requirements for URL Filtering 29-7 Guidelines and Limitations for URL Filter[...]

  • Page 22

    Contents xxii Cisco ASA Series Firewall CLI Configuration Guide (ASA 5512-X through ASA 5555-X; May Be Required) Installing the Software Module 30-12 (ASA 5585-X) Changing the ASA CX Management IP Address 30-14 Configuring Basic ASA CX Settings at the ASA CX CLI 30-15 Configuring the Security Policy on the ASA CX Module Using PRSM 30-16 (Optional) [...]

  • Page 23

    Contents xxiii Cisco ASA Series Firewall CLI Configuration Guide ASA 5512-X through ASA 5555-X (Software Module) 31-9 ASA 5505 31-10 Sessioning to the Module from the ASA 31-11 (ASA 5512-X through ASA 5555-X) Booting the Software Module 31-11 Configuring Basic IPS Module Network Settings 31-12 (ASA 5510 and Higher) Configuring Basic Network Se[...]

  • Page 24

    Contents xxiv Cisco ASA Series Firewall CLI Configuration Guide Additional References 32-18 Feature History for the CSC SSM 32-19 INDEX[...]

  • Page 25

    xxv Cisco ASA Series Firewall CLI Configuration Guide About This Guide This preface introduces Cisco ASA Series Firewall CLI Configuration Guide and includes the following sections: • Document Objectives, page xxv • Related Documentation, page xxv • Conventions, page xxv • Obtaining Documentation and Submitting a Service Reques[...]

  • Page 26

    xxvi Cisco ASA Series Firewall CLI Configuration Guide Note Means reader take note. Tip Means the following information will help you solve a problem. Caution Means reader be careful. In this situation, you might perform an action that could result in equipment damage or loss of data. Obtaining Documentation and Submitting a Ser[...]

  • Page 27

    PART 1 Configuring Service Policies Using the Modular Policy Framework[...]

  • Page 29

    CHAPTER 1-1 Cisco ASA Series Firewall CLI Configuration Guide 1 Configuring a Service Policy Using the Modular Policy Framework Service policies using Modular Policy Framework provide a consistent and flexible way to configure ASA features. For example, you can use a service policy to create a timeout configuration that is specific [...]

  • Page 30

    1-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Policy Using the Modular Policy Framework Information About Service Policies Supported Features Table 1-1 lists the features supported by Modular Policy Framework. Feature Directionality Actions are applied to traffic bidirectionally or unidirectionall[...]

  • Page 31

    1-3 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Policy Using the Modular Policy Framework Information About Service Policies Note When you use a global policy, all features are unidirectional; features that are normally bidirectional when applied to a single interface only apply to the ingress of each inte[...]

  • Page 32

    1-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Policy Using the Modular Policy Framework Information About Service Policies For example, if a packet matches a class map for connection limits, and also matches a class map for an application inspection, then both actions are applied. If a packet matches a [...]

  • Page 33

    1-5 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Policy Using the Modular Policy Framework Information About Service Policies Incompatibility of Certain Feature Actions Some features are not compatible with each other for the same traffic. The following list may not include all incompatibilities; for info[...]

  • Page 34

    1-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Policy Using the Modular Policy Framework Licensing Requirements for Service Policies class ftp inspect ftp Feature Matching for Multiple Service Policies For TCP and UDP traffic (and ICMP when you enable stateful ICMP inspection), service policies operate[...]

  • Page 35

    1-7 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Policy Using the Modular Policy Framework Guidelines and Limitations • TCP normalization • TCP state bypass • User statistics for Identity Firewall Class Map Guidelines The maximum number of class maps of all types is 255 in single mode or per context i[...]

  • Page 36

    1-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Policy Using the Modular Policy Framework Default Settings Default Settings The following topics describe the default settings for Modular Policy Framework: • Default Configuration, page 1-8 • Default Class Maps, page 1-9 Default Configuration By defau[...]

  • Page 37

    1-9 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Policy Using the Modular Policy Framework Task Flows for Configuring Service Policies inspect ip-options _default_ip_options_map inspect netbios inspect rsh inspect rtsp inspect skinny inspect esmtp _default_esmtp_map inspect sqlnet inspect sunrpc inspect tft[...]

  • Page 38

    1-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Policy Using the Modular Policy Framework Task Flows for Configuring Service Policies Step 1 Identify the traffic—Identify the traffic on which you want to perform Modular Policy Framework actions by creating Layer 3/4 class maps. For example, you might[...]

  • Page 39

    1-11 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Policy Using the Modular Policy Framework Task Flows for Configuring Service Policies See the “Defining Actions (Layer 3/4 Policy Map)” section on page 1-15 and the “Applying Actions to an Interface (Service Policy)” section on page 1-17. Task Fl[...]

  • Page 40

    1-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Policy Using the Modular Policy Framework Identifying Traffic (Layer 3/4 Class Maps) Traffic shaping can only be applied to the class-default class map. Step 4 For the same class map, identify the priority policy map that you created in Step 2 using the ser[...]

  • Page 41

    1-13 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Policy Using the Modular Policy Framework Identifying Traffic (Layer 3/4 Class Maps) match access-list access_list_name Example: hostname(config-cmap)# match access-list udp Matches traffic specified by an extended ACL. If the ASA is operating in transparent[...]

  • Page 42

    1-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Policy Using the Modular Policy Framework Identifying Traffic (Layer 3/4 Class Maps) Examples The following is an example for the class-map command: ciscoasa(config)# access-list udp permit udp any any ciscoasa(config)# access-list tcp permit tcp any any cisco[...]

  • Page 43

    1-15 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Policy Using the Modular Policy Framework Defining Actions (Layer 3/4 Policy Map) Detailed Steps Defining Actions (Layer 3/4 Policy Map) This section describes how to associate actions with Layer 3/4 class maps by creating a Layer 3/4 policy map. Restrictio[...]

  • Page 44

    1-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Policy Using the Modular Policy Framework Defining Actions (Layer 3/4 Policy Map) Detailed Steps Examples The following is an example of a policy-map command for connection policy. It limits the number of connections allowed to the web server 10.1.1.1: ci[...]

  • Page 45

    1-17 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Policy Using the Modular Policy Framework Applying Actions to an Interface (Service Policy) The following example shows how traffic matches the first available class map, and will not match any subsequent class maps that specify actions in the same featu[...]

  • Page 46

    1-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Policy Using the Modular Policy Framework Monitoring Modular Policy Framework Detailed Steps Examples For example, the following command enables the inbound_policy policy map on the outside interface: ciscoasa(config)# service-policy inbound_policy interfa[...]

  • Page 47

    1-19 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Policy Using the Modular Policy Framework Configuration Examples for Modular Policy Framework Applying Inspection and QoS Policing to HTTP Traffic In this example (see Figure 1-1), any HTTP connection (TCP traffic on port 80) that enters or exits the AS[...]

  • Page 48

    1-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Policy Using the Modular Policy Framework Configuration Examples for Modular Policy Framework ciscoasa(config)# policy-map http_traffic_policy ciscoasa(config-pmap)# class http_traffic ciscoasa(config-pmap-c)# inspect http ciscoasa(config)# service-policy http_[...]

  • Page 49

    1-21 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Policy Using the Modular Policy Framework Configuration Examples for Modular Policy Framework ciscoasa(config)# service-policy policy_serverB interface inside ciscoasa(config)# service-policy policy_serverA interface outside Applying Inspection to HTTP Traffic[...]

  • Page 50

    1-22 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Policy Using the Modular Policy Framework Feature History for Service Policies Feature History for Service Policies Table 1-3 lists the release history for this feature. Table 1-3 Feature History for Service Policies Feature Name Releases Feature Info[...]

  • Page 51

    CHAPTER 2-1 Cisco ASA Series Firewall CLI Configuration Guide 2 Configuring Special Actions for Application Inspections (Inspection Policy Map) Modular Policy Framework lets you configure special actions for many application inspections. When you enable an inspection engine in the Layer 3/4 policy map, you can also optionally enable act[...]

  • Page 52

    2-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 2 Configuring Special Actions for Application Inspections (Inspection Policy Map) Guidelines and Limitations policy map is that you can create more complex match criteria and you can reuse class maps. However, you cannot set different actions for different matches. Note: Not all [...]

  • Page 53

    2-3 Cisco ASA Series Firewall CLI Configuration Guide Chapter 2 Configuring Special Actions for Application Inspections (Inspection Policy Map) Default Inspection Policy Maps A class map is determined to be the same type as another class map or match command based on the lowest priority match command in the class map (the priority is based on [...]

  • Page 54

    2-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 2 Configuring Special Actions for Application Inspections (Inspection Policy Map) Defining Actions in an Inspection Policy Map Note There are other default inspection policy maps such as _default_esmtp_map. For example, inspect esmtp implicitly uses the policy map “_default_esmtp[...]

  • Page 55

    2-5 Cisco ASA Series Firewall CLI Configuration Guide Chapter 2 Configuring Special Actions for Application Inspections (Inspection Policy Map) Identifying Traffic in an Inspection Class Map Examples The following is an example of an HTTP inspection policy map and the related class maps. This policy map is activated by the Layer 3/4 policy[...]

  • Page 56

    2-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 2 Configuring Special Actions for Application Inspections (Inspection Policy Map) Identifying Traffic in an Inspection Class Map Restrictions Not all applications support inspection class maps. See the CLI help for class-map type inspect for a list of supported applications. Detaile[...]

  • Page 57

    2-7 Cisco ASA Series Firewall CLI Configuration Guide Chapter 2 Configuring Special Actions for Application Inspections (Inspection Policy Map) Where to Go Next Where to Go Next To use an inspection policy, see Chapter 1, “Configuring a Service Policy Using the Modular Policy Framework.” Feature History for Inspection Policy Maps Tab[...]

  • Page 58

    2-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 2 Configuring Special Actions for Application Inspections (Inspection Policy Map) Feature History for Inspection Policy Maps[...]

  • Page 59

    PART 2 Configuring Network Address Translation[...]

  • Page 61

    CHAPTER 3-1 Cisco ASA Series Firewall CLI Configuration Guide 3 Information About NAT This chapter provides an overview of how Network Address Translation (NAT) works on the ASA. This chapter includes the following sections: • Why Use NAT?, page 3-1 • NAT Terminology, page 3-2 • NAT Types, page 3-3 • NAT in Routed a[...]

  • Page 62

    3-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Information About NAT NAT Terminology One of the main functions of NAT is to enable private IP networks to connect to the Internet. NAT replaces a private IP address with a public IP address, translating the private addresses in the internal private network into legal, r[...]

  • Page 63

    3-3 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Information About NAT NAT Types NAT Types • NAT Types Overview, page 3-3 • Static NAT, page 3-3 • Dynamic NAT, page 3-7 • Dynamic PAT, page 3-8 • Identity NAT, page 3-10 NAT Types Overview You can implement NAT using the following methods: • Static N[...]

  • Page 64

    3-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Information About NAT NAT Types Figure 3-1 shows a typical static NAT scenario. The translation is always active so both real and remote hosts can initiate connections. Figure 3-1 Static NAT Note You can disable bidirectionality if desired. Information About Static NAT with [...]

  • Page 65

    3-5 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Information About NAT NAT Types Note For applications that require application inspection for secondary channels (for example, FTP and VoIP), the ASA automatically translates the secondary ports. Static NAT with Identity Port Translation The following static NAT with port t[...]

  • Page 66

    3-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Information About NAT NAT Types For example, you have a load balancer at 10.1.2.27. Depending on the URL requested, it redirects traffic to the correct web server. Information About Other Mapping Scenarios (Not Recommended) The ASA has the flexibility to allow any kind of stat[...]

  • Page 67

    3-7 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Information About NAT NAT Types Figure 3-5 shows a typical many-to-few static NAT scenario. Figure 3-5 Many-to-Few Static NAT Instead of using a static rule this way, we suggest that you create a one-to-one rule for the traffic that needs bidirectional initiation, and th[...]

  • Page 68

    3-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Information About NAT NAT Types Note For the duration of the translation, a remote host can initiate a connection to the translated host if an access rule allows it. Because the address is unpredictable, a connection to the host is unlikely. Nevertheless, in this case you ca[...]

  • Page 69

    3-9 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Information About NAT NAT Types Figure 3-7 shows a typical dynamic PAT scenario. Only real hosts can create a NAT session, and responding traffic is allowed back. The mapped address is the same for each translation, but the port is dynamically assigned. Figure 3-7 Dynamic [...]

  • Page 70

    3-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Information About NAT NAT in Routed and Transparent Mode Identity NAT You might have a NAT configuration in which you need to translate an IP address to itself. For example, if you create a broad rule that applies NAT to every network, but want to exclude one network [...]

  • Page 71

    3-11 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Information About NAT NAT in Routed and Transparent Mode NAT in Routed Mode Figure 3-9 shows a typical NAT example in routed mode, with a private network on the inside. Figure 3-9 NAT Example: Routed Mode 1. When the inside host at 10.1.2.27 sends a packet to a web server [...]

  • Page 72

    3-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Information About NAT NAT in Routed and Transparent Mode Figure 3-10 NAT Example: Transparent Mode 1. When the inside host at 10.1.1.75 sends a packet to a web server, the real source address of the packet, 10.1.1.75, is changed to a mapped address, 209.165.201.15. 2. When [...]

  • Page 73

    3-13 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Information About NAT NAT and IPv6 NAT and IPv6 You can use NAT to translate between IPv6 networks, and also to translate between IPv4 and IPv6 networks (routed mode only). We recommend the following best practices: • NAT66 (IPv6-to-IPv6)—We recommend using static NA[...]

  • Page 74

    3-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Information About NAT How NAT is Implemented • How source and destination NAT is implemented. – Network object NAT—Each rule can apply to either the source or destination of a packet. So two rules might be used, one for the source IP address, and one for the desti[...]

  • Page 75

    3-15 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Information About NAT How NAT is Implemented Twice NAT also lets you use service objects for static NAT with port translation; network object NAT only accepts inline definition. To start configuring twice NAT, see Chapter 5, “Configuring Twice NAT.” Figure 3-[...]

  • Page 76

    3-16 How NAT is Implemented Figure 3-12 shows the use of source and destination ports. The host on the 10.1.2.0/24 network accesses a single host for both web services and Telnet services. When the host accesses the server for web services, the real address is[...]

  • Page 77

    3-17 How NAT is Implemented Figure 3-13 shows a remote host connecting to a mapped host. The mapped host has a twice static NAT translation that translates the real address only for traffic to and from the 209.165.201.0/27 network. A translation does not [...]

  • Page 78

    3-18 NAT Rule Order NAT Rule Order Network object NAT rules and twice NAT rules are stored in a single table that is divided into three sections. Section 1 rules are applied first, then section 2, and finally section 3, until a match is found. For examp[...]

  • Page 79

    3-19 NAT Interfaces For section 2 rules, for example, you have the following IP addresses defined within network objects: 192.168.1.0/24 (static) 192.168.1.0/24 (dynamic) 10.1.1.0/24 (static) 192.168.1.1/32 (static) 172.16.1.0/24 (dynamic) (object def) 172[...]

  • Page 80

    3-20 Routing NAT Packets Mapped Addresses and Routing When you translate the real address to a mapped address, the mapped address you choose determines how to configure routing, if necessary, for the mapped address. See additional guidelines about mapped IP add[...]

  • Page 81

    3-21 Routing NAT Packets Figure 3-14 Proxy ARP Problems with Identity NAT In rare cases, you need proxy ARP for identity NAT; for example for virtual Telnet. When using AAA for network access, a host needs to authenticate with the ASA using a service like T[...]

  • Page 82

    3-22 NAT for VPN Determining the Egress Interface When the ASA receives traffic for a mapped address, the ASA untranslates the destination address according to the NAT rule, and then it sends the packet on to the real address. The ASA determines the egress inter[...]

  • Page 83

    3-23 NAT for VPN NAT and Remote Access VPN Figure 3-17 shows both an inside server (10.1.1.6) and a VPN client (209.165.201.10) accessing the Internet. Unless you configure split tunnelling for the VPN client (where only specified traffic goes through the VP[...]

  • Page 84

    3-24 NAT for VPN Figure 3-18 Identity NAT for VPN Clients See the following sample NAT configuration for the above network: ! Enable hairpin for non-split-tunneled VPN client traffic: same-security-traffic permit intra-interface ! Identify local VPN network, [...]

  • Page 85

    3-25 NAT for VPN Figure 3-19 Interface PAT and Identity NAT for Site-to-Site VPN Figure 3-20 shows a VPN client connected to ASA1 (Boulder), with a Telnet request for a server (10.2.2.78) accessible over a site-to-site tunnel between ASA1 and ASA2 (San [...]

  • Page 86

    3-26 NAT for VPN object network vpn_local subnet 10.3.3.0 255.255.255.0 nat (outside,outside) dynamic interface ! Identify inside Boulder network, & perform object interface PAT when going to Internet: object network boulder_inside subnet 10.1.1.0 255.255.255.0 [...]

  • Page 87

    3-27 NAT for VPN Figure 3-21 shows a VPN client Telnetting to the ASA inside interface. When you use a management-access interface, and you configure identity NAT according to the “NAT and Remote Access VPN” or “NAT and Site-to-Site VPN” section, yo[...]

  • Page 88

    3-28 DNS and NAT ! Use twice NAT to pass traffic between the inside network and the VPN client without ! address translation (identity NAT), w/route-lookup: nat (outside,inside) source static vpn_local vpn_local destination static inside_nw inside_nw route-lookup Tr[...]

  • Page 89

    3-29 DNS and NAT Figure 3-22 shows a DNS server that is accessible from the outside interface. A server, ftp.cisco.com, is on the inside interface. You configure the ASA to statically translate the ftp.cisco.com real address (10.1.3.14) to a mapped addres[...]

  • Page 90

    3-30 DNS and NAT a static rule between the inside and DMZ, then you also need to enable DNS reply modification on this rule. The DNS reply will then be modified two times. In this case, the ASA again translates the address inside the DNS reply to 192.168.1.10 a[...]

  • Page 91

    3-31 DNS and NAT Figure 3-24 shows an FTP server and DNS server on the outside. The ASA has a static translation for the outside server. In this case, when an inside user requests the address for ftp.cisco.com from the DNS server, the DNS server responds with [...]

  • Page 92

    3-32 DNS and NAT Because you want inside users to use the mapped address for ftp.cisco.com (2001:DB8::D1A5:C8E1) you need to configure DNS reply modification for the static translation. This example also includes a static NAT translation for the DNS server,[...]

  • Page 93

    3-33 Where to Go Next Figure 3-26 shows an FTP server and DNS server on the outside. The ASA has a static translation for the outside server. In this case, when an inside user performs a reverse DNS lookup for 10.1.2.56, the ASA modifies the reverse DNS query[...]

  • Page 94

    3-34 Where to Go Next[...]

  • Page 95

    CHAPTER 4-1 Cisco ASA Series Firewall CLI Configuration Guide 4 Configuring Network Object NAT All NAT rules that are configured as a parameter of a network object are considered to be network object NAT rules. Network object NAT is a quick and easy way to configure NAT for a single IP address, a range of addresses, or a subnet. Afte[...]

  • Page 96

    4-2 Licensing Requirements for Network Object NAT Licensing Requirements for Network Object NAT The following table shows the licensing requirements for this feature: Prerequisites for Network Object NAT Depending on the configuration, you can configure [...]

  • Page 97

    4-3 Default Settings Additional Guidelines • You can only define a single NAT rule for a given object; if you want to configure multiple NAT rules for an object, you need to create multiple objects with different names that specify the same IP a[...]

  • Page 98

    4-4 Configuring Network Object NAT Configuring Network Object NAT This section describes how to configure network object NAT and includes the following topics: • Adding Network Objects for Mapped Addresses, page 4-4 • Configuring Dynamic NAT [...]

  • Page 99

    4-5 Configuring Network Object NAT Detailed Steps Configuring Dynamic NAT This section describes how to configure network object NAT for dynamic NAT. For more information, see the “Dynamic NAT” section on page 3-7. Detailed Steps Command Purp[...]

  • Page 100

    4-6 Configuring Network Object NAT Examples The following example configures dynamic NAT that hides the 192.168.2.0 network behind a range of outside addresses 10.2.2.1 through 10.2.2.10: ciscoasa(config)# object network my-range-obj ciscoasa(config-netwo[...]

  • Page 101

    4-7 Configuring Network Object NAT ciscoasa(config-network-object)# host 10.10.10.21 ciscoasa(config-network-object)# object-group network nat-pat-grp ciscoasa(config-network-object)# network-object object nat-range1 ciscoasa(config-network-object)# networ[...]

  • Page 102

    4-8 Configuring Network Object NAT • If you enable extended PAT for a dynamic PAT rule, then you cannot also use an address in the PAT pool as the PAT address in a separate static NAT-with-port-translation rule. For example, if the PAT p[...]

  • Page 103

    4-9 Configuring Network Object NAT Step 4 nat [(real_ifc,mapped_ifc)] dynamic {mapped_inline_host_ip | mapped_obj | pat-pool mapped_obj [round-robin] [extended] [flat [include-reserve]] | interface [ipv6]} [interface [ipv6]] [dns] Exam[...]

  • Page 104

    4-10 Configuring Network Object NAT Examples The following example configures dynamic PAT that hides the 192.168.2.0 network behind address 10.2.2.2: ciscoasa(config)# object network my-inside-net ciscoasa(config-network-object)# subnet 192.168.2.0 255[...]

  • Page 105

    4-11 Configuring Network Object NAT The following example configures dynamic PAT with a PAT pool to translate the inside IPv6 network to an outside IPv4 network: ciscoasa(config)# object network IPv4_POOL ciscoasa(config-network-object)# range 203.0.[...]

  • Page 106

    4-12 Configuring Network Object NAT Step 3 {host ip_address | subnet subnet_address netmask | range ip_address_1 ip_address_2} Example: ciscoasa(config-network-object)# subnet 10.2.1.0 255.255.255.0 If you are creating a new network object, defines the [...]

  • Page 107

    4-13 Configuring Network Object NAT Step 4 nat [(real_ifc,mapped_ifc)] static {mapped_inline_ip | mapped_obj | interface [ipv6]} [net-to-net] [dns | service {tcp | udp} real_port mapped_port] [no-proxy-arp] Example: ciscoasa(config-network[...]

  • Page 108

    4-14 Configuring Network Object NAT Examples The following example configures static NAT for the real host 10.1.1.1 on the inside to 10.2.2.2 on the outside with DNS rewrite enabled. ciscoasa(config)# object network my-host-obj1 ciscoasa(config-network[...]

  • Page 109

    4-15 Configuring Network Object NAT Example The following example maps a host address to itself using an inline mapped address: ciscoasa(config)# object network my-host-obj1 ciscoasa(config-network-object)# host 10.1.1.1 ciscoasa(config-network-object)#[...]

  • Page 110

    4-16 Configuring Network Object NAT The following example maps a host address to itself using a network object: ciscoasa(config)# object network my-host-obj1-identity ciscoasa(config-network-object)# host 10.1.1.1 ciscoasa(config-network-object)# object [...]

  • Page 111

    4-17 Monitoring Network Object NAT Detailed Steps Examples The following example creates a deny rule for H.323 traffic, so that it uses multi-session PAT: ciscoasa(config)# xlate per-session deny tcp any4 209.165.201.7 eq 1720 ciscoasa(config)# xlate [...]

  • Page 112

    4-18 Configuration Examples for Network Object NAT Configuration Examples for Network Object NAT This section includes the following configuration examples: • Providing Access to an Inside Web Server (Static NAT), page 4-19 • NAT for Inside Host[...]

  • Page 113

    4-19 Configuration Examples for Network Object NAT Providing Access to an Inside Web Server (Static NAT) The following example performs static NAT for an inside web server. The real address is on a private network, so a public address is required. [...]

  • Page 114

    4-20 Configuration Examples for Network Object NAT Figure 4-2 Dynamic NAT for Inside, Static NAT for Outside Web Server Step 1 Create a network object for the dynamic NAT pool to which you want to translate the inside addresses: ciscoasa(config)# [...]

  • Page 115

    4-21 Configuration Examples for Network Object NAT Inside Load Balancer with Multiple Mapped Addresses (Static NAT, One-to-Many) The following example shows an inside load balancer that is translated to multiple IP addresses. When an outside host access[...]

  • Page 116

    4-22 Configuration Examples for Network Object NAT Single Address for FTP, HTTP, and SMTP (Static NAT-with-Port-Translation) The following static NAT-with-port-translation example provides a single address for remote users to access FTP, HTTP, and[...]

  • Page 117

    4-23 Configuration Examples for Network Object NAT Step 5 Create a network object for the SMTP server address: ciscoasa(config)# object network SMTP_SERVER Step 6 Define the SMTP server address, and configure static NAT with identity port translatio[...]

  • Page 118

    4-24 Configuration Examples for Network Object NAT When an inside host sends a DNS request for the address of ftp.cisco.com, the DNS server replies with the mapped address (209.165.201.10). The ASA refers to the static rule for the inside server and tr[...]

  • Page 119

    4-25 Configuration Examples for Network Object NAT DNS Server and FTP Server on Mapped Interface, FTP Server is Translated (Static NAT with DNS Modification) Figure 4-6 shows an FTP server and DNS server on the outside. The ASA has a static translation[...]

  • Page 120

    4-26 Configuration Examples for Network Object NAT IPv4 DNS Server and FTP Server on Mapped Interface, IPv6 Host on Real Interface (Static NAT64 with DNS64 Modification) Figure 4-6 shows an FTP server and DNS server on the outside IPv4 network. The ASA h[...]

  • Page 121

    4-27 Configuration Examples for Network Object NAT Step 2 Configure NAT for the DNS server. a. Create a network object for the DNS server address. ciscoasa(config)# object network DNS_SERVER b. Define the DNS server address, and configure static NA [...]

  • Page 122

    4-28 Feature History for Network Object NAT Feature History for Network Object NAT Table 4-1 lists each feature change and the platform release in which it was implemented. Table 4-1 Feature History for Network Object NAT Feature Name Platform [...]

  • Page 123

    4-29 Feature History for Network Object NAT Flat range of PAT ports for a PAT pool 8.4(3) If available, the real source port number is used for the mapped port. However, if the real port is not available, by default the mapped ports are chose[...]

  • Page 124

    4-30 Feature History for Network Object NAT Automatic NAT rules to translate a VPN peer’s local IP address back to the peer’s real IP address 8.4(3) In rare situations, you might want to use a VPN peer’s real IP address on the inside network in[...]

  • Page 125

    4-31 Feature History for Network Object NAT NAT support for reverse DNS lookups 9.0(1) NAT now supports translation of the DNS PTR record for reverse DNS lookups when using IPv4 NAT, IPv6 NAT, and NAT64 with DNS inspection enabled for th[...]

  • Page 126

    4-32 Feature History for Network Object NAT[...]

  • Page 127

    CHAPTER 5-1 Cisco ASA Series Firewall CLI Configuration Guide 5 Configuring Twice NAT Twice NAT lets you identify both the source and destination address in a single rule. This chapter shows you how to configure twice NAT and includes the following sections: • Information About Twice NAT, page 5-1 • Licensing Requirements fo[...]

  • Page 128

    5-2 Licensing Requirements for Twice NAT Twice NAT also lets you use service objects for static NAT-with-port-translation; network object NAT only accepts inline definition. For detailed information about the differences between twice NAT and network obj[...]

  • Page 129

    5-3 Guidelines and Limitations • For routed mode, you can also translate between IPv4 and IPv6. • For transparent mode, translating between IPv4 and IPv6 networks is not supported. Translating between two IPv6 networks, or between two IPv4 networks is support[...]

  • Page 130

    5-4 Default Settings • You can use the same objects in multiple rules. • The mapped IP address pool cannot include: – The mapped interface IP address. If you specify any interface for the rule, then all interface IP addresses are disallowed. For interface[...]

  • Page 131

    5-5 Configuring Twice NAT Guidelines • A network object group can contain objects and/or inline addresses of either IPv4 or IPv6 addresses. The group cannot contain both IPv4 and IPv6 addresses; it must contain one type only. • See the “Guidelines and Li[...]

  • Page 132

    5-6 Configuring Twice NAT Detailed Steps (Optional) Adding Service Objects for Real and Mapped Ports Configure service objects for: • Source real port (Static only) or Destination real port • Source mapped port (Static only) or Destination mapped port For more [...]

  • Page 133

    5-7 Configuring Twice NAT • Source Dynamic PAT (Hide)—Source Dynamic PAT does not support port translation. • Source Static NAT or Static NAT with port translation—A service object can contain both a source and destination port; however, you sho[...]

  • Page 134

    5-8 Configuring Twice NAT Detailed Steps Command Purpose Step 1 Create network objects or groups for the: • Source real addresses • Source mapped addresses • Destination real addresses • Destination mapped addresses See the “Adding Network Objects for Rea[...]

  • Page 135

    5-9 Configuring Twice NAT Step 3 nat [(real_ifc,mapped_ifc)] [line | {after-auto [line]}] source dynamic {real_obj | any} {mapped_obj [interface [ipv6]]} [destination static {mapped_obj | interface [ipv6]} real_obj] [service mapped_dest_svc_obj [...]

  • Page 136

    5-10 Configuring Twice NAT (Continued) • Destination addresses (Optional): – Mapped—Specify a network object or group, or for static interface NAT with port translation only, specify the interface keyword. If you specify ipv6, then the IPv6 address of th[...]

  • Page 137

    5-11 Configuring Twice NAT Examples The following example configures dynamic NAT for inside network 10.1.1.0/24 when accessing servers on the 209.165.201.1/27 network as well as servers on the 203.0.113.0/24 network: ciscoasa(config)# object network INSIDE_NW[...]

  • Page 138

    5-12 Configuring Twice NAT • If available, the real source port number is used for the mapped port. However, if the real port is not available, by default the mapped ports are chosen from the same range of ports as the real port number: 0 to 511, 512 to 1023, a[...]

  • Page 139

    5-13 Configuring Twice NAT Detailed Steps Command Purpose Step 1 Create network objects or groups for the: • Source real addresses • Source mapped addresses • Destination real addresses • Destination mapped addresses See the “Adding Network Objects for [...]

  • Page 140

    5-14 Configuring Twice NAT Step 3 nat [(real_ifc,mapped_ifc)] [line | {after-auto [line]}] source dynamic {real_obj | any} {mapped_obj [interface [ipv6]] | [pat-pool mapped_obj [round-robin] [extended] [flat [include-reserve]] [interface [ipv6[...]

  • Page 141

    5-15 Configuring Twice NAT (continued) For a PAT pool, you can specify one or more of the following options: -- Round robin—The round-robin keyword enables round-robin address allocation for a PAT pool. Without round robin, by default all ports for a P[...]

  • Page 142

    5-16 Configuring Twice NAT (continued) • Destination addresses (Optional): – Mapped—Specify a network object or group, or for static interface NAT with port translation only (routed mode), specify the interface keyword. If you specify ipv6, then the IPv6[...]

  • Page 143

    5-17 Configuring Twice NAT Examples The following example configures interface PAT for inside network 192.168.1.0/24 when accessing outside Telnet server 209.165.201.23, and Dynamic PAT using a PAT pool when accessing any server on the 203.0.113.0/24 ne[...]

  • Page 144

    5-18 Configuring Twice NAT Configuring Static NAT or Static NAT-with-Port-Translation This section describes how to configure a static NAT rule using twice NAT. For more information about static NAT, see the “Static NAT” section on page 3-3. Detailed S[...]

  • Page 145

    5-19 Configuring Twice NAT Step 3 nat [(real_ifc,mapped_ifc)] [line | {after-object [line]}] source static real_obj [mapped_obj | interface [ipv6]] [destination static {mapped_obj | interface [ipv6]} real_obj] [service real_src_mapped_dest_svc_obj m[...]

  • Page 146

    5-20 Configuring Twice NAT Examples The following example shows the use of static interface NAT with port translation. Hosts on the outside access an FTP server on the inside by connecting to the outside interface IP address with destination port 65000 through 6[...]

  • Page 147

    5-21 Configuring Twice NAT to the command keywords; the actual source and destination address and port in a packet depends on which host sent the packet. In this example, connections are originated from outside to inside, so the “source” address and port of[...]

  • Page 148

    5-22 Configuring Twice NAT Detailed Steps Command Purpose Step 1 Create network objects or groups for the: • Source real addresses (you will typically use the same object for the source mapped addresses) • Destination real addresses • Destination mapped addre[...]

  • Page 149

    5-23 Configuring Twice NAT Step 3 nat [(real_ifc,mapped_ifc)] [line | {after-object [line]}] source static {nw_obj nw_obj | any any} [destination static {mapped_obj | interface [ipv6]} real_obj] [service real_src_mapped_dest_svc_obj mapped_src_real_[...]

  • Page 150

    5-24 Monitoring Twice NAT Configuring Per-Session PAT Rules By default, all TCP PAT traffic and all UDP DNS traffic uses per-session PAT. To use multi-session PAT for traffic, you can configure per-session PAT rules: a permit rule uses per-session PAT[...]

  • Page 151

    5-25 Configuration Examples for Twice NAT Configuration Examples for Twice NAT This section includes the following configuration examples: • Different Translation Depending on the Destination (Dynamic PAT), page 5-25 • Different Translation Depending on [...]

  • Page 152

    5-26 Configuration Examples for Twice NAT Step 4 Configure the first twice NAT rule: ciscoasa(config)# nat (inside,dmz) source dynamic myInsideNetwork PATaddress1 destination static DMZnetwork1 DMZnetwork1 Because you do not want to translate the destination addr[...]

  • Page 153

    5-27 Configuration Examples for Twice NAT Different Translation Depending on the Destination Address and Port (Dynamic PAT) Figure 5-2 shows the use of source and destination ports. The host on the 10.1.2.0/24 network accesses a single host for both web services [...]

  • Page 154

    5-28 Configuration Examples for Twice NAT Step 5 Configure the first twice NAT rule: ciscoasa(config)# nat (inside,outside) source dynamic myInsideNetwork PATaddress1 destination static TelnetWebServer TelnetWebServer service TelnetObj TelnetObj Because you do not [...]

  • Page 155

    5-29 Feature History for Twice NAT Feature History for Twice NAT Table 5-1 lists each feature change and the platform release in which it was implemented. Table 5-1 Feature History for Twice NAT Feature Name Platform Releases Feature Information Twice NA[...]

  • Page 156

    5-30 Feature History for Twice NAT Round robin PAT pool allocation uses the same IP address for existing hosts 8.4(3) When using a PAT pool with round robin allocation, if a host has an existing connection, then subsequent connections from that host will use the [...]

  • Page 157

    5-31 Feature History for Twice NAT Automatic NAT rules to translate a VPN peer’s local IP address back to the peer’s real IP address 8.4(3) In rare situations, you might want to use a VPN peer’s real IP address on the inside network instead of an assign[...]

  • Page 158

    5-32 Feature History for Twice NAT NAT support for reverse DNS lookups 9.0(1) NAT now supports translation of the DNS PTR record for reverse DNS lookups when using IPv4 NAT, IPv6 NAT, and NAT64 with DNS inspection enabled for the NAT rule. Per-sessi[...]

  • Page 159

    PART 3 Configuring Access Control[...]

  • Page 160

    [...]

  • Page 161

    CHAPTER 6-1 Cisco ASA Series Firewall CLI Configuration Guide 6 Configuring Access Rules This chapter describes how to control network access through the ASA using access rules and includes the following sections: • Information About Access Rules, page 6-1 • Licensing Requirements for Access Rules, page 6-7 • Prerequisites, page 6[...]

  • Page 162

    6-2 Information About Access Rules • Information About EtherType Rules, page 6-6 General Information About Rules This section describes information for both access rules and EtherType rules, and it includes the following topics: • Implicit Permits, page 6[...]

  • Page 163

    6-3 Information About Access Rules Implicit Deny ACLs have an implicit deny at the end of the list, so unless you explicitly permit it, traffic cannot pass. For example, if you want to allow all users to access a network through the ASA except for particula[...]

  • Page 164

    6-4 Information About Access Rules Figure 6-1 Outbound ACL See the following commands for this example: ciscoasa(config)# access-list OUTSIDE extended permit tcp host 10.1.1.14 host 209.165.200.225 eq www ciscoasa(config)# access-list OUTSIDE extended permit tcp[...]

6-5 Chapter 6 Configuring Access Rules Information About Access Rules Firewall Mode Guidelines Supported in routed and transparent firewall mode. IPv6 Guidelines Supports IPv6. Additional Guidelines and Limitations Evaluate the following alternatives before using the transactional commit m[...]

6-6 Chapter 6 Configuring Access Rules Information About Access Rules Table 6-1 lists common traffic types that you can allow through the transparent firewall. Management Access Rules You can configure access rules that control management traffic destined to the ASA. Access control rul[...]

6-7 Chapter 6 Configuring Access Rules Licensing Requirements for Access Rules Access Rules for Returning Traffic Because EtherTypes are connectionless, you need to apply the rule to both interfaces if you want traffic to pass in both directions. Allowing MPLS If you allow MPLS, ensure tha[...]

6-8 Chapter 6 Configuring Access Rules Guidelines and Limitations Per-User ACL Guidelines • The per-user ACL uses the value in the timeout uauth command, but it can be overridden by the AAA per-user session timeout value. • If traffic is denied because of a per-user ACL, syslog messag[...]

6-9 Chapter 6 Configuring Access Rules Guidelines and Limitations Detailed Steps Examples The following example shows how to use the access-group command: hostname(config)# access-list outside_access permit tcp any host 209.165.201.3 eq 80 hostname(config)# access-group outside_access interface o[...]

6-10 Chapter 6 Configuring Access Rules Monitoring Access Rules Monitoring Access Rules To monitor network access, enter the following command: Configuration Examples for Permitting or Denying Network Access This section includes typical configuration examples for permitting or denying netwo[...]

6-11 Chapter 6 Configuring Access Rules Feature History for Access Rules hostname(config-service)# service-object tcp source range 2000 3000 hostname(config-service)# service-object tcp source range 3000 3010 destinatio$ hostname(config-service)# service-object ipsec hostname(config-service)# s[...]

6-12 Chapter 6 Configuring Access Rules Feature History for Access Rules Unified ACL for IPv4 and IPv6 9.0(1) ACLs now support IPv4 and IPv6 addresses. You can even specify a mix of IPv4 and IPv6 addresses for the source and destination. The any keyword was changed to represent IPv4 and IP[...]

7-1 CHAPTER 7 Configuring AAA Rules for Network Access This chapter describes how to enable AAA (pronounced “triple A”) for network access. For information about AAA for management access, see the general operations configuration guide. This chapter includes the following sections: • [...]

7-2 Chapter 7 Configuring AAA Rules for Network Access Guidelines and Limitations Guidelines and Limitations This section includes the guidelines and limitations for this feature. Context Mode Guidelines Supported in single and multiple context mode. Firewall Mode Guidelines Supported in routed [...]

7-3 Chapter 7 Configuring AAA Rules for Network Access Configuring Authentication for Network Access One-Time Authentication A user at a given IP address only needs to authenticate one time for all rules and types, until the authentication session expires. (See the timeout uauth command in t[...]

7-4 Chapter 7 Configuring AAA Rules for Network Access Configuring Authentication for Network Access Note If you use HTTP authentication, by default the username and password are sent from the client to the ASA in clear text; in addition, the username and password are sent on to the destina[...]

7-5 Chapter 7 Configuring AAA Rules for Network Access Configuring Authentication for Network Access • For Telnet and FTP traffic, users must log in through the cut-through proxy server and again to the Telnet and FTP servers. • A user can specify an Active Directory domain while prov[...]

7-6 Chapter 7 Configuring AAA Rules for Network Access Configuring Authentication for Network Access nat (inside,outside) static 10.48.66.155 service tcp 111 889 Then users do not see the authentication page. Instead, the ASA sends an error message to the web browser, indicating that the user [...]

7-7 Chapter 7 Configuring AAA Rules for Network Access Configuring Authentication for Network Access Configuring Network Access Authentication To configure network access authentication, perform the following steps: Command Purpose Step 1 aaa-server Example: ciscoasa(config)# aaa-server AuthO[...]

7-8 Chapter 7 Configuring AAA Rules for Network Access Configuring Authentication for Network Access Examples The following example authenticates all inside HTTP traffic and SMTP traffic: ciscoasa(config)# aaa-server AuthOutbound protocol tacacs+ ciscoasa(config-aaa-server-group)# exit ciscoas[...]

7-9 Chapter 7 Configuring AAA Rules for Network Access Configuring Authentication for Network Access The following example shows a typical cut-through proxy configuration to allow a user to log in through the ASA. In this example, the following conditions apply: • The ASA IP address is 19[...]

7-10 Chapter 7 Configuring AAA Rules for Network Access Configuring Authentication for Network Access For more information about authentication, see the “Information About Authentication” section on page 7-2. Enabling Secure Authentication of Web Clients If you use HTTP authentication, by[...]

7-11 Chapter 7 Configuring AAA Rules for Network Access Configuring Authentication for Network Access nat (inside,outside) static 10.132.16.200 service tcp 443 443 Authenticating Directly with the ASA If you do not want to allow HTTP, HTTPS, Telnet, or FTP through the ASA but want to authent[...]

7-12 Chapter 7 Configuring AAA Rules for Network Access Configuring Authentication for Network Access Authenticating Telnet Connections with a Virtual Server Although you can configure network access authentication for any protocol or service (see the aaa authentication match or aaa authenticat[...]

7-13 Chapter 7 Configuring AAA Rules for Network Access Configuring Authentication for Network Access Examples The following example shows how to enable virtual Telnet together with AAA authentication for other services: ciscoasa(config)# virtual telnet 209.165.202.129 ciscoasa(config)# access[...]

7-14 Chapter 7 Configuring AAA Rules for Network Access Configuring Authorization for Network Access Configuring Authorization for Network Access After a user authenticates for a given connection, the ASA can use authorization to further control traffic from the user. This section includes the f[...]

7-15 Chapter 7 Configuring AAA Rules for Network Access Configuring Authorization for Network Access To configure TACACS+ authorization, perform the following steps: Command Purpose Step 1 aaa-server Example: ciscoasa(config)# aaa-server AuthOutbound protocol tacacs+ Identifies your AAA se[...]

7-16 Chapter 7 Configuring AAA Rules for Network Access Configuring Authorization for Network Access Examples The following example authenticates and authorizes inside Telnet traffic. Telnet traffic to servers other than 209.165.201.5 can be authenticated alone, but traffic to 209.165.20[...]

7-17 Chapter 7 Configuring AAA Rules for Network Access Configuring Authorization for Network Access ciscoasa(config-aaa-server-host)# key TACPlusUauthKey ciscoasa(config-aaa-server-host)# exit ciscoasa(config)# aaa authentication match TELNET_AUTH inside AuthOutbound ciscoasa(config)# aaa author[...]

7-18 Chapter 7 Configuring AAA Rules for Network Access Configuring Authorization for Network Access • Simplified and centralized management of ACLs—Downloadable ACLs enable you to write a set of ACLs once and apply it to many user or group profiles and distribute it to many ASAs. This[...]

7-19 Chapter 7 Configuring AAA Rules for Network Access Configuring Authorization for Network Access ip:inacl#n=ACE-n ip:inacl#1=permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0 6. If the ACL required is more than approximately 4 KB in length, Cisco Secure ACS responds with an access-chall[...]

7-20 Chapter 7 Configuring AAA Rules for Network Access Configuring Authorization for Network Access The downloaded ACL on the ASA consists of the following lines: access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit tcp any host 10.0.0.254 access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 p[...]

7-21 Chapter 7 Configuring AAA Rules for Network Access Configuring Accounting for Network Access Converting Wildcard Netmask Expressions in Downloadable ACLs If a RADIUS server provides downloadable ACLs to Cisco VPN 3000 series concentrators as well as to the ASA, y[...]

7-22 Chapter 7 Configuring AAA Rules for Network Access Configuring Accounting for Network Access To configure accounting, perform the following steps: Examples The following example authenticates, authorizes, and accounts for inside Telnet traffic. Telnet traffic to servers other than[...]

7-23 Chapter 7 Configuring AAA Rules for Network Access Using MAC Addresses to Exempt Traffic from Authentication and Authorization ciscoasa(config)# aaa accounting match SERVER_AUTH inside AuthOutbound AAA provides an extra level of protection and control for user access than using ACLs alon[...]

7-24 Chapter 7 Configuring AAA Rules for Network Access Using MAC Addresses to Exempt Traffic from Authentication and Authorization To use MAC addresses to exempt traffic from authentication and authorization, perform the following steps: Examples The following example bypasses authenticat[...]

7-25 Chapter 7 Configuring AAA Rules for Network Access Feature History for AAA Rules The following example bypasses authentication for a group of MAC addresses except for 00a0.c95d.02b2. Enter the deny statement before the permit statement, because 00a0.c95d.02b2 matches the permit statement [...]

7-26 Chapter 7 Configuring AAA Rules for Network Access Feature History for AAA Rules[...]

PART 4 Configuring Application Inspection[...]

9-1 CHAPTER 9 Getting Started with Application Layer Protocol Inspection This chapter describes how to configure application layer protocol inspection. Inspection engines are required for services that embed IP addressing information in the user data packet or that open secondary channels [...]

9-2 Chapter 9 Getting Started with Application Layer Protocol Inspection Information about Application Layer Protocol Inspection Figure 9-1 How Inspection Engines Work In Figure 9-1, operations are numbered in the order they occur, and are described as follows: 1. A TCP SYN packet arri[...]

9-3 Chapter 9 Getting Started with Application Layer Protocol Inspection Guidelines and Limitations When you enable application inspection for a service that embeds IP addresses, the ASA translates embedded addresses and updates any checksum or other fields that are affected by the translatio[...]

9-4 Chapter 9 Getting Started with Application Layer Protocol Inspection Default Settings and NAT Limitations Inspected protocols are subject to advanced TCP-state tracking, and the TCP state of these connections is not automatically replicated. While these connections are replicated to the s[...]

9-5 Chapter 9 Getting Started with Application Layer Protocol Inspection Default Settings and NAT Limitations ICMP ERROR — — — — ILS (LDAP) TCP/389 No extended PAT. No NAT64. — — Instant Messaging (IM) Varies by client No extended PAT. No NAT64. RFC 3860 — IP Options ?[...]

9-6 Chapter 9 Getting Started with Application Layer Protocol Inspection Default Settings and NAT Limitations The default policy configuration includes the following commands: SIP TCP/5060 UDP/5060 No outside NAT. No NAT on same security interfaces. No extended PAT. No per-session P[...]

9-7 Chapter 9 Getting Started with Application Layer Protocol Inspection Configuring Application Layer Protocol Inspection class-map inspection_default match default-inspection-traffic policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum [...]

9-8 Chapter 9 Getting Started with Application Layer Protocol Inspection Configuring Application Layer Protocol Inspection You can specify a match access-list command along with the match default-inspection-traffic command to narrow the matched traffic to specific IP addresses. Because th[...]

9-9 Chapter 9 Getting Started with Application Layer Protocol Inspection Configuring Application Layer Protocol Inspection • H323—See the “Configuring an H.323 Inspection Policy Map for Additional Inspection Control” section on page 11-6 • HTTP—See the “Configuring an HTTP Inspe[...]

9-10 Chapter 9 Getting Started with Application Layer Protocol Inspection Configuring Application Layer Protocol Inspection class in Step 5. Do not add another class that matches SNMP. Step 5 Enable application inspection by entering the following command: ciscoasa(config-pmap-c)# inspect [...]

9-11 Chapter 9 Getting Started with Application Layer Protocol Inspection Configuring Application Layer Protocol Inspection http [map_name] If you added an HTTP inspection policy map according to the “Configuring an HTTP Inspection Policy Map for Additional Inspection Control” sectio[...]

9-12 Chapter 9 Getting Started with Application Layer Protocol Inspection Configuring Application Layer Protocol Inspection Step 6 To activate the policy map on one or more interfaces, enter the following command: ciscoasa(config)# service-policy policymap_name {global | interface inter[...]

10-1 CHAPTER 10 Configuring Inspection of Basic Internet Protocols This chapter describes how to configure application layer protocol inspection. Inspection engines are required for services that embed IP addressing information in the user data packet or that open secondary channels on dyn[...]

10-2 Chapter 10 Configuring Inspection of Basic Internet Protocols DNS Inspection • Configuring DNS Inspection, page 10-8 • Monitoring DNS Inspection, page 10-9 Information About DNS Inspection • General Information About DNS, page 10-2 • DNS Inspection Actions, page 10-2 General Info[...]

10-3 Chapter 10 Configuring Inspection of Basic Internet Protocols DNS Inspection policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 dns-guard protocol-enforcement nat-rewrite policy-map global_policy class inspection_default inspe[...]

10-4 Chapter 10 Configuring Inspection of Basic Internet Protocols DNS Inspection policy-map type inspect dns name Example: ciscoasa(config)# policy-map type inspect dns dns-map Creates an inspection policy map in which you want to match traffic directly. You can specify multiple match comma[...]

10-5 Chapter 10 Configuring Inspection of Basic Internet Protocols DNS Inspection Step 4 match [not] dns-class {eq {in | c_val}} | range c_val1 c_val2} For direct match only: {drop [log] | drop-connection [log] | enforce-tsig {[drop] [log]} | log} Example: ciscoasa(config-pmap)# [...]

10-6 Chapter 10 Configuring Inspection of Basic Internet Protocols DNS Inspection Step 6 match [not] domain-name regex {regex_id | class class_id] For direct match only: {drop [log] | drop-connection [log] | enforce-tsig {[drop] [log]} | log} Example: ciscoasa(config-pmap)# match doma[...]

10-7 Chapter 10 Configuring Inspection of Basic Internet Protocols DNS Inspection Step 7 (If you are using a DNS inspection class map) policy-map type inspect dns name class class_map_name {drop [log] | drop-connection [log] | enforce-tsig {[drop] [log]} | mask [log] | log} Example: c[...]

10-8 Chapter 10 Configuring Inspection of Basic Internet Protocols DNS Inspection Examples The following example shows how to define a DNS inspection policy map. regex domain_example “example.com” regex domain_foo “foo.com” ! define the domain names that the server serves class-ma[...]

10-9 Chapter 10 Configuring Inspection of Basic Internet Protocols DNS Inspection Examples The following example shows how to use a new inspection policy map in the global default configuration: policy-map global_policy class inspection_default no inspect dns preset_dns_map inspect dns new[...]

10-10 Chapter 10 Configuring Inspection of Basic Internet Protocols FTP Inspection For connections using a DNS server, the source port of the connection may be replaced by the IP address of the DNS server in the show conn command output. A single connection is created for multiple DNS sessions, a[...]

10-11 Chapter 10 Configuring Inspection of Basic Internet Protocols FTP Inspection Using the strict Option Using the strict option with the inspect ftp command increases the security of protected networks by preventing web browsers from sending embedded commands in FTP requests. Note To spec[...]

10-12 Chapter 10 Configuring Inspection of Basic Internet Protocols FTP Inspection Configuring an FTP Inspection Policy Map for Additional Inspection Control FTP command filtering and security checks are provided using strict FTP inspection for improved security and control. Protocol conforma[...]

10-13 Chapter 10 Configuring Inspection of Basic Internet Protocols FTP Inspection d. (Optional) To match a file type for FTP transfer, enter the following command: ciscoasa(config-cmap)# match [not] filetype regex [regex_name | class regex_class_name] Where the regex_name is th[...]

10-14 Chapter 10 Configuring Inspection of Basic Internet Protocols FTP Inspection Step 5 (Optional) To add a description to the policy map, enter the following command: ciscoasa(config-pmap)# description string Step 6 To apply actions to matching traffic, perform the following steps. a. Sp[...]

10-15 Chapter 10 Configuring Inspection of Basic Internet Protocols HTTP Inspection ciscoasa(config-pmap)# parameters ciscoasa(config-pmap-p)# mask-banner ciscoasa(config)# class-map match-all ftp-traffic ciscoasa(config-cmap)# match port tcp eq ftp ciscoasa(config)# policy-map ftp-policy ciscoa[...]

10-16 Chapter 10 Configuring Inspection of Basic Internet Protocols HTTP Inspection The enhanced HTTP inspection feature, which is also known as an application firewall and is available when you configure an HTTP map (see “Configuring an HTTP Inspection Policy Map for Additional Inspection[...]

10-17 Chapter 10 Configuring Inspection of Basic Internet Protocols HTTP Inspection ciscoasa(config-cmap)# description string c. (Optional) To match traffic with a content-type field in the HTTP response that does not match the accept field in the corresponding HTTP request message, enter t[...]

10-18 Chapter 10 Configuring Inspection of Basic Internet Protocols HTTP Inspection Where the regex regex_name argument is the regular expression you created in Step 1. The class regex_class_name is the regular expression class map you created in Step 2. The length gt max_bytes is [...]

10-19 Chapter 10 Configuring Inspection of Basic Internet Protocols HTTP Inspection The reset keyword drops the packet, closes the connection, and sends a TCP reset to the server and/or client. The log keyword, which you can use alone or with one of the other keywords, sends a system l[...]

10-20 Chapter 10 Configuring Inspection of Basic Internet Protocols ICMP Inspection ICMP Inspection The ICMP inspection engine allows ICMP traffic to have a “session” so it can be inspected like TCP and UDP traffic. Without the ICMP inspection engine, we recommend that you do not allow ICM[...]

10-21 Chapter 10 Configuring Inspection of Basic Internet Protocols Instant Messaging Inspection Configuring an Instant Messaging Inspection Policy Map for Additional Inspection Control To specify actions when a message violates a parameter, create an IM inspection policy map. You can then[...]

10-22 Chapter 10 Configuring Inspection of Basic Internet Protocols Instant Messaging Inspection Where the regex regex_name argument is the regular expression you created in Step 1. The class regex_class_name is the regular expression class map you created in Step 2. f. (Optional)[...]

10-23 Chapter 10 Configuring Inspection of Basic Internet Protocols IP Options Inspection You can specify multiple class or match commands in the policy map. For information about the order of class and match commands, see the “Defining Actions in an Inspection Policy Map” section on pa[...]

10-24 Chapter 10 Configuring Inspection of Basic Internet Protocols IP Options Inspection • IP Options Inspection Overview, page 10-24 • Configuring an IP Options Inspection Policy Map for Additional Inspection Control, page 10-25 IP Options Inspection Overview Each IP packet contains an[...]

10-25 Chapter 10 Configuring Inspection of Basic Internet Protocols IPsec Pass Through Inspection Configuring an IP Options Inspection Policy Map for Additional Inspection Control Step 1 To create an IP Options inspection policy map, enter the following command: ciscoasa(config)# policy-map[...]

10-26 Chapter 10 Configuring Inspection of Basic Internet Protocols IPv6 Inspection • IPsec Pass Through Inspection Overview, page 10-26 • “Example for Defining an IPsec Pass Through Parameter Map” section on page 10-26 IPsec Pass Through Inspection Overview Internet Protocol Securi[...]

10-27 Chapter 10 Configuring Inspection of Basic Internet Protocols IPv6 Inspection Information about IPv6 Inspection IPv6 inspection lets you selectively log or drop IPv6 traffic based on the extension header. In addition, IPv6 inspection can check conformance to RFC 2460 for type and ord[...]

10-28 Chapter 10 Configuring Inspection of Basic Internet Protocols IPv6 Inspection Detailed Steps Examples The following example creates an inspection policy map that will drop and log all IPv6 packets with the hop-by-hop, destination-option, routing-address, and routing type 0 headers: po[...]

10-29 Chapter 10 Configuring Inspection of Basic Internet Protocols IPv6 Inspection drop log match header destination-option drop log match header routing-address count gt 0 drop log match header routing-type eq 0 drop log Configuring IPv6 Inspection To enable IPv6 inspection, perform the foll[...]

10-30 Chapter 10 Configuring Inspection of Basic Internet Protocols NetBIOS Inspection Examples The following example drops all IPv6 traffic with the hop-by-hop, destination-option, routing-address, and routing type 0 headers: policy-map type inspect ipv6 ipv6-pm parameters match header hop-by[...]

10-31 Chapter 10 Configuring Inspection of Basic Internet Protocols NetBIOS Inspection Step 4 (Optional) To add a description to the policy map, enter the following command: ciscoasa(config-pmap)# description string Step 5 To apply actions to matching traffic, perform the following steps. [...]

10-32 Chapter 10 Configuring Inspection of Basic Internet Protocols PPTP Inspection ciscoasa(config)# policy-map netbios_policy ciscoasa(config-pmap)# class inspection_default ciscoasa(config-pmap-c)# inspect netbios netbios_map PPTP Inspection PPTP is a protocol for tunneling PPP traffic. A PPT[...]

10-33 Chapter 10 Configuring Inspection of Basic Internet Protocols SMTP and Extended SMTP Inspection includes support for SMTP sessions. Most commands used in an extended SMTP session are the same as those used in an SMTP session, but an ESMTP session is considerably faster and offers more op[...]

10-34 Chapter 10 Configuring Inspection of Basic Internet Protocols SMTP and Extended SMTP Inspection To specify actions when a message violates a parameter, create an ESMTP inspection policy map. You can then apply the inspection policy map when you enable ESMTP inspection. To create a[...]

10-35 Chapter 10 Configuring Inspection of Basic Internet Protocols TFTP Inspection Step 6 To configure parameters that affect the inspection engine, perform the following steps: a. To enter parameters configuration mode, enter the following command: ciscoasa(config-pmap)# parameters c[...]

10-36 Chapter 10 Configuring Inspection of Basic Internet Protocols TFTP Inspection[...]

11-1 CHAPTER 11 Configuring Inspection for Voice and Video Protocols This chapter describes how to configure application layer protocol inspection. Inspection engines are required for services that embed IP addressing information in the user data packet or that open secondary channels on d[...]

11-2 Chapter 11 Configuring Inspection for Voice and Video Protocols CTIQBE Inspection Limitations and Restrictions The following summarizes limitations that apply when using CTIQBE application inspection: • CTIQBE application inspection does not support configurations with the alias comman[...]

11-3 Chapter 11 Configuring Inspection for Voice and Video Protocols H.323 Inspection The line beginning with RTP/RTCP: PAT xlates: appears only if an internal CTI device has registered with an external Call Manager and the CTI device address and ports are PATed to that external interfa[...]

11-4 Chapter 11 Configuring Inspection for Voice and Video Protocols H.323 Inspection H.323 Inspection Overview H.323 inspection provides support for H.323 compliant applications such as Cisco CallManager and VocalTec Gatekeeper. H.323 is a suite of protocols defined by the International T[...]

11-5 Chapter 11 Configuring Inspection for Voice and Video Protocols H.323 Inspection After inspecting the H.225 messages, the ASA opens the H.245 channel and then inspects traffic sent over the H.245 channel as well. All H.245 messages passing through the ASA undergo H.245 application inspec[...]

  • Page 254

    11-6 H.323 Inspection. • Only static NAT is fully supported. Static PAT may not properly translate IP addresses embedded in optional fields within H.323 messages. If you experience this kind of problem, do not use static PAT w[...]

  • Page 255

    11-7 H.323 Inspection. b. (Optional) To add a description to the class map, enter the following command: ciscoasa(config-cmap)# description string Where string is the description of the class map (up to 200 characters). c. (Optiona[...]

  • Page 256

    11-8 H.323 Inspection. You can specify multiple class or match commands in the policy map. For information about the order of class and match commands, see the “Defining Actions in an Inspection Policy Map” section on page 2-4 [...]

  • Page 257

    11-9 H.323 Inspection. The following example shows how to configure phone number filtering: ciscoasa(config)# regex caller 1 “5551234567” ciscoasa(config)# regex caller 2 “5552345678” ciscoasa(config)# regex caller 3 “555[...]

  • Page 258

    11-10 H.323 Inspection. 0 Concurrent Call(s) for Local: 10.130.56.4/1050 Foreign: 172.30.254.205/1720 This output indicates that there is currently 1 active H.323 call going through the ASA between the local endpoint 10.130.56.3 an[...]

  • Page 259

    11-11 MGCP Inspection. Total: 1 GK Caller 172.30.254.214 10.130.56.14 This output shows that there is one active registration between the gatekeeper 172.30.254.214 and its client 10.130.56.14. MGCP Inspection This section describe[...]

  • Page 260

    11-12 MGCP Inspection. MGCP transactions are composed of a command and a mandatory response. There are eight types of commands: • CreateConnection • ModifyConnection • DeleteConnection • NotificationRequest • Notify • Au[...]

  • Page 261

    11-13 MGCP Inspection. ciscoasa(config-pmap)# parameters ciscoasa(config-pmap-p)# b. To configure the call agents, enter the following command for each call agent: ciscoasa(config-pmap-p)# call-agent ip_address group_id Use the call-[...]

  • Page 262

    11-14 RTSP Inspection: Verifying and Monitoring MGCP Inspection. The show mgcp commands command lists the number of MGCP commands in the command queue. The show mgcp sessions command lists the number of existing MGCP sessions. The d[...]

  • Page 263

    11-15 RTSP Inspection: RTSP Inspection Overview. The RTSP inspection engine lets the ASA pass RTSP packets. RTSP is used by RealAudio, RealNetworks, Apple QuickTime 4, RealPlayer, and Cisco IP/TV connections. Note For Cisco IP/TV,[...]

  • Page 264

    11-16 RTSP Inspection. • You can configure NAT for Apple QuickTime 4 or RealPlayer. Cisco IP/TV only works with NAT if the Viewer and Content Manager are on the outside network and the server is on the inside network. Confi[...]

  • Page 265

    11-17 RTSP Inspection. Where the regex regex_name argument is the regular expression you created in Step 1. The class regex_class_name is the regular expression class map you created in Step 2. Step 4 To create an RTS[...]

  • Page 266

    11-18 SIP Inspection. ciscoasa(config-pmap-p)# url-length-limit length Where the length argument specifies the URL length in bytes (0 to 6000). The following example shows how to define an RTSP inspection policy map. ciscoasa(c[...]

  • Page 267

    11-19 SIP Inspection. To support SIP calls through the ASA, signaling messages for the media connection addresses, media ports, and embryonic connections for the media must be inspected, because while the signaling is sent over a we[...]

  • Page 268

    11-20 SIP Inspection. SIP inspection has a database with indices CALL_ID/FROM/TO from the SIP payload. These indices identify the call, the source, and the destination. This database contains the media addresses and media ports found[...]

  • Page 269

    11-21 SIP Inspection. Where the class_map_name is the name of the class map. The match-all keyword is the default, and specifies that traffic must match all criteria to match the class map. The match-any keyword specifies that the[...]

  • Page 270

    11-22 SIP Inspection. Where the regex regex_name argument is the regular expression you created in Step 1. The class regex_class_name is the regular expression class map you created in Step 2. k. (Optional) To match a[...]

  • Page 271

    11-23 SIP Inspection. b. To enable or disable instant messaging, enter the following command: ciscoasa(config-pmap-p)# im c. To enable or disable IP address privacy, enter the following command: ciscoasa(config-pmap-p)# ip-addre[...]

  • Page 272

    11-24 Skinny (SCCP) Inspection: Configuring SIP Timeout Values. The media connections are torn down within two minutes after the connection becomes idle. This is, however, a configurable timeout and can be set for a shorter or lon[...]

  • Page 273

    11-25 Skinny (SCCP) Inspection. • SCCP Inspection Overview, page 11-25 • Supporting Cisco IP Phones, page 11-25 • Restrictions and Limitations, page 11-26 • Configuring a Skinny (SCCP) Inspection Policy Map for Additional[...]

  • Page 274

    11-26 Skinny (SCCP) Inspection. When the Cisco IP Phones are on a lower security interface compared to the TFTP server, you must use an ACL to connect to the protected TFTP server on UDP port 69. While you do need a static entry fo[...]

  • Page 275

    11-27 Skinny (SCCP) Inspection. Step 5 To apply actions to matching traffic, perform the following steps. a. Specify the traffic on which you want to perform actions using one of the following methods: • Specify the SCCP class m[...]

  • Page 276

    11-28 Skinny (SCCP) Inspection. Where the value_length argument is a maximum or minimum value. f. To configure the timeout value for signaling and media connections, enter the following command: ciscoasa(config-pmap-p)# timeout[...]

  • Page 277

    12-1 CHAPTER 12 Configuring Inspection of Database and Directory Protocols. This chapter describes how to configure application layer protocol inspection. Inspection engines are required for services that embed IP addressing information in the user data packet or that open secondary channel[...]

  • Page 278

    12-2 SQL*Net Inspection. During connection negotiation time, a BIND PDU is sent from the client to the server. Once a successful BIND RESPONSE from the server is received, other operational messages may be exchanged (such a[...]

  • Page 279

    12-3 Sun RPC Inspection. SQL*Net Version 2 TNSFrame types (Connect, Accept, Refuse, Resend, and Marker) will not be scanned for addresses to NAT nor will inspection open dynamic connections for any embedded ports in the pack[...]

  • Page 280

    12-4 Sun RPC Inspection: Managing Sun RPC Services. Use the Sun RPC services table to control Sun RPC traffic through the ASA based on established Sun RPC sessions. To create entries in the Sun RPC services table, use the su[...]

  • Page 281

    12-5 Sun RPC Inspection. sunrpc-server inside 192.168.100.2 255.255.255.255 service 100003 protocol UDP port 111 timeout 0:30:00 sunrpc-server inside 192.168.100.2 255.255.255.255 service 100005 protocol UDP port 111 timeout 0:30:[...]

  • Page 282

    12-6 Sun RPC Inspection[...]

  • Page 283

    13-1 CHAPTER 13 Configuring Inspection for Management Application Protocols. This chapter describes how to configure application layer protocol inspection. Inspection engines are required for services that embed IP addressing information in the user data packet or that open secondary channe[...]

  • Page 284

    13-2 DCERPC Inspection. DCERPC inspect maps inspect for native TCP communication between the EPM and client on well known TCP port 135. Map and lookup operations of the EPM are supported for clients. Client and server can be[...]

  • Page 285

    13-3 GTP Inspection. The following example shows how to define a DCERPC inspection policy map with the timeout configured for DCERPC pinholes. ciscoasa(config)# policy-map type inspect dcerpc dcerpc_map ciscoasa(config-pmap[...]

  • Page 286

    13-4 GTP Inspection: Configuring a GTP Inspection Policy Map for Additional Inspection Control. If you want to enforce additional parameters on GTP traffic, create and configure a GTP map. If you do not specify a map with t[...]

  • Page 287

    13-5 GTP Inspection. ciscoasa(config-pmap)# parameters ciscoasa(config-pmap-p)# The mnc network_code argument is a two or three-digit value identifying the network code. By default, the security appliance does not check for[...]

  • Page 288

    13-6 GTP Inspection. a. Use the object-group command to define a new network object group that will represent the SGSN that sends GTP requests to the GSN pool. ciscoasa(config)# object-group network SGSN-name ciscoasa(config-[...]

  • Page 289

    13-7 GTP Inspection. Enter this command separately for each timeout. The gsn keyword specifies the period of inactivity after which a GSN will be removed. The pdp-context keyword specifies the maximum period of time allow[...]

  • Page 290

    13-8 RADIUS Accounting Inspection. total created_pdpmcb 0 total deleted_pdpmcb 0 pdp_non_existent 0 You can use the vertical bar (|) to filter the display. Type ?| for more display filtering options. The following is sa[...]

  • Page 291

    13-9 RADIUS Accounting Inspection: RADIUS Accounting Inspection Overview. One of the well known problems is the over-billing attack in GPRS networks. The over-billing attack can cause consumers anger and frustration by being[...]

  • Page 292

    13-10 RSH Inspection. service-policy global_policy global RSH Inspection RSH inspection is enabled by default. The RSH protocol uses a TCP connection from the RSH client to the RSH server on TCP port 514. The client and server[...]

  • Page 293

    13-11 XDMCP Inspection. ciscoasa(config-snmp-map)# deny version 2 XDMCP Inspection XDMCP inspection is enabled by default; however, the XDMCP inspection engine is dependent upon proper configuration of the established comma[...]

  • Page 294

    13-12 XDMCP Inspection[...]

  • Page 295

    PART 5 Configuring Unified Communications[...]

  • Page 296

    [...]

  • Page 297

    14-1 CHAPTER 14 Information About Cisco Unified Communications Proxy Features. This chapter describes how to configure the adaptive security appliance for Cisco Unified Communications Proxy features. This chapter includes the following sections: • Information About the Adaptive Securi[...]

  • Page 298

    14-2 Information About the Adaptive Security Appliance in Cisco Unified Communications. TLS Proxy: Decryption and inspection of Cisco Unified Communications encrypted signaling End-to-end encryption often leaves network s[...]

  • Page 299

    14-3 TLS Proxy Applications in Cisco Unified Communications. The ASA provides perimeter security by encrypting signaling connections between enterprises and preventing unauthorized calls. An ASA running the Cisco Interc[...]

  • Page 300

    14-4 Licensing for Cisco Unified Communications Proxy Features. For the Cisco Unified Mobility solution, the TLS client is a Cisco UMA client and the TLS server is a Cisco UMA server. The ASA is between a Cisco UMA clie[...]

  • Page 301

    14-5 Licensing for Cisco Unified Communications Proxy Features. ASA 5512-X Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, or 500 sessions. ASA 5515-X Base License: 2 sessions. Optional licenses: 24, 50, 10[...]

  • Page 302

    14-6 Licensing for Cisco Unified Communications Proxy Features. Table 14-2 shows the default and maximum TLS session details by platform. The following table shows the Unified Communications Proxy license details by pl[...]

  • Page 303

    15-1 CHAPTER 15 Using the Cisco Unified Communication Wizard. This chapter describes how to configure the adaptive security appliance for Cisco Unified Communications Proxy features. This chapter includes the following sections: • Information about the Cisco Unified Communication Wiz[...]

  • Page 304

    15-2 Information about the Cisco Unified Communication Wizard. The wizard simplifies the configuration of the Unified Communications proxies in the following ways: • You enter all required data in the wizard steps. You are not required t[...]

  • Page 305

    15-3 Licensing Requirements for the Unified Communication Wizard. Using the ASA as a secure presence federation proxy, businesses can securely connect their Cisco Unified Presence (Cisco UP) servers to other Cisco or Microsoft Presence se[...]

  • Page 306

    15-4 Guidelines and Limitations. This section includes the guidelines and limitations for this feature. Context Mode Guidelines Supported in single and multiple context mode. Firewall Mode Guidelines Supported in r[...]

  • Page 307

    15-5 Configuring the Phone Proxy by using the Unified Communication Wizard. Note Any configuration created by the wizard should be maintained through the wizard to ensure proper synchronization. For example, if you create a phone proxy c[...]

  • Page 308

    15-6 Configuring the Phone Proxy by using the Unified Communication Wizard. Step 2 Specify each entity in the network (all Cisco UCM and TFTP servers) that the IP phones must trust. Click Add to add the servers. See Configuring Servers for[...]

  • Page 309

    15-7 Configuring the Phone Proxy by using the Unified Communication Wizard. statements, you must delete them manually by using the appropriate area of ASDM or rerun the Unified Communications wizard without making any changes and apply the c[...]

  • Page 310

    15-8 Configuring the Phone Proxy by using the Unified Communication Wizard. Selecting the Use interface IP radio button configures the server to use the IP address of the public interface. You select the public interface in step 4 of the wiz[...]

  • Page 311

    15-9 Configuring the Phone Proxy by using the Unified Communication Wizard. See also the Cisco Unified Communications Manager Security Guide for information on Using the Certificate Authority Proxy Function (CAPF) to install a locally [...]

  • Page 312

    15-10 Configuring the Phone Proxy by using the Unified Communication Wizard. • PC Port • Voice VLAN access • Gratuitous ARP • Span to PC Port Step 3 To configure address translation for IP phones, check the Enable address translatio[...]

  • Page 313

    15-11 Configuring the Mobility Advantage by using the Unified Communication Wizard. Step 1 In the field for the private IP address, enter the IP address on which private media traffic terminates. The IP address must be within the same su[...]

  • Page 314

    15-12 Configuring the Mobility Advantage by using the Unified Communication Wizard: Configuring the Topology for the Cisco Mobility Advantage Proxy. When configuring the Mobility Advantage Proxy, you specify settings to define the private an[...]

  • Page 315

    15-13 Configuring the Mobility Advantage by using the Unified Communication Wizard. • When using the wizard to configure the Cisco Mobility Advantage proxy, the wizard only supports installing self-signed certificates. Step 2 Export th[...]

  • Page 316

    15-14 Configuring the Presence Federation Proxy by using the Unified Communication Wizard. Note The Unified Communication Wizard is supported for the ASA ve[...]

  • Page 317

    15-15 Configuring the Presence Federation Proxy by using the Unified Communication Wizard. Step 3 In the FQDN field, enter the domain name for the Unified Presence server. This domain name is included in the certificate signing request t[...]

  • Page 318

    15-16 Configuring the UC-IME by using the Unified Communication Wizard. For the TLS handshake, the two entities, namely the local entity and a remote entity, could validate the peer certificate via a certificate chain to trusted third[...]

  • Page 319

    15-17 Configuring the UC-IME by using the Unified Communication Wizard. To configure the Cisco Intercompany Media Engine Proxy by using ASDM, choose Wizards > Unified Communication Wizard from the menu. The Unified Communication Wiz[...]

  • Page 320

    15-18 Configuring the UC-IME by using the Unified Communication Wizard. Step 2 Click Next. Basic Deployment In a basic deployment, the Cisco Intercompany Media Engine Proxy sits in-line with the Internet firewall such that all Internet tr[...]

  • Page 321

    15-19 Configuring the UC-IME by using the Unified Communication Wizard. Step 1 To configure the Cisco Intercompany Media Engine Proxy as part of a basic deployment, select the interface that connects to the local Cisco Unified Communicatio[...]

  • Page 322

    15-20 Configuring the UC-IME by using the Unified Communication Wizard: Adding a Cisco Unified Communications Manager Server for the UC-IME Proxy. You must include an entry for each Cisco UCM in the cluster with Cisco Intercompany Media E[...]

  • Page 323

    15-21 Configuring the UC-IME by using the Unified Communication Wizard: Configuring the Local-Side Certificates for the Cisco Intercompany Media Engine Proxy. Completing this step of the wizard generates a self-signed certificate for the ASA[...]

  • Page 324

    15-22 Configuring the UC-IME by using the Unified Communication Wizard: Configuring the Remote-Side Certificates for the Cisco Intercompany Media Engine Proxy. Establishing a trust relationship across enterprises or across administrative doma[...]

  • Page 325

    15-23 Working with Certificates in the Unified Communication Wizard. This section includes the following topics: • Exporting an Identity Certificate, page 15-23 • Installing [...]

  • Page 326

    15-24 Working with Certificates in the Unified Communication Wizard. Presence Federation server, and the Cisco Unified Communications Manager servers, respectively, on the ASA. See the documentation for each of these products for informat [...]

  • Page 327

    15-25 Working with Certificates in the Unified Communication Wizard. • Remote Presence Federation servers for the Cisco Presence Federation Proxy • The remote ASA for the Cisco Intercompany Media Engine Proxy Before generating the C[...]

  • Page 328

    15-26 Working with Certificates in the Unified Communication Wizard. Submit the CSR to the certificate authority (CA), for example, by pasting the CSR text into the CSR enrollment page on the CA website. When the CA returns the signed iden[...]

  • Page 329

    15-27 Working with Certificates in the Unified Communication Wizard. Typically, a certificate authority returns two certificates: your signed identity certificate and the certificate authority’s certificate (referred to as the roo[...]

  • Page 330

    15-28 Working with Certificates in the Unified Communication Wizard[...]

  • Page 331

    16-1 CHAPTER 16 Configuring the Cisco Phone Proxy. This chapter describes how to configure the ASA for the Cisco Phone Proxy feature. This chapter includes the following sections: • Information About the Cisco Phone Proxy, page 16-1 • Licensing Requirements for the Phone Proxy, page 1[...]

  • Page 332

    16-2 Information About the Cisco Phone Proxy. Figure 16-1 Phone Proxy Secure Deployment. The phone proxy supports a Cisco UCM cluster in mixed mode or nonsecure mode. Regardless of the cluster mode, the remote phones that are capable of encryptio[...]

  • Page 333

    16-3 Information About the Cisco Phone Proxy. Note As an alternative to authenticating remote IP phones through the TLS handshake, you can configure authentication via LSC provisioning. With LSC provisioning you create a password for each remote [...]

  • Page 334

    16-4 Licensing Requirements for the Phone Proxy. • Cisco Unified IP Phone 7941 • Cisco Unified IP Phone 7941G-GE • Cisco Unified IP Phone 7940 (SCCP protocol support only) • Cisco Unified Wireless IP Phone 7921 • Cisco Unified Wireless I [...]

  • Page 335

    16-5 Licensing Requirements for the Phone Proxy. ASA 5512-X Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, or 500 sessions. ASA 5515-X Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, or 500 sessions. ASA 5525-X Base Lice[...]

  • Page 336

    16-6 Prerequisites for the Phone Proxy. For more information about licensing, see the general operations configuration guide. Prerequisites for the Phone Proxy This section contains the following topics: • Media Termination Instance Prerequisites, p[...]

  • Page 337

    16-7 Prerequisites for the Phone Proxy. • For IP phones behind a router or gateway, you must also meet this prerequisite. On the router or gateway, add routes to the media termination address on the ASA interface that the IP phones communicate [...]

  • Page 338

    16-8 Prerequisites for the Phone Proxy. If NAT is configured for the TFTP server or Cisco UCMs, the translated “global” address must be used in the ACLs. Table 16-1 lists the ports that are required to be configured on the existing firewall: No[...]

  • Page 339

    16-9 Prerequisites for the Phone Proxy. host 10.0.0.2 nat (inside,outside) static interface service tcp 2443 7443 Note Both PAT configurations—for the nonsecure and secure ports—must be configured. • When the IP phones must contact the CAPF on[...]

  • Page 340

    16-10 Prerequisites for the Phone Proxy. Note If an IP phone already has an LSC installed on it from a different Cisco UCM cluster, delete the LSC from the different cluster and install an LSC from the current Cisco UCM cluster. Note You can configu[...]

  • Page 341

    16-11 Prerequisites for the Phone Proxy: Prerequisites for Rate Limiting TFTP Requests. In a remote access scenario, we recommend that you configure rate limiting of TFTP requests because any IP phone connecting through the Internet is allowed to sen[...]

  • Page 342

    16-12 Phone Proxy Guidelines and Limitations: End-User Phone Provisioning. The phone proxy is a transparent proxy with respect to the TFTP and signaling transactions. If NAT is not configured for the Cisco UCM TFTP server, then the IP phones need t[...]

  • Page 343

    16-13 Phone Proxy Guidelines and Limitations • General Guidelines and Limitations, page 16-13 • Media Termination Address Guidelines and Limitations, page 16-14 General Guidelines and Limitations The phone proxy has the following general limit[...]

  • Page 344

    16-14 Configuring the Phone Proxy – Two SIP IP phones: both in non-secure mode Two SCCP IP phones: one IP phone in authenticated mode and one in encrypted mode, both in authenticated mode, both in encrypted mode – Two SIP IP phones: one I[...]

  • Page 345

    16-15 Configuring the Phone Proxy • Creating the TLS Proxy for a Mixed-mode Cisco UCM Cluster, page 16-21 • Creating the Media Termination Instance, page 16-23 • Creating the Phone Proxy Instance, page 16-24 • Enabling the Phone Proxy with S[...]

  • Page 346

    16-16 Configuring the Phone Proxy Step 3 Click Find and it will display all the certificates. Step 4 Find the filename Cisco_Manufacturing_CA. This is the certificate needed to verify the IP phone certificate. Click the .PEM file Cisco_Manufacturi[...]

  • Page 347

    16-17 Configuring the Phone Proxy Task Flow for Configuring the Phone Proxy in a Mixed-mode Cisco UCM Cluster Note For mixed-mode clusters, the phone proxy does not support the Cisco Unified Call Manager using TFTP to send encrypted configuration fil[...]

  • Page 348

    16-18 Configuring the Phone Proxy Prerequisites Import the required certificates, which are stored on the Cisco UCM. See Certificates from the Cisco UCM, page 16-7 and Importing Certificates from the Cisco UCM, page 16-15. What to Do Next Once you h[...]

  • Page 349

    16-19 Configuring the Phone Proxy Prerequisites If you are using domain names for your Cisco UCM and TFTP server, you must configure DNS lookup on the ASA. Add an entry for each of the outside interfaces on the ASA into your DNS server, if such en[...]

  • Page 350

    16-20 Configuring the Phone Proxy Using an Existing CTL File Note Only when the phone proxy is running in mixed-mode clusters, you have the option to use an existing CTL file to install trustpoints. If you have an existing CTL file that contains t[...]

  • Page 351

    16-21 Configuring the Phone Proxy What to Do Next Once you have created the TLS proxy instance, create the phone proxy instance. See Creating the Phone Proxy Instance, page 16-24. Creating the TLS Proxy for a Mixed-mode Cisco UCM Cluster For mixed mo[...]

  • Page 352

    16-22 Configuring the Phone Proxy Step 6 hostname(config-ca-trustpoint)# subject-name X.500_name Example: hostname(config-ca-trustpoint)# subject-name cn=FW_LDC_SIGNER_172_23_45_200 Includes the indicated subject DN in the certificate during enrollment[...]

  • Page 353

    16-23 Configuring the Phone Proxy What To Do Next Once you have created the TLS proxy instance and installed the certificate on the Cisco Unified Communications Manager, create the phone proxy instance. See Creating the Phone Proxy Instance, pag[...]

  • Page 354

    16-24 Configuring the Phone Proxy What To Do Next Once you have created the media termination instance, create the phone proxy instance. See Creating the Phone Proxy Instance, page 16-24. Creating the Phone Proxy Instance Create the phone proxy i[...]

  • Page 355

    16-25 Configuring the Phone Proxy Command Purpose Step 1 hostname(config)# phone-proxy phone_proxy_name Example: hostname(config)# phone-proxy myphoneproxy Creates the phone proxy instance. Only one phone proxy instance can be configured on the securi[...]

  • Page 356

    16-26 Configuring the Phone Proxy What to Do Next Once you have created the phone proxy instance, configure SIP and Skinny for the phone proxy. See Enabling the Phone Proxy with SIP and Skinny Inspection, page 16-26. Enabling the Phone Proxy w[...]

  • Page 357

    16-27 Configuring the Phone Proxy Configuring Linksys Routers with UDP Port Forwarding for the Phone Proxy When IP phones are behind a NAT-capable router, the router can be configured to forward the UDP ports to the IP address of the IP phone. Sp[...]

  • Page 358

    16-28 Troubleshooting the Phone Proxy Configuring Your Router Your firewall/router needs to be configured to forward a range of UDP ports to the IP phone. This will allow the IP phone to receive audio when you make/receive calls. Note Different C[...]

  • Page 359

    16-29 Troubleshooting the Phone Proxy Table 16-5 lists the capture commands to use with the phone proxy. Use the capture command on the appropriate interfaces (IP phones and Cisco UCM) to enable packet capture capabilities for packet sniffing and [...]

  • Page 360

    16-30 Troubleshooting the Phone Proxy Table 16-5 Security Appliance Capture Commands to Use with the Phone Proxy To Use the Command Notes To capture packets on the ASA interfaces. capture capture_name interface interface_name Use this command [...]

  • Page 361

    16-31 Troubleshooting the Phone Proxy Table 16-6 lists the show commands to use with the phone proxy. Table 16-6 Security Appliance Show Commands to Use with the Phone Proxy To Use the Command Notes To show the packets or connections dropped b[...]

  • Page 362

    16-32 Troubleshooting the Phone Proxy Debugging Information from IP Phones On the IP phone, perform the following actions: • Check the Status messages on the IP phone by selecting the Settings button > Status > Status Messages and selecting[...]

  • Page 363

    16-33 Troubleshooting the Phone Proxy • Check the Security settings on the IP phone by selecting the Settings button > Security Configuration. Settings for web access, Security mode, MIC, LSC, CTL file, trust list, and CAPF appear. Under Sec[...]

  • Page 364

    16-34 Troubleshooting the Phone Proxy Step 2 From the ASA, verify that the CTL file for the phone proxy contains one record entry for each entity in the network—Primary Cisco UCM, Secondary Cisco UCM, TFTP server—by entering the following com[...]

  • Page 365

    16-35 Troubleshooting the Phone Proxy Solution Step 1 Verify that DNS lookup is configured on the ASA. Step 2 If DNS lookup is configured, determine whether you can ping the FQDN for the Cisco UCM from the ASA. Step 3 If ASA cannot ping the Cisco U[...]

  • Page 366

    16-36 Troubleshooting the Phone Proxy PP: Client outside:192.168.10.5/49355 retransmitting request for Config file SEP001562106AF3.cnf.xml.sgn PP: opened 0x17ccde PP: 192.168.10.5/49355 requesting SEP001562106AF3.cnf.xml.sgn PP: Client outside:192.168.[...]

  • Page 367

    16-37 Troubleshooting the Phone Proxy Step 3 If the router is a Linksys router, see Configuring Linksys Routers with UDP Port Forwarding for the Phone Proxy, page 16-27 for information on the configuration requirements. IP Phone Requesting Uns[...]

  • Page 368

    16-38 Troubleshooting the Phone Proxy Make sure that each media-termination instance is created correctly and that the address or addresses are set correctly. The ASA must meet specific criteria for media termination. See Media Termination Instan[...]

  • Page 369

    16-39 Troubleshooting the Phone Proxy b. Verify that the list of installed certificates contains all required certificates for the phone proxy. See Table 16-2, Certificates Required by the Security Appliance for the Phone Proxy, for infor[...]

  • Page 370

    16-40 Troubleshooting the Phone Proxy SSL Handshake Failure Problem The phone proxy is not functioning. Initial troubleshooting uncovered the following errors in the ASA syslogs: %ASA-7-725014: SSL lib error. Function: SSL3_READ_BYTES Reason: ssl h[...]

  • Page 371

    16-41 Troubleshooting the Phone Proxy [3des-sha1] [des-sha1] [rc4-md5] [possibly others] See the command reference for more information about setting ciphers with the ssl encryption command. Certificate Validation Errors Problem Errors in the ASA lo[...]

  • Page 372

    16-42 Troubleshooting the Phone Proxy phone-proxy mypp media-termination address 10.10.0.25 cipc security-mode authenticated cluster-mode mixed disable service-settings timeout secure-phones 0:05:00 hostname(config)# Make sure that each media-terminati[...]

  • Page 373

    16-43 Troubleshooting the Phone Proxy The SAST keys can be seen via the show crypto key mypubkey rsa command. The SAST keys are associated with a trustpoint that is labeled _internal_ctl-file_name_SAST_X where ctl-file-name is the name of the CTL[...]

  • Page 374

    16-44 Configuration Examples for the Phone Proxy mGF/hfDDNAICBAA= hostname(config)# quit INFO: Import PKCS12 operation completed successfully hostname(config)# Step 3 Create the CTL file instance on the new ASA using the same name as the one used in th[...]

  • Page 375

    16-45 Configuration Examples for the Phone Proxy Figure 16-2 Nonsecure Cisco UCM cluster, Cisco UCM and TFTP Server on Publisher object network obj-192.0.2.101 host 192.0.2.101 nat (inside,outside) static 10.10.0.26 access-list pp extended permit u[...]

  • Page 376

    16-46 Configuration Examples for the Phone Proxy Example 2: Mixed-mode Cisco UCM cluster, Cisco UCM and TFTP Server on Publisher Figure 16-3 shows an example of the configuration for a mixed-mode Cisco UCM cluster using the following topology. Figur[...]

  • Page 377

    16-47 Configuration Examples for the Phone Proxy address 10.10.0.25 interface outside phone-proxy mypp media-termination my_mediaterm tftp-server address 192.0.2.101 interface inside tls-proxy mytls ctl-file myctl cluster-mode mixed class-map sec_sccp m[...]

  • Page 378

    16-48 Configuration Examples for the Phone Proxy host 192.0.2.101 nat (inside,outside) static interface udp 69 69 access-list pp extended permit udp any host 10.10.0.24 eq 69 access-group pp in interface outside crypto key generate rsa label cucm_kp modu[...]

  • Page 379

    16-49 Configuration Examples for the Phone Proxy Figure 16-5 Mixed-mode Cisco UCM cluster, Primary Cisco UCM, Secondary Cisco UCM, and TFTP Server on Different Servers object network obj-192.0.2.105 host 192.0.2.105 nat (inside,outside) static 1[...]

  • Page 380

    16-50 Configuration Examples for the Phone Proxy crypto ca trustpoint ldc_server enrollment self proxy_ldc_issuer fqdn my-ldc-ca.exmaple.com subject-name cn=FW_LDC_SIGNER_172_23_45_200 keypair ldc_signer_key crypto ca enroll ldc_server tls-proxy my_proxy[...]

  • Page 381

    16-51 Configuration Examples for the Phone Proxy Figure 16-6 LSC Provisioning in Mixed-mode Cisco UCM cluster; Cisco UCM and TFTP Server on Publisher object network obj-192.0.2.105 host 192.0.2.105 nat (inside,outside) static 10.10.0.26 object netw[...]

  • Page 382

    16-52 Configuration Examples for the Phone Proxy server trust-point _internal_PP_myctl client ldc issuer ldc_server client ldc keypair phone_common client cipher-suite aes128-sha1 aes256-sha1 media-termination my_mediaterm address 192.0.2.25 interface in[...]

  • Page 383

    16-53 Configuration Examples for the Phone Proxy Figure 16-7 VLAN Transversal Between CIPC Softphones on the Data VLAN and Hard Phones on the Voice VLAN object network obj-10.130.50.0 subnet 10.130.50.0 255.255.255.0 nat (data,voice) dynamic 192.[...]

  • Page 384

    16-54 Feature History for the Phone Proxy class sec_sip inspect sip phone-proxy mypp service-policy pp_policy interface data Feature History for the Phone Proxy Table 16-7 lists the release history for this feature. Table 16-7 Feature History for [...]

  • Page 385

    CHAPTER 17-1 Cisco ASA Series Firewall CLI Configuration Guide 17 Configuring the TLS Proxy for Encrypted Voice Inspection This chapter describes how to configure the ASA for the TLS Proxy for Encrypted Voice Inspection feature. This chapter includes the following sections: • Information about the TLS Proxy for Encrypted Voice Insp[...]

  • Page 386

    17-2 Information about the TLS Proxy for Encrypted Voice Inspection The security appliance acts as a TLS proxy between the Cisco IP Phone and Cisco UCM. The proxy is transparent for the voice calls between the phone and the C[...]

  • Page 387

    17-3 Information about the TLS Proxy for Encrypted Voice Inspection • Cisco Unified IP Phone 7941G-GE • Cisco Unified IP Phone 7940 • Cisco Unified Wireless IP Phone 7921 • Cisco Unified Wireless IP Phone 7925 • [...]

  • Page 388

    17-4 Information about the TLS Proxy for Encrypted Voice Inspection Figure 17-2 CTL Client TLS Proxy Features — ASA IP Address or Domain Name Figure 17-2 shows support for entering the security appliance IP address or d[...]

  • Page 389

    17-5 Licensing for the TLS Proxy Figure 17-4 CTL Client TLS Proxy Features — CTL File Installed on the ASA The security appliance does not store the raw CTL file in the flash, rather, it parses the CTL file and installs ap[...]

  • Page 390

    17-6 Licensing for the TLS Proxy ASA 5580 Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, 500, 750, 1000, 2000, 3000, 5000, or 10,000 sessions. 2 ASA 5512-X Base License: 2 sessions. Optional licenses: 24, 50, 100[...]

  • Page 391

    17-7 Prerequisites for the TLS Proxy for Encrypted Voice Inspection Table 17-1 shows the default and maximum TLS session details by platform. For more information about licensing, see the general operations configuration [...]

  • Page 392

    17-8 Configuring the TLS Proxy for Encrypted Voice Inspection • Creating Trustpoints and Generating Certificates, page 17-9 • Creating an Internal CA, page 17-10 • Creating a CTL Provider Instance, page 17-11 • Creat[...]

  • Page 393

    17-9 Configuring the TLS Proxy for Encrypted Voice Inspection Step 8 Run the CTL Client application to add the server proxy certificate (ccm_proxy) to the CTL file and install the CTL file on the security appliance. See the Ci[...]

  • Page 394

    17-10 Configuring the TLS Proxy for Encrypted Voice Inspection What to Do Next Once you have created the trustpoints and generated the certificates, create the internal CA to sign the LDC for Cisco IP Phones. See Creating an[...]

  • Page 395

    17-11 Configuring the TLS Proxy for Encrypted Voice Inspection What to Do Next Once you have created the internal CA, create the CTL provider instance. See Creating a CTL Provider Instance, page 17-11. Creating a CTL Provider [...]

  • Page 396

    17-12 Configuring the TLS Proxy for Encrypted Voice Inspection What to Do Next Once you have created the CTL provider instance, create the TLS proxy instance. See Creating the TLS Proxy Instance, page 17-12. Creating the TLS [...]

  • Page 397

    17-13 Configuring the TLS Proxy for Encrypted Voice Inspection What to Do Next Once you have created the TLS proxy instance, enable the TLS proxy instance for Skinny and SIP inspection. See Enabling the TLS Proxy Instance for S[...]

  • Page 398

    17-14 Configuring the TLS Proxy for Encrypted Voice Inspection Command Purpose Step 1 hostname(config)# class-map class_map_name Example: ciscoasa(config)# class-map sec_skinny Configures the secure Skinny class of traffic t[...]

  • Page 399

    17-15 Monitoring the TLS Proxy Monitoring the TLS Proxy You can enable TLS proxy debug flags along with SSL syslogs to debug TLS proxy connection problems. For example, using the following commands to enable TLS proxy-rela[...]

  • Page 400

    17-16 Monitoring the TLS Proxy Apr 17 2007 23:13:47: %ASA-7-711001: TLSP cbad5120: Data channel ready for the Client Apr 17 2007 23:13:47: %ASA-7-725013: SSL Server inside:195.168.2.201/5061 choose cipher : AES128-SHA Apr 17 2007[...]

  • Page 401

    17-17 Feature History for the TLS Proxy for Encrypted Voice Inspection Public Key Type: RSA (1024 bits) Issuer Name: cn=TLS-Proxy-Signer Subject Name: cn=SEP0002B9EB0AAD o=Cisco Systems Inc c=US Validity Date: start date: 09:25:[...]

  • Page 402

    17-18 Feature History for the TLS Proxy for Encrypted Voice Inspection[...]

  • Page 403

    CHAPTER 18-1 Cisco ASA Series Firewall CLI Configuration Guide 18 Configuring Cisco Mobility Advantage This chapter describes how to configure the ASA for Cisco Unified Communications Mobility Advantage Proxy features. This chapter includes the following sections: • Information about the Cisco Mobility Advantage Proxy Feature, page [...]

  • Page 404

    18-2 Information about the Cisco Mobility Advantage Proxy Feature The TCP/TLS default port is 5443. There are no embedded NAT or secondary connections. Cisco UMA client and server communications can be proxied via TLS, which decrypts the data, pa[...]

  • Page 405

    18-3 Information about the Cisco Mobility Advantage Proxy Feature Figure 18-1 Security Appliance as Firewall with Mobility Advantage Proxy and MMP Inspection In Figure 18-1, the ASA performs static NAT by translating the Cisco UMA server [...]

  • Page 406

    18-4 Information about the Cisco Mobility Advantage Proxy Feature Figure 18-2 Cisco UMC/Cisco UMA Architecture – Scenario 2: Security Appliance as Mobility Advantage Proxy Only Mobility Advantage Proxy Using NAT/PAT In both scenarios (Fig[...]

  • Page 407

    18-5 Information about the Cisco Mobility Advantage Proxy Feature Trust Relationships for Cisco UMA Deployments To establish a trust relationship between the Cisco UMC client and the ASA, the ASA uses the Cisco UMA server certificate and keypa[...]

  • Page 408

    18-6 Licensing for the Cisco Mobility Advantage Proxy Feature Figure 18-4 How the Security Appliance Represents Cisco UMA – Certificate Impersonation A trusted relationship between the ASA and the Cisco UMA server can be established wit[...]

  • Page 409

    18-7 Configuring Cisco Mobility Advantage • Enabling the TLS Proxy for MMP Inspection, page 18-9 Task Flow for Configuring Cisco Mobility Advantage To configure the ASA to perform TLS proxy and MMP inspection as shown in Figure 18-1 and F[...]

  • Page 410

    18-8 Configuring Cisco Mobility Advantage What to Do Next Once you have created the trustpoints and installed the Cisco UMA certificate on the ASA, create the TLS proxy instance. See Creating the TLS Proxy Instance, page 18-8. Creating the TLS P[...]

  • Page 411

    18-9 Configuring Cisco Mobility Advantage What to Do Next Once you have created the TLS proxy instance, enable it for MMP inspection. See Enabling the TLS Proxy for MMP Inspection, page 18-9. Enabling the TLS Proxy for MMP Inspection Cisco UMA cl[...]

  • Page 412

    18-10 Monitoring for Cisco Mobility Advantage Monitoring for Cisco Mobility Advantage Mobility advantage proxy can be debugged the same way as IP Telephony. You can enable TLS proxy debug flags along with SSL syslogs to debug TLS proxy conne[...]

  • Page 413

    18-11 Configuration Examples for Cisco Mobility Advantage Configuration Examples for Cisco Mobility Advantage • Example 1: Cisco UMC/Cisco UMA Architecture – Security Appliance as Firewall with TLS Proxy and MMP Inspection, page 18-11 • Examp[...]

  • Page 414

    18-12 Configuration Examples for Cisco Mobility Advantage object network obj-10.1.1.2-01 host 10.1.1.2 nat (inside,outside) static 192.0.2.140 crypto ca import cuma_proxy pkcs12 sample_passphrase <cut-paste base 64 encoded pkcs12 here> quit ! f[...]

  • Page 415

    18-13 Configuration Examples for Cisco Mobility Advantage Figure 18-6 Cisco UMC/Cisco UMA Architecture – Scenario 2: Security Appliance as TLS Proxy Only object network obj-172.16.27.41-01 host 172.16.27.41 nat (inside,outside) static 192.0.2.1[...]

  • Page 416

    18-14 Feature History for Cisco Mobility Advantage tls-proxy cuma_proxy server trust-point cuma_proxy no server authenticate-client client cipher-suite aes128-sha1 aes256-sha1 class-map cuma_proxy match port tcp eq 5443 policy-map global_policy class[...]

  • Page 417

    CHAPTER 19-1 Cisco ASA Series Firewall CLI Configuration Guide 19 Configuring Cisco Unified Presence This chapter describes how to configure the adaptive security appliance for Cisco Unified Presence. This chapter includes the following sections: • Information About Cisco Unified Presence, page 19-1 • Licensing for Cisco Unified P[...]

  • Page 418

    19-2 Information About Cisco Unified Presence Figure 19-1 Typical Cisco Unified Presence/LCS Federation Scenario In the above architecture, the ASA functions as a firewall, NAT, and TLS proxy, which is the recommended architecture. However,[...]

  • Page 419

    19-3 Information About Cisco Unified Presence ciscoasa(config-network-object)# nat (inside,outside) static 192.0.2.1 service tcp 5060 5060 For another Cisco UP with the address 10.0.0.3, you must use a different set of PAT ports, such as 45062[...]

  • Page 420

    19-4 Information About Cisco Unified Presence http://www.cisco.com/en/US/products/ps6837/products_installation_and_configuration_guides_list.html Trust Relationship in the Presence Federation Within an enterprise, setting up a trust relationshi[...]

  • Page 421

    19-5 Information About Cisco Unified Presence Security Certificate Exchange Between Cisco UP and the Security Appliance You need to generate the keypair for the certificate (such as cup_proxy_key) used by the ASA, and configure a trustpoint [...]

  • Page 422

    19-6 Information About Cisco Unified Presence For further information about configuring Cisco Unified Presence Federation for XMPP Federation, see the Integration Guide for Configuring Cisco Unified Presence Release 8.0 for Interdomain Federa[...]

  • Page 423

    19-7 Licensing for Cisco Unified Presence nat (inside,outside) source static obj_host_<private cup2 ip> obj_host_<public cup2 IP> service obj_udp_source_eq_5269 obj_udp_source_eq_5269 nat (inside,outside) source static obj_host_<privat[...]

  • Page 424

    19-8 Configuring Cisco Unified Presence Proxy for SIP Federation For more information about licensing, see the general operations configuration guide. Configuring Cisco Unified Presence Proxy for SIP Federation This section contains the following to[...]

  • Page 425

    19-9 Configuring Cisco Unified Presence Proxy for SIP Federation • Creating Trustpoints and Generating Certificates, page 19-9 • Installing Certificates, page 19-10 • Creating the TLS Proxy Instance, page 19-12 • Enabling the TLS Proxy for[...]

  • Page 426

    19-10 Configuring Cisco Unified Presence Proxy for SIP Federation What to Do Next Install the certificate on the local entity truststore. You could also enroll the certificate with a local CA trusted by the local entity. See the “Installing Cer[...]

  • Page 427

    19-11 Configuring Cisco Unified Presence Proxy for SIP Federation Command Purpose Step 1 hostname(config)# crypto ca export trustpoint identity-certificate Example: hostname(config)# crypto ca export ent_y_proxy identity-certificate Export the ASA se[...]

  • Page 428

    19-12 Configuring Cisco Unified Presence Proxy for SIP Federation What to Do Next Once you have created the trustpoints and installed the certificates for the local and remote entities on the ASA, create the TLS proxy instance. See Creating the TLS[...]

  • Page 429

    19-13 Configuring Cisco Unified Presence Proxy for SIP Federation What to Do Next Once you have created the TLS proxy instance, enable it for SIP inspection. See Enabling the TLS Proxy for SIP Inspection, page 19-13. Enabling the TLS Proxy for S[...]

  • Page 430

    19-14 Monitoring Cisco Unified Presence Debugging is similar to debugging TLS proxy for IP Telephony. You can enable TLS proxy debug flags along with SSL syslogs to debug TLS proxy connection problems. For exampl[...]

  • Page 431

    19-15 Configuration Example for Cisco Unified Presence • Example ACL Configuration for XMPP Federation, page 19-17 • Example NAT Configuration for XMPP Federation, page 19-18 Example Configuration for SIP Federation Deployments The following [...]

  • Page 432

    19-16 Configuration Example for Cisco Unified Presence Figure 19-5 Typical Cisco Unified Presence/LCS Federation Scenario object network obj-10.0.0.2-01 host 10.0.0.2 nat (inside,outside) static 192.0.2.1 service tcp 5061 5061 object network obj-10[...]

  • Page 433

    19-17 Configuration Example for Cisco Unified Presence quit ! for Entity Y's CA certificate crypto ca trustpoint ent_y_ca enrollment terminal crypto ca authenticate ent_y_ca Enter the base 64 encoded CA certificate. End with a blank line or the word[...]

  • Page 434

    19-18 Configuration Example for Cisco Unified Presence The following values are used in this sample configuration: • Private XMPP federation Cisco Unified Presence Release 8.0 IP address = 1.1.1.1 • Private second Cisco Unified Presence Relea[...]

  • Page 435

    19-19 Configuration Example for Cisco Unified Presence • Private third Cisco Unified Presence Release 7.x IP address = 3.3.3.3 • XMPP federation listening port = 5269 nat (inside,outside) source static obj_host_1.1.1.1 obj_host_10.10.10.10 serv[...]

  • Page 436

    19-20 Feature History for Cisco Unified Presence Table 19-1 lists the release history for this feature. Table 19-1 Feature History for Cisco Unified Presence Feature Name Releases Feature Information C[...]

  • Page 437

    CHAPTER 20-1 Cisco ASA Series Firewall CLI Configuration Guide 20 Configuring Cisco Intercompany Media Engine Proxy This chapter describes how to configure the ASA for Cisco Intercompany Media Engine Proxy. This chapter includes the following sections: • Information About Cisco Intercompany Media Engine Proxy, page 20-1 • Licens[...]

  • Page 438

    20-2 Information About Cisco Intercompany Media Engine Proxy Cisco Intercompany Media Engine has the following key features: • Works with existing phone numbers: Cisco Intercompany Media Engine works with the phone numbers an[...]

  • Page 439

    20-3 Information About Cisco Intercompany Media Engine Proxy On successful verification, the terminating side creates a ticket that grants permission to the call originator to make a Cisco IME call to a specific number. See Tick[...]

  • Page 440

    20-4 Information About Cisco Intercompany Media Engine Proxy As illustrated in Figure 20-1, Enterprise B makes a PSTN call to Enterprise A. That call completes successfully. Later, the Enterprise B Cisco Intercompany Media Engine s[...]

  • Page 441

    20-5 Information About Cisco Intercompany Media Engine Proxy The TLS signaling connections from the Cisco UCM are terminated on the adaptive security appliance and a TCP or TLS connection is initiated to the Cisco UCM. SRTP (media) s[...]

  • Page 442

    20-6 Information About Cisco Intercompany Media Engine Proxy Figure 20-2 Cisco Intercompany Media Engine Architecture in a Basic Deployment Basic Deployment In a basic deployment, the Cisco Intercompany Media Engine Proxy sit[...]

  • Page 443

    20-7 Licensing for Cisco Intercompany Media Engine Off Path Deployment In an off path deployment, inbound and outbound Cisco Intercompany Media Engine calls pass through an adaptive security appliance enabled with the Cisco Inte[...]

  • Page 444

    20-8 Guidelines and Limitations For more information about licensing, see Chapter 4, “Managing Feature Licenses,” in the general operations configuration guide. Guidelines and Limitations Context Mode Guidelines Supported in singl[...]

  • Page 445

    20-9 Guidelines and Limitations • Stateful failover of Cisco Unified Intercompany Media Engine is not supported. During failover, existing calls traversing the Cisco Intercompany Media Engine Proxy disconnect; however, new ca[...]

  • Page 446

    20-10 Configuring Cisco Intercompany Media Engine Proxy Assume, for example, that the ASA is configured to have a maximum of 100 TLS proxy sessions and IME calls between SCCP IP phones establish 101 TLS proxy sessions. In this exampl[...]

  • Page 447

    20-11 Configuring Cisco Intercompany Media Engine Proxy Note Step 1 through Step 8 apply to both basic (in-line) and off path deployments, and Step 9 applies only to off path deployments. To configure a Cisco Intercompany Media E[...]

  • Page 448

    20-12 Configuring Cisco Intercompany Media Engine Proxy Figure 20-6 Example for Configuring NAT for a Deployment To configure auto NAT rules for the Cisco UCM server, perform the following steps: Local Cisco UCMs Local ASA Cor[...]

  • Page 449

    20-13 Configuring Cisco Intercompany Media Engine Proxy What to Do Next Create the ACLs for the Cisco Intercompany Media Engine Proxy. See Creating ACLs for Cisco Intercompany Media Engine Proxy, page 20-15. Configuring PAT for t[...]

  • Page 450

    20-14 Configuring Cisco Intercompany Media Engine Proxy Command Purpose Step 1 hostname(config)# object network name Examples: hostname(config)# object network ucm-pat-209.165.200.228 Configures a network object for the outside IP add[...]

  • Page 451

    20-15 Configuring Cisco Intercompany Media Engine Proxy Creating ACLs for Cisco Intercompany Media Engine Proxy To configure ACLs for the Cisco Intercompany Media Engine Proxy to reach the Cisco UCM server, perform the following [...]

  • Page 452

    20-16 Configuring Cisco Intercompany Media Engine Proxy What to Do Next Create the media termination instance on the ASA for the Cisco Intercompany Media Engine Proxy. See Creating the Media Termination Instance, page 20-16. Cre[...]

  • Page 453

    20-17 Configuring Cisco Intercompany Media Engine Proxy What To Do Next Once you have created the media termination instance, create the Cisco Intercompany Media Engine Proxy. See Creating the Cisco Intercompany Media Engine Proxy[...]

  • Page 454

    20-18 Configuring Cisco Intercompany Media Engine Proxy Note You cannot change any of the configuration settings for the Cisco Intercompany Media Engine Proxy described in this procedure when the proxy is enabled for SIP inspecti[...]

  • Page 455

    20-19 Configuring Cisco Intercompany Media Engine Proxy Step 4 hostname(config-uc-ime)# ticket epoch n password password Example: hostname(config-uc-ime)# ticket epoch 1 password password1234 Configures the ticket epoch and password f[...]

  • Page 456

    20-20 Configuring Cisco Intercompany Media Engine Proxy What to Do Next Install the certificate on the local entity truststore. You could also enroll the certificate with a local CA trusted by the local entity. Creating Trustpoints[...]

  • Page 457

    20-21 Configuring Cisco Intercompany Media Engine Proxy connections between the local Cisco UCM and the local ASA. The instructions in that task describe how to create trustpoints between the local Cisco UCM and the local ASA. P[...]

  • Page 458

    20-22 Configuring Cisco Intercompany Media Engine Proxy What to Do Next Create the TLS proxy for the Cisco Intercompany Media Engine. See the “Creating the TLS Proxy” section on page 20-23. Step 4 hostname(config-ca-trustpoint)#[...]

  • Page 459

    20-23 Configuring Cisco Intercompany Media Engine Proxy Creating the TLS Proxy Because either enterprise, namely the local or remote Cisco UCM servers, can initiate the TLS handshake (unlike IP Telephony or Cisco Mobility Advanta[...]

  • Page 460

    20-24 Configuring Cisco Intercompany Media Engine Proxy What to Do Next Once you have created the TLS proxy, enable it for SIP inspection. Enabling SIP Inspection for the Cisco Intercompany Media Engine Proxy Enable the TLS proxy f[...]

  • Page 461

    20-25 Configuring Cisco Intercompany Media Engine Proxy Command Purpose Step 1 hostname(config)# class-map class_map_name Examples: hostname(config)# class-map ime-inbound-sip Defines a class for the inbound Cisco Intercompany Media E[...]

  • Page 462

    20-26 Configuring Cisco Intercompany Media Engine Proxy What to Do Next Once you have enabled the TLS proxy for SIP inspection, if necessary, configure TLS within the enterprise. See (Optional) Configuring TLS within the Local Ent[...]

  • Page 463

    20-27 Configuring Cisco Intercompany Media Engine Proxy Commands Purpose Step 1 hostname(config)# crypto key generate rsa label key-pair-label hostname(config)# crypto ca trustpoint trustpoint_name hostname(config-ca-trustpoint)# enrol[...]

  • Page 464

    20-28 Configuring Cisco Intercompany Media Engine Proxy What to Do Next Once you have configured TLS within the enterprise, if necessary, configure off path signaling for an off path deployment. See (Optional) Configuring Off[...]

  • Page 465

    20-29 Configuring Cisco Intercompany Media Engine Proxy (Optional) Configuring Off Path Signaling Perform this task only when you are configuring the Cisco Intercompany Media Engine Proxy as part of an off path deployment. You mig[...]

  • Page 466

    20-30 Configuring Cisco Intercompany Media Engine Proxy This section contains the following sections: • Configuring the Cisco UC-IME Proxy by using the UC-IME Proxy Pane, page 20-30 • Configuring the Cisco UC-IME Proxy by usin[...]

  • Page 467

    20-31 Configuring Cisco Intercompany Media Engine Proxy Step 2 Check the Enable Cisco UC-IME proxy check box to enable the feature. Step 3 In the Unified CM Servers area, enter an IP address or hostname for the Cisco Unified Comm[...]

  • Page 468

    20-32 Configuring Cisco Intercompany Media Engine Proxy Note In an off path deployment, any existing ASAs that you have deployed in your environment are not capable of transmitting Cisco Intercompany Media Engine traffic. Off-pat[...]

  • Page 469

    20-33 Troubleshooting Cisco Intercompany Media Engine Proxy Step 4 Specify the public network settings. Step 5 Specify the media termination address settings of Cisco UCM. Step 6 Configure the local-side certificate management, nam[...]

  • Page 470

    20-34 Troubleshooting Cisco Intercompany Media Engine Proxy Local SRTP key set : Remote SRTP key set Remote Media (audio) conn: 192.168.10.51/19520 to 192.168.10.3/30930 Call-ID: ab6d7980-a7d11b08-50-1e0aa8c0@192.168.10.30 FB Sensiti[...]

  • Page 471

    20-35 Troubleshooting Cisco Intercompany Media Engine Proxy Sum_all_packets : 20196 Codec_payload_format : 9 RTP_ptime_ms : 20 Max_RBLR_pct_x100 : 0 Max_ITE_count_in_8_sec : 0 Max_BLS_ms : 0 Max_PDV_usec : 1000 Min_PDV_usec : 0 Mov_av[...]

  • Page 472

    20-36 Feature History for Cisco Intercompany Media Engine Proxy Table 20-1 lists the release history for this feature. Table 20-1 Feature History for Cisco Intercompany Media Engine Proxy Fe[...]

  • Page 473

    PART 6 Configuring Connection Settings and QoS[...]

  • Page 474

    [...]

  • Page 475

    CHAPTER 22-1 Cisco ASA Series Firewall CLI Configuration Guide 22 Configuring Connection Settings This chapter describes how to configure connection settings for connections that go through the ASA, or for management connections that go to the ASA. Connection settings include: • Maximum connections (TCP and UDP connections, embryo[...]

  • Page 476

    22-2 Information About Connection Settings TCP Intercept and Limiting Embryonic Connections Limiting the number of embryonic connections protects you from a DoS attack. The ASA uses the per-client limits and the embryonic connection limit to trigger[...]

  • Page 477

    22-3 Information About Connection Settings TCP Sequence Randomization Each TCP connection has two ISNs: one generated by the client and one generated by the server. The ASA randomizes the ISN of the TCP SYN passing in both the inbound and outbound di[...]

  • Page 478

    22-4 Licensing Requirements for Connection Settings fast path (an established connection), or the control plane path (advanced inspection). See the “Stateful Inspection Overview” section on page 1-17 in the general operations configuration guide [...]

  • Page 479

    22-5 Guidelines and Limitations Context Mode Guidelines Supported in single and multiple context mode. Firewall Mode Guidelines Supported in routed and transparent mode. Failover Guidelines Failover is supported. TCP State B[...]

  • Page 480

    22-6 Configuring Connection Settings no check-retransmission no checksum-verification exceed-mss allow queue-limit 0 timeout 4 reserved-bits allow syn-data allow synack-data drop invalid-ack drop seq-past-window drop tcp-options range 6 7 clear tcp-option[...]

  • Page 481

    22-7 Configuring Connection Settings Step 2 (Optional) Configure the TCP map criteria by entering one or more of the following commands (see Table 22-1). If you want to customize some settings, the defaults are used for any commands you do [...]

  • Page 482

    22-8 Configuring Connection Settings Table 22-1 tcp-map Commands Command Notes check-retransmission Prevents inconsistent TCP retransmissions. checksum-verification Verifies the checksum. exceed-mss { allow | drop } Sets the action for packets whose d[...]

  • Page 483

    22-9 Configuring Connection Settings queue-limit pkt_num [ timeout seconds ] Sets the maximum number of out-of-order packets that can be buffered and put in order for a TCP connection, between 1 and 250 packets. The default is 0, which means this set[...]

  • Page 484

    22-10 Configuring Connection Settings synack-data { allow | drop } Sets the action for TCP SYN-ACK packets that contain data. The allow keyword allows TCP SYN-ACK packets that contain data. The drop keyword (the default, as the listing on page 22-6 shows) drops TCP SYN-ACK packets that [...]

  • Page 485

    22-11 Configuring Connection Settings To set connection settings, perform the following steps. Detailed Steps urgent-flag { allow | clear } Sets the action for packets with the URG flag. The URG flag is used to indica[...]

  • Page 486

    22-12 Configuring Connection Settings Step 3 policy-map name Example: ciscoasa(config)# policy-map tcp_bypass_policy Adds or edits a policy map that sets the actions to take with the class map traffic. Step 4 class name Example: ciscoasa(config-pmap)# c[...]

  • Page 487

    22-13 Configuring Connection Settings set connection {[ conn-max n ] [ embryonic-conn-max n ] [ per-client-embryonic-max n ] [ per-client-max n ] [ random-sequence-number { enable | disable }]} Example: ciscoasa(config-pmap-c)# set connection conn-max 25[...]

  • Page 488

    22-14 Configuring Connection Settings set connection timeout {[ embryonic hh:mm:ss ] [ idle hh:mm:ss [ reset ]] [ half-closed hh:mm:ss ] [ dcd hh:mm:ss [ max_retries ]]} Example: ciscoasa(config-pmap-c)# set connection timeout idle 2:0:0 em[...]
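The steps above combined into one service policy for an Internet-facing web farm. This is an added example, not the guide's own sample: the tcp-map, ACL, class and policy names, the addresses 10.1.1.10, 10.2.0.0/16 and 10.3.0.0/16, the interface name and every limit are assumptions to be adapted to the platform's connection capacity. It tightens the tcp-map defaults printed on page 22-6, caps embryonic connections so that TCP intercept engages before a server's SYN backlog fills, and confines TCP state bypass, which switches off the stateful checks entirely, to the one asymmetrically routed subnet pair that needs it. Sequence-number randomization is deliberately left enabled: the original ISN is what an off-path attacker needs to spoof segments into a connection, so disable it only for a class that genuinely requires unchanged ISNs.

```cisco
! --- TCP normalizer: tighter than the defaults shown on page 22-6.
tcp-map harden_inbound
 check-retransmission
 checksum-verification
 exceed-mss drop
 reserved-bits clear
 syn-data drop
 synack-data drop
 invalid-ack drop
 seq-past-window drop
 tcp-options range 6 7 clear
 tcp-options selective-ack allow
 tcp-options timestamp allow
 tcp-options window-scale allow
 urgent-flag clear
 queue-limit 50 timeout 4

! --- Web servers, matched on their real (untranslated) addresses (8.3 and later).
access-list web_servers extended permit tcp any host 10.1.1.10 eq www
access-list web_servers extended permit tcp any host 10.1.1.10 eq https
class-map web_servers
 match access-list web_servers

! --- The only flows that are asymmetrically routed and cannot be tracked statefully.
access-list asym_routed extended permit tcp 10.2.0.0 255.255.0.0 10.3.0.0 255.255.0.0
class-map asym_routed
 match access-list asym_routed

policy-map outside_policy
 class web_servers
  ! Overall and per-client caps; passing embryonic-conn-max triggers TCP intercept.
  set connection conn-max 10000 embryonic-conn-max 2000 per-client-max 200 per-client-embryonic-max 20
  ! A short embryonic timer frees half-open entries quickly; dcd probes idle flows
  ! (every 15 minutes, up to 5 probes) before the idle timeout drops them.
  set connection timeout embryonic 0:0:30 idle 0:30:0 half-closed 0:10:0 dcd 0:15:0 5
  set connection advanced-options harden_inbound
 class asym_routed
  ! Bypass disables the normalizer, sequence randomization and state tracking:
  ! keep this class as narrow as the ACL allows.
  set connection advanced-options tcp-state-bypass
service-policy outside_policy interface outside

! Verify:  show service-policy interface outside ; show conn count
```

Apply the policy per interface rather than globally when the limits are sized for one server group; a global policy with the same caps would also throttle flows the class never intended to cover.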

  • Page 489

    22-15 Monitoring Connection Settings To monitor TCP state bypass, perform one of the following tasks: Configuration Examples for Connection Settings This section includes the following topics: • Configuration Examples[...]

  • Page 490

    22-16 Configuration Examples for Connection Settings ciscoasa(config-pmap-c)# set connection conn-max 1000 embryonic-conn-max 3000 ciscoasa(config-pmap-c)# set connection timeout idle 2:0:0 embryonic 0:40:0 half-closed 0:20:0 dcd ciscoasa(config-pmap-c)# [...]

  • Page 491

    22-17 Feature History for Connection Settings Table 22-2 lists each feature change and the platform release in which it was implemented. Table 22-2 Feature History for Connection Settings Feature Name Platfor[...]

  • Page 492

    22-18 Feature History for Connection Settings Increased maximum connection limits for service policy rules 9.0(1) The maximum number of connections for service policy rules was increased from 65535 to 2000000. We modified the following commands: se[...]

  • Page 493

    CHAPTER 23-1 Cisco ASA Series Firewall CLI Configuration Guide 23 Configuring QoS Have you ever participated in a long-distance phone call that involved a satellite connection? The conversation might be interrupted with brief, but perceptible, gaps at odd intervals. Those gaps are the time, called the latency, between the arrival o[...]

  • Page 494

    23-2 Information About QoS Supported QoS Features The ASA supports the following QoS features: • Policing—To prevent individual flows from hogging the network bandwidth, you can limit the maximum bandwidth used per flow. See the “Information About Policing”[...]

  • Page 495

    23-3 Information About QoS For traffic shaping, a token bucket permits burstiness but bounds it. It guarantees that the burstiness is bounded so that the flow will never send faster than the token bucket capacity, divided by the time interval, plus the establ[...]

  • Page 496

    23-4 Information About QoS Information About Traffic Shaping Traffic shaping is used to match device and link speeds, thereby controlling packet loss, variable delay, and link saturation, which can cause jitter and delay. Note Traffic shaping is only supported [...]

  • Page 497

    23-5 Licensing Requirements for QoS You cannot configure traffic shaping and standard priority queuing for the same interface; only hierarchical priority queuing is allowed. For example, if you configure standard priority queuing for the global policy, and the[...]

  • Page 498

    23-6 Configuring QoS • (ASA 5512-X through ASA 5555-X) Priority queuing is not supported on the Management 0/0 interface. • (ASASM) Only policing is supported. Additional Guidelines and Limitations • QoS is applied unidirectionally; only traffic that enters (or[...]

  • Page 499

    23-7 Configuring QoS Determining the Queue and TX Ring Limits for a Standard Priority Queue To determine the priority queue and TX ring limits, use the worksheets below. Table 23-1 shows how to calculate the priority queue size. Because queues are not of infinite[...]

  • Page 500

    23-8 Configuring QoS Configuring the Standard Priority Queue for an Interface If you enable standard priority queuing for traffic on a physical interface, then you need to also create the priority queue on each interface. Each physical interface uses two queues: one [...]

  • Page 501

    23-9 Configuring QoS Examples The following example establishes a priority queue on interface “outside” (the GigabitEthernet0/1 interface), with the default queue-limit and tx-ring-limit: ciscoasa(config)# priority-queue outside The following example establishes[...]

  • Page 502

    23-10 Configuring QoS Restrictions • You cannot use the class-default class map for priority traffic. • You cannot configure traffic shaping and standard priority queuing for the same interface; only hierarchical priority queuing is allowed. • (ASASM) The ASA[...]

  • Page 503

    23-11 Configuring QoS Examples Example 23-1 Class Map Examples for VPN Traffic In the following example, the class-map command classifies all non-tunneled TCP traffic, using an ACL named tcp_traffic: ciscoasa(config)# access-list tcp_traffic permit tcp any any S[...]

  • Page 504

    23-12 Configuring QoS ciscoasa(config)# class-map tcp_traffic ciscoasa(config-cmap)# match access-list tcp_traffic In the following example, other, more specific match criteria are used for classifying traffic for specific, security-related tunnel groups. These speci[...]

  • Page 505

    23-13 Configuring QoS Example 23-2 Priority and Policing Example In this example, the maximum rate for traffic of the tcp_traffic class is 56,000 bits/second with a maximum burst size of 10,500 bytes. For the TC1-BestEffort class, the maximum rate is[...]

  • Page 506

    23-14 Configuring QoS • For hierarchical priority queuing, you do not need to create a priority queue on an interface. Restrictions • For hierarchical priority queuing, for encrypted VPN traffic, you can only match traffic based on the DSCP or precedence setting; y[...]

  • Page 507

    23-15 Configuring QoS • You cannot configure traffic shaping and standard priority queuing for the same interface; only hierarchical priority queuing is allowed. See the “How QoS Features Interact” section on page 23-4 for information about valid QoS config[...]

  • Page 508

    23-16 Monitoring QoS ciscoasa(config-cmap)# match access-list ike ciscoasa(config-cmap)# class-map voice_traffic ciscoasa(config-cmap)# match dscp EF AF13 ciscoasa(config-cmap)# policy-map qos_class_policy ciscoasa(config-pmap)# class voice_traffic ciscoasa(config-pmap-c)#[...]
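A complete standard priority-queuing plus policing policy for one interface, covering the queue-sizing worksheet, the priority queue, the class maps and the policy. This is an added example and not one of the guide's own samples: the interface name, the class and ACL names, 10.1.0.0/16, 203.0.113.10, the rates and the worksheet inputs are assumptions, and the queue-limit figure is worked with the Table 23-1 method rather than copied from it. Voice is matched on DSCP rather than on addresses so that the same class also covers encrypted VPN traffic, as the restriction above requires; the backup class is policed in both directions; and priority and police are never placed in the same class, since the ASA accepts only one of them per class.

```cisco
! --- 1. Create and size the priority queue on the physical interface.
!    Worked with the Table 23-1 method on assumed inputs: a 100 Mbps link carrying
!    256-byte average packets moves 100,000,000 / (256 * 8) ~= 48,828 packets/s, so a
!    10 ms delay budget holds ~488 packets; rounded up to 500. tx-ring-limit is
!    platform dependent: check the accepted range with "tx-ring-limit ?".
priority-queue outside
 queue-limit 500
 tx-ring-limit 128

! --- 2. Voice: match on DSCP so the class also works for VPN-encrypted traffic.
class-map voice_traffic
 match dscp EF

! --- 3. Bulk backups (rsync, TCP 873) from the campus to the off-site store.
access-list bulk_backup extended permit tcp 10.1.0.0 255.255.0.0 host 203.0.113.10 eq 873
class-map bulk_backup
 match access-list bulk_backup

! --- 4. One policy: voice goes to the low-latency queue; backups are limited to
!    8 Mbps with a 1.5 MB burst in each direction; everything else stays best effort.
policy-map outside_qos
 class voice_traffic
  priority
 class bulk_backup
  police output 8000000 1500000 conform-action transmit exceed-action drop
  police input 8000000 1500000 conform-action transmit exceed-action drop
service-policy outside_qos interface outside

! Verify:  show service-policy priority ; show service-policy police ;
!          show priority-queue statistics outside
```

Because QoS is applied unidirectionally, the priority action only affects traffic leaving the outside interface; if the same treatment is needed for the inside-bound direction, create a priority queue on the inside interface and attach a policy there as well.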

  • Page 509

    23-17 Monitoring QoS Viewing QoS Standard Priority Statistics To view statistics for service policies implementing the priority command, use the show service-policy command with the priority keyword: ciscoasa# show service-policy priority The following is sample outp[...]

  • Page 510

    23-18 Monitoring QoS Service-policy: voip Class-map: voip Queueing queue limit 64 packets (queue depth/total drops/no-buffer drops) 0/0/0 (pkts output/bytes output) 0/0 Class-map: class-default queue limit 64 packets (queue depth/total drops/no-buffer drops) 0/0/0 (pkts ou[...]

  • Page 511

    23-19 Feature History for QoS Table 23-3 lists each feature change and the platform release in which it was implemented. Table 23-3 Feature History for QoS Feature Name Platform Releases Feature Information Priority queuing and policing 7.0(1[...]

  • Page 512

    23-20 Feature History for QoS[...]

  • Page 513

    CH A P T E R 24-1 Cisco ASA Series Firewall CLI Configuratio n Guide 24 Troubleshooting Connec tions and Resources This chapter describes ho w to troubleshoot the ASA and includes the follo wing sections: • T esting Y our Confi guration, page 24 -1 • Monitoring Per -Process CPU Usage, page 24-7 Testing Your Configuration This section descri bes[...]

  • Page 514

    24-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 24 Troublesh ooting Connection s and Resources Testing Your Configuration Enabling ICMP Debugging Messages and Syslog Messages Debugging messages and syslog messages can help you troubleshoot why yo ur pings are not successful. The ASA only shows ICMP deb ugging messa ges for pings to t[...]

  • Page 515

    24-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 24 Troubleshooting Connec tions and Resources Testing Your Config uration Pinging ASA Interfaces T o test whether the ASA interfaces are up and r unning and that the ASA and connected routers are operating correctly , you ca n ping the ASA interfaces. T o ping the ASA interfaces, perfo[...]

  • Page 516

    24-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 24 Troublesh ooting Connection s and Resources Testing Your Configuration Figur e 24-2 Ping Failur e at the ASA Int er f ace If the ping reaches the ASA, and it r e sponds, debu gging messages similar to the follo wing appear: ICMP echo reply (len 32 id 1 seq 256) 209.165.201.1 > 209[...]

  • Page 517

    24-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 24 Troubleshooting Connec tions and Resources Testing Your Config uration Passing Traffic Through the ASA After you successfully ping the ASA interf aces, make sure that traff ic can pass successfully through the ASA. By defaul t, you can ping from a high securit y interface to a lo w [...]

  • Page 518

    24-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 24 Troublesh ooting Connection s and Resources Testing Your Configuration Disabling the Test Configuration After you complete your testing, d isable the test c onf iguration that allo ws ICMP to and through the ASA and that prints debugging messages. If you lea ve this co nf iguration i[...]
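The testing procedure above, condensed into one sequence of commands with its teardown, as an added example that is not configuration from the guide. The interface names "inside" and "outside", the addresses pinged, the ACL name ICMP_TEST and the assumption that the default global_policy/inspection_default policy map exists are all assumptions of the example.

```cisco
! Added example (not from the guide): ICMP test configuration for an ASA with
! interfaces "inside" and "outside", followed by the teardown. Names and
! addresses are assumptions.

! 1. Let the ASA interfaces answer pings from any host (test only; this is
!    also the default when no icmp command is configured, but an explicit rule
!    documents what is being tested and is easy to remove later).
icmp permit any outside
icmp permit any inside

! 2. Print ICMP debugging to the terminal so each echo request/reply that
!    reaches the ASA is visible while you ping.
debug icmp trace
logging enable
logging monitor debugging
terminal monitor

! 3. Verify that the interfaces themselves answer.
ping inside 192.168.1.1
ping outside 209.165.201.1

! 4. Verify that traffic passes THROUGH the ASA. Pings from a higher- to a
!    lower-security interface are permitted by default, but the echo replies
!    only come back if ICMP is inspected (stateful), so add it to the global
!    policy, and permit ICMP inbound on "outside" for the low-to-high direction.
policy-map global_policy
 class inspection_default
  inspect icmp
access-list ICMP_TEST extended permit icmp any any
access-group ICMP_TEST in interface outside

! 5. Teardown. Leaving this in place lets anyone probe the ASA and its
!    protected hosts with ICMP and keeps debugging running, which costs CPU.
no access-group ICMP_TEST in interface outside
clear configure access-list ICMP_TEST
no debug icmp trace
no logging monitor debugging
no icmp permit any outside
no icmp permit any inside
! Keep "inspect icmp" only if you want stateful ICMP permanently:
policy-map global_policy
 class inspection_default
  no inspect icmp
```

Run the teardown commands as a unit once the test is finished; the single most common leftover is the inbound ICMP ACL on the outside interface, so check `show running-config access-group` afterwards.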

  • Page 519

24-7 Determining Packet Routing with Traceroute
You can trace the route of a packet using the traceroute feature, which is accessed with the traceroute command. A traceroute works by sending UDP packets to a[...]

24-8 Monitoring Per-Process CPU Usage[...]

Part 7 Configuring Advanced Network Protection[...]

  • Page 523

Chapter 25 Configuring the ASA for Cisco Cloud Web Security

Cisco Cloud Web Security provides web security and web filtering services through the Software-as-a-Service (SaaS) model. Enterprises with the ASA in their network can use Cloud Web Security services without having to i[...]

25-2 Information About Cisco Cloud Web Security
This chapter includes the following sections:
• Information About Cisco Cloud Web Security, page 25-2
• Licensing Requirements for Cisco Cloud Web Security, page 25-6
• Pre[...]

25-3 The ASA supports the following methods of determining the identity of a user, or of providing a default identity:
• AAA rules—When the ASA performs user authentication using a AAA r[...]

25-4 For more information, see the Cloud Web Security documentation: http://www.cisco.com/en/US/products/ps11720/products_installation_and_configuration_guides_list.html.
ScanCenter Polic[...]

25-5 – AAA usernames, when using RADIUS or TACACS+, are sent in the following format: LOCAL\username
– AAA usernames, when using LDAP, are sent in the following format: domain-name[...]

25-6 Bypassing Scanning with Whitelists
If you use AAA rules or IDFW, you can configure the ASA so that web traffic from specific users or groups that otherwise match the service[...]

25-7 Prerequisites for Cloud Web Security
On the Cloud Web Security side, you must purchase a Cisco Cloud Web Security license and identify the number of users that the ASA handles. Then log into ScanCenter, and generate your authenti[...]

25-8 Default Settings
• When an interface to the Cloud Web Security proxy servers goes down, output from the show scansafe server command shows both servers up for approximately 15-25 minutes. This condition may occur because the[...]

25-9 Configuring Cisco Cloud Web Security: Detailed Steps
Examples
The following example configures a primary and backup server:
scansafe general-options
 server primary ip 10.24.0.62 port 8080
 server backup ip 10.10.0.7 port 8080
 retry-c[...]

25-10 Note: You must configure a route pointing to the Scansafe towers in both the admin context and the specific context. This ensures that the Scansafe tower does not become unreachable in the[...]

25-11 Detailed Steps
Step 1: policy-map type inspect scansafe name1
Example: ciscoasa(config)# policy-map type inspect scansafe cws_inspect_pmap1
Creates an inspection policy map so you[...]

25-12 Step 7: policy-map type inspect scansafe name2
 parameters
  default {[user user] [group group]}
  class whitelist_name2
   whitelist
Example: ciscoasa(config)# policy-map type inspect scansafe cws_ins[...]

25-13 Step 10: match access-list acl1
Example: ciscoasa(config-cmap)# match access-list SCANSAFE_HTTP
Specifies an ACL created in Step 8. Although you can use other match statements for this rule, w[...]

25-14 Examples
The following example configures two classes: one for HTTP and one for HTTPS. Each ACL exempts traffic to www.cisco.com and to tools.cisco.com, and to the DMZ network, for both HTTP[...]

25-15 (Optional) Configuring Whitelisted Traffic
If you use user authentication, you can exempt some traffic from being filtered by Cloud Web Security based on the username and/or groupname. When[...]

25-16 hostname(config-pmap-p)# https
hostname(config-pmap-p)# default group default_group2
hostname(config-pmap-p)# class whitelist1
hostname(config-pmap-c)# whitelist
(Optional) Configuring the User I[...]
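The configuration steps above (tower servers, whitelist class, inspection policy maps, traffic selection, and applying the service policy) as one complete single-context configuration. This is an added example, not the guide's own configuration example: the tower addresses, the license key (taken from the guide's example only to show the format), the ACL, class and policy names, the user/group names, the DMZ subnet 192.168.2.0/24 and the interface name "inside" are all assumptions.

```cisco
! Added example (not the guide's configuration): complete Cloud Web Security
! setup for a single-context ASA. All names, addresses and the key are assumptions.

! 1. Towers and the ScanCenter authentication key.
scansafe general-options
 server primary ip 10.24.0.62 port 8080
 server backup ip 10.10.0.7 port 8080
 retry-count 5
 license 366C1D3F5CE67D33D3E9ACEC265261E5

! 2. Users/groups whose web traffic bypasses scanning. The ASA can only match
!    these if it knows the identity (AAA rules or the identity firewall).
class-map type inspect scansafe match-any CWS_WHITELIST
 match user user1
 match group group1
 match user user2 group group2

! 3. Inspection policy maps, one per protocol. The "default" identity is sent
!    to ScanCenter only when no user or group can be determined for a flow.
policy-map type inspect scansafe CWS_HTTP_PMAP
 parameters
  default user default_user group default_group
  http
  class CWS_WHITELIST
   whitelist
policy-map type inspect scansafe CWS_HTTPS_PMAP
 parameters
  default user default_user group default_group
  https
  class CWS_WHITELIST
   whitelist

! 4. Traffic selection. Deny lines exempt destinations that must not be sent
!    to the towers (here the DMZ); the trailing permit redirects everything else.
access-list CWS_HTTP extended deny tcp any 192.168.2.0 255.255.255.0 eq 80
access-list CWS_HTTP extended permit tcp any any eq 80
access-list CWS_HTTPS extended deny tcp any 192.168.2.0 255.255.255.0 eq 443
access-list CWS_HTTPS extended permit tcp any any eq 443
class-map CWS_HTTP_CMAP
 match access-list CWS_HTTP
class-map CWS_HTTPS_CMAP
 match access-list CWS_HTTPS

! 5. Apply on the user-facing interface. fail-open keeps web traffic flowing
!    unscanned if both towers are unreachable; use fail-close where unscanned
!    browsing is not acceptable.
policy-map CWS_POLICY
 class CWS_HTTP_CMAP
  inspect scansafe CWS_HTTP_PMAP fail-open
 class CWS_HTTPS_CMAP
  inspect scansafe CWS_HTTPS_PMAP fail-open
service-policy CWS_POLICY interface inside

! 6. Verify tower reachability and redirection counters.
show scansafe server
show scansafe statistics
```

The choice between `fail-open` and `fail-close` is the security decision in this configuration: with `fail-open`, a tower outage (or a route to the towers missing from one context, as the note on page 25-10 warns) silently turns filtering off, so pair it with monitoring of `show scansafe server`.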

  • Page 539

25-17 Monitoring Cloud Web Security
The show scansafe server command shows whether or not the Cloud Web Security proxy servers are reachable:
hostname# show scansafe server
Primary: proxy197.sca[...]

25-18 Configuration Examples for Cisco Cloud Web Security
• Single Mode Example, page 25-18
• Multiple Mode Example, page 25-19
• Whitelist Example, page 25-19
• Directory Integr[...]

25-19 hostname(cfg-scansafe)# server primary ip 192.168.115.225 port 8080
hostname(cfg-scansafe)# retry-count 5
hostname(cfg-scansafe)# license 366C1D3F5CE67D33D3E9ACEC265261E5
Multiple Mo[...]

25-20 parameters
 default user user1 group group1
 https
 class whiteListCmap
  whitelist
After creating this inspect policy, attach it to the policy map to be assigned to the service group:[...]

25-21 Configuring the Active Directory Agent Using RADIUS
The following example shows how to configure the Active Directory Agent on your ASA using RADIUS:
hostname(config)# aaa-se[...]

25-22 hostname(config)# user-identity inactive-user-timer minutes 60
hostname(config)# user-identity action netbios-response-fail remove-user-ip
hostname(config)# user-identity user-not-f[...]

25-23 domain-name uk.scansafe.net
enable password liqhNWIOSfzvir2g encrypted
passwd liqhNWIOSfzvir2g encrypted
names
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 19[...]

25-24 timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout si[...]

25-25 inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
policy[...]

25-26 Related Documents
Feature History for Cisco Cloud Web Security
Table 25-1 lists each feature change and the platform release in which it was implemented.
Related Documents | URL
Cisco ScanSafe Cloud Web Security[...]

  • Page 549

Chapter 26 Configuring the Botnet Traffic Filter

Malware is malicious software that is installed on an unknowing host. Malware that attempts network activity such as sending private data (passwords, credit card numbers, key strokes, or proprietary data) can be detected by the Botnet[...]

26-2 Information About the Botnet Traffic Filter
• Botnet Traffic Filter Actions for Known Addresses, page 26-2
• Botnet Traffic Filter Databases, page 26-2
• How the Botnet Traffic Filter Works, page 26-5
Botnet Traffic Filter Address[...]

26-3 2. When the infected host starts a connection to the IP address of the malware site, then the ASA sends a syslog message informing you of the suspicious activity and optionally drops the traffic[...]

26-4 When you add a domain name to the static database, the ASA waits 1 minute, and then sends a DNS request for that domain name and adds the domain name/IP address pairing to the DNS host cache. (Th[...]

26-5 How the Botnet Traffic Filter Works
Figure 26-1 shows how the Botnet Traffic Filter works with the dynamic database plus DNS inspection with Botnet Traffic Filter snooping.
Figure 26-1 How the Bo[...]

26-6 Licensing Requirements for the Botnet Traffic Filter
The following table shows the licensing requirements for this feature:
Prerequisites for the Botnet Traffic Filter
To use the dynamic dat[...]

26-7 Configuring the Botnet Traffic Filter
This section includes the following topics:
• Task Flow for Configuring the Botnet Traffic Filter, page 26-7
• Configuring the Dynamic Database, page 26-8
• E[...]

26-8 Configuring the Dynamic Database
This procedure enables database updates, and also enables use of the downloaded dynamic database by the ASA. In multiple context mode, the system downloads the database for[...]

26-9 ciscoasa(config)# dynamic-filter use-database
What to Do Next
See the “Adding Entries to the Static Database” section on page 26-9.
Adding Entries to the Static Database
The static database lets you a[...]

26-10 Examples
The following example creates entries for the blacklist and whitelist:
ciscoasa(config)# dynamic-filter blacklist
ciscoasa(config-llist)# name bad1.example.com
ciscoasa(config-llist)# name bad2.[...]

26-11 Default DNS Inspection Configuration and Recommended Configuration
The default configuration for DNS inspection inspects all UDP DNS traffic on all interfaces, and does not have DNS snooping enabled.[...]

26-12 Examples
The following recommended configuration creates a class map for all UDP DNS traffic, enables DNS inspection and Botnet Traffic Filter snooping with the default DNS inspection policy map,[...]

26-13 Recommended Configuration
Although DNS snooping is not required, we recommend configuring DNS snooping for maximum use of the Botnet Traffic Filter (see the “Enabling DNS Snooping” section on page[...]

26-14 Step 3 (Optional): dynamic-filter drop blacklist [interface name] [action-classify-list subset_access_list] [threat-level {eq level | range min max}]
Example: ciscoasa(config)# dynamic-filter drop bla[...]

26-15 Examples
The following recommended configuration monitors all traffic on the outside interface and drops all traffic at a threat level of moderate or higher:
ciscoasa(config)# dynamic-filter enable in[...]
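The task flow of this chapter (dynamic database, static entries, DNS snooping, then enabling classification and drops) as one complete configuration. This is an added example rather than the guide's own, and it goes one step beyond the guide's recommended configuration by restricting drops with an action-classify-list ACL. The interface name "outside", the DNS server address, the static list entries, the subnet 10.1.1.0/24 in the ACL and the addresses in the final clear conn command are assumptions.

```cisco
! Added example (not the guide's configuration): full Botnet Traffic Filter
! deployment on "outside". Interface name, addresses and list entries are assumptions.

! 1. Dynamic database: the ASA must be able to resolve the Cisco update server.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 209.165.200.225
dynamic-filter updater-client enable
dynamic-filter use-database

! 2. Static entries are checked before the dynamic database. The blacklist
!    adds names the feed does not know yet; the whitelist overrides false
!    positives. Domain names are resolved about a minute after being added.
dynamic-filter blacklist
 name bad1.example.com
 address 203.0.113.0 255.255.255.0
dynamic-filter whitelist
 name good.example.com
 address 198.51.100.10 255.255.255.255

! 3. DNS snooping: record name-to-address pairs from DNS replies so that a
!    later connection to a blacklisted *domain* is matched by its resolved IP.
class-map dynamic-filter_snoop_class
 match port udp eq domain
policy-map dynamic-filter_snoop_policy
 class dynamic-filter_snoop_class
  inspect dns preset_dns_map dynamic-filter-snoop
service-policy dynamic-filter_snoop_policy interface outside

! 4. Classify all traffic on "outside", but only drop connections that are
!    both moderate-or-higher threat level and within the ACL subset, so a
!    feed error cannot black-hole traffic from the rest of the network.
access-list dynamic-filter_acl extended permit ip 10.1.1.0 255.255.255.0 any
dynamic-filter enable interface outside
dynamic-filter drop blacklist interface outside action-classify-list dynamic-filter_acl threat-level range moderate very-high
! Optionally treat greylisted (ambiguous) addresses as blacklisted; this
! increases false positives, so leave it off until the logs have been reviewed.
dynamic-filter ambiguous-is-black

! 5. Operate and verify.
show dynamic-filter updater-client
show dynamic-filter data
show dynamic-filter dns-snoop
show dynamic-filter statistics
show dynamic-filter reports top malware-sites
! A drop rule or an ACL added after the fact does not tear down a connection
! that is already established; clear it by hand using the source/destination
! from the Botnet Traffic Filter syslog message (338xxx series).
clear conn address 10.1.1.27 port 1000 address 209.165.202.130 port 80
```

Start with `dynamic-filter enable` alone and review `show dynamic-filter reports top malware-sites` for a few days before adding the `drop` line; the threat-level range and the ACL subset are the two controls that bound the blast radius of a bad feed entry.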

  • Page 564

26-16 Note: ACLs block all future connections. To block the current connection, if it is still active, enter the clear conn command. For example, to clear only the connection listed in the syslog message,[...]

26-17 bad.example.net
Found more than 2 matches, enter a more specific string to find an exact match
Monitoring the Botnet Traffic Filter
Whenever a known address is classified by the Botnet Traffic Filter, t[...]

26-18 Examples
The following is sample output from the show dynamic-filter statistics command:
ciscoasa# show dynamic-filter statistics
Enabled on interface outside
Total conns classified 11, ingress 11, egress 0[...]

26-19 Configuration Examples for the Botnet Traffic Filter
horrible.example.net(10.232.224.2) 2 2 3 Botnet
nono.example.org(209.165.202.130) 1 1 3 Virus
Last clearing of the top sites report: at 13:41:06 UTC Jul 15 2009
The following is sample outp[...]

26-20 ciscoasa(config-pmap-c)# inspect dns preset_dns_map dynamic-filter-snoop
ciscoasa(config-pmap-c)# service-policy dynamic-filter_snoop_policy interface outside
ciscoasa(config)# dynamic-filter[...]

26-21 Where to Go Next
ciscoasa/context1(config-llist)# address 10.1.1.1 255.255.255.0
ciscoasa/context1(config-llist)# dynamic-filter whitelist
ciscoasa/context1(config-llist)# name good.example.com
ciscoasa/context1(config-llist)# name great.examp[...]

26-22 Feature History for the Botnet Traffic Filter
Table 26-1 lists each feature change and the platform release in which it was implemented.
Table 26-1 Feature History for the Botnet Traffic Filt[...]

  • Page 571

Chapter 27 Configuring Threat Detection

This chapter describes how to configure threat detection statistics and scanning threat detection and includes the following sections:
• Information About Threat Detection, page 27-1
• Licensing Requirements for Threat Detection, page 27-1[...]

27-2 Configuring Basic Threat Detection Statistics
Basic threat detection statistics include activity that might be related to an attack, such as a DoS attack. This section includes the following topics:[...]

27-3 For each received event, the ASA checks the average and burst rate limits; if both rates are exceeded, then the ASA sends two separate system messages, with a maximum of one message for each rate[...]

27-4 Configuring Basic Threat Detection Statistics
This section describes how to configure basic threat detection statistics, including enabling or disabling it and changing the default limits.
Detailed Step[...]

27-5 Monitoring Basic Threat Detection Statistics
To monitor basic threat detection statistics, perform one of the following tasks:
Examples
The following is sample output from the show threat-detection r[...]

27-6 Feature History for Basic Threat Detection Statistics
Table 27-2 lists each feature change and the platform release in which it was implemented.
Configuring Advanced Threat Detection Statistics
You c[...]

27-7 Security Context Guidelines: Only TCP Intercept statistics are available in multiple mode.
Firewall Mode Guidelines: Supported in routed and transparent firewall mode.
Types of Traffic Monitored: Only t[...]

27-8 Step 3: threat-detection statistics host [number-of-rate {1 | 2 | 3}]
Example: ciscoasa(config)# threat-detection statistics host number-of-rate 2
(Optional) Enables statistics for hosts. The number-[...]

27-9 Monitoring Advanced Threat Detection Statistics
The display output shows the following:
• The average rate in events/sec over fixed time periods.
• The current burst rate in events/sec over t[...]

27-10 The ASA stores the count at the end of each burst period, for a total of 30 completed burst intervals. The unfinished burst interval presently occurring is not included in the average rate. For e[...]

27-11 To monitor advanced threat detection statistics, perform one of the following tasks:
Command | Purpose
show threat-detection statistics [min-display-rate min_display_rate] top [[access-list | host[...]

27-12 Examples
The following is sample output from the show threat-detection statistics host command:
ciscoasa# show threat-detection statistics host
Average(eps) Current(eps) Trigger Total events
Host:10.0.[...]

27-13 fw-drop: Shows the number of firewall drops. The firewall-drop rate is a combined rate that includes all firewall-related packet drops tracked in basic threat detection, including ACL denials, bad packet[...]

27-14 Feature History for Advanced Threat Detection Statistics
Table 27-4 lists each feature change and the platform release in which it was implemented.
20-min, 1-hour, 8-hour, and 24-hour: Shows statis[...]

27-15 Configuring Scanning Threat Detection
This section includes the following topics:
• Information About Scanning Threat Detection, page 27-15
• Guidelines and Limitations, page 27-16
• Default Settings, pag[...]

27-16 Guidelines and Limitations
This section includes the guidelines and limitations for this feature:
Security Context Guidelines: Supported in single mode only. Multiple mode is not supported.
Firewall Mode Guidelin[...]

27-17 Configuring Scanning Threat Detection: Detailed Steps
Monitoring Shunned Hosts, Attackers, and Targets
To monitor shunned hosts and attackers and targets, perform one of the following tasks:
Command | Purpose
Ste[...]

27-18 Examples
The following is sample output from the show threat-detection shun command:
ciscoasa# show threat-detection shun
Shunned Host List:
10.1.1.6
192.168.6.7
To release the host at 10.1.1.6, enter the foll[...]
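The three threat detection features of this chapter (basic statistics with tuned rates, advanced statistics, and scanning threat detection with automatic shunning) configured together, with the monitoring commands, as an added example that is not the guide's own configuration example. The rate values, the exempt subnet 10.1.1.0/24 and the released address are assumptions chosen to illustrate the knobs; start from the defaults on a real device and tune against observed baselines.

```cisco
! Added example (not the guide's configuration): basic, advanced and scanning
! threat detection on a single-context ASA. All numeric values are assumptions.

! 1. Basic threat detection is on by default. rate-interval is seconds;
!    average-rate and burst-rate are events per second. The burst window is
!    1/30 of the interval (at least 10 s), so 600 s gives a 20 s burst window,
!    and a syslog fires only when the corresponding limit is exceeded.
threat-detection basic-threat
threat-detection rate dos-drop rate-interval 600 average-rate 60 burst-rate 100
threat-detection rate acl-drop rate-interval 600 average-rate 400 burst-rate 800
threat-detection rate syn-attack rate-interval 600 average-rate 100 burst-rate 200

! 2. Advanced statistics. Host statistics cost the most memory and CPU, so keep
!    only the shortest rate interval (number-of-rate 1) on a busy firewall.
!    tcp-intercept's rate-interval is in minutes, unlike the others.
threat-detection statistics access-list
threat-detection statistics protocol
threat-detection statistics port
threat-detection statistics host number-of-rate 1
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

! 3. Scanning threat detection (single mode only). Shun attackers for an hour,
!    but never shun the management/monitoring subnet, which would otherwise
!    lock out your own vulnerability scanner and monitoring hosts.
threat-detection scanning-threat shun except ip-address 10.1.1.0 255.255.255.0
threat-detection scanning-threat shun duration 3600
threat-detection rate scanning-threat rate-interval 1200 average-rate 10 burst-rate 20

! 4. Monitor. "top" views rank the noisiest entries; "shun" lists hosts the
!    ASA has blocked automatically.
show threat-detection rate
show threat-detection statistics top access-list
show threat-detection statistics host
show threat-detection scanning-threat attacker
show threat-detection scanning-threat target
show threat-detection shun
! Release one shunned host, or all of them.
clear threat-detection shun 10.1.1.6
clear threat-detection shun
```

Automatic shunning is the only part of this configuration that can cause an outage on its own: a spoofed source address can be used to get a legitimate host shunned, so the `except` list should cover every address you cannot afford to lose, and `show threat-detection shun` belongs in the regular operations checks.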

  • Page 589

27-19 Configuration Examples for Threat Detection
The following example configures basic threat detection statistics, and changes the DoS attack rate settings. All advanced threat detection statistics are ena[...]

  • Page 591

Chapter 28 Using Protection Tools

This chapter describes some of the many tools available to protect your network and includes the following sections:
• Preventing IP Spoofing, page 28-1
• Configuring the Fragment Size, page 28-2
• Blocking Unwanted Connections, page 28-2[...]

28-2 Configuring the Fragment Size
By default, the ASA allows up to 24 fragments per IP packet, and up to 200 fragments awaiting reassembly. You might need to let fragments on your network if you have an application that routi[...]

28-3 Configuring IP Audit for Basic IPS Support
The IP audit feature provides basic IPS support for the ASA that does not have an AIP SSM. It supports a basic list of signatures, and you can configure the ASA to perfo[...]

28-4 IP Audit Signature List
Table 28-1 lists supported signatures and system message numbers.
Table 28-1 Signature IDs and System Message Numbers
Signature ID | Message Number | Signature Title | Signature Type | Descripti[...]

28-5 1103 | 400009 | IP Overlapping Fragments (Teardrop) | Attack | Triggers when two fragments contained within the same IP datagram have offsets that indicate that they share positioning within the datagram. This could[...]

28-6 2008 | 400018 | ICMP Timestamp Reply | Informational | Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 14 (Timestamp Repl[...]

28-7 3042 | 400028 | TCP FIN only flags | Attack | Triggers when a single orphaned TCP FIN packet is sent to a privileged port (having port number less than 1024) on a specific host.
3153 | 400029 | FTP Improper Address Specifie[...]

28-8 6152 | 400044 | yppasswdd (YP password daemon) Portmap Request | Informational | Triggers when a request is made to the portmapper for the YP password daemon (yppasswdd) port.
6153 | 400045 | ypupdated (YP update daemon) Portma[...]
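The protection tools of this chapter (anti-spoofing, fragment limits, shunning, and IP audit) applied together, as an added example that is not configuration from the guide. The interface names "inside" and "outside", the shunned address 10.1.1.27 and the IP audit policy names are assumptions.

```cisco
! Added example (not the guide's configuration): the chapter's protection
! tools on an ASA whose Internet-facing interface is "outside". Names and
! addresses are assumptions.

! 1. Anti-spoofing (unicast reverse path forwarding): drop a packet whose
!    source address has no route back through the interface it arrived on.
!    Apply on every interface for which the routing table is authoritative.
ip verify reverse-path interface outside
ip verify reverse-path interface inside

! 2. Fragments. Defaults: 200 fragments awaiting reassembly (size) and 24
!    fragments per packet (chain). Forbidding fragmentation entirely on the
!    outside interface removes a whole class of reassembly-based evasion;
!    relax chain only if an application there genuinely needs fragments.
fragment chain 1 outside
fragment size 200 outside
fragment timeout 5 outside

! 3. Shun: block a host immediately, including its existing connections,
!    without touching the ACLs. Shuns survive in memory only, so remove them
!    explicitly once the incident is over.
shun 10.1.1.27
show shun
no shun 10.1.1.27

! 4. IP audit: the built-in signature set for units without an AIP SSM.
!    Alarm on informational signatures; alarm and drop on attack signatures;
!    and disable signature 2000 (ICMP Echo Reply, message 400010) so routine
!    pings do not flood the log.
ip audit name INFO_POLICY info action alarm
ip audit name ATTACK_POLICY attack action alarm drop
ip audit interface outside INFO_POLICY
ip audit interface outside ATTACK_POLICY
ip audit signature 2000 disable
show ip audit count interface outside
```

`fragment chain 1` is the setting most likely to break something (NFS over UDP and some VPN transports legitimately fragment), so apply it per interface rather than globally and watch `show fragment outside` for drops after the change.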

  • Page 599

    CH A P T E R 29-1 Cisco ASA Series Firewall CLI Configuratio n Guide 29 Configuring Filtering Services This chapter describe s how to use f iltering servic es to provide greater control over traf fic passing through the ASA and includes the follo wing sections: • Information Abou t W eb Traf fic Filtering, page 29 -1 • Config uring Activ eX Fil[...]

  • Page 600

    29-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 29 Configuring Filtering Services Configuring ActiveX Filtering Configuring ActiveX Filtering This section includes the following topics: • Information Ab out Acti veX Filtering, page 29-2 • Licensing Requirements for ActiveX Filter ing, page 29-2 • Guidelines and Limit ations for[...]

  • Page 601

    29-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 29 Config uring Filtering Services Licensing Requirements for ActiveX Filtering Guidelines and Limitations for ActiveX Filtering This section includes the guid elines and limitations for th is feature. Context Mode Guidelines Supported in single and mult iple conte xt mode. Firewall Mo[...]

  • Page 602

    29-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 29 Configuring Filtering Services Configuring Java Applet Filtering Feature History for ActiveX Filtering T able 29-1 lists the release histor y for Active X Filtering. ASDM is backwards-compatibl e with multi ple platform releases, so the specific ASDM rele ase in which support wa s ad[...]

  • Page 603

    29-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 29 Config uring Filtering Services Configuring Java Applet Filtering Guidelines and Limitations for Java Applet Filtering This section includes the guid elines and limitations for th is feature. Context Mode Guidelines Supported in single and mult iple conte xt mode. Firewall Mode Guid[...]

  • Page 604

    29-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 29 Configuring Filtering Services Filtering URLs and FTP Requ ests with an External Server The follo wing example remov es the co nfiguration for do wnloading Ja va applets to a host on a protected network: ciscoasa(config)# no filter java http 192.168.3.3 255.255.255.255 0 0 This comma[...]

  • Page 605

    29-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 29 Config uring Filtering Services Filtering URLs and FTP Requests with an External Server Note URL caching will only work if the version of th e URL server software from the URL server v endor supports it. Although ASA perf ormance is less af fected when us ing an external server , yo[...]

  • Page 606

    29-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 29 Configuring Filtering Services Filtering URLs and FTP Requ ests with an External Server Identifying the Filtering Server Y o u can identify up to four f iltering server s per contex t. The ASA uses the serv ers in order until a serv er responds. In single mode, a maximum o f 16 of th[...]

29-9 For Websense:
hostname(config)# url-server (if_name) host local_ip [timeout seconds] [protocol TCP | UDP version [1|4] [connections num_conns]]
Example:
ciscoasa(config)# url-server ([...]

29-10 Configuring Additional URL Filtering Settings: After you have accessed a website, the filtering server can allow the ASA to cache the server address for a certain period of time, as long as ea[...]

29-11 Caching Server Addresses: After you access a website, the filtering server can allow the ASA to cache the server address for a certain period of time, as long as each website hosted at the addr[...]

29-12 Enabling HTTP Filtering: You must identify and enable the URL filtering server before enabling HTTP filtering. When the filtering server approves an HTTP connection request, the ASA allows[...]

29-13 Truncating Long HTTP URLs: By default, if a URL exceeds the maximum permitted size, then it is dropped. To avoid this occurrence, truncate a long URL by entering the following command: Exemp[...]

29-14 To enable HTTPS filtering, enter the following command: Filtering FTP Requests: You must identify and enable the URL filtering server before enabling FTP filtering. Note: Websense and Secur[...]

29-15 Monitoring Filtering Statistics: To monitor filtering statistics, enter one of the following commands: Examples: The following is sample output from the show url-server command:
ciscoasa# show url-server
url-serve[...]

29-16
STATUS_REQUEST 1609 1601
LOOKUP_REQUEST 1526 1526
LOG_REQUEST 0 NA
Errors:
-------
RFC noncompliant GET method 0
URL buffer update failure 0
The following is sample output from the show url-block command:
ciscoasa# show[...]
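The statistics page above is the place to catch the failure mode that matters for URL filtering: a filter server that stops answering. The STATUS_REQUEST row counts the ASA's keepalive probes and their answers, and the gap between the two is the first sign of an unreachable server; whether that outage blocks web traffic or silently passes it unfiltered depends on whether the filter command carries the allow keyword. The following script is an added example for this section, not code from the Cisco guide. SAMPLE_OUTPUT is constructed: its STATUS_REQUEST / LOOKUP_REQUEST / LOG_REQUEST rows and Errors block follow the fragment printed in the guide, while the Global Statistics and per-server blocks are an assumption about the rest of the command's layout, and the server addresses and counters are invented.

```python
"""Parse 'show url-server statistics' and decide whether URL filtering is healthy.

Added example for the Monitoring Filtering Statistics section; it is not
code from the Cisco guide. SAMPLE_OUTPUT is constructed: the message rows
and Errors block follow the guide's fragment, the other sections are an
assumed layout.
"""
import re

SAMPLE_OUTPUT = """\
Global Statistics:
--------------------
URLs total/allowed/denied     1526/1498/28
URLs allowed by cache hits    212
URLs denied by cache hits     3
HTTPSs total/allowed/denied   0/0/0
FTPs total/allowed/denied     0/0/0
Requests dropped              17
Server timeouts/retries       8/16

URL Server Statistics:
----------------------
10.1.1.5                      UP
  Vendor                      websense
  Port                        15868
  Requests total/allowed/denied   1526/1498/28
  Server timeouts/retries         8/16
  Responses received              1518
10.1.1.6                      DOWN
  Vendor                      websense
  Port                        15868
  Requests total/allowed/denied   0/0/0
  Server timeouts/retries         0/0
  Responses received              0

URL Packets Sent and Received Stats:
------------------------------------
Message                 Sent    Received
STATUS_REQUEST          1609    1601
LOOKUP_REQUEST          1526    1526
LOG_REQUEST             0       NA

Errors:
-------
RFC noncompliant GET method     0
URL buffer update failure       0
"""


def _kv(line):
    """Split 'key   value' on the run of two or more spaces used as a column gap."""
    parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)
    return (parts[0], parts[1]) if len(parts) == 2 else (parts[0], "")


def _count(token):
    """Counters are integers; 'NA' (the LOG_REQUEST received column) becomes None."""
    return int(token) if token.isdigit() else None


def parse_url_server_stats(text):
    stats = {"global": {}, "servers": {}, "messages": {}, "errors": {}}
    section, server = None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or set(line.strip()) == {"-"}:
            continue                                   # blank line or ----- rule
        if not line.startswith(" ") and line.endswith(":"):
            section, server = line[:-1], None          # section banner
            continue
        if section == "Global Statistics":
            k, v = _kv(line)
            stats["global"][k] = v
        elif section == "URL Server Statistics":
            m = re.match(r"^(\S+)\s+(UP|DOWN)$", line.strip())
            if m:                                      # 'ip   UP' opens a server block
                server = m.group(1)
                stats["servers"][server] = {"state": m.group(2)}
            elif server:
                k, v = _kv(line)
                stats["servers"][server][k] = v
        elif section == "URL Packets Sent and Received Stats":
            parts = line.split()
            if len(parts) == 3 and parts[0] != "Message":
                stats["messages"][parts[0]] = (_count(parts[1]), _count(parts[2]))
        elif section == "Errors":
            k, v = _kv(line)
            stats["errors"][k] = v
    return stats


def missed_keepalives(stats):
    """STATUS_REQUEST probes the ASA sent that the URL server never answered."""
    sent, received = stats["messages"].get("STATUS_REQUEST", (0, 0))
    return (sent or 0) - (received or 0)


def assess(stats, allow_configured):
    """Turn the counters into (level, message) alerts.

    allow_configured says whether the filter command carries the 'allow'
    keyword, which lets requests through unfiltered when no server answers;
    that turns a server outage from an availability problem into a silent
    policy bypass, so the same counters get a different severity.
    """
    alerts = []
    for ip, srv in stats["servers"].items():
        if srv.get("state") != "UP":
            alerts.append(("critical", f"URL server {ip} is {srv.get('state')}"))
    missed = missed_keepalives(stats)
    if missed > 0:
        alerts.append(("warning", f"{missed} STATUS_REQUEST keepalives went unanswered"))
    dropped = _count(stats["global"].get("Requests dropped", "0")) or 0
    if dropped > 0:
        if allow_configured:
            alerts.append(("critical", f"{dropped} requests got no verdict and passed unfiltered (allow is set)"))
        else:
            alerts.append(("info", f"{dropped} requests got no verdict and were denied"))
    for name, value in stats["errors"].items():
        if (_count(value) or 0) > 0:
            alerts.append(("warning", f"{name}: {value}"))
    return alerts


if __name__ == "__main__":
    for level, msg in assess(parse_url_server_stats(SAMPLE_OUTPUT), allow_configured=True):
        print(f"{level.upper():8} {msg}")
```

Feed it the real command output (for example, collected over SSH on a schedule) and pass allow_configured from the running-config; the point of the severity split is that with allow set, every dropped request is a web request that reached the Internet without a policy check, so a DOWN server is an incident, not a ticket.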

29-17 Feature History for URL Filtering: Table 29-5 lists the release history for URL filtering. ASDM is backwards-compatible with multiple platform releases, so the specific ASDM release in which support was added is [...]


Part 8: Configuring Modules[...]


30-1 Chapter 30: Configuring the ASA CX Module
This chapter describes how to configure the ASA CX module that runs on the ASA.
• Information About the ASA CX Module, page 30-1
• Licensing Requirements for the ASA CX Module, page 30-6
• Guidelines and Limitations, page 30-6
• Defaul[...]

30-2 How the ASA CX Module Works with the ASA: The ASA CX module runs a separate application from the ASA. The ASA CX module includes external management interface(s) so you can connect to the ASA CX module directly. Any[...]

30-3 Monitor-Only Mode: For demonstration purposes, you can configure a service policy or a traffic-forwarding interface in monitor-only mode. For guidelines and limitations for monitor-only mode, see the “Guidel[...]

30-4 Figure 30-3 ASA CX Traffic-Forwarding. Information About ASA CX Management: • Initial Configuration, page 30-4 • Policy Configuration and Management, page 30-5. Initial Configuration: For initial configuratio[...]

30-5 or ASDM). However, physical characteristics (such as enabling the interface) are configured on the ASA. You can remove the ASA interface configuration (specifically the interface name) to dedicate this inter[...]

30-6 • Do not configure ASA inspection on HTTP traffic. • Do not configure Cloud Web Security (ScanSafe) inspection. If you configure both the ASA CX action and Cloud Web Security inspection for the same[...]

30-7 Firewall Mode Guidelines: Supported in routed and transparent firewall mode. Traffic-forwarding interfaces are only supported in transparent mode. Failover Guidelines: Does not support failover directly; when the ASA fa[...]

30-8 Additional Guidelines and Limitations: • See the “Compatibility with ASA Features” section on page 30-5. • You cannot change the software type installed on the hardware module; if you purchase an ASA CX module, you cannot [...]

30-9 Step 3 (ASA 5585-X; Optional) Configure the ASA CX module management IP address for initial SSH access. See the “(ASA 5585-X) Changing the ASA CX Management IP Address” section on page 30-14. Step 4 On the ASA CX m[...]

30-10 If you have an inside router: If you have an inside router, you can route between the management network, which can include both the ASA Management 0/0 and ASA CX Management 1/0 interfaces, and the ASA inside networ[...]

30-11 ASA 5512-X through ASA 5555-X (Software Module): These models run the ASA CX module as a software module, and the ASA CX management interface shares the Management 0/0 interface with the ASA. For initial setup, you can [...]

30-12 CX IP address for that interface. Because the ASA CX module is essentially a separate device from the ASA, you can configure the ASA CX management address to be on the same network as the inside interface. Note: You mu[...]

30-13 http://www.cisco.com/cisco/software/release.html?mdfid=284325223&softwareid=284399946 The boot software lets you set basic ASA CX network configuration, partition the SSD, and download the larger system softw[...]

30-14
Username: buffy
Password: angelforever
Verifying
Downloading
Extracting
Package Detail
Description:     Cisco ASA CX System Upgrade
Requires reboot: Yes
Do you want to continue with upgrade? [n]: Y
Warning: Please do not inte[...]

30-15 Configuring Basic ASA CX Settings at the ASA CX CLI: You must configure basic network settings and other parameters on the ASA CX module before you can configure your security policy. Detailed Steps: Step 1 Do one of[...]

30-16
Applying... Done.
Generating self-signed certificate, the web server will be restarted after that ... Done.
Press ENTER to continue...
asacx>
Note: If you change the host name, the prompt does not show the new name u[...]

30-17 What to Do Next: • (Optional) Configure the authentication proxy port. See the “(Optional) Configuring the Authentication Proxy Port” section on page 30-17. • Redirect traffic to the ASA CX module. See the “[...]

30-18 Redirecting Traffic to the ASA CX Module: You can redirect traffic to the ASA CX module by creating a service policy that identifies specific traffic. For demonstration purposes only, you can also enable monitor-onl[...]

30-19 Detailed Steps (Command / Purpose): Step 1 class-map name. Example: ciscoasa(config)# class-map cx_class. Creates a class map to identify the traffic that you want to send to the ASA CX module. If you want to send multi[...]

30-20 Configuring Traffic-Forwarding Interfaces (Monitor-Only Mode): This section configures traffic-forwarding interfaces, where all traffic is forwarded directly to the ASA CX module. This method is for demonstration purpo[...]

30-21 Detailed Steps: Step 8 Repeat for any additional interfaces. Step 9 Click Send. Examples: The following example makes GigabitEthernet 0/5 a traffic-forwarding interface:
interface gigabitethernet 0/5
no nameif
traffic-f[...]

30-22 Resetting the Password: You can reset the module password to the default. For the user admin, the default password is Admin123. After resetting the password, you should change it to a unique value using the module appl[...]

30-23 Detailed Steps. Shutting Down the Module: Shutting down the module software prepares the module to be safely powered off without losing configuration data. Note: If you reload the ASA, the module is not automatically[...]

30-24 (ASA 5512-X through ASA 5555-X) Uninstalling a Software Module Image: To uninstall a software module image and associated configuration, perform the following steps. Guidelines: In multiple context mode, perform this pr[...]

30-25 Detailed Steps. Monitoring the ASA CX Module: • Showing Module Status, page 30-25 • Showing Module Statistics, page 30-26 • Monitoring Module Connections, page 30-27 • Capturing Module Traffic, page 30-30 • [...]

30-26 To check the status of a module, enter one of the following commands: Examples: The following is sample output from the show module command for an ASA with an ASA CX SSP installed:
hostname# show module
Mod Card Type Mo[...]

30-27 The following is sample output from the show service-policy command showing the ASA CX policy and the current statistics as well as the module status when the authentication proxy is enabled; in this case, the proxie[...]

30-28 Examples: The following is sample output from the show asp table classify domain cxsc command:
ciscoasa# show asp table classify domain cxsc
Input Table
in id=0x7ffedb4acf40, priority=50, domain=cxsc, deny=false
hits=154856[...]

30-29
dst ip/id=172.23.58.52, mask=255.255.255.255, port=2000, dscp=0x0
input_ifc=mgmt, output_ifc=identity
in id=0x7ffed86caa80, priority=121, domain=cxsc-auth-proxy, deny=false
hits=0, user_data=0x7ffed86ca220, cs_id=0x0, flag[...]

30-30
cxsc-msg 1 0 1 0 1 0
The following is sample output from the show conn detail command:
ciscoasa# show conn detail
0 in use, 105 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN, B - in[...]

30-31 When you enable the authentication proxy, the ASA generates a debug message when it sends an authentication proxy TLV to the ASA CX module, giving IP and port details:
DP CXSC Event: Sent Auth proxy tlv for ad[...]

30-32 2. Check the output of the show service-policy cxsc command to see if any packets were proxied. 3. Perform a packet capture on the backplane, and check to see if traffic is being redirected on the c[...]

30-33
ciscoasa(config-pmap)# class my-cx-class2
ciscoasa(config-pmap-c)# cxsc fail-open auth-proxy
ciscoasa(config-pmap-c)# service-policy my-cx-policy interface outside
Feature History for the ASA CX Module: Table 30-2[...]

30-34 Monitor-only mode for demonstration purposes (ASA 9.1(2), ASA CX 9.1(2)): For demonstration purposes only, you can enable monitor-only mode for the service policy, which forwards a copy of traffic to the ASA CX [...]

30-35 Multiple context mode support for the ASA CX module (ASA 9.1(3), ASA CX 9.2(1)): You can now configure ASA CX service policies per context on the ASA. Note: Although you can configure per context ASA service pol[...]


31-1 Chapter 31: Configuring the ASA IPS Module. This chapter describes how to configure the ASA IPS module. The ASA IPS module might be a hardware module or a software module, depending on your ASA model. For a list of supported ASA IPS modules per ASA model, see the Cisco ASA Compatibi[...]

31-2 How the ASA IPS Module Works with the ASA: The ASA IPS module runs a separate application from the ASA. The ASA IPS module might include an external management interface so you can connect to the ASA IPS module d[...]

31-3 Operating Modes: You can send traffic to the ASA IPS module using one of the following modes: • Inline mode: This mode places the ASA IPS module directly in the traffic flow (see Figure 31-1). No traffic [...]

31-4 Figure 31-3 Security Contexts and Virtual Sensors. Figure 31-4 shows a single mode ASA paired with multiple virtual sensors (in inline mode); each defined traffic flow goes to a different sensor. Figure [...]

31-5 See the following information about the management interface: – ASA 5510, ASA 5520, ASA 5540, ASA 5580, ASA 5585-X: The IPS management interface is a separate external Gigabit Ethernet interface. [...]

31-6 http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html • The ASA 5505 does not support multiple context mode, so multiple context features, such as virtual sensors, are not supported on the AIP SSC. • The AS[...]

31-7 Configuring the ASA IPS module: This section describes how to configure the ASA IPS module and includes the following topics: • Task Flow for the ASA IPS Module, page 31-7 • Connecting the ASA IPS Management Inte[...]

31-8 Connecting the ASA IPS Management Interface: In addition to providing management access to the IPS module, the IPS management interface needs access to an HTTP proxy server or a DNS server and the Internet so it can down[...]

31-9 If you do not have an inside router: If you have only one inside network, then you cannot also have a separate management network, which would require an inside router to route between the networks. In this case, y[...]

31-10 If you do not have an inside router: If you have only one inside network, then you cannot also have a separate management network. In this case, you can manage the ASA from the inside interface instead of the Managem[...]

31-11 Sessioning to the Module from the ASA: To access the IPS module CLI from the ASA, you can session from the ASA. For software modules, you can either session to the module (using Telnet) or create a virtual console ses[...]

31-12 Detailed Steps: Step 1 Do one of the following: • New ASA with IPS pre-installed: To view the IPS module software filename in flash memory, enter:
ciscoasa# dir disk0:
For example, look for a filename like I[...]

31-13 (ASA 5510 and Higher) Configuring Basic Network Settings: Session to the module from the ASA and configure basic settings using the setup command. Note (ASA 5512-X through ASA 5555-X): If you cannot session to the modu[...]

31-14 Restrictions: Do not configure NAT for the management address if you intend to access it using ASDM. For initial setup with ASDM, you need to access the real address. After initial setup (where you set the password[...]

31-15 Examples: The following example configures VLAN 20 as the IPS management VLAN. Only the host at 10.1.1.30 can access the IPS management IP address. VLAN 20 is assigned to switch port Ethernet 0/0. When you connect to A[...]

31-16 Detailed Steps: Step 1 Access the ASA IPS module CLI using one of the following methods: • Session from the ASA to the ASA IPS module. See the “Sessioning to the Module from the ASA” section on page 31-11. •[...]

31-17 Detailed Steps (Command / Purpose): Step 1 context name. Example:
ciscoasa(config)# context admin
ciscoasa(config-ctx)#
Identifies the context you want to configure. Enter this command in the system execution space. Step 2[...]

31-18 Examples: The following example assigns sensor1 and sensor2 to context A, and sensor1 and sensor3 to context B. Both contexts map the sensor names to “ips1” and “ips2.” In context A, sensor1 is set as the[...]

31-19 Detailed Steps (Command / Purpose): Step 1 class-map name. Example: ciscoasa(config)# class-map ips_class. Creates a class map to identify the traffic that you want to send to the ASA IPS module. If you want to send mu[...]

31-20 Step 5 ips {inline | promiscuous} {fail-close | fail-open} [sensor {sensor_name | mapped_name}]. Example: ciscoasa(config-pmap-c)# ips promiscuous fail-close. Specifies that the traffic should be sent to the ASA [...]

31-21 Managing the ASA IPS module: This section includes procedures that help you recover or troubleshoot the module and includes the following topics: • Installing and Booting an Image on the Module, page 31-21 • Shuttin[...]

31-22 Note: Before you download the IPS software to disk0, make sure at least 50% of the flash memory is free. When you install IPS, IPS reserves 50% of the internal flash memory for its file system. Detailed Steps: Command Pu[...]

31-23 Shutting Down the Module: Shutting down the module software prepares the module to be safely powered off without losing configuration data. Note: If you reload the ASA, the module is not automatically shut down, so[...]

31-24 Resetting the Password: You can reset the module password to the default. For the user cisco, the default password is cisco. After resetting the password, you should change it to a unique value using the module app[...]

31-25 Reloading or Resetting the Module: To reload or reset the module, enter one of the following commands at the ASA CLI. Detailed Steps. Monitoring the ASA IPS module: To check the status of a module, enter one of the foll[...]

31-26
Serial Number: JAB11370240
Firmware version: 1.0(14)3
Software version: 6.2(1)E2
MAC Address Range: 001d.45c2.e832 to 001d.45c2.e832
App. Name: IPS
App. Status: Up
App. Status Desc: Not Applicable
App. Ver[...]

31-27
ciscoasa(config)# class-map my-ips-class
ciscoasa(config-cmap)# match access-list my-ips-acl
ciscoasa(config)# class-map my-ips-class2
ciscoasa(config-cmap)# match access-list my-ips-acl2
ciscoasa(config-cmap)# p[...]

31-28 Support for Dual SSPs for SSP-40 and SSP-60 (8.4(2)): For SSP-40 and SSP-60, you can use two SSPs of the same level in the same chassis. Mixed-level SSPs are not supported (for example, an SSP-40 with an SSP-60[...]

32-1 Chapter 32: Configuring the ASA CSC Module. This chapter describes how to configure the Content Security and Control (CSC) application that is installed in a CSC SSM in the ASA. This chapter includes the following sections: • Information About the CSC SSM, page 32-1 • Licensing Req[...]

32-2 Figure 32-1 Flow of Scanned Traffic with the CSC SSM. You use ASDM for system setup and monitoring of the CSC SSM. For advanced configuration of content security policies in the CSC SSM software, you access the [...]

32-3 Figure 32-2 CSC SSM Deployment with a Management Network. Determining What Traffic to Scan: The CSC SSM can scan FTP, HTTP/HTTPS, POP3, and SMTP traffic only when the destination port of the packet requesting the con[...]

32-4 Based on the configuration shown in Figure 32-3, configure the ASA to divert to the CSC SSM only requests from clients on the inside network for HTTP, FTP, and POP3 connections to the outside network, and incoming [...]

32-5 In the outside-policy, outside-class matches SMTP traffic from any outside source to the DMZ network. This setting protects the SMTP server and inside users who download e-mail from the SMTP server on the[...]

32-6 – Domain name and hostname for the CSC SSM. – An e-mail address and an SMTP server IP address and port number for e-mail notifications. – E-mail address(es) for product license renewal notifications. – IP addre[...]

32-7 Configuring the CSC SSM: This section describes how to configure the CSC SSM and includes the following topics: • Before Configuring the CSC SSM, page 32-7 • Connecting to the CSC SSM, page 32-8 • Diverting Traffic t[...]

32-8 • If you manually control time settings, verify the clock settings, including time zone. Choose Configuration > Properties > Device Administration > Clock. • If you are using NTP, verify the NTP configuratio[...]

32-9 To connect to the CSC SSM, perform the following steps: Step 1 In the ASDM main application window, click the Content Security tab. Step 2 In the Connecting to CSC dialog box, click one of the following radio buttons: [...]

32-10 What to Do Next: See the “Diverting Traffic to the CSC SSM” section on page 32-10. Diverting Traffic to the CSC SSM: You use Modular Policy Framework commands to configure the ASA to divert traffic to the CSC SSM. P[...]

32-11 Step 6 set connection per-client-max n. Example: ciscoasa(config-pmap-c)# set connection per-client-max 5. Lets you configure limits to thwart DoS attacks. The per-client-max parameter limits the maximum number of connections [...]

32-12 Step 7 csc {fail-close | fail-open}. Example: ciscoasa(config-pmap-c)# csc {fail-close | fail-open}. Enables traffic scanning with the CSC SSM and assigns the traffic identified by the class map as traffic to be sent to th[...]

32-13 What to Do Next: See the “Monitoring the CSC SSM” section on page 32-13. Monitoring the CSC SSM: To check the status of a module, enter one of the following commands: Examples: The following is sample output from the sho[...]

  • Page 696

    Port Mask: 255.255.224.0 Gateway IP Address: 209.165.200.254 Troubleshooting the CSC Module This section includes procedures that help you recover or troubleshoot the module and includes the following topics: • Inst[...]

  • Page 697

    Detailed Steps Resetting the Password You can reset the module password to the default. The default password is cisco. After resetting the password, you should change it to a unique value using the module applicati[...]

  • Page 698

    To reset the module password to the default of cisco, perform the following steps. Detailed Steps Reloading or Resetting the Module To reload or reset the module, enter one of the following commands at the ASA CL[...]

  • Page 699

    Shutting Down the Module If you restart the ASA, the module is not automatically restarted. To shut down the module, perform the following steps at the ASA CLI. Detailed Steps Configuration Examples for t[...]

  • Page 700

    Additional References ciscoasa(config-pmap)# class csc_inbound_class ciscoasa(config-pmap-c)# csc fail-close ciscoasa(config-pmap-c)# service-policy csc_in_policy interface outside The following example shows how to use an ACL to exempt the traffi[...]
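The following configuration ties the preceding steps together: an ACL-based class map, the per-client connection cap from Step 6, the csc fail-close action from Step 7, and an ACL deny entry that exempts one host from scanning. It is an added illustration written for this page, not text from the Cisco guide; the ACL name, the 192.0.2.0/24 server network and the 192.0.2.99 exempt host are assumed values.

```text
! Added example (not from the guide): divert inbound HTTP and SMTP to the CSC SSM.
! Names and addresses below are assumed; 192.0.2.0/24 is documentation address space.
!
! A deny entry in the match ACL means "do not send this flow to the module",
! not "drop it"; the host is still subject to the normal interface ACLs.
access-list csc_in remark exempt the monitoring host from content scanning
access-list csc_in extended deny tcp host 192.0.2.99 any eq www
access-list csc_in extended permit tcp any 192.0.2.0 255.255.255.0 eq www
access-list csc_in extended permit tcp any 192.0.2.0 255.255.255.0 eq smtp
!
class-map csc_inbound_class
 match access-list csc_in
!
policy-map csc_in_policy
 class csc_inbound_class
  ! Step 6: cap connections per client on the scanned flows (DoS mitigation)
  set connection per-client-max 5
  ! Step 7: scan with the CSC SSM; drop matched traffic if the module is unavailable
  csc fail-close
!
! One service policy per interface; this one applies to traffic arriving on outside
service-policy csc_in_policy interface outside
```

fail-close is the conservative choice for inbound server traffic: if the module is down, matched flows are dropped rather than forwarded unscanned, so an outage is visible as a loss of service instead of a silent loss of inspection. fail-open reverses that trade. After applying the policy, `show service-policy interface outside` shows hit counts for the class, and `show module 1 details` reports the module state that decides whether fail-close is taking effect.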

  • Page 701

    Feature History for the CSC SSM Table 32-2 lists each feature change and the platform release in which it was implemented. Instructions on use of the CSC SSM GUI. Additional licensing requirements of specific windo[...]

  • Page 702

    Feature History for the CSC SSM[...]

  • Page 703

    IN-1 Cisco ASA Series Firewall CLI Configuration Guide INDEX A AAA accounting 7-21 authentication network access 7-2 authorization downloadable access lists 7-17 network access 7-14 performance 7-1 web clients 7-10 access lists downloadable 7-17 global access rules 6-2 implicit deny 6-3 inbound 6-3 outbound 6-3 phone proxy 16-7 ActiveX filtering 2[...]

  • Page 704

    IP fragment 28-4 IP impossible packet 28-4 large ICMP traffic 28-6 ping of death 28-6 proxied RPC request 28-7 statd buffer overflow 28-8 TCP FIN only flags 28-7 TCP NULL flags 28-6 TCP SYN+FIN flags 28-6 UDP bomb 28-7 UDP chargen DoS 28-7 UDP snork 28-7 authentication FTP 7-4 HTTP 7-3 n[...]

  • Page 705

    required by phone proxy 16-16 Cisco IP Communicator 16-10 Cisco IP Phones, application inspection 11-25 Cisco UMA. See Cisco Unified Mobility. Cisco Unified Mobility architecture 18-2 ASA role 14-2, 14-3, 15-2 certificate 18-5 functionality 18-1 NAT and PAT requirements 18-3, 18-4 trus[...]

  • Page 706

    DNS request for all records attack 28-7 DNS zone transfer attack 28-7 DNS zone transfer from high port attack 28-7 downloadable access lists configuring 7-17 converting netmask expressions 7-21 DSCP preservation 23-5 dynamic NAT about 3-7 network object NAT 4-5 twice NAT 5-7 dynamic PAT[...]

  • Page 707

    inspection_default class-map 1-9 inspection engines See application inspection Instant Messaging inspection 11-19 interfaces default settings 6-8, 32-6 IP fragment attack 28-4 IP impossible packet attack 28-4 IP overlapping fragments attack 28-5 IP phone phone proxy provisioning 16-12 [...]

  • Page 708

    default policy 1-8 examples 1-18 feature directionality 1-3 features 1-2 flows 1-6 matching multiple policy maps 1-6 service policy, applying 1-17 See also class map See also policy map MPLS LDP 6-7 router-id 6-7 TDP 6-7 multi-session PAT 4-16 N NAT about 3-1 bidirectional initiation 3[...]

  • Page 709

    dynamic NAT 5-7 dynamic PAT 5-11 examples 5-25 guidelines 5-2 identity NAT 5-21 monitoring 5-24 prerequisites 5-2 static NAT 5-18 types 3-3 VPN 3-22 VPN client rules 3-18 network object NAT about 3-14 comparison with twice NAT 3-13 configuring 4-1 dynamic NAT 4-5 dynamic PAT 4-7 example[...]

  • Page 710

    CSC SSM 32-5 presence_proxy_remotecert 15-15 proxied RPC request attack 28-7 proxy servers SIP and 11-18 PRSM 30-5 Q QoS about 23-1, 23-3 DiffServ preservation 23-5 DSCP preservation 23-5 feature interaction 23-4 policies 23-1 priority queueing IPSec anti-replay window 23-13 statistics [...]

  • Page 711

    management defaults 31-6 password reset 31-24, 32-15 reload 31-25, 32-16 reset 31-25, 32-16 routing 31-10 sessioning to 31-13 shutdown 31-23, 32-17 Startup Wizard licensing requirements 15-3 statd buffer overflow attack 28-8 stateful inspection bypassing 22-3 static NAT about 3-3 few-to[...]

  • Page 712

    applications supported by ASA 14-3 Cisco Unified Presence architecture 19-1 configuring for Cisco Unified Presence 19-8 licenses 14-4, 17-5, 18-6, 19-7, 20-7 token bucket 23-2 traffic shaping overview 23-4 transmit queue ring limit 23-2, 23-3 transparent firewall DHCP packets, allow[...]