Cisco Systems ASA 5580 manual


A good user manual

The rules should oblige the seller to give the purchaser an operating instruction for the Cisco Systems ASA 5580 along with the item. The lack of an instruction, or false information given to the customer, constitutes grounds for a complaint on the basis of nonconformity of the goods with the contract. In accordance with the law, a customer can receive an instruction in non-paper form; lately, graphic and electronic forms of manuals, as well as instructional videos, have been widely used. A necessary precondition for this is that the instruction be unmistakable and legible.

What is an instruction?

The term originates from the Latin word „instructio”, which means organizing. Therefore, in an instruction for the Cisco Systems ASA 5580 one can find a process description. An instruction's purpose is to teach, to ease the start-up and use of an item, or the performance of certain activities. An instruction is a compilation of information about an item or a service; it is a guide.

Unfortunately, only a few customers devote their time to reading the instruction for the Cisco Systems ASA 5580. A good user manual introduces us to a number of additional functionalities of the purchased item and also helps us avoid most defects.

What should a perfect user manual contain?

First and foremost, a user manual for the Cisco Systems ASA 5580 should contain:
- information concerning the technical data of the Cisco Systems ASA 5580
- the name of the manufacturer and the year of construction of the Cisco Systems ASA 5580
- rules of operation, control and maintenance of the Cisco Systems ASA 5580
- safety signs and certification marks that confirm conformity with the appropriate standards

Why don't we read the manuals?

Usually it results from a lack of time and of certainty about the functionalities of purchased items. Unfortunately, networking and start-up of the Cisco Systems ASA 5580 alone are not enough. An instruction contains a number of hints concerning the respective functionalities, safety rules, maintenance methods (what means should be used), possible defects of the Cisco Systems ASA 5580, and methods of problem resolution. Eventually, when one still cannot find the answer to a problem, one is directed to the Cisco Systems service. Lately, animated manuals and instructional videos have become quite popular among customers. These kinds of user manuals are effective; they ensure that a customer will familiarize himself with the whole material and will not skip the complicated, technical information about the Cisco Systems ASA 5580.

Why one should read the manuals?

It is mostly in the manuals that we find the details concerning the construction and capabilities of the Cisco Systems ASA 5580, its use with the respective accessories, and information concerning all its functions and facilities.

After a successful purchase of an item, one should find a moment to get to know every part of the instruction. Currently, manuals are carefully prepared and translated so that they can be fully understood by their users. The manuals serve as an informational aid.

Table of contents for the manual

  • Page 1

    Cisco Systems, Inc. www.cisco.com Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices. Cisco ASA Series Firewall ASDM Configuration Guide Software Version 7.1 For the ASA 5505, ASA 5510, ASA 5520, ASA 5540, ASA 5550, ASA 5512-X, ASA 551[...]

  • Page 2

    THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY[...]

  • Page 3

    1 Cisco ASA Series Firewall ASDM Configuration Guide CONTENTS About This Guide 21 Document Objectives 21 Related Documentation 21 Conventions 22 Obtaining Documentation and Submitting a Service Request 22 PART 1 Configuring Service Policies CHAPTER 1 Configuring a Service Policy 1-1 Information About Service Policies 1-1 Supported Features 1-1 [...]

  • Page 4

    Contents 2 Cisco ASA Series Firewall ASDM Configuration Guide Defining Actions in an Inspection Policy Map 2-3 Identifying Traffic in an Inspection Class Map 2-3 Where to Go Next 2-4 Feature History for Inspection Policy Maps 2-4 PART 2 Configuring Network Address Translation CHAPTER 3 Information About NAT (ASA 8.3 and Later) 3-1 Why Use NAT? 3[...]

  • Page 5

    Contents 3 Cisco ASA Series Firewall ASDM Configuration Guide CHAPTER 4 Configuring Network Object NAT (ASA 8.3 and Later) 4-1 Information About Network Object NAT 4-1 Licensing Requirements for Network Object NAT 4-2 Prerequisites for Network Object NAT 4-2 Guidelines and Limitations 4-2 Default Settings 4-3 Configuring Network Object NAT 4-4 Co[...]

  • Page 6

    Contents 4 Cisco ASA Series Firewall ASDM Configuration Guide Monitoring Twice NAT 5-29 Configuration Examples for Twice NAT 5-30 Different Translation Depending on the Destination (Dynamic PAT) 5-30 Different Translation Depending on the Destination Address and Port (Dynamic PAT) 5-39 Feature History for Twice NAT 5-48 CHAPTER 6 Configuring NA[...]

  • Page 7

    Contents 5 Cisco ASA Series Firewall ASDM Configuration Guide Default Settings 7-7 Configuring Access Rules 7-8 Adding an Access Rule 7-8 Adding an EtherType Rule (Transparent Mode Only) 7-9 Configuring Management Access Rules 7-10 Advanced Access Rule Configuration 7-11 Configuring HTTP Redirect 7-12 Feature History for Access Rules 7-14 CHAPTE[...]

  • Page 8

    Contents 6 Cisco ASA Series Firewall ASDM Configuration Guide CHAPTER 10 Getting Started with Application Layer Protocol Inspection 10-1 Information about Application Layer Protocol Inspection 10-1 How Inspection Engines Work 10-1 When to Use Application Protocol Inspection 10-2 Guidelines and Limitations 10-3 Default Settings and NAT Limitations[...]

  • Page 9

    Contents 7 Cisco ASA Series Firewall ASDM Configuration Guide ICMP Inspection 11-39 ICMP Error Inspection 11-39 Instant Messaging Inspection 11-39 IM Inspection Overview 11-40 Adding a Class Map for IM Inspection 11-40 Select IM Map 11-41 IP Options Inspection 11-41 IP Options Inspection Overview 11-41 Configuring IP Options Inspection 11-42 [...]

  • Page 10

    Contents 8 Cisco ASA Series Firewall ASDM Configuration Guide CHAPTER 12 Configuring Inspection for Voice and Video Protocols 12-1 CTIQBE Inspection 12-1 CTIQBE Inspection Overview 12-1 Limitations and Restrictions 12-2 H.323 Inspection 12-2 H.323 Inspection Overview 12-3 How H.323 Works 12-3 H.239 Support in H.245 Messages 12-4 Limitations [...]

  • Page 11

    Contents 9 Cisco ASA Series Firewall ASDM Configuration Guide SIP Class Map 12-23 Add/Edit SIP Traffic Class Map 12-24 Add/Edit SIP Match Criterion 12-24 SIP Inspect Map 12-26 Add/Edit SIP Policy Map (Security Level) 12-27 Add/Edit SIP Policy Map (Details) 12-28 Add/Edit SIP Inspect 12-30 Skinny (SCCP) Inspection 12-32 SCCP Inspection Overvie[...]

  • Page 12

    Contents 10 Cisco ASA Series Firewall ASDM Configuration Guide Add/Edit GTP Map 14-9 RADIUS Accounting Inspection 14-10 RADIUS Accounting Inspection Overview 14-11 Select RADIUS Accounting Map 14-11 Add RADIUS Accounting Policy Map 14-11 RADIUS Inspect Map 14-12 RADIUS Inspect Map Host 14-12 RADIUS Inspect Map Other 14-13 RSH Inspection 14-13 S[...]

  • Page 13

    Contents 11 Cisco ASA Series Firewall ASDM Configuration Guide Configuring the Local-Side Certificates for the Cisco Presence Federation Proxy 16-15 Configuring the Remote-Side Certificates for the Cisco Presence Federation Proxy 16-15 Configuring the UC-IME by using the Unified Communication Wizard 16-16 Configuring the Topology for the Cisco I[...]

  • Page 14

    Contents 12 Cisco ASA Series Firewall ASDM Configuration Guide Adding or Editing a Record Entry in a CTL File 17-16 Creating the Media Termination Instance 17-17 Creating the Phone Proxy Instance 17-18 Adding or Editing the TFTP Server for a Phone Proxy 17-20 Configuring Linksys Routers with UDP Port Forwarding for the Phone Proxy 17-21 Featur[...]

  • Page 15

    Contents 13 Cisco ASA Series Firewall ASDM Configuration Guide Architecture for Cisco Unified Presence for SIP Federation Deployments 20-1 Trust Relationship in the Presence Federation 20-4 Security Certificate Exchange Between Cisco UP and the Security Appliance 20-5 XMPP Federation Deployments 20-5 Configuration Requirements for XMPP Federatio[...]

  • Page 16

    Contents 14 Cisco ASA Series Firewall ASDM Configuration Guide CHAPTER 22 Configuring Connection Settings 22-1 Information About Connection Settings 22-1 TCP Intercept and Limiting Embryonic Connections 22-2 Disabling TCP Intercept for Management Packets for Clientless SSL Compatibility 22-2 Dead Connection Detection (DCD) 22-2 TCP Sequence Rand[...]

  • Page 17

    Contents 15 Cisco ASA Series Firewall ASDM Configuration Guide Viewing QoS Standard Priority Queue Statistics 23-13 Feature History for QoS 23-14 CHAPTER 24 Troubleshooting Connections and Resources 24-1 Testing Your Configuration 24-1 Pinging ASA Interfaces 24-1 Verifying ASA Configuration and Operation, and Testing Interfaces Using Ping 24-3[...]

  • Page 18

    Contents 16 Cisco ASA Series Firewall ASDM Configuration Guide (Optional) Configuring the User Identity Monitor 25-25 Configuring the Cloud Web Security Policy 25-26 Monitoring Cloud Web Security 25-26 Related Documents 25-27 Feature History for Cisco Cloud Web Security 25-27 CHAPTER 26 Configuring the Botnet Traffic Filter 26-1 Information About [...]

  • Page 19

    Contents 17 Cisco ASA Series Firewall ASDM Configuration Guide Monitoring Basic Threat Detection Statistics 27-4 Feature History for Basic Threat Detection Statistics 27-5 Configuring Advanced Threat Detection Statistics 27-5 Information About Advanced Threat Detection Statistics 27-5 Guidelines and Limitations 27-5 Default Settings 27-6 Configur[...]

  • Page 20

    Contents 18 Cisco ASA Series Firewall ASDM Configuration Guide Feature History for URL Filtering 29-12 PART 8 Configuring Modules CHAPTER 30 Configuring the ASA CX Module 30-1 Information About the ASA CX Module 30-1 How the ASA CX Module Works with the ASA 30-2 Monitor-Only Mode 30-3 Information About ASA CX Management 30-4 Information About A[...]

  • Page 21

    Contents 19 Cisco ASA Series Firewall ASDM Configuration Guide Feature History for the ASA CX Module 30-33 CHAPTER 31 Configuring the ASA IPS Module 31-1 Information About the ASA IPS Module 31-1 How the ASA IPS Module Works with the ASA 31-2 Operating Modes 31-3 Using Virtual Sensors (ASA 5510 and Higher) 31-3 Information About Management Access[...]

  • Page 22

    Contents 20 Cisco ASA Series Firewall ASDM Configuration Guide Connecting to the CSC SSM 32-8 Determining Service Policy Rule Actions for CSC Scanning 32-9 CSC SSM Setup Wizard 32-10 Activation/License 32-11 IP Configuration 32-11 Host/Notification Settings 32-12 Management Access Host/Networks 32-13 Password 32-13 Restoring the Default Password [...]

  • Page 23

    3 Cisco ASA Series Firewall ASDM Configuration Guide About This Guide This preface introduces Cisco ASA Series Firewall ASDM Configuration Guide and includes the following sections: • Document Objectives, page 3 • Related Documentation, page 3 • Conventions, page 4 • Obtaining Documentation and Submitting a Service Request, pa[...]

  • Page 24

    4 Cisco ASA Series Firewall ASDM Configuration Guide Conventions This document uses the following conventions: Note Means reader take note. Tip Means the following information will help you solve a problem. Caution Means reader be careful. In this situation, you might perform an action that could result in equipment damage or [...]

  • Page 25

    PART 1 Configuring Service Policies[...]

  • Page 26

    [...]

  • Page 27

    CHAPTER 1-1 Cisco ASA Series Firewall ASDM Configuration Guide 1 Configuring a Service Policy Service policies provide a consistent and flexible way to configure ASA features. For example, you can use a service policy to create a timeout configuration that is specific to a particular TCP application, as opposed to one that applies[...]

  • Page 28

    1-2 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 1 Configuring a Service Policy Information About Service Policies Feature Directionality Actions are applied to traffic bidirectionally or unidirectionally depending on the feature. For features that are applied bidirectionally, all traffic that enters or exits the interface to[...]

  • Page 29

    1-3 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 1 Configuring a Service Policy Information About Service Policies Note When you use a global policy, all features are unidirectional; features that are normally bidirectional when applied to a single interface only apply to the ingress of each interface when applied globally. Becau[...]

  • Page 30

    1-4 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 1 Configuring a Service Policy Information About Service Policies For example, if a packet matches a rule for connection limits, and also matches a rule for an application inspection, then both actions are applied. If a packet matches a rule for HTTP inspection, but also matches ano[...]

  • Page 31

    1-5 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 1 Configuring a Service Policy Licensing Requirements for Service Policies Incompatibility of Certain Feature Actions Some features are not compatible with each other for the same traffic. The following list may not include all incompatibilities; for information about compatibili[...]

  • Page 32

    1-6 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 1 Configuring a Service Policy Guidelines and Limitations Guidelines and Limitations This section includes the guidelines and limitations for this feature. Context Mode Guidelines Supported in single and multiple context mode. Firewall Mode Guidelines Supported in routed and trans[...]

  • Page 33

    1-7 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 1 Configuring a Service Policy Default Settings • You can only apply one global policy. For example, you cannot create a global policy that includes feature set 1, and a separate global policy that includes feature set 2. All features must be included in a single policy.[...]

  • Page 34

    1-8 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 1 Configuring a Service Policy Task Flows for Configuring Service Policies • IP Options Default Traffic Classes The configuration includes a default traffic class that the ASA uses in the default global policy called Default Inspection Traffic; it matches the default inspec[...]

  • Page 35

    1-9 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 1 Configuring a Service Policy Adding a Service Policy Rule for Through Traffic Note When you click the Add button, and not the small arrow on the right of the Add button, you add a through traffic rule by default. If you click the arrow on the Add button, you can choose between [...]

  • Page 36

    1-10 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 1 Configuring a Service Policy Adding a Service Policy Rule for Through Traffic • Global - applies to all interfaces. This option applies the service policy globally to all interfaces. By default, a global policy exists that includes a service policy rule for default appl[...]

  • Page 37

    1-11 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 1 Configuring a Service Policy Adding a Service Policy Rule for Through Traffic – TCP or UDP Destination Port —The class matches a single port or a contiguous range of ports. Tip For applications that use multiple, non-contiguous ports, use the Source and Destination IP A[...]

  • Page 38

    1-12 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 1 Configuring a Service Policy Adding a Service Policy Rule for Through Traffic Specify the address and subnet mask using prefix/length notation, such as 10.1.1.0/24. If you enter an IP address without a mask, it is considered to be a host address, even if it ends with a 0. Enter[...]

  • Page 39

    1-13 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 1 Configuring a Service Policy Adding a Service Policy Rule for Management Traffic Add additional values as desired, or remove them using the Remove button. Step 7 Click Next. The Add Service Policy Rule - Rule Actions dialog box appears. Step 8 Configure one or more rule actio[...]

  • Page 40

    1-14 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 1 Configuring a Service Policy Adding a Service Policy Rule for Management Traffic Identify the traffic using one of several criteria: – Source and Destination IP Address (uses ACL) —The class matches traffic specified by an extended ACL. If the ASA is operating in transp[...]

  • Page 41

    1-15 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 1 Configuring a Service Policy Managing the Order of Service Policy Rules Specify the address and subnet mask using prefix/length notation, such as 10.1.1.0/24. If you enter an IP address without a mask, it is considered to be a host address, even if it ends with a 0. Enter any to[...]

  • Page 42

    1-16 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 1 Configuring a Service Policy Managing the Order of Service Policy Rules • If the packet matches a subsequent rule for a different feature type, however, then the ASA also applies the actions for the subsequent rule. For example, if a packet matches a rule for connection li[...]

  • Page 43

    1-17 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 1 Configuring a Service Policy Feature History for Service Policies Feature History for Service Policies Table 1-3 lists the release history for this feature. Table 1-3 Feature History for Service Policies Feature Name Releases Feature Information Modular Policy Framewo[...]

  • Page 44

    1-18 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 1 Configuring a Service Policy Feature History for Service Policies[...]

  • Page 45

    CHAPTER 2-1 Cisco ASA Series Firewall ASDM Configuration Guide 2 Configuring Special Actions for Application Inspections (Inspection Policy Map) Modular Policy Framework lets you configure special actions for many application inspections. When you enable an inspection engine in the service policy, you can also optionally enable actions [...]

  • Page 46

    2-2 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 2 Configuring Special Actions for Application Inspections (Inspection Policy Map) Guidelines and Limitations policy map is that you can create more complex match criteria and you can reuse class maps. However, you cannot set different actions for different matches. Note: Not a [...]

  • Page 47

    2-3 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 2 Configuring Special Actions for Application Inspections (Inspection Policy Map) Defining Actions in an Inspection Policy Map Note There are other default inspection policy maps such as _default_esmtp_map. For example, an ESMTP inspection rule implicitly uses the policy map “_[...]

  • Page 48

    2-4 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 2 Configuring Special Actions for Application Inspections (Inspection Policy Map) Where to Go Next Step 4 Follow the instructions for your inspection type in the inspection chapter. Where to Go Next To use an inspection policy, see Chapter 1, “Configuring a Service Policy [...]

  • Page 49

    PART 2 Configuring Network Address Translation[...]

  • Page 50

    [...]

  • Page 51

    CHAPTER 3-1 Cisco ASA Series Firewall ASDM Configuration Guide 3 Information About NAT (ASA 8.3 and Later) This chapter provides an overview of how Network Address Translation (NAT) works on the ASA. This chapter includes the following sections: • Why Use NAT?, page 3-1 • NAT Terminology, page 3-2 • NAT Types, page 3-3[...]

  • Page 52

    3-2 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 3 Information About NAT (ASA 8.3 and Later) NAT Terminology One of the main functions of NAT is to enable private IP networks to connect to the Internet. NAT replaces a private IP address with a public IP address, translating the private addresses in the internal private [...]

  • Page 53

    3-3 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 3 Information About NAT (ASA 8.3 and Later) NAT Types NAT Types • NAT Types Overview, page 3-3 • Static NAT, page 3-3 • Dynamic NAT, page 3-8 • Dynamic PAT, page 3-10 • Identity NAT, page 3-12 NAT Types Overview You can implement NAT using the following me[...]

  • Page 54

    3-4 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 3 Information About NAT (ASA 8.3 and Later) NAT Types Figure 3-1 shows a typical static NAT scenario. The translation is always active so both real and remote hosts can initiate connections. Figure 3-1 Static NAT Note You can disable bidirectionality if desired. Information A[...]

  • Page 55

    3-5 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 3 Information About NAT (ASA 8.3 and Later) NAT Types Note For applications that require application inspection for secondary channels (for example, FTP and VoIP), the ASA automatically translates the secondary ports. Static NAT with Identity Port Translation The following sta[...]

  • Page 56

    3-6 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 3 Information About NAT (ASA 8.3 and Later) NAT Types Static Interface NAT with Port Translation You can configure static NAT to map a real address to an interface address/port combination. For example, if you want to redirect Telnet access for the ASA outside interface to an in[...]

  • Page 57

    3-7 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 3 Information About NAT (ASA 8.3 and Later) NAT Types For example, you have a load balancer at 10.1.2.27. Depending on the URL requested, it redirects traffic to the correct web server (see Figure 3-5). (See the “Inside Load Balancer with Multiple Mapped Addresses (Static NAT[...]

  • Page 58

    3-8 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 3 Information About NAT (ASA 8.3 and Later) NAT Types Figure 3-6 shows a typical few-to-many static NAT scenario. Figure 3-6 Few-to-Many Static NAT For a many-to-few or many-to-one configuration, where you have more real addresses than mapped addresses, you run out of mappe[...]

  • Page 59

    3-9 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 3 Information About NAT (ASA 8.3 and Later) NAT Types Information About Dynamic NAT Dynamic NAT translates a group of real addresses to a pool of mapped addresses that are routable on the destination network. The mapped pool typically includes fewer addresses than the real group[...]

  • Page 60

    3-10 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 3 Information About NAT (ASA 8.3 and Later) NAT Types Note For the duration of the translation, a remote host can initiate a connection to the translated host if an access rule allows it. Because the address is unpredictable, a connection to the host is unlikely. Nevertheless[...]

  • Page 61

    3-11 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 3 Information About NAT (ASA 8.3 and Later) NAT Types Figure 3-10 shows a typical dynamic PAT scenario. Only real hosts can create a NAT session, and responding traffic is allowed back. The mapped address is the same for each translation, but the port is dynamically assigne[...]

  • Page 62

    3-12 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 3 Information About NAT (ASA 8.3 and Later) NAT in Routed and Transparent Mode Identity NAT You might have a NAT configuration in which you need to translate an IP address to itself. For example, if you create a broad rule that applies NAT to every network, but want to e [...]

  • Page 63

    3-13 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 3 Information About NAT (ASA 8.3 and Later) NAT in Routed and Transparent Mode NAT in Routed Mode Figure 3-12 shows a typical NAT example in routed mode, with a private network on the inside. Figure 3-12 NAT Example: Routed Mode 1. When the inside host at 10.1.2.27 sends a pa[...]

  • Page 64

    3-14 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 3 Information About NAT (ASA 8.3 and Later) NAT in Routed and Transparent Mode Figure 3-13 NAT Example: Transparent Mode 1. When the inside host at 10.1.1.75 sends a packet to a web server, the real source address of the packet, 10.1.1.75, is changed to a mapped address, 209.1[...]

  • Page 65

    3-15 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 3 Information About NAT (ASA 8.3 and Later) NAT and IPv6 NAT and IPv6 You can use NAT to translate between IPv6 networks, and also to translate between IPv4 and IPv6 networks (routed mode only). We recommend the following best practices: • NAT66 (IPv6-to-IPv6)—We recomme[...]

  • Page 66

    3-16 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 3 Information About NAT (ASA 8.3 and Later) How NAT is Implemented • How source and destination NAT is implemented. – Network object NAT— Each rule can apply to either the source or destination of a packet. So two rules might be used, one for the source IP address, an[...]

  • Page 67

    3-17 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 3 Information About NAT (ASA 8.3 and Later) How NAT is Implemented Twice NAT also lets you use service objects for static NAT with port translation; network object NAT only accepts inline definition. To start configuring twice NAT, see Chapter 5, “Configuring Twi[...]

  • Page 68

    3-18 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 3 Information About NAT (ASA 8.3 and Later) How NAT is Implemented Figure 3-15 shows the use of source and destination ports. The host on the 10.1.2.0/24 network accesses a single host for both web services and Telnet services. When the host accesses the server for web services[...]

  • Page 69

    3-19 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 3 Information About NAT (ASA 8.3 and Later) How NAT is Implemented Figure 3-16 shows a remote host connecting to a mapped host. The mapped host has a twice static NAT translation that translates the real address only for traffic to and from the 209.165.201.0/27 network. A tra[...]

  • Page 70

    3-20 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 3 Information About NAT (ASA 8.3 and Later) NAT Rule Order NAT Rule Order Network object NAT rules and twice NAT rules are stored in a single table that is divided into three sections. Section 1 rules are applied first, then section 2, and finally section 3, until a match i[...]

  • Page 71

    3-21 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 3 Information About NAT (ASA 8.3 and Later) NAT Interfaces For section 2 rules, for example, you have the following IP addresses defined within network objects: 192.168.1.0/24 (static) 192.168.1.0/24 (dynamic) 10.1.1.0/24 (static) 192.168.1.1/32 (static) 172.16.1.0/24 (dynami[...]

  • Page 72

    3-22 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 3 Information About NAT (ASA 8.3 and Later) Routing NAT Packets Routing NAT Packets The ASA needs to be the destination for any packets sent to the mapped address. The ASA also needs to determine the egress interface for any packets it receives destined for mapped addresses. This [...]

  • Page 73

    3-23 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 3 Information About NAT (ASA 8.3 and Later) Routing NAT Packets (8.3(1), 8.3(2), and 8.4(1)) The default behavior for identity NAT has proxy ARP disabled. You cannot configure this setting. (8.4(2) and later) The default behavior for identity NAT has proxy ARP enabled, ma[...]

  • Page 74

    3-24 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 3 Information About NAT (ASA 8.3 and Later) Routing NAT Packets Figure 3-19 Proxy ARP and Virtual Telnet Transparent Mode Routing Requirements for Remote Networks When you use NAT in transparent mode, some types of traffic require static routes. See the “MAC Address vs. Ro[...]

  • Page 75

    3-25 Figure 3-20 Routed Mode Egress Interface Selection NAT for VPN • NAT and Remote Access VPN, page 3-25 • NAT and Site-to-Site VPN, page 3-27 • NAT and VPN Management Access, page 3-29 • Troubleshooting NAT a[...]

  • Page 76

    3-26 Figure 3-21 Interface PAT for Internet-Bound VPN Traffic (Intra-Interface) Figure 3-22 shows a VPN client that wants to access an inside mail server. Because the ASA expects traffic between the inside network and any[...]

  • Page 77

    3-27 Figure 3-22 Identity NAT for VPN Clients See the following sample NAT configuration for the above network: ! Enable hairpin for non-split-tunneled VPN client traffic: same-security-traffic permit intra-interface ! Identify[...]

  • Page 78

    3-28 Figure 3-23 Interface PAT and Identity NAT for Site-to-Site VPN Figure 3-24 shows a VPN client connected to ASA 1 (Boulder), with a Telnet request for a server (10.2.2.78) accessible over a site-to-site tunnel betwe[...]

  • Page 79

    3-29 object network vpn_local subnet 10.3.3.0 255.255.255.0 nat (outside,outside) dynamic interface ! Identify inside Boulder network, & perform object interface PAT when going to Internet: object network boulder_inside subnet 10.[...]

  • Page 80

    3-30 Figure 3-25 shows a VPN client Telnetting to the ASA inside interface. When you use a management-access interface, and you configure identity NAT according to the “NAT and Remote Access VPN” or “NAT and Site-to-Si[...]

  • Page 81

    3-31 ! Use twice NAT to pass traffic between the inside network and the VPN client without ! address translation (identity NAT), w/route-lookup: nat (outside,inside) source static vpn_local vpn_local destination static inside_nw insid[...]

  • Page 82

    3-32 DNS and NAT Figure 3-26 shows a DNS server that is accessible from the outside interface. A server, ftp.cisco.com, is on the inside interface. You configure the ASA to statically translate the ftp.cisco.com real address (10.1.3[...]

  • Page 83

    3-33 a static rule between the inside and DMZ, then you also need to enable DNS reply modification on this rule. The DNS reply will then be modified two times. In this case, the ASA again translates the address inside the DNS reply[...]

  • Page 84

    3-34 Figure 3-28 shows an FTP server and DNS server on the outside. The ASA has a static translation for the outside server. In this case, when an inside user requests the address for ftp.cisco.com from the DNS server, the DNS [...]

  • Page 85

    3-35 Because you want inside users to use the mapped address for ftp.cisco.com (2001:DB8::D1A5:C8E1) you need to configure DNS reply modification for the static translation. This example also includes a static NAT translation f[...]

  • Page 86

    3-36 Figure 3-30 shows an FTP server and DNS server on the outside. The ASA has a static translation for the outside server. In this case, when an inside user performs a reverse DNS lookup for 10.1.2.56, the ASA modifies t[...]

  • Page 87

    4-1 Cisco ASA Series Firewall ASDM Configuration Guide CHAPTER 4 Configuring Network Object NAT (ASA 8.3 and Later) All NAT rules that are configured as a parameter of a network object are considered to be network object NAT rules. Network object NAT is a quick and easy way to configure NAT for a single IP address, a range of address[...]

  • Page 88

    4-2 Network object NAT rules are added to section 2 of the NAT rules table. For more information about NAT ordering, see the “NAT Rule Order” section on page 3-20. Licensing Req[...]

  • Page 89

    4-3 • When using FTP with NAT46, when an IPv4 FTP client connects to an IPv6 FTP server, the client must use either the extended passive mode (EPSV) or extended port mode (EPRT); PASV and PORT commands are n[...]

  • Page 90

    4-4 instead. See the “Routing NAT Packets” section on page 3-22 for more information. Configuring Network Object NAT This section describes how to configure network object NAT and includes the [...]

  • Page 91

    4-5 • Round robin, especially when combined with extended PAT, can consume a large amount of memory. Because NAT pools are created for every mapped protocol/IP address/port range, round robi[...]

  • Page 92

    4-6 Step 4 Check the Add Automatic Translation Rules check box. Step 5 From the Type drop-down list, choose Dynamic. Choose Dynamic even if you are configuring dynamic PAT with a PAT pool. Step [...]

  • Page 93

    4-7 a. Do not enter a value for the Translated Addr. field; leave it blank. b. Check the PAT Pool Translated Address check box, then click the browse button and choose an existing network objec[...]

  • Page 94

    4-8 Step 8 (Optional) Click Advanced, and configure the following options in the Advanced NAT Settings dialog box. • Translate DNS replies for rule—Translates the IP address in DNS replies. B[...]

  • Page 95

    4-9 • To add NAT to an existing network object, choose Configuration > Firewall > Objects > Network Objects/Groups, and then double-click a network object. For more information, see t[...]

  • Page 96

    4-10 Step 4 Check the Add Automatic Translation Rules check box. Step 5 From the Type drop-down list, choose Dynamic PAT (Hide). Note To configure dynamic PAT using a PAT pool instead of a sin[...]

  • Page 97

    4-11 Note You cannot specify an interface in transparent mode. • Click the browse button, and choose an existing host address from the Browse Translated Addr dialog box. • Click the browse butt[...]

  • Page 98

    4-12 • To add a new network object, choose Configuration > Firewall > NAT Rules, then click Add > Add Network Object NAT Rule. • To add NAT to an existing network object, choose[...]

  • Page 99

    4-13 Step 4 Check the Add Automatic Translation Rules check box. Step 5 From the Type drop-down list, choose Static. Step 6 In the Translated Addr. field, do one of the following: • Type an [...]

  • Page 100

    4-14 • Click the browse button, and create a new address from the Browse Translated Addr dialog box. Typically, you configure the same number of mapped addresses as real addresses for a one-to-one[...]

  • Page 101

    4-15 Step 9 Click OK, and then Apply. Because static rules are bidirectional (allowing initiation to and from the real host), the NAT Rules table shows two rows for each static rule, one for each [...]

  • Page 102

    4-16 c. IP Address—An IPv4 or IPv6 address. If you select Range as the object type, the IP Address field changes to allow you to enter a Start Address and an End address. d. Netmask/Prefix Length—Ent[...]

  • Page 103

    4-17 Step 6 In the Translated Addr. field, do one of the following: • Type the same IP address that you used for the real address. • Click the browse button, and choose a network object with[...]

  • Page 104

    4-18 Configuring Per-Session PAT Rules By default, all TCP PAT traffic and all UDP DNS traffic uses per-session PAT. To use multi-session PAT for traffic, you can configure per-session PAT ru[...]

  • Page 105

    4-19 A permit rule uses per-session PAT; a deny rule uses multi-session PAT. Step 3 Specify the Source Address either by typing an address or clicking the ... button to choose an object. Step 4 S[...]

  • Page 106

    4-20 The Monitoring > Properties > Connection Graphs > Perfmon pane lets you view the performance information in a graphical format. You can choose up to four types of statistic[...]

  • Page 107

    4-21 Providing Access to an Inside Web Server (Static NAT) The following example performs static NAT for an inside web server. The real address is on a private network, so a public [...]

  • Page 108

    4-22 Step 3 Configure static NAT for the object: Step 4 Configure the real and mapped interfaces by clicking Advanced:[...]

  • Page 109

    4-23 Step 5 Click OK to return to the Edit Network Object dialog box, click OK again, and then click Apply. NAT for Inside Hosts (Dynamic NAT) and NAT for an Outside Web Server (Sta[...]

  • Page 110

    4-24 Figure 4-2 Dynamic NAT for Inside, Static NAT for Outside Web Server Step 1 Create a network object for the inside network: Step 2 Define the addresses for the inside network: O[...]

  • Page 111

    4-25 Step 3 Enable dynamic NAT for the inside network: Step 4 For the Translated Addr field, add a new network object for the dynamic NAT pool to which you want to translate the i[...]

  • Page 112

    4-26 b. Define the NAT pool addresses, and click OK. c. Choose the new network object by double-clicking it. Click OK to return to the NAT configuration. Step 5 Configure the real [...]

  • Page 113

    4-27 Step 6 Click OK to return to the Edit Network Object dialog box, then click OK again to return to the NAT Rules table. Step 7 Create a network object for the outside web ser[...]

  • Page 114

    4-28 Step 11 Click OK to return to the Edit Network Object dialog box, click OK again, and then click Apply. Inside Load Balancer with Multiple Mapped Addresses (Static NAT, One-to-Many) [...]

  • Page 115

    4-29 Figure 4-3 Static NAT with One-to-Many for an Inside Load Balancer Step 1 Create a network object for the load balancer: Step 2 Define the load balancer address: Host Outside Ins[...]

  • Page 116

    4-30 Step 3 Configure static NAT for the load balancer: Step 4 For the Translated Addr field, add a new network object for the static NAT group of addresses to which you want to tran[...]

  • Page 117

    4-31 c. Choose the new network object by double-clicking it. Click OK to return to the NAT configuration. Step 5 Configure the real and mapped interfaces by clicking Advanced: Step[...]

  • Page 118

    4-32 Single Address for FTP, HTTP, and SMTP (Static NAT-with-Port-Translation) The following static NAT-with-port-translation example provides a single address for remote users to acce[...]

  • Page 119

    4-33 Step 3 Click Advanced to configure the real and mapped interfaces and port translation for FTP. Step 4 Create a network object for the HTTP server address: Step 5 Define the HTTP s[...]

  • Page 120

    4-34 Step 6 Click Advanced to configure the real and mapped interfaces and port translation for HTTP. Step 7 Create a network object for the SMTP server address: Step 8 Define the SMTP s[...]

  • Page 121

    4-35 Step 9 Click Advanced to configure the real and mapped interfaces and port translation for SMTP. Step 10 Click OK to return to the Edit Network Object dialog box, click OK again, [...]

  • Page 122

    4-36 When an inside host sends a DNS request for the address of ftp.cisco.com, the DNS server replies with the mapped address (209.165.201.10). The ASA refers to the static rule for the [...]

  • Page 123

    4-37 Step 2 Define the FTP server address, and configure static NAT with DNS modification: Step 3 Click Advanced to configure the real and mapped interfaces and DNS modification. Ste[...]

  • Page 124

    4-38 DNS Server and FTP Server on Mapped Interface, FTP Server is Translated (Static NAT with DNS Modification) Figure 4-6 shows an FTP server and DNS server on the outside. The ASA has a[...]

  • Page 125

    4-39 Step 2 Define the FTP server address, and configure static NAT with DNS modification: Step 3 Click Advanced to configure the real and mapped interfaces and DNS modification. Ste[...]

  • Page 126

    4-40 IPv4 DNS Server and FTP Server on Mapped Interface, IPv6 Host on Real Interface (Static NAT64 with DNS64 Modification) Figure 4-6 shows an FTP server and DNS server on the outside IPv4[...]

  • Page 127

    4-41 b. Define the FTP server address, and configure static NAT with DNS modification and, because this is a one-to-one translation, configure the one-to-one method for NAT46. c.[...]

  • Page 128

    4-42 d. Click OK to return to the Edit Network Object dialog box. Step 2 Configure NAT for the DNS server. a. Create a network object for the DNS server address. b. Define the DNS serve[...]

  • Page 129

    4-43 c. Click Advanced to configure the real and mapped interfaces. d. Click OK to return to the Edit Network Object dialog box. Step 3 Configure an IPv4 PAT pool for translating the[...]

  • Page 130

    4-44 c. Next to the PAT Pool Translated Address field, click the ... button to choose the PAT pool you created earlier, and click OK. d. Click Advanced to configure the real and ma[...]

  • Page 131

    4-45 e. Click OK to return to the Edit Network Object dialog box. Step 5 Click OK, and then click Apply. Feature History for Network Object NAT Table 4-1 lists each feature change and [...]

  • Page 132

    4-46 PAT pool and round robin address assignment 8.4(2)/8.5(1) You can now specify a pool of PAT addresses instead of a single address. You can also optionally enable round-robin assignment o[...]

  • Page 133

    4-47 PAT pool and round robin address assignment 8.4(2)/8.5(1) You can now specify a pool of PAT addresses instead of a single address. You can also optionally enable round-robin assignme[...]

  • Page 134

    4-48 Automatic NAT rules to translate a VPN peer’s local IP address back to the peer’s real IP address 8.4(3) In rare situations, you might want to use a VPN peer’s real IP address on t[...]

  • Page 135

    4-49 NAT support for reverse DNS lookups 9.0(1) NAT now supports translation of the DNS PTR record for reverse DNS lookups when using IPv4 NAT, IPv6 NAT, and NAT64 with DNS insp[...]

  • Page 136

    4-50 Feature History for Network Object NAT[...]

  • Page 137

    5-1 Cisco ASA Series Firewall ASDM Configuration Guide CHAPTER 5 Configuring Twice NAT (ASA 8.3 and Later) Twice NAT lets you identify both the source and destination address in a single rule. This chapter shows you how to configure twice NAT and includes the following sections: • Information About Twice NAT, page 5-1 • Lice[...]

  • Page 138

    5-2 Twice NAT also lets you use service objects for static NAT-with-port-translation; network object NAT only accepts inline definition. For detailed information about the differences between twi[...]

  • Page 139

    5-3 IPv6 Guidelines • Supports IPv6. • For routed mode, you can also translate between IPv4 and IPv6. • For transparent mode, translating between IPv4 and IPv6 networks is not supported. Translating between two[...]

  • Page 140

    5-4 Default Settings • By default, the rule is added to the end of section 1 of the NAT table. • (Routed mode) The default real and mapped interface is Any, which applies the rule to all interfaces. • (8.3(1), 8.3(2)[...]

  • Page 141

    5-5 • If you enable extended PAT for a dynamic PAT rule, then you cannot also use an address in the PAT pool as the PAT address in a separate static NAT with port translation rule. For example, if the PAT[...]

  • Page 142

    5-6 Step 2 Set the source and destination interfaces. By default in routed mode, both interfaces are set to --Any--. In transparent firewall mode, you must set specific interfaces. a. From the Match Criteria: Origina[...]

  • Page 143

    5-7 a. For the Match Criteria: Original Packet > Source Address, click the browse button and choose an existing network object or group or create a new object or group from the Browse Original Source Address dial[...]

  • Page 144

    5-8 Step 5 Choose Dynamic from the Match Criteria: Translated Packet > Source NAT Type drop-down list. This setting only applies to the source address; the destination translation is always static. Step 6 Identif[...]

  • Page 145

    5-9 Note The object or group cannot contain a subnet. • Dynamic PAT using a PAT pool—To configure a PAT pool, check the PAT Pool Translated Address check box, then click the browse button and choose an e[...]

  • Page 146

    5-10 c. For the Match Criteria: Translated Packet > Destination Address, click the browse button and choose an existing network object, group, or interface or create a new object or group from the Browse Trans[...]

  • Page 147

    5-11 Step 8 (Optional) Configure NAT options in the Options area. a. Enable rule—Enables this NAT rule. The rule is enabled by default. b. (For a source-only rule) Translate DNS replies that match this rule—Re [...]

  • Page 148

    5-12 Configuring Dynamic PAT (Hide) This section describes how to configure twice NAT for dynamic PAT (hide). For dynamic PAT using a PAT pool, see the “Configuring Dynamic NAT or Dynamic PAT Using a PAT[...]

  • Page 149

    5-13 Step 2 Set the source and destination interfaces. By default in routed mode, both interfaces are set to --Any--. In transparent firewall mode, you must set specific interfaces. a. From the Match Criteria: Origin[...]

  • Page 150

    5-14 a. For the Match Criteria: Original Packet > Source Address, click the browse button and choose an existing network object or group or create a new object or group from the Browse Original Source Address dialo[...]

  • Page 151

    5-15 Step 5 Choose Dynamic PAT (Hide) from the Match Criteria: Translated Packet > Source NAT Type drop-down list. This setting only applies to the source address; the destination translation is always static[...]

  • Page 152

    5-16 a. For the Match Criteria: Translated Packet > Source Address, click the browse button and choose an existing network object or interface or create a new object from the Browse Translated Source Address di[...]

  • Page 153

    5-17 You can also create a new service object from the Browse Translated Service dialog box and use this object as the mapped destination port. Dynamic PAT does not support additional port translation. However, bec[...]

  • Page 154

    5-18 Step 9 Click OK. Configuring Static NAT or Static NAT-with-Port-Translation This section describes how to configure a static NAT rule using twice NAT. For more information about static NAT, see the “Stati[...]

  • Page 155

    5-19 Step 2 Set the source and destination interfaces. By default in routed mode, both interfaces are set to --Any--. In transparent firewall mode, you must set specific interfaces. a. From the Match Criteria: Origin[...]

  • Page 156

    5-20 a. For the Match Criteria: Original Packet > Source Address, click the browse button and choose an existing network object or group or create a new object or group from the Browse Original Source Address dialo[...]

  • Page 157

    5-21 Step 5 Choose Static from the Match Criteria: Translated Packet > Source NAT Type drop-down list. Static is the default setting. This setting only applies to the source address; the destination translation[...]

  • Page 158

    5-22 For static NAT, the mapping is typically one-to-one, so the real addresses have the same quantity as the mapped addresses. You can, however, have different quantities if desired. For static interface NAT wi[...]

  • Page 159

    5-23 Step 8 (Optional) For NAT46, check the Use one-to-one address translation check box. For NAT46, specify one-to-one to translate the first IPv4 address to the first IPv6 address, the second to the second, and s[...]

  • Page 160

    5-24 Step 10 Click OK. Configuring Identity NAT This section describes how to configure an identity NAT rule using twice NAT. For more information about identity NAT, see the “Identity NAT” section on page [...]

  • Page 161

    5-25 Step 2 Set the source and destination interfaces. By default in routed mode, both interfaces are set to --Any--. In transparent firewall mode, you must set specific interfaces. a. From the Match Criteria: Origin[...]

  • Page 162

    5-26 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 5 Config uring Twice NAT (ASA 8.3 an d Later) Configuring Twice NAT a. For the Match Criteria: Original P acket > Source Address, click the bro wse button and choo se an existing network object or gr oup or create a ne w object or group from the Bro wse Original Source Address dialo[...]

  • Page 163

    5-27 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 5 Configuring Twice NAT (ASA 8.3 and Later ) Configuri ng Twice NAT Step 5 Choose Stat ic from the Matc h Criteria : T ransl ated Packet > Source N A T T ype drop-down list. Static is the default setting. This setting only applies to the source address; t he destination translation[...]

  • Page 164

    5-28 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 5 Config uring Twice NAT (ASA 8.3 an d Later) Configuring Twice NAT For iden tity N A T for the destination address, simply use the same object or group for both the real and mapped addresses. If you want to tr anslate the destination address, then the static mapping is typicall y one-[...]

  • Page 165

    5-29 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 5 Configuring Twice NAT (ASA 8.3 and Later ) Monitoring Twice NAT a. Enable rule — Enables this NA T rule. The rule i s enabled by d efault. b. Disable Proxy ARP on e gress interface—Disables proxy ARP for incoming p ackets to the mapp ed IP addresses. See the “Mapped Ad dresses[...]
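The identity NAT procedure above is given as ASDM click-steps; the CLI equivalent, added here as an example and not taken from the guide, shows the same rule with the two options from the page (Disable Proxy ARP on egress interface, Enable rule) as keywords. The object names INSIDE_NET and REMOTE_VPN_NET, the subnets, the interface names and the route-lookup option are assumptions for this example.

```cisco
! Added example (not from the guide): CLI equivalent of the ASDM identity NAT
! procedure. Object names, subnets and interface names are assumed.
object network INSIDE_NET
 subnet 10.1.1.0 255.255.255.0
object network REMOTE_VPN_NET
 subnet 10.2.2.0 255.255.255.0

! Identity (twice) NAT: real and mapped source are the same object, and the
! destination is the same object on both sides, so traffic from INSIDE_NET to
! the VPN peer's network crosses the ASA untranslated. Line number 1 puts it
! at the top of section 1, ahead of the general PAT rule below.
! no-proxy-arp = the "Disable Proxy ARP on egress interface" check box
! route-lookup = use the routing table, not the NAT rule, to pick the egress
!                interface (assumed option, not shown on the page)
nat (inside,outside) 1 source static INSIDE_NET INSIDE_NET destination static REMOTE_VPN_NET REMOTE_VPN_NET no-proxy-arp route-lookup

! General Internet PAT for the same inside hosts, evaluated after the identity
! rule (the "Dynamic PAT (Hide)" NAT type with the interface address).
nat (inside,outside) source dynamic INSIDE_NET interface

! Unchecking "Enable rule" in ASDM keeps the rule in the configuration but
! switches it off; on the CLI that is the inactive keyword:
! nat (inside,outside) 1 source static INSIDE_NET INSIDE_NET destination static REMOTE_VPN_NET REMOTE_VPN_NET no-proxy-arp route-lookup inactive

! Verify which rule each flow hits: VPN-bound traffic must match the identity
! rule, everything else the PAT rule.
show nat detail
packet-tracer input inside tcp 10.1.1.10 40000 10.2.2.20 445
packet-tracer input inside tcp 10.1.1.10 40000 198.51.100.7 443
```

The order matters: if the PAT rule were placed first (or the identity rule were added without a line number after it), VPN-bound traffic would be PATed to the outside interface address and would never match the crypto map's interesting traffic. packet-tracer shows the NAT phase and the rule that matched, which is the check to run before trusting the table.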

  • Page 166

    5-30 Configuration Examples for Twice NAT: Fields • Available Graphs—Lists the components you can graph. – Xlate Utilization—Displays the ASA NAT utilization. • Graph Window Title—Shows the graph window name to which you wan[...]

  • Page 167

    5-31 Configuration Examples for Twice NAT: Figure 5-1 Twice NAT with Different Destination Addresses. Step 1 Add a NAT rule for traffic from the inside network to DMZ network 1: By default, the NAT rule is added to the end of section [...]

  • Page 168

    5-32 Configuration Examples for Twice NAT: Step 2 Set the source and destination interfaces: Step 3 For the Original Source Address, click the browse button to add a new network object for the inside network in the Browse Original Source A[...]

  • Page 169

    5-33 Configuration Examples for Twice NAT: c. Choose the new network object by double-clicking it. Click OK to return to the NAT configuration. Step 4 For the Original Destination Address, click the browse button to add a new network o[...]

  • Page 170

    5-34 Configuration Examples for Twice NAT: Step 6 For the Translated Source Address, click the browse button to add a new network object for the PAT address in the Browse Translated Source Address dialog box. a. Add the new network objec[...]

  • Page 171

    5-35 Configuration Examples for Twice NAT: Step 8 Click OK to add the rule to the NAT table. Step 9 Add a NAT rule for traffic from the inside network to DMZ network 2: By default, the NAT rule is added to the end of section 1. If you w[...]

  • Page 172

    5-36 Configuration Examples for Twice NAT: Step 10 Set the source and destination interfaces: Step 11 For the Original Source Address, type the name of the inside network object (myInsideNetwork) or click the browse button to choose it. Step [...]

  • Page 173

    5-37 Configuration Examples for Twice NAT: c. Choose the new network object by double-clicking it. Click OK to return to the NAT configuration. Step 13 Set the NAT Type to Dynamic PAT (Hide): Step 14 For the Translated Source Addres[...]

  • Page 174

    5-38 Configuration Examples for Twice NAT: c. Choose the new network object by double-clicking it. Click OK to return to the NAT configuration. Step 15 For the Translated Destination Address, type the name of the Original Destination Ad[...]

  • Page 175

    5-39 Configuration Examples for Twice NAT: Different Translation Depending on the Destination Address and Port (Dynamic PAT). Figure 5-2 shows the use of source and destination ports. The host on the 10.1.2.0/24 network accesses a single host f[...]

  • Page 176

    5-40 Configuration Examples for Twice NAT: Step 2 Set the source and destination interfaces: Step 3 For the Original Source Address, click the browse button to add a new network object for the inside network in the Browse Original Source A[...]

  • Page 177

    5-41 Configuration Examples for Twice NAT: c. Choose the new network object by double-clicking it. Click OK to return to the NAT configuration. Step 4 For the Original Destination Address, click the browse button to add a new network [...]

  • Page 178

    5-42 Configuration Examples for Twice NAT: Step 5 For the Original Service, click the browse button to add a new service object for Telnet in the Browse Original Service dialog box. a. Add the new service object. b. Define the protocol and [...]

  • Page 179

    5-43 Configuration Examples for Twice NAT: Step 7 For the Translated Source Address, click the browse button to add a new network object for the PAT address in the Browse Translated Source Address dialog box. a. Add the new network object[...]

  • Page 180

    5-44 Configuration Examples for Twice NAT: Step 9 Click OK to add the rule to the NAT table. Step 10 Add a NAT rule for traffic from the inside network to the web server: By default, the NAT rule is added to the end of section 1. If yo[...]

  • Page 181

    5-45 Configuration Examples for Twice NAT: Step 11 Set the real and mapped interfaces: Step 12 For the Original Source Address, type the name of the inside network object (myInsideNetwork) or click the browse button to choose it. Step 13 For[...]

  • Page 182

    5-46 Configuration Examples for Twice NAT: c. Choose the new service object by double-clicking it. Click OK to return to the NAT configuration. Step 15 Set the NAT Type to Dynamic PAT (Hide): Step 16 For the Translated Source Address,[...]

  • Page 183

    5-47 Configuration Examples for Twice NAT: c. Choose the new network object by double-clicking it. Click OK to return to the NAT configuration. Step 17 For the Translated Destination Address, type the name of the Original Destination Ad[...]
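The two worked examples above (Figure 5-1, a different PAT address per destination network, and Figure 5-2, a different PAT address per destination port) are walked through as ASDM steps only. The following CLI rendering is an added example, not the guide's own configuration; it serves both figures. myInsideNetwork and the 10.1.2.0/24 source are the names the steps use; the DMZ networks, server, PAT addresses, service object names and interface names are assumptions chosen for illustration.

```cisco
! Added example (not from the guide): CLI equivalent of the Figure 5-1 and
! Figure 5-2 ASDM examples. Apart from myInsideNetwork and 10.1.2.0/24, all
! names, addresses and interfaces are assumed.
object network myInsideNetwork
 subnet 10.1.2.0 255.255.255.0

! --- Figure 5-1: PAT address chosen by destination network -----------------
object network DMZnetwork1
 subnet 209.165.201.0 255.255.255.224
object network DMZnetwork2
 subnet 209.165.200.224 255.255.255.224
object network PATaddress1
 host 209.165.202.129
object network PATaddress2
 host 209.165.202.130

! "destination static X X" translates the destination to itself: the rule
! matches on destination but leaves the destination address unchanged, which
! is what Step 15's "same object for translated destination" does in ASDM.
nat (inside,dmz) source dynamic myInsideNetwork PATaddress1 destination static DMZnetwork1 DMZnetwork1
nat (inside,dmz) source dynamic myInsideNetwork PATaddress2 destination static DMZnetwork2 DMZnetwork2

! --- Figure 5-2: PAT address chosen by destination port ---------------------
object network TelnetWebServer
 host 209.165.201.11
object service TELNET
 service tcp destination eq telnet
object service HTTP
 service tcp destination eq http
object network PATaddress3
 host 209.165.202.131
object network PATaddress4
 host 209.165.202.132

! Same source and same destination host in both rules; only the service
! object differs, so the destination port is what selects the rule. The
! service, like the destination, is "translated" to itself.
nat (inside,outside) source dynamic myInsideNetwork PATaddress3 destination static TelnetWebServer TelnetWebServer service TELNET TELNET
nat (inside,outside) source dynamic myInsideNetwork PATaddress4 destination static TelnetWebServer TelnetWebServer service HTTP HTTP

! Rules added without a line number go to the end of section 1 in the order
! entered; first match wins, so confirm the hit rule per flow rather than
! assuming it.
packet-tracer input inside tcp 10.1.2.27 40000 209.165.201.11 23
packet-tracer input inside tcp 10.1.2.27 40000 209.165.201.11 80
show nat
```

If a broad rule for myInsideNetwork to any destination already sits in section 1, these specific rules must be inserted above it (give them a line number) or they are never evaluated; show nat lists the section 1 rules in evaluation order with hit counts, so an unhit rule is easy to spot.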

  • Page 184

    5-48 Feature History for Twice NAT: Table 5-1 lists each feature change and the platform release in which it was implemented. ASDM is backwards-compatible with multiple platform releases, so the specific AS[...]

  • Page 185

    5-49 Feature History for Twice NAT: Round robin PAT pool allocation uses the same IP address for existing hosts, 8.4(3). When using a PAT pool with round robin allocation, if a host has an existing connection, then subsequent connections fro[...]

  • Page 186

    5-50 Feature History for Twice NAT: Automatic NAT rules to translate a VPN peer’s local IP address back to the peer’s real IP address, 8.4(3). In rare situations, you might want to use a VPN peer’s real IP address on the inside network[...]

  • Page 187

    5-51 Feature History for Twice NAT: NAT support for reverse DNS lookups, 9.0(1). NAT now supports translation of the DNS PTR record for reverse DNS lookups when using IPv4 NAT, IPv6 NAT, and NAT64 with DNS inspection enabled for th[...]

  • Page 188

    5-52 Feature History for Twice NAT[...]

  • Page 189

    CHAPTER 6 Configuring NAT (ASA 8.2 and Earlier) (6-1, Cisco ASA Series Firewall ASDM Configuration Guide). This chapter describes Network Address Translation, and includes the following sections: • NAT Overview, page 6-1 • Configuring NAT Control, page 6-16 • Using Dynamic NAT, page 6-17 • Using Static NAT, page 6-27 • U[...]

  • Page 190

    6-2 NAT Overview: general operations configuration guide for more information about security levels. See the “NAT Control” section on page 6-4 for more information about NAT control. Note In this document, all types of translation are ref[...]

  • Page 191

    6-3 NAT Overview: NAT in Transparent Mode. Using NAT in transparent mode eliminates the need for the upstream or downstream routers to perform NAT for their networks. For example, a transparent firewall ASA is useful between two VRFs so you ca[...]

  • Page 192

    6-4 NAT Overview: Figure 6-2 NAT Example: Transparent Mode. NAT Control. NAT control requires that packets traversing from an inside interface to an outside interface match a NAT rule; for any host on the inside network to access a host on t[...]

  • Page 193

    6-5 NAT Overview: Interfaces at the same security level are not required to use NAT to communicate. However, if you configure dynamic NAT or PAT on a same security interface, then all traffic from the interface to a same security interfa[...]

  • Page 194

    6-6 NAT Overview: NAT Types. This section describes the available NAT types, and includes the following topics: • Dynamic NAT, page 6-6 • PAT, page 6-8 • Static NAT, page 6-9 • Static PAT, page 6-9 • Bypassing NAT When NAT[...]

  • Page 195

    6-7 NAT Overview: Figure 6-6 Remote Host Attempts to Connect to the Real Address. Figure 6-7 shows a remote host attempting to initiate a connection to a mapped address. This address is not currently in the translation table; therefore, the ASA [...]

  • Page 196

    6-8 NAT Overview: Dynamic NAT has these disadvantages: • If the mapped pool has fewer addresses than the real group, you could run out of addresses if the amount of traffic is more than expected. Use PAT if this event occurs often, becaus[...]

  • Page 197

    6-9 NAT Overview: Static NAT. Static NAT creates a fixed translation of real address(es) to mapped address(es). With dynamic NAT and PAT, each host uses a different address or port for each subsequent translation. Because the mapped address i[...]

  • Page 198

    6-10 NAT Overview: For example, if you want to provide a single address for remote users to access FTP, HTTP, and SMTP, but these are all actually different servers on the real network, you can specify static PAT statements for each server t[...]

  • Page 199

    6-11 NAT Overview: the other hand, lets you specify a particular interface on which to translate the addresses. Make sure that the real addresses for which you use identity NAT are routable on all networks that are available according to your[...]

  • Page 200

    6-12 NAT Overview: Figure 6-9 Policy NAT with Different Destination Addresses. Figure 6-10 shows the use of source and destination ports. The host on the 10.1.2.0/24 network accesses a single host for both web services and Telnet services. Wh[...]

  • Page 201

    6-13 NAT Overview: For policy static NAT, both translated and remote hosts can originate traffic. For traffic originated on the translated network, the NAT rule specifies the real addresses and the destination addresses, but for traffic [...]

  • Page 202

    6-14 NAT Overview: Order of NAT Rules Used to Match Real Addresses. The ASA matches real addresses to NAT rules in the following order: 1. NAT exemption—In order, until the first match. 2. Static NAT and Static PAT (regular and policy)—[...]

  • Page 203

    6-15 NAT Overview: When an inside host sends a DNS request for the address of ftp.cisco.com, the DNS server replies with the mapped address (209.165.201.10). The ASA refers to the static statement for the inside server and translates the address [...]

  • Page 204

    6-16 Configuring NAT Control: Figure 6-13 shows a web server and DNS server on the outside. The ASA has a static translation for the outside server. In this case, when an inside user requests the address for ftp.cisco.com from the DNS server,[...]
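The NAT Overview pages above describe static NAT, static PAT, NAT exemption, policy NAT, the rule-matching order and DNS reply rewriting for 8.2 and earlier, but only as prose and figures. The following pre-8.3 configuration is an added example, not the guide's own; it puts those pieces into one configuration so the matching order can be checked on a real flow. The mapped address 209.165.201.10 and the name ftp.cisco.com come from the page; the real server address 10.1.3.14, the other addresses, ACL names and interface names are assumptions.

```cisco
! Added example (not from the guide): pre-8.3 CLI for the NAT Overview
! scenarios. Apart from 209.165.201.10 and ftp.cisco.com, every address,
! name and interface below is assumed.
nat-control

! Static NAT for the inside FTP server (Figure 6-12 scenario). With the dns
! keyword, DNS inspection (on by default) rewrites the A record in replies
! that cross the ASA: an inside client resolving ftp.cisco.com receives the
! real 10.1.3.14 instead of the mapped 209.165.201.10 and connects directly.
static (inside,outside) 209.165.201.10 10.1.3.14 netmask 255.255.255.255 dns

! Static PAT: one mapped address fronting three real servers, chosen by port
! (the FTP/HTTP/SMTP case described on page 6-10).
static (inside,outside) tcp 209.165.201.3 ftp  10.1.2.27 ftp  netmask 255.255.255.255
static (inside,outside) tcp 209.165.201.3 http 10.1.2.28 http netmask 255.255.255.255
static (inside,outside) tcp 209.165.201.3 smtp 10.1.2.29 smtp netmask 255.255.255.255

! NAT exemption (nat 0 access-list) for traffic to a VPN peer's network. It is
! matched before every static and dynamic rule, so 10.1.3.14 reaching
! 10.2.2.0/24 goes untranslated even though a static exists for that host.
access-list NONAT extended permit ip 10.1.3.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Policy static NAT (Figure 6-9 scenario): a host is translated to a
! different mapped address only when the destination is DMZ network 1.
! Matched after exemption and before any dynamic rule.
access-list TO_DMZ1 extended permit ip host 10.1.2.30 209.165.201.0 255.255.255.224
static (inside,dmz) 209.165.202.129 access-list TO_DMZ1

! Check the order actually applied to a flow instead of inferring it from the
! list on page 6-14: the first flow must hit the exemption, the second the
! static for the FTP server.
show nat
packet-tracer input inside tcp 10.1.3.14 40000 10.2.2.20 445
packet-tracer input inside tcp 10.1.3.14 40000 198.51.100.7 21
```

The dns keyword is the safe alternative to running a split DNS server: it only rewrites replies for addresses that appear in a static with that keyword, so a mapped address that is deliberately published to inside users (for example a server reachable only through the DMZ interface) should be configured without it.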

  • Page 205

    6-17 Using Dynamic NAT: This section describes how to configure dynamic NAT, including dynamic NAT and PAT, dynamic policy NAT and PAT, and identity NAT. Policy NAT lets you identify real addresses for address tran[...]

  • Page 206

    6-18 Using Dynamic NAT: Real Addresses and Global Pools Paired Using a Pool ID. In a dynamic NAT rule, you specify real addresses and then pair them with a global pool of addresses to which the real addresses are mapped when they exit another inte[...]

  • Page 207

    6-19 Using Dynamic NAT: Figure 6-15). Figure 6-15 NAT Rules and Global Pools Using the Same ID on Multiple Interfaces. Multiple NAT Rules with Different Global Pools on the Same Interface. You can identify different sets of real addresses to ha[...]

  • Page 208

    6-20 Using Dynamic NAT: Figure 6-16 Different NAT IDs. Multiple Addresses in the Same Global Pool. You can have multiple addresses in the same global pool; the ASA uses the dynamic NAT ranges of addresses first, in the order they are in the co[...]

  • Page 209

    6-21 Using Dynamic NAT: Figure 6-17 NAT and PAT Together. Outside NAT. If a NAT rule translates addresses from an outside interface to an inside interface, then the rule is an outside NAT rule, and you need to specify that it translates inb[...]
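Pages 6-18 to 6-21 explain how pre-8.3 dynamic NAT pairs real addresses with global pools by pool ID: the same ID on several interfaces, different IDs on one interface, a NAT range and a PAT address in one pool, and outside NAT. The configuration below is an added example, not the guide's own, showing each of those pairings in one place. All addresses, pool IDs and interface names are assumptions for this example.

```cisco
! Added example (not from the guide): pre-8.3 dynamic NAT/PAT pairing by
! pool ID, covering the Figure 6-15 to 6-17 scenarios. Addresses, IDs and
! interface names are assumed.

! Pool ID 1: real addresses on inside paired with two global entries on the
! same interface. The dynamic NAT range is used first; when it is exhausted
! the ASA falls back to the single PAT address (NAT and PAT together,
! Figure 6-17) instead of refusing new connections.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 209.165.201.3-209.165.201.10 netmask 255.255.255.224
global (outside) 1 209.165.201.11 netmask 255.255.255.224

! The same ID reused on another interface (Figure 6-15): inside hosts exiting
! to the dmz are mapped from this pool instead.
global (dmz) 1 10.1.2.30-10.1.2.40 netmask 255.255.255.0

! A different ID for a different set of real addresses on the same outside
! interface (Figure 6-16): engineering gets its own mapped range.
nat (inside) 2 10.1.5.0 255.255.255.0
global (outside) 2 209.165.201.12-209.165.201.20 netmask 255.255.255.224

! Outside NAT: the trailing outside keyword marks the rule as translating
! inbound traffic from outside to inside; its global sits on inside.
nat (outside) 3 209.165.200.224 255.255.255.224 outside
global (inside) 3 10.1.1.200-10.1.1.220 netmask 255.255.255.0

! Under nat-control a real address covered by a nat rule must have a matching
! global on every lower- or same-security interface it can reach, or the
! packet is dropped (page 6-22). Confirm every ID has its pair:
show nat
show global
show xlate
```

A nat statement whose ID has no global on the egress interface is the classic silent failure in this model: syslog shows a no-translation-group drop rather than an ACL deny, so check show global before the access lists when a flow under nat-control does not pass.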

  • Page 210

    6-22 Using Dynamic NAT: Figure 6-18 Outside NAT and Inside NAT Combined. Real Addresses in a NAT Rule Must Be Translated on All Lower or Same Security Interfaces. When you create a NAT rule for a group of IP addresses, then you must perform NA[...]

  • Page 211

    6-23 Using Dynamic NAT: Step 2 For a new pool, from the Interface drop-down list, choose the interface where you want to use the mapped IP addresses. Step 3 For a new pool, in the Pool ID field, enter a number between 1 and 2147483647. Do not en[...]

  • Page 212

    6-24 Using Dynamic NAT: To configure a dynamic NAT, PAT, or identity NAT rule, perform the following steps. Step 1 In the Configuration > Firewall > NAT Rules pane, choose Add > Add Dynamic NAT Rule. The Add Dynamic NAT Rul[...]

  • Page 213

    6-25 Using Dynamic NAT: TCP initial sequence number randomization can be disabled if required. For example: – If another in-line firewall is also randomizing the initial sequence numbers, there is no need for both firewalls to be performin[...]

  • Page 214

    6-26 Using Dynamic NAT: Step 2 In the Original area, from the Interface drop-down list, choose the interface that is connected to the hosts with real addresses that you want to translate. Step 3 Enter the real addresses in the Source field, or c[...]

  • Page 215

    6-27 Using Static NAT: Note You can also set these values using a security policy rule. To set the number of rate intervals maintained for host statistics, on the Configuration > Firewall > Threat Detection > Scanning Threat Statistic[...]

  • Page 216

    6-28 Using Static NAT: Policy NAT lets you identify real addresses for address translation by specifying the source and destination addresses. You can also optionally specify the source and destination ports. Regular NAT can only consider the s[...]

  • Page 217

    6-29 Using Static NAT: Step 1 In the Configuration > Firewall > NAT Rules pane, choose Add > Add Static NAT Rule. The Add Static NAT Rule dialog box appears. Step 2 In the Original area, from the Interface drop-down list, choose th[...]

  • Page 218

    6-30 Using Static NAT: Note You can also set these values using a security policy rule. To set the number of rate intervals maintained for host statistics, on the Configuration > Firewall > Threat Detection > Scanning Threat Statistic[...]

  • Page 219

    6-31 Using Static NAT: Configuring Static Policy NAT, PAT, or Identity NAT. Figure 6-22 shows typical static policy NAT, static policy PAT, and static policy identity NAT scenarios. The translation is always active so both translated and [...]

  • Page 220

    6-32 Using Static NAT: Step 6 Specify the mapped IP address by clicking one of the following: • Use IP Address: Enter the IP address or click the ... button to choose an IP address that you already defined in ASDM. Specify the address and subnet m[...]

  • Page 221

    6-33 Using NAT Exemption: – You use a WAAS device that requires the ASA not to randomize the sequence numbers of connections. • Maximum TCP Connections—Specifies the maximum number of TCP connections, between 0 and 65,535. If this value i[...]

  • Page 222

    6-34 Using NAT Exemption: Step 3 In the Original area, from the Interface drop-down list, choose the interface that is connected to the hosts with real addresses that you want to exempt. Step 4 Enter the real addresses in the Source field, or c[...]

  • Page 223

    PART 3 Configuring Access Control[...]

  • Page 224

    [...]

  • Page 225

    CHAPTER 7 Configuring Access Rules (7-1, Cisco ASA Series Firewall ASDM Configuration Guide). This chapter describes how to control network access through the ASA using access rules and includes the following sections: • Information About Access Rules, page 7-1 • Licensing Requirements for Access Rules, page 7-7 • Guidelines and Limit[...]

  • Page 226

    7-2 Information About Access Rules: General Information About Rules. This section describes information for both access rules and EtherType rules, and it includes the following topics: • Implicit Permits, page 7-2 • Information About Interface Access Rules [...]

  • Page 227

    7-3 Information About Access Rules: Rule Order. The order of rules is important. When the ASA decides whether to forward or drop a packet, the ASA tests the packet against each rule in the order in which the rules are listed. After a match is found, no more r[...]

  • Page 228

    7-4 Information About Access Rules: Note “Inbound” and “outbound” refer to the application of an ACL on an interface, either to traffic entering the ASA on an interface or traffic exiting the ASA on an interface. These terms do not refer to the move[...]

  • Page 229

    7-5 Information About Access Rules: Guidelines and Limitations. Context Mode Guidelines: Supported in single and multiple context mode. Firewall Mode Guidelines: Supported in routed and transparent firewall mode. IPv6 Guidelines: Supports IPv6. Additional Guide[...]

  • Page 230

    7-6 Information About Access Rules: Table 7-1 lists common traffic types that you can allow through the transparent firewall. Management Access Rules. You can configure access rules that control management traffic destined to the ASA. Access control rul[...]

  • Page 231

    7-7 Licensing Requirements for Access Rules: Access Rules for Returning Traffic. Because EtherTypes are connectionless, you need to apply the rule to both interfaces if you want traffic to pass in both directions. Allowing MPLS. If you allow MPLS, ensure th[...]

  • Page 232

    7-8 Guidelines and Limitations: Configuring Access Rules. This section includes the following topics: • Adding an Access Rule, page 7-8 • Adding an EtherType Rule (Transparent Mode Only), page 7-9 • Configuring Management Access Rules, page 7-10 • Adva[...]

  • Page 233

    7-9 Guidelines and Limitations: Step 9 Select the service type. Step 10 (Optional) To add a time range to your access rule that specifies when traffic can be allowed or denied, click More Options to expand the list. a. To the right of the Time Range drop-d[...]

  • Page 234

    7-10 Guidelines and Limitations: Step 5 In the Action field, click one of the following radio buttons next to the desired action: • Permit—Permits access if the conditions are matched. • Deny—Denies access if the conditions are matched. Step 6 In th[...]

  • Page 235

    7-11 Guidelines and Limitations: Step 8 (Optional) Logging is enabled by default. You can disable logging by unchecking the check box, or you can change the logging level from the drop-down list. The default logging level is Informational. Step 9 (Optional)[...]

  • Page 236

    7-12 Guidelines and Limitations: • Alert Interval—The amount of time (1-3600 seconds) between system log messages (number 106101) that identify that the maximum number of deny flows was reached. The default is 300 seconds. • Per User Override table—S[...]

  • Page 237

    7-13 Guidelines and Limitations: The Configuration > Device Management > Advanced > HTTP Redirect > Edit pane lets you change the HTTP redirect setting of an interface or the port from which it redirects HTTP connections. Select the interface in [...]
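The access rule pages above (rule order, the inbound/outbound note, management access rules, EtherType rules for MPLS, per-rule logging, the deny-flow maximum and alert interval) are each described separately. The configuration below is an added example, not the guide's own, that puts the same settings into CLI form so the ordering and direction points can be seen together. ACL names, addresses and interface names are assumptions for this example.

```cisco
! Added example (not from the guide): CLI form of the access rule settings the
! ASDM steps configure. Names, addresses and interfaces are assumed.

! Interface ACL for the outside interface. Rules are tested in order, first
! match wins, and an implicit deny ends the list, so the narrow deny for
! Telnet to the server must precede the broad permit or it is never reached.
! The log keyword takes a level and an interval, as in the Step 8 options.
access-list OUTSIDE_IN extended deny tcp any host 209.165.201.10 eq telnet log warnings
access-list OUTSIDE_IN extended permit tcp any host 209.165.201.10 eq ftp
access-list OUTSIDE_IN extended permit tcp any host 209.165.201.3 eq www log informational interval 300
! "in" means traffic entering the ASA on outside; it says nothing about which
! network the traffic is moving between (page 7-4 note).
access-group OUTSIDE_IN in interface outside

! Global access rule (8.3(1) and later): applied on every interface after the
! interface ACL, here to let any interface reach the resolver.
access-list GLOBAL_IN extended permit udp any host 10.1.1.53 eq domain
access-group GLOBAL_IN global

! Management access rule: traffic to the ASA itself, not through it. The
! control-plane keyword is what the ASDM Management Access Rules table sets.
access-list MGMT extended permit tcp host 10.1.1.5 any eq ssh
access-list MGMT extended deny ip any any log
access-group MGMT in interface inside control-plane

! Transparent mode only. EtherType rules are connectionless, so allowing MPLS
! needs the rule applied on both interfaces (page 7-7).
access-list ETH ethertype permit mpls-unicast
access-list ETH ethertype permit mpls-multicast
access-group ETH in interface inside
access-group ETH in interface outside

! Advanced Access Rule Configuration (page 7-12): cap on concurrent deny
! flows tracked for message 106100, and the 106101 alert interval.
access-list deny-flow-max 4096
access-list alert-interval 300

show access-list OUTSIDE_IN
show run access-group
```

show access-list prints a hit count per entry; a deny that was meant to shadow a later permit but shows zero hits while the permit keeps counting is the usual sign that the rules are in the wrong order.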

  • Page 238

    7-14 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 7 Con figuring Access Rules Feature History for Access Rules Feature History for Access Rules Ta b l e 7 - 2 lists each feature change and the platform re lease in which it was impl emented. ASDM is backwards-compati ble with multiple platform releas es, so the specif ic ASDM release i[...]

  • Page 239

    7-15 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 7 Configuring Access Rules Feature History for Access Rules Extended A C Land object enhancement to filter ICMP traf fi c by ICMP code 9.0(1) ICMP traf f ic can now be permitted/denied based on ICMP code. W e introduced or modif ied the followi ng screens: Config uration > Fire wal[...]

  • Page 240

    7-16 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 7 Con figuring Access Rules Feature History for Access Rules[...]

  • Page 241

    CH A P T E R 8-1 Cisco ASA Series Firewall ASDM Configur ation Guide 8 Configuring AAA Rules for Network Access This chapter describes ho w to enable AAA (pronounced “triple A”) for network access. For information about AAA for management access, see the “Configuring AAA for Sys tem Administrators” secti on on page 45-12 in th e general ope[...]

  • Page 242

    8-2 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 8 Configuring AAA Rules for Network Access Guidelines and Limitations Guidelines and Limitations This section includes the guid elines and limitations for th is feature. Context Mode Guidelines Supported in single and mult iple conte xt mode. Firewall Mode Guidelines Supported in routed[...]

  • Page 243

    8-3 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 8 Configuring AAA Rules for Network Access Configuring Authentication fo r Network Access One-Time Authentication A user at a gi ven I P address only needs to authenticat e one time for all rules and types, u ntil the authentication sessio n expires. (S ee the Conf iguration > F ire[...]

  • Page 244

    8-4 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 8 Configuring AAA Rules for Network Access Configuring Authentic ation for Ne twork Access Note If you use HTTP authenticati on, by defaul t the user name and passw ord are sent from the cli ent to the ASA in clear te xt; in addition, the username and password are sent on to the destina[...]

  • Page 245

    8-5 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 8 Configuring AAA Rules for Network Access Configuring Authentication fo r Network Access • For T elnet and FTP traf fic, users must log in thro ugh the cut-through proxy server and again to the T elnet and FTP servers. • A user can specify an A ctiv e Directory domain wh ile pr ov[...]

  • Page 246

    8-6 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 8 Configuring AAA Rules for Network Access Configuring Authentic ation for Ne twork Access nat (inside,outside) static 10.48.66.155 service tcp 111 889 Then users do not see the authentication page. Inst ead, the ASA sends an error message to the w eb bro wser , indicating that the user[...]

  • Page 247

    8-7 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 8 Configuring AAA Rules for Network Access Configuring Authentication fo r Network Access Step 3 In the AAA Server G roup drop-do wn list, choose a se rver group. T o add a AAA server to the server group, click Add Serv er . If you chose LOCAL for the AAA server gro up, you can optiona[...]

  • Page 248

    8-8 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 8 Configuring AAA Rules for Network Access Configuring Authentic ation for Ne twork Access Step 3 For the Protocol, choose eit her HTTP or HTTPS . Y ou can enable both by repeating this procedure an d creating two sepa rate rul es. Step 4 In the Interface dr op-do wn list, choose the in[...]

  • Page 249

    8-9 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 8 Configuring AAA Rules for Network Access Configuring Authentication fo r Network Access This is the only method t hat protects credentials b e tween the client and the ASA, as well as betw een the ASA and the destination ser ver . Y ou can use this method alone, or in conj unction wi[...]

  • Page 250

    8-10 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 8 Configuring AAA Rules for Network Access Configuring Authentic ation for Ne twork Access server; you are no t prompted separat ely for the HTTP server username an d password. Assuming th e username and password ar e not the same for the AAA and HTTP servers, th en the HTTP authentica[...]


8-11 Chapter 8 Configuring AAA Rules for Network Access Configuring Authentication for Network Access that requires authentication is allowed through. If you do not want to allow HTTP, Telnet, or FTP traffic through the ASA, but want to authenticate other types of traffic, you can config[...]


8-12 Chapter 8 Configuring AAA Rules for Network Access Configuring Authorization for Network Access Configuring Authorization for Network Access After a user authenticates for a given connection, the ASA can use authorization to further control traffic from the user. This section includes the [...]


8-13 Chapter 8 Configuring AAA Rules for Network Access Configuring Authorization for Network Access Step 8 In the Service field, enter an IP service name or number for the destination service, or click the ellipsis (...) to choose a service. Step 9 (Optional) In the Description field, enter[...]


8-14 Chapter 8 Configuring AAA Rules for Network Access Configuring Authorization for Network Access Configuring a RADIUS Server to Send Downloadable Access Control Lists This section describes how to configure Cisco Secure ACS or a third-party RADIUS server and includes the following topics: [...]


8-15 Chapter 8 Configuring AAA Rules for Network Access Configuring Authorization for Network Access 4. After receipt of a RADIUS authentication request that has a username attribute that includes the name of a downloadable ACL, Cisco Secure ACS authenticates the request by checking the M[...]


8-16 Chapter 8 Configuring AAA Rules for Network Access Configuring Authorization for Network Access | permit udp any host 10.0.0.253 | | permit icmp any host 10.0.0.253 | | permit tcp any host 10.0.0.252 | | permit udp any host 10.0.0.252 | | permit icmp any host 10.0.0.252 | | permit ip any any [...]


8-17 Chapter 8 Configuring AAA Rules for Network Access Configuring Accounting for Network Access The username argument is the name of the user that is being authenticated. The downloaded ACL on the ASA consists of the following lines. Notice the order based on the numbers identified on the R[...]


8-18 Chapter 8 Configuring AAA Rules for Network Access Configuring Accounting for Network Access accounting information by IP address. Accounting information includes session start and stop times, username, the number of bytes that pass through the ASA for the session, the service used, and t[...]


8-19 Chapter 8 Configuring AAA Rules for Network Access Using MAC Addresses to Exempt Traffic from Authentication and Authorization of these users, you can enable AAA to allow only authenticated and/or authorized users to connect through the ASA. (The Telnet server enforces authentication, [...]


8-20 Chapter 8 Configuring AAA Rules for Network Access Feature History for AAA Rules Feature History for AAA Rules Table 8-1 lists each feature change and the platform release in which it was implemented. ASDM is backwards-compatible with multiple platform releases, so the specific ASDM [...]


9-1 CHAPTER 9 Configuring Public Servers This section describes how to configure public servers, and includes the following topics: • Information About Public Servers, page 9-1 • Licensing Requirements for Public Servers, page 9-1 • Guidelines and Limitations, page 9-1 • Addin[...]


9-2 Chapter 9 Configuring Public Servers Adding a Public Server that Enables Static NAT Firewall Mode Guidelines Supported in routed and transparent firewall mode. Adding a Public Server that Enables Static NAT To add a public server that enables static NAT and creates a fixed translation [...]


9-3 Chapter 9 Configuring Public Servers Editing Settings for a Public Server Step 4 In the Private Service field, click Browse to display the Browse Service dialog box. Step 5 Choose the actual service that is exposed to the outside, and click OK. Optionally, from the Browse Service dialog [...]


9-4 Chapter 9 Configuring Public Servers Feature History for Public Servers Feature History for Public Servers Table 9-1 lists each feature change and the platform release in which it was implemented. ASDM is backwards-compatible with multiple platform releases, so the specific ASDM rele[...]


PART 4 Configuring Application Inspection[...]


10-1 CHAPTER 10 Getting Started with Application Layer Protocol Inspection This chapter describes how to configure application layer protocol inspection. Inspection engines are required for services that embed IP addressing information in the user data packet or that open secondary channe[...]


10-2 Chapter 10 Getting Started with Application Layer Protocol Inspection Information about Application Layer Protocol Inspection Figure 10-1 How Inspection Engines Work In Figure 10-1, operations are numbered in the order they occur, and are described as follows: 1. A TCP SYN packet arrive[...]


10-3 Chapter 10 Getting Started with Application Layer Protocol Inspection Guidelines and Limitations When you enable application inspection for a service that embeds IP addresses, the ASA translates embedded addresses and updates any checksum or other fields that are affected by the transl[...]


10-4 Chapter 10 Getting Started with Application Layer Protocol Inspection Default Settings and NAT Limitations Inspected protocols are subject to advanced TCP-state tracking, and the TCP state of these connections is not automatically replicated. While these connections are replicated to the s[...]


10-5 Chapter 10 Getting Started with Application Layer Protocol Inspection Default Settings and NAT Limitations ICMP ERROR — — — — ILS (LDAP) TCP/389 No extended PAT. No NAT64. — — Instant Messaging (IM) Varies by client No extended PAT. No NAT64. RFC 3860 — IP Option[...]


10-6 Chapter 10 Getting Started with Application Layer Protocol Inspection Default Settings and NAT Limitations SIP TCP/5060 UDP/5060 No outside NAT. No NAT on same security interfaces. No extended PAT. No per-session PAT. No NAT64. (Clustering) No static PAT. RFC 2543 — SKINNY [...]


10-7 Chapter 10 Getting Started with Application Layer Protocol Inspection Configuring Application Layer Protocol Inspection Configuring Application Layer Protocol Inspection This feature uses Security Policy Rules to create a service policy. Service policies provide a consistent and flexible[...]


10-8 Chapter 10 Getting Started with Application Layer Protocol Inspection Configuring Application Layer Protocol Inspection[...]


11-1 CHAPTER 11 Configuring Inspection of Basic Internet Protocols This chapter describes how to configure application layer protocol inspection. Inspection engines are required for services that embed IP addressing information in the user data packet or that open secondary channels on dy[...]


11-2 Chapter 11 Configuring Inspection of Basic Internet Protocols DNS Inspection • Configuring DNS Inspection, page 11-16 Information About DNS Inspection • General Information About DNS, page 11-2 • DNS Inspection Actions, page 11-2 General Information About DNS A single connection i[...]


11-3 Chapter 11 Configuring Inspection of Basic Internet Protocols DNS Inspection (Optional) Configuring a DNS Inspection Policy Map and Class Map To match DNS packets with certain characteristics and perform special actions, create a DNS inspection policy map. You can also configure a DNS [...]


11-4 Chapter 11 Configuring Inspection of Basic Internet Protocols DNS Inspection • To use one of the preset security levels (Low, Medium, or High), drag the Security Level knob, then click OK to add the inspection policy map. You can skip the rest of this procedure. • To customize e[...]


11-5 Chapter 11 Configuring Inspection of Basic Internet Protocols DNS Inspection Detailed Steps—Filtering Step 1 Click the Filtering tab. Step 2 Global Settings: Drop packets that exceed specified maximum length (global)—Sets the maximum DNS message length, from 512 to 65535 bytes. Step[...]


11-6 Chapter 11 Configuring Inspection of Basic Internet Protocols DNS Inspection Step 2 Enable logging when DNS ID mismatch rate exceeds specified rate—Enables logging for excessive DNS ID mismatches, where the Mismatch Instance Threshold and Time Interval fields specify the maximum n[...]


11-7 Chapter 11 Configuring Inspection of Basic Internet Protocols DNS Inspection Step 2 Click Add. The Add DNS Inspect dialog box appears.[...]


11-8 Chapter 11 Configuring Inspection of Basic Internet Protocols DNS Inspection Step 3 You can configure DNS inspections using the following methods: • Single Match—Match a single criterion, and identify the action for the match. • Multiple matches—Match multiple criteria by cre[...]


11-9 Chapter 11 Configuring Inspection of Basic Internet Protocols DNS Inspection • Enforce TSIG: Requires a TSIG resource record to be present. – Do not enforce – Drop packet – Log – Drop packet and log Not all combinations are valid for all matching criteria. For example, you ca[...]


11-10 Chapter 11 Configuring Inspection of Basic Internet Protocols DNS Inspection Step 5 From the Criterion drop-down list, choose one of the following criteria: • Header Flag: Set the following Value parameters: – Match Option: Equals or Contains. If you choose Header Flag Name, and[...]


11-11 Chapter 11 Configuring Inspection of Basic Internet Protocols DNS Inspection Set the following Value parameters: – DNS Type Field Name—Lists the DNS types to select. A—IPv4 address AXFR—Full (zone) transfer CNAME—Canonical name IXFR—Incremental (zone) transfer NS—A[...]


11-12 Chapter 11 Configuring Inspection of Basic Internet Protocols DNS Inspection Set the following Value parameters: – DNS Class Field Name: Internet—Internet is the only option. – DNS Class Field Value: Value—Lets you enter a value between 0 and 65535. Range—Lets you ent[...]


11-13 Chapter 11 Configuring Inspection of Basic Internet Protocols DNS Inspection • Resource Record:[...]


11-14 Chapter 11 Configuring Inspection of Basic Internet Protocols DNS Inspection Set the following Value parameters: – Resource Record: additional—DNS additional resource record answer—DNS answer resource record authority—DNS authority resource record • Domain Name:[...]


11-15 Chapter 11 Configuring Inspection of Basic Internet Protocols DNS Inspection Set the following Value parameters: – Regular Expression—Choose an existing regular expression from the drop-down menu, or click Manage to add a new one. See the “Creating a Regular Expression” sect[...]


11-16 Chapter 11 Configuring Inspection of Basic Internet Protocols DNS Inspection map that have the same match, then the order in the configuration determines which match is used, so these buttons are enabled. See the “Guidelines and Limitations” section on page 2-2 for more informatio[...]


11-17 Chapter 11 Configuring Inspection of Basic Internet Protocols FTP Inspection load on the ASA. For example, if the DNS server is on the outside interface, you should enable DNS inspection with snooping for all UDP DNS traffic on the outside interface. See the “Enabling DNS Snooping”[...]


11-18 Chapter 11 Configuring Inspection of Basic Internet Protocols FTP Inspection • An FTP command must be acknowledged before the ASA allows a new command. • The ASA drops connections that send embedded commands. • The 227 and PORT commands are checked to ensure they do not appear in [...]


11-19 Chapter 11 Configuring Inspection of Basic Internet Protocols FTP Inspection Fields • FTP Strict (prevent web browsers from sending embedded commands in FTP requests)—Enables strict FTP application inspection, which causes the ASA to drop the connection when an embedded comman[...]


11-20 Chapter 11 Configuring Inspection of Basic Internet Protocols FTP Inspection • Delete—Deletes an FTP class map. Add/Edit FTP Match Criterion The Add/Edit FTP Match Criterion dialog box is accessible as follows: Configuration > Global Objects > Class Maps > FTP > Add/Edit[...]


11-21 Chapter 11 Configuring Inspection of Basic Internet Protocols FTP Inspection – Regular Expression Class—Lists the defined regular expression classes to match. – Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class m[...]


11-22 Chapter 11 Configuring Inspection of Basic Internet Protocols FTP Inspection • Delete—Deletes the inspect map selected in the FTP Inspect Maps table. • Security Level—Select the security level (medium or low). – Low Mask Banner Disabled Mask Reply Disabled – Medium—Defa[...]


11-23 Chapter 11 Configuring Inspection of Basic Internet Protocols FTP Inspection • Description—Enter the description of the FTP map, up to 200 characters in length. • Security Level—Select the security level (medium or low). – Low Mask Banner Disabled Mask Reply Disabled – [...]


11-24 Chapter 11 Configuring Inspection of Basic Internet Protocols FTP Inspection Add/Edit FTP Map The Add/Edit FTP Map dialog box is accessible as follows: Configuration > Global Objects > Inspect Maps > FTP > FTP Inspect Map > Advanced View > Add/Edit FTP Inspect The Add/Edi[...]


11-25 Chapter 11 Configuring Inspection of Basic Internet Protocols FTP Inspection – Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps. • File Type Criterion Values—Specifies the value details for FTP file type[...]


11-26 Chapter 11 Configuring Inspection of Basic Internet Protocols HTTP Inspection In conjunction with NAT, the FTP application inspection translates the IP address within the application payload. This is described in detail in RFC 959. HTTP Inspection This section describes the HTTP inspe[...]


11-27 Chapter 11 Configuring Inspection of Basic Internet Protocols HTTP Inspection The Select HTTP Map dialog box lets you select or create a new HTTP map. An HTTP map lets you change the configuration values used for HTTP application inspection. The Select HTTP Map table provides a list [...]


11-28 Chapter 11 Configuring Inspection of Basic Internet Protocols HTTP Inspection • Edit—Edits an HTTP class map. • Delete—Deletes an HTTP class map. Add/Edit HTTP Match Criterion The Add/Edit HTTP Match Criterion dialog box is accessible as follows: Configuration > Global Objec[...]


11-29 Chapter 11 Configuring Inspection of Basic Internet Protocols HTTP Inspection cookie, date, expect, expires, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, last-modified, max-forwards, pragma, proxy-authorization, range, referer, te, trailer[...]


11-30 Chapter 11 Configuring Inspection of Basic Internet Protocols HTTP Inspection Method—Specifies to match on a request method: bcopy, bdelete, bmove, bpropfind, bproppatch, connect, copy, delete, edit, get, getattribute, getattributenames, getproperties, head, index, lock, mkcol, mk[...]


11-31 Chapter 11 Configuring Inspection of Basic Internet Protocols HTTP Inspection Regular Expression—Lists the defined regular expressions to match. Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Greater Than Count—Enter t[...]


11-32 Chapter 11 Configuring Inspection of Basic Internet Protocols HTTP Inspection HTTP Inspect Map The HTTP Inspect Map dialog box is accessible as follows: Configuration > Global Objects > Inspect Maps > HTTP The HTTP pane lets you view previously configured HTTP application insp[...]


11-33 Chapter 11 Configuring Inspection of Basic Internet Protocols HTTP Inspection URI Filtering The URI Filtering dialog box is accessible as follows: Configuration > Global Objects > Inspect Maps > HTTP > URI Filtering The URI Filtering dialog box lets you configure the setti[...]


11-34 Chapter 11 Configuring Inspection of Basic Internet Protocols HTTP Inspection URI filtering: Not configured Advanced inspections: Not configured – High Protocol violation action: Drop connection and log Drop connections for unsafe methods: Allow only GET and HEAD. Drop connections fo[...]


11-35 Chapter 11 Configuring Inspection of Basic Internet Protocols HTTP Inspection – Add—Opens the Add HTTP Inspect dialog box to add an HTTP inspection. – Edit—Opens the Edit HTTP Inspect dialog box to edit an HTTP inspection. – Delete—Deletes an HTTP inspection. – Move Up—[...]


11-36 Chapter 11 Configuring Inspection of Basic Internet Protocols HTTP Inspection Predefined—Specifies the request header fields: accept, accept-charset, accept-encoding, accept-language, allow, authorization, cache-control, connection, content-encoding, content-language, content-lengt[...]


11-37 Chapter 11 Configuring Inspection of Basic Internet Protocols HTTP Inspection Method—Specifies to match on a request method: bcopy, bdelete, bmove, bpropfind, bproppatch, connect, copy, delete, edit, get, getattribute, getattributenames, getproperties, head, index, lock, mkcol, [...]


11-38 Chapter 11 Configuring Inspection of Basic Internet Protocols HTTP Inspection Regular Expression—Lists the defined regular expressions to match. Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Greater Than Count—Enter the [...]


11-39 Chapter 11 Configuring Inspection of Basic Internet Protocols ICMP Inspection – H323 Traffic Class—Specifies the HTTP traffic class match. – Manage—Opens the Manage HTTP Class Maps dialog box to add, edit, or delete HTTP Class Maps. • Action—Drop connection, reset, or [...]


11-40 Chapter 11 Configuring Inspection of Basic Internet Protocols Instant Messaging Inspection IM Inspection Overview The IM inspect engine lets you apply fine grained controls on the IM application to control the network usage and stop leakage of confidential data, propagation of worms, [...]


11-41 Chapter 11 Configuring Inspection of Basic Internet Protocols IP Options Inspection • Source IP Address—Select to match the source IP address of the IM message. In the Value fields, enter the IP address and netmask of the message source. • Destination IP Address—Select to matc[...]


11-42 Chapter 11 Configuring Inspection of Basic Internet Protocols IP Options Inspection • End of Options List (EOOL) or IP Option 0—This option, which contains just a single zero byte, appears at the end of all options to mark the end of a list of options. This might not coincide with[...]


11-43 Chapter 11 Configuring Inspection of Basic Internet Protocols IP Options Inspection • Click the Use the default IP-Options inspection map radio button to use the default IP Options map. The default map drops packets containing all the inspected IP options, namely End of Options Lis[...]


11-44 Chapter 11 Configuring Inspection of Basic Internet Protocols IP Options Inspection The Select IP-Options Inspect Map dialog box lets you select or create a new IP Options inspection map. Use this inspection map to control whether the ASA drops, passes, or clears IP packets containing the [...]


11-45 Chapter 11 Configuring Inspection of Basic Internet Protocols IPsec Pass Through Inspection – Allow packets with the No Operation (NOP) option The Options field in the IP header can contain zero, one, or more options, which makes the total length of the field variable. However, [...]


11-46 Chapter 11 Configuring Inspection of Basic Internet Protocols IPsec Pass Through Inspection Select IPsec-Pass-Thru Map The Select IPsec-Pass-Thru Map dialog box is accessible as follows: Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab > Select IPsec[...]


11-47 Chapter 11 Configuring Inspection of Basic Internet Protocols IPsec Pass Through Inspection – Default Level—Sets the security level back to the default level of Low. Add/Edit IPsec Pass Thru Policy Map (Security Level) The Add/Edit IPsec Pass Thru Policy Map (Security Level) dia[...]


11-48 Chapter 11 Configuring Inspection of Basic Internet Protocols IPv6 Inspection • Parameters—Configures ESP and AH parameter settings. – Limit ESP flows per client—Limits ESP flows per client. Maximum—Specify maximum limit. – Apply ESP idle timeout—Applies ESP idle timeout.[...]


11-49 Chapter 11 Configuring Inspection of Basic Internet Protocols IPv6 Inspection Step 2 Click Add. The Add IPv6 Inspection Map dialog box appears. Step 3 Enter a name and description for the inspection map. By default, the Enforcement tab is selected and the following options are se[...]


11-50 Chapter 11 Configuring Inspection of Basic Internet Protocols NetBIOS Inspection You can configure IPv6 inspection as part of a new service policy rule, or you can edit an existing service policy. Step 2 On the Rule Actions dialog box, click the Protocol Inspections tab. Step 3 Ch[...]


11-51 Chapter 11 Configuring Inspection of Basic Internet Protocols PPTP Inspection • Add—Opens the Add Policy Map dialog box for the inspection. NetBIOS Inspect Map The NetBIOS Inspect Map dialog box is accessible as follows: Configuration > Global Objects > Inspect Maps > NetBIO[...]


11-52 Chapter 11 Configuring Inspection of Basic Internet Protocols SMTP and Extended SMTP Inspection PAT is only performed for the modified version of GRE [RFC 2637] when negotiated over the PPTP TCP control channel. Port Address Translation is not performed for the unmodified version o[...]


11-53 Chapter 11 Configuring Inspection of Basic Internet Protocols SMTP and Extended SMTP Inspection Other extended SMTP commands, such as ATRN, ONEX, VERB, CHUNKING, and private extensions, are not supported. Unsupported commands are translated into Xs, which are rejected by th[...]


11-54 Chapter 11 Configuring Inspection of Basic Internet Protocols SMTP and Extended SMTP Inspection ESMTP Inspect Map The ESMTP Inspect Map dialog box is accessible as follows: Configuration > Global Objects > Inspect Maps > ESMTP The ESMTP pane lets you view previously configur[...]


11-55 Chapter 11 Configuring Inspection of Basic Internet Protocols SMTP and Extended SMTP Inspection – Default Level—Sets the security level back to the default level of Low. MIME File Type Filtering The MIME File Type Filtering dialog box is accessible as follows: Configuration >[...]


11-56 Chapter 11 Configuring Inspection of Basic Internet Protocols SMTP and Extended SMTP Inspection Drop Connections if command line length is greater than 512 Drop Connections if command recipient count is greater than 100 Drop Connections if body line length is greater than 1000 Drop Con[...]


11-57 Chapter 11 Configuring Inspection of Basic Internet Protocols SMTP and Extended SMTP Inspection – Action—Shows the action if the match condition is met. – Log—Shows the log state. – Add—Opens the Add ESMTP Inspect dialog box to add an ESMTP inspection. – Edit—Opens th[...]


11-58 Chapter 11 Configuring Inspection of Basic Internet Protocols SMTP and Extended SMTP Inspection • Body Line Length Criterion Values—Specifies the value details for body line length match. – Greater Than Length—Body line length in bytes. – Action—Reset, drop connection, log.[...]


11-59 Chapter 11 Configuring Inspection of Basic Internet Protocols SMTP and Extended SMTP Inspection 8bitmime auth binarymime checkpoint dsn ecode etrn others pipelining size vrfy – Add—Adds the selected parameter from the Available Parameters table to the Selected Parameters table. [...]


11-60 Chapter 11 Configuring Inspection of Basic Internet Protocols TFTP Inspection • MIME Filename Length Criterion Values—Specifies the value details for MIME filename length match. – Greater Than Length—MIME filename length in bytes. – Action—Reset, Drop Connection, Log. [...]


11-61 Chapter 11 Configuring Inspection of Basic Internet Protocols TFTP Inspection The ASA inspects TFTP traffic and dynamically creates connections and translations, if necessary, to permit file transfer between a TFTP client and server. Specifically, the inspection engine inspects TF[...]


11-62 Chapter 11 Configuring Inspection of Basic Internet Protocols TFTP Inspection[...]


12-1 CHAPTER 12 Configuring Inspection for Voice and Video Protocols This chapter describes how to configure application layer protocol inspection. Inspection engines are required for services that embed IP addressing information in the user data packet or that open secondary channels on [...]


12-2 Chapter 12 Configuring Inspection for Voice and Video Protocols H.323 Inspection Limitations and Restrictions The following summarizes limitations that apply when using CTIQBE application inspection: • CTIQBE application inspection does not support configurations with the alias comman[...]


12-3 Chapter 12 Configuring Inspection for Voice and Video Protocols H.323 Inspection H.323 Inspection Overview H.323 inspection provides support for H.323 compliant applications such as Cisco CallManager and VocalTec Gatekeeper. H.323 is a suite of protocols defined by the International T[...]


12-4 Chapter 12 Configuring Inspection for Voice and Video Protocols H.323 Inspection After inspecting the H.225 messages, the ASA opens the H.245 channel and then inspects traffic sent over the H.245 channel as well. All H.245 messages passing through the ASA undergo H.245 application inspe[...]


12-5 Chapter 12 Configuring Inspection for Voice and Video Protocols H.323 Inspection • Not supported with dynamic NAT or PAT. • Not supported with extended PAT. • Not supported with NAT between same-security-level interfaces. • Not supported with outside NAT. • Not suppo[...]

  • Page 342

    12-6 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 12 Configuring Ins pection for Voice and Video Protocols H.323 Inspection • Edit—Edits an H.323 cl ass map. • Delete—Deletes an H.323 class map. Add/Edit H.323 Traffic Class Map Confi guration > Global Objects > Class Maps > H.323 > Add/Edit H.323 T raffi c Class Ma[...]

  • Page 343

    12-7 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 12 Configuring Inspection for Voice and Video Protocols H.323 Inspection – Regular Expression Class—Lists the def ined regular e xpre ssion classes to match. – Manage—Opens the Manage Re gular Expression Class dialog box, whic h lets you conf igure regul ar expressi on class m[...]

  • Page 344

    12-8 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 12 Configuring Ins pection for Voice and Video Protocols H.323 Inspection Call P arty Number Enable d Call duration Limit 1 :00:00 R TP c onformance enforced Limit payload to audio or vi deo, based on the signal ing exchange: yes – Phone Number Filtering—Opens t he Phone Number Fil[...]

  • Page 345

    12-9 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 12 Configuring Inspection for Voice and Video Protocols H.323 Inspection Call Party Number Disabled Call duration Limit Disabled R TP conformance not enforc ed – Medium State Checking h225 Enabled State Checking ras Enabled Call Party Number Disabled Call duration Limit Disabled R T[...]

  • Page 346

    12-10 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 12 Configuring Ins pection for Voice and Video Protocols H.323 Inspection Note Y ou can enable call setup be tween H.323 en dpoints when the Gatek eeper is insi de the network. The ASA i ncludes options to open p inholes for calls based on th e Regist rationRequest/Reg istrationConf i[...]

  • Page 347

    12-11 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 12 Configuring Inspection for Voice and Video Protocols H.323 Inspection Add/Edit HSI Group Conf iguration > Global Objects > Inspect Maps > H323 > H323 Inspect Map > Advanced V iew > Add/Edit HSI Group The Add/Edit HSI Grou p dialog box lets you conf igure HSI Grou[...]

  • Page 348

    12-12 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 12 Configuring Ins pection for Voice and Video Protocols MGCP Inspection – Regular Expression Class—Lists the def ine d regular e xpression classes to match. – Manage—Op ens the Manage Regular Expression Class dialog box, which lets you co nfi gure regul ar expressi on class m[...]

  • Page 349

    12-13 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 12 Configuring Inspection for Voice and Video Protocols MGCP Inspection Note T o av oid policy f ailure when upgrading from ASA ve rs ion 7.1, all layer 7 and layer 3 policies must ha ve distinct names. For in stance, a pre viously configured po licy map with the same name as a pre v[...]

  • Page 350

    12-14 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 12 Configuring Ins pection for Voice and Video Protocols MGCP Inspection • RestartInProgr ess The first f our commands are sent b y the call agent to th e gate way . The Notify command is sent by the gate way to the call agent. The gate way may also send a Delete Connecti on. The re[...]

  • Page 351

    12-15 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 12 Configuring Inspection for Voice and Video Protocols MGCP Inspection Gateways and Call Agents Confi guration > Global Objects > Inspect M aps > MGCP > Gatewa ys and Call Agents The Gate ways and Call Agents di alog box lets you conf igure groups of gate ways and call a[...]

  • Page 352

    12-16 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 12 Configuring Ins pection for Voice and Video Protocols RTSP Inspection – Gateways—Identifies the IP address of the media ga tew ay that is co ntroll ed by the associated call agent. A media gat ew a y is typically a netw ork element that provides con version between the audio si[...]

  • Page 353

    12-17 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 12 Configuring Inspection for Voice and Video Protocols RTSP Inspection • Using RealPlayer , page 12-17 • Restrictions and Limitat ions, page 12-18 • Select R TSP Map , page 12-18 • R TSP Inspect Map, page 12-18 • Add/Edit R TSP Policy Map, page 12-19 • R TSP Class Map, p[...]

  • Page 354

    12-18 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 12 Configuring Ins pection for Voice and Video Protocols RTSP Inspection Restrictions and Limitations The follo wing restrictions apply to the RSTP inspection. • The ASA does not support multicast R TSP or R TSP messages ov er UDP . • The ASA does not ha ve the ability to recogniz[...]

  • Page 355

    12-19 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 12 Configuring Inspection for Voice and Video Protocols RTSP Inspection Add/Edit RTSP Policy Map Configuration > Global Objects > Inspect Maps > MGCP > MGCP Inspect Map > V iew The Add/Edit R TSP Policy Map pane lets you con fi gur e the parameters and inspections sett[...]

  • Page 356

    12-20 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 12 Configuring Ins pection for Voice and Video Protocols SIP Inspection – Criterion—Sho ws the criterion of the R TSP class map. – V alue—Shows the v alue to ma tc h in the R TS P class map. • Description—Sho ws the description of the class map. • Add—Adds a R TSP clas[...]

  • Page 357

    12-21 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 12 Configuring Inspection for Voice and Video Protocols SIP Inspection • SIP Inspection Overview , page 12-21 • SIP Instant Messa ging, page 12-22 • Select SIP Map, page 12-22 • SIP Class Map, page 12-23 • Add/Edit SIP T raff ic Class Map, page 12-24 • Add/Edit SIP Match [...]

  • Page 358

    12-22 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 12 Configuring Ins pection for Voice and Video Protocols SIP Inspection SIP Instant Messaging Instant Messaging refers to the tran sfer of messages between users in near real-time. SIP supports the Chat feature on W indows X P using W indows Messenger R TC Client version 4.7.0105 onl [...]

  • Page 359

    12-23 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 12 Configuring Inspection for Voice and Video Protocols SIP Inspection The Select SIP Map dialog box lets you select or cr eate a n e w SIP map. A SIP map lets you chan ge the confi guration v alues used for SIP application insp ection. The Select SIP Map table provid es a list of pr[...]

  • Page 360

    12-24 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 12 Configuring Ins pection for Voice and Video Protocols SIP Inspection Fields • Name—Sho ws the SIP class map name. • Match Conditions—Sho ws the type, match criterion, and v alue in the class map. – Match T y pe—Shows the match ty pe, which c an be a posi tiv e o r negat[...]

  • Page 361

    12-25 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 12 Configuring Inspection for Voice and Video Protocols SIP Inspection – Message Path—Match the SIP V ia header . – Request Method—Match the SIP r equest method. – Third-Pa rty Registr ation—Match the request er of a third-party re gistration. – URI Length—Match a URI[...]

  • Page 362

    12-26 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 12 Configuring Ins pection for Voice and Video Protocols SIP Inspection • Message Path Criterio n V alues—Specif ies to match a SIP V ia header . Applies the re gular expression match. – Regular Expressi on—Lists the def ined regular expression s to match. – Manage—Opens t[...]

  • Page 363

    12-27 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 12 Configuring Inspection for Voice and Video Protocols SIP Inspection SIP instant m essaging ( IM) extensions: En abled. Non-SIP traf fic on SIP port: Permitted. Hide server ’ s and endpoint’ s IP addresses: Disabled. Mask software version a nd n on-SIP URIs: Disabled. Ensure th[...]

  • Page 364

    12-28 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 12 Configuring Ins pection for Voice and Video Protocols SIP Inspection – Lo w—Default . SIP instant messaging (IM) e xtensions: Enabled. Non-SIP traf fic on SIP port: Permitted. Hide server ’ s and endpoint’ s IP addresses: Disabled. Mask software version a nd n on-SIP URIs: [...]

  • Page 365

    12-29 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 12 Configuring Inspection for Voice and Video Protocols SIP Inspection • Description—Enter the descri ption of the SI P map, up to 200 characters i n length. • Security Le vel—Sh ows the secur ity le vel setti ngs to conf igure • Filtering—T ab that lets you conf igure th[...]

  • Page 366

    12-30 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 12 Configuring Ins pection for Voice and Video Protocols SIP Inspection – Add—Opens the Add SIP Inspect dialog box to add a SIP insp ection. – Edit—Opens the Edit SIP Insp ect dialog box to edit a SI P inspection. – Delete—Deletes a SIP inspe ction. – Move Up—Moves an [...]

  • Page 367

    12-31 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 12 Configuring Inspection for Voice and Video Protocols SIP Inspection – Regular Expression Class—Lists the def ined regular e xpre ssion classes to match. – Manage—Opens the Manage Re gular Expression Class dialog box, whic h lets you conf igure regul ar expressi on class ma[...]

  • Page 368

    12-32 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 12 Configuring Ins pection for Voice and Video Protocols Skinny (SCCP) Inspection • URI Length Criterion V alues—Specifies to match a URI in the SIP headers greater than specif ied length. – URI type—Specif ies to match either SIP URI or TEL URI. – Greater Than Lengt h—Len[...]

  • Page 369

    12-33 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 12 Configuring Inspection for Voice and Video Protocols Skinny (SCCP) Inspection Normal traf fi c between Cisco CallManager and Cisco IP Phones uses SCCP and is handled by SCCP inspection without an y special confi guration. The ASA al so supports DHCP option s 150 and 66, w hich it [...]

  • Page 370

    12-34 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 12 Configuring Ins pection for Voice and Video Protocols Skinny (SCCP) Inspection Select SCCP (Skinny) Map Add/Edit Service P olicy Rule Wizard > Rule Actions > Pr otocol Inspection T ab > Select SCCP Map The Select SCCP (Ski nny) Map d ialog box lets you select or create a n[...]

  • Page 371

    12-35 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 12 Configuring Inspection for Voice and Video Protocols Skinny (SCCP) Inspection Minimum pref ix length: 4 Media timeout: 00 :05:00 Signaling timeout: 0 1:00:00. R TP conformance: Not enforc ed. – Medium Regist ration: Not enfor ced. Maximum message ID: 0x141. Minimum pref ix lengt[...]

  • Page 372

    12-36 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 12 Configuring Ins pection for Voice and Video Protocols Skinny (SCCP) Inspection • Delete—Deletes a message ID filter . • Move Up—Moves an entry up in the list. • Move Down—Mo ves an entry do wn in the list. Add/Edit SCCP (Skinny) Policy Map (Security Level) Confi guratio[...]

  • Page 373

    12-37 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 12 Configuring Inspection for Voice and Video Protocols Skinny (SCCP) Inspection Limit payload to audio or vi deo, based on the signal ing exchange: Y es. – Message ID Filtering—Open s the Messaging ID Filtering di alog box for co nfigu ring message ID filters. – Default Le vel[...]

  • Page 374

    12-38 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 12 Configuring Ins pection for Voice and Video Protocols Skinny (SCCP) Inspection – Edit—Opens the Edit Message ID Filterin g dialog box to edit a message ID f ilter . – Delete—Deletes a message ID filter . – Move Up—Moves an entry up in the list. – Move Down—Mo ves an[...]

  • Page 375: 13-1 Chapter 13 Configuring Inspection of Database and Directory Protocols. This chapter describes how to configure application layer protocol inspection. Inspection engines are required for services that embed IP addressing information in the user data packet or that open secondary channe[...]

  • Page 376: 13-2 SQL*Net Inspection. During connection negotiation time, a BIND PDU is sent from the client to the server. Once a successful BIND RESPONSE from the server is received, other operational messages may be exchanged (such [...]

  • Page 377: 13-3 Sun RPC Inspection. SQL*Net Version 2 TNSFrame types (Connect, Accept, Refuse, Resend, and Marker) will not be scanned for addresses to NAT nor will inspection open dynamic connections for any embedded ports in the pa[...]

  • Page 378: 13-4 Sun RPC Inspection. The Configuration > Firewall > Advanced > SUNRPC Server pane shows which SunRPC services can traverse the ASA and their specific timeout, on a per server basis. Fields • Interface—Di[...]

  • Page 379: 14-1 Chapter 14 Configuring Inspection for Management Application Protocols. This chapter describes how to configure application layer protocol inspection. Inspection engines are required for services that embed IP addressing information in the user data packet or that open secondary chann[...]

  • Page 380: 14-2 DCERPC Inspection. This typically involves a client querying a server called the Endpoint Mapper listening on a well known port number for the dynamically allocated network information of a required service. The[...]

  • Page 381: 14-3 DCERPC Inspection. DCERPC inspect maps inspect for native TCP communication between the EPM and client on well known TCP port 135. Map and lookup operations of the EPM are supported for clients. Client and server can[...]

  • Page 382: 14-4 GTP Inspection. Endpoint mapper service: not enforced. Endpoint mapper service lookup: enabled. Endpoint mapper service lookup timeout: 00:05:00. – Medium—Default. Pinhole timeout: 00:01:00. Endpoint mapper service: [...]

  • Page 383: 14-5 GTP Inspection. GTP Inspection Overview. GPRS provides uninterrupted connectivity for mobile subscribers between GSM networks and corporate networks or the Internet. The GGSN is the interface between the GPRS wireless [...]

  • Page 384: 14-6 GTP Inspection. The Select GTP Map dialog box lets you select or create a new GTP map. A GTP map lets you change the configuration values used for GTP application inspection. The Select GTP Map table provides a list of[...]

  • Page 385: 14-7 GTP Inspection. • Default Level—Sets the security level back to the default. IMSI Prefix Filtering. Configuration > Global Objects > Inspect Maps > GTP > IMSI Prefix Filtering. The IMSI Prefix table[...]

  • Page 386: 14-8 GTP Inspection. Add/Edit GTP Policy Map (Details). Configuration > Global Objects > Inspect Maps > GTP > GTP Inspect Map > Advanced View. The Add/Edit GTP Policy Map pane lets you configure the security l[...]

  • Page 387: 14-9 GTP Inspection. Signaling—Lets you change the default for the maximum period of inactivity before a GTP signaling is removed. The default is 30 minutes. Timeout is in the format hh:mm:ss, where hh specifies t[...]

  • Page 388: 14-10 RADIUS Accounting Inspection. – Message Length—Match on the message length. – Version—Match on the version. • Access Point Name Criterion Values—Specifies an access point name to be matched. By default, all[...]

  • Page 389: 14-11 RADIUS Accounting Inspection. • Select RADIUS Accounting Map, page 14-11 • Add RADIUS Accounting Policy Map, page 14-11 • RADIUS Inspect Map, page 14-12 • RADIUS Inspect Map Host, page 14-12 • RADIUS Insp[...]

  • Page 390: 14-12 RADIUS Accounting Inspection. Fields • Name—Enter the name of the previously configured RADIUS accounting map. • Description—Enter the description of the RADIUS accounting map, up to 100 characters in lengt[...]

  • Page 391: 14-13 RSH Inspection. Fields • Name—Shows the name of the previously configured RADIUS accounting map. • Description—Enter the description of the RADIUS accounting map, up to 200 characters in length. • Host Para[...]

  • Page 392: 14-14 SNMP Inspection. • “Select SNMP Map” section on page 14-14 • “SNMP Inspect Map” section on page 14-14. SNMP Inspection Overview. SNMP application inspection lets you restrict SNMP traffic to a specific version [...]

  • Page 393: 14-15 XDMCP Inspection. The Add/Edit SNMP Map dialog box lets you create a new SNMP map for controlling SNMP application inspection. Fields • SNMP Map Name—Defines the name of the application inspection map. • SNMP ver[...]

  • Page 394: 14-16 XDMCP Inspection[...]

  • Page 395: PART 5 Configuring Unified Communications[...]

  • Page 396: [...]

  • Page 397: 15-1 Chapter 15 Information About Cisco Unified Communications Proxy Features. This chapter describes how to configure the adaptive security appliance for Cisco Unified Communications Proxy features. This chapter includes the following sections: • Information About the Adaptive Secu[...]

  • Page 398: 15-2 Information About the Adaptive Security Appliance in Cisco Unified Communications. TLS Proxy: Decryption and inspection of Cisco Unified Communications encrypted signaling. End-to-end encryption often leaves network s[...]

  • Page 399: 15-3 TLS Proxy Applications in Cisco Unified Communications. The ASA provides perimeter security by encrypting signaling connections between enterprises and preventing unauthorized calls. An ASA running the Cisco Inte[...]

  • Page 400: 15-4 Licensing for Cisco Unified Communications Proxy Features. For the Cisco Unified Mobility solution, the TLS client is a Cisco UMA client and the TLS server is a Cisco UMA server. The ASA is between a Cisco UMA cl[...]

  • Page 401: 15-5 Licensing for Cisco Unified Communications Proxy Features. ASA 5512-X Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, or 500 sessions. ASA 5515-X Base License: 2 sessions. Optional licenses: 24, 50, 1[...]

  • Page 402: 15-6 Licensing for Cisco Unified Communications Proxy Features. Table 15-2 shows the default and maximum TLS session details by platform. The following table shows the Unified Communications Proxy license details by pl[...]

  • Page 403: 16-1 Chapter 16 Using the Cisco Unified Communication Wizard. This chapter describes how to configure the adaptive security appliance for Cisco Unified Communications Proxy features. This chapter includes the following sections: • Information about the Cisco Unified Communication W[...]

  • Page 404: 16-2 Information about the Cisco Unified Communication Wizard. The wizard simplifies the configuration of the Unified Communications proxies in the following ways: • You enter all required data in the wizard steps. You are not requir[...]

  • Page 405: 16-3 Licensing Requirements for the Unified Communication Wizard. Using the ASA as a secure presence federation proxy, businesses can securely connect their Cisco Unified Presence (Cisco UP) servers to other Cisco or Microsoft Presence [...]

  • Page 406: 16-4 Guidelines and Limitations. This section includes the guidelines and limitations for this feature. Context Mode Guidelines: Supported in single and multiple context mode. Firewall Mode Guidelines: Supported in [...]

  • Page 407: 16-5 Configuring the Phone Proxy by using the Unified Communication Wizard. Note: Any configuration created by the wizard should be maintained through the wizard to ensure proper synchronization. For example, if you create a phone proxy [...]

  • Page 408: 16-6 Configuring the Phone Proxy by using the Unified Communication Wizard. Step 2 Specify each entity in the network (all Cisco UCM and TFTP servers) that the IP phones must trust. Click Add to add the servers. See Configuring Servers f[...]

  • Page 409: 16-7 Configuring the Phone Proxy by using the Unified Communication Wizard. statements, you must delete them manually by using the appropriate area of ASDM or rerun the Unified Communications wizard without making any changes and apply the [...]

  • Page 410: 16-8 Configuring the Phone Proxy by using the Unified Communication Wizard. Selecting the Use interface IP radio button configures the server to use the IP address of the public interface. You select the public interface in step 4 of the [...]

  • Page 411: 16-9 Configuring the Phone Proxy by using the Unified Communication Wizard. See also the Cisco Unified Communications Manager Security Guide for information on Using the Certificate Authority Proxy Function (CAPF) to install a locall[...]

  • Page 412: 16-10 Configuring the Phone Proxy by using the Unified Communication Wizard. • PC Port • Voice VLAN access • Gratuitous ARP • Span to PC Port. Step 3 To configure address translation for IP phones, check the Enable address translat[...]

  • Page 413: 16-11 Configuring the Mobility Advantage by using the Unified Communication Wizard. Step 1 In the field for the private IP address, enter the IP address on which private media traffic terminates. The IP address must be within the same su[...]

  • Page 414: 16-12 Configuring the Mobility Advantage by using the Unified Communication Wizard. Configuring the Topology for the Cisco Mobility Advantage Proxy. When configuring the Mobility Advantage Proxy, you specify settings to define the private a[...]

  • Page 415: 16-13 Configuring the Mobility Advantage by using the Unified Communication Wizard. • When using the wizard to configure the Cisco Mobility Advantage proxy, the wizard only supports installing self-signed certificates. Step 2 Export t[...]

  • Page 416: 16-14 Configuring the Presence Federation Proxy by using the Unified Communication Wizard. Note: The Unified Communication Wizard is supported for the ASA v[...]

  • Page 417: 16-15 Configuring the Presence Federation Proxy by using the Unified Communication Wizard. Step 3 In the FQDN field, enter the domain name for the Unified Presence server. This domain name is included in the certificate signing request t[...]

  • Page 418: 16-16 Configuring the UC-IME by using the Unified Communication Wizard. For the TLS handshake, the two entities, namely the local entity and a remote entity, could validate the peer certificate via a certificate chain to trusted third[...]

  • Page 419: 16-17 Configuring the UC-IME by using the Unified Communication Wizard. To configure the Cisco Intercompany Media Engine Proxy by using ASDM, choose Wizards > Unified Communication Wizard from the menu. The Unified Communication Wi[...]

  • Page 420: 16-18 Configuring the UC-IME by using the Unified Communication Wizard. Step 2 Click Next. Basic Deployment. In a basic deployment, the Cisco Intercompany Media Engine Proxy sits in-line with the Internet firewall such that all Internet tr[...]

  • Page 421: 16-19 Configuring the UC-IME by using the Unified Communication Wizard. Step 1 To configure the Cisco Intercompany Media Engine Proxy as part of a basic deployment, select the interface that connects to the local Cisco Unified Communicati[...]

  • Page 422: 16-20 Configuring the UC-IME by using the Unified Communication Wizard. Adding a Cisco Unified Communications Manager Server for the UC-IME Proxy. You must include an entry for each Cisco UCM in the cluster with Cisco Intercompany Media [...]

  • Page 423: 16-21 Configuring the UC-IME by using the Unified Communication Wizard. Configuring the Local-Side Certificates for the Cisco Intercompany Media Engine Proxy. Completing this step of the wizard generates a self-signed certificate for the AS[...]

  • Page 424: 16-22 Configuring the UC-IME by using the Unified Communication Wizard. Configuring the Remote-Side Certificates for the Cisco Intercompany Media Engine Proxy. Establishing a trust relationship across enterprises or across administrative dom[...]

  • Page 425: 16-23 Working with Certificates in the Unified Communication Wizard. This section includes the following topics: • Exporting an Identity Certificate, page 16-23 • Installing[...]

  • Page 426: 16-24 Working with Certificates in the Unified Communication Wizard. Presence Federation server, and the Cisco Unified Communications Manager servers, respectively, on the ASA. See the documentation for each of these products for informat[...]

  • Page 427: 16-25 Working with Certificates in the Unified Communication Wizard. • Remote Presence Federation servers for the Cisco Presence Federation Proxy • The remote ASA for the Cisco Intercompany Media Engine Proxy. Before generating the C[...]

  • Page 428: 16-26 Working with Certificates in the Unified Communication Wizard. Submit the CSR to the certificate authority (CA), for example, by pasting the CSR text into the CSR enrollment page on the CA website. When the CA returns the signed iden[...]

  • Page 429: 16-27 Working with Certificates in the Unified Communication Wizard. Typically, a certificate authority returns two certificates: your signed identity certificate and the certificate authority’s certificate (referred to as the ro[...]

  • Page 430: 16-28 Working with Certificates in the Unified Communication Wizard[...]

  • Page 431

    17-1 Chapter 17 Configuring the Cisco Phone Proxy This chapter describes how to configure the ASA for the Cisco Phone Proxy feature. This chapter includes the following sections: • Information About the Cisco Phone Proxy, page 17-1 • Licensing Requirements for the Phone Proxy, page[...]

  • Page 432

    17-2 Information About the Cisco Phone Proxy Figure 17-1 Phone Proxy Secure Deployment The phone proxy supports a Cisco UCM cluster in mixed mode or nonsecure mode. Regardless of the cluster mode, the remote phones that are capable of encrypti[...]

  • Page 433

    17-3 Information About the Cisco Phone Proxy Note As an alternative to authenticating remote IP phones through the TLS handshake, you can configure authentication via LSC provisioning. With LSC provisioning you create a password for each remote[...]

  • Page 434

    17-4 Licensing Requirements for the Phone Proxy • Cisco Unified IP Phone 7941G-GE • Cisco Unified IP Phone 7940 (SCCP protocol support only) • Cisco Unified Wireless IP Phone 7921 • Cisco Unified Wireless IP Phone 7925 Note To support C[...]

  • Page 435

    17-5 Licensing Requirements for the Phone Proxy ASA 5512-X Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, or 500 sessions. ASA 5515-X Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, or 500 sessions. ASA 5525-X Base Lic[...]

  • Page 436

    17-6 Prerequisites for the Phone Proxy For more information about licensing, see Chapter 5, “Managing Feature Licenses,” in the general operations configuration guide. Prerequisites for the Phone Proxy This section contains the following topics: •[...]

  • Page 437

    17-7 Prerequisites for the Phone Proxy • For IP phones behind a router or gateway, you must also meet this prerequisite. On the router or gateway, add routes to the media termination address on the ASA interface that the IP phones communicate[...]

  • Page 438

    17-8 Prerequisites for the Phone Proxy If NAT is configured for the TFTP server or Cisco UCMs, the translated “global” address must be used in the ACLs. Table 17-1 lists the ports that are required to be configured on the existing firewall: [...]

  • Page 439

    17-9 Prerequisites for the Phone Proxy Prerequisites for IP Phones on Multiple Interfaces When IP phones reside on multiple interfaces, the phone proxy configuration must have the correct IP address set for the Cisco UCM in the CTL file. See the fo[...]

  • Page 440

    17-10 Prerequisites for the Phone Proxy • The phone must be configured to use only the SCCP protocol because the SIP protocol does not support encryption on these IP phones. • If LSC provisioning is done via the phone proxy, you must add an AC[...]

  • Page 441

    17-11 Prerequisites for the Phone Proxy Rate Limiting Configuration Example The following example describes how you configure rate limiting for TFTP requests by using the police command and the Modular Policy Framework. Begin by determining the [...]

  • Page 442

    17-12 Phone Proxy Guidelines and Limitations Note As an alternative to authenticating remote IP phones through the TLS handshake, you can configure authentication via LSC provisioning. With LSC provisioning you create a password for each remote[...]

  • Page 443

    17-13 Phone Proxy Guidelines and Limitations format: SEP<mac_address>.cnf.xml. If the device name does not follow this format (SEP<mac_address>), CIPC cannot retrieve its configuration file from Cisco UCM via the phone proxy and CIPC w[...]

  • Page 444

    17-14 Configuring the Phone Proxy • If you decide to configure a media-termination address on interfaces (rather than using a global interface), you must configure a media-termination address on at least two interfaces (the inside and an outside[...]

  • Page 445

    17-15 Configuring the Phone Proxy Creating the CTL File Create a Certificate Trust List (CTL) file that is required by the Phone Proxy. Specify the certificates needed by creating a new CTL file or by specifying the path of an existing CTL file t[...]

  • Page 446

    17-16 Configuring the Phone Proxy Because the Phone Proxy generates the CTL file, it needs to create the System Administrator Security Token (SAST) key to sign the CTL file itself. This key can be generated on the ASA. A SAST is created as a [...]

  • Page 447

    17-17 Configuring the Phone Proxy Step 6 (Optional) In the Domain Name field, specify the domain name of the trustpoint used to create the DNS field for the trustpoint. This is appended to the Common Name field of the Subject DN to create the DNS Na[...]

  • Page 448

    17-18 Configuring the Phone Proxy Step 4 Specify the minimum and maximum values for the RTP port range for the media termination instance. The minimum port and the maximum port can be a value from 1024 to 65535. Step 5 Click Apply to save the m[...]

  • Page 449

    17-19 Configuring the Phone Proxy • To create a new CTL file for the Phone Proxy, click the link Generate Certificate Trust List File. The Create a Certificate Trust List (CTL) File pane opens. See “Creating the CTL File” section on page 1[...]

  • Page 450

    17-20 Configuring the Phone Proxy The IP address you enter should be the global IP address based on where the IP phone and HTTP proxy server are located. You can enter a hostname in the IP Address field when that hostname can be resolved to an IP add[...]

  • Page 451

    17-21 Configuring the Phone Proxy Note If NAT is configured for the TFTP server, the NAT configuration must be configured prior to specifying the TFTP server while creating the Phone Proxy instance. Step 4 In the TFTP Server IP Address field,[...]

  • Page 452

    17-22 Feature History for the Phone Proxy Step 4 Click Save Settings. Port forwarding is configured. Feature History for the Phone Proxy Table 17-3 lists the release history for this feature. Table 17-2 Port Forwarding Values to Add to Rout[...]

  • Page 453

    18-1 Chapter 18 Configuring the TLS Proxy for Encrypted Voice Inspection This chapter describes how to configure the ASA for the TLS Proxy for Encrypted Voice Inspection feature. This chapter includes the following sections: • Information about the TLS Proxy for Encrypted Voice Inspec[...]

  • Page 454

    18-2 Information about the TLS Proxy for Encrypted Voice Inspection Figure 18-1 TLS Proxy Flow Decryption and Inspection of Unified Communications Encrypted Signaling With encrypted voice inspection, the security applianc[...]

  • Page 455

    18-3 Information about the TLS Proxy for Encrypted Voice Inspection proxy, the CTL file must contain the certificate that the security appliance creates for the Cisco UCMs. To proxy calls on behalf of the Cisco IP Phone, the s[...]

  • Page 456

    18-4 Licensing for the TLS Proxy • Cisco Unified Wireless IP Phone 7925 • Cisco IP Communicator (CIPC) for softphones Licensing for the TLS Proxy The TLS proxy for encrypted voice inspection feature supported by the AS[...]

  • Page 457

    18-5 Licensing for the TLS Proxy Table 18-1 shows the default and maximum TLS session details by platform. For more information about licensing, see Chapter 5, “Managing Feature Licenses,” in the general operations config[...]

  • Page 458

    18-6 Prerequisites for the TLS Proxy for Encrypted Voice Inspection Prerequisites for the TLS Proxy for Encrypted Voice Inspection Before configuring TLS proxy, the following prerequisites are required: • You must set cl[...]

  • Page 459

    18-7 CTL Provider • Client Details—Lists the name and IP address of the client. – Interface Name—Lists the defined interface name. – IP Address—Lists the defined interface IP address. • Certificate Name—Lists th[...]

  • Page 460

    18-8 CTL Provider Configure TLS Proxy Pane Note This feature is not supported for the Adaptive Security Appliance version 8.1.2. You can configure the TLS Proxy from the Configuration > Firewall > Unified Communic[...]

  • Page 461

    18-9 CTL Provider Adding a TLS Proxy Instance Note This feature is not supported for the Adaptive Security Appliance version 8.1.2. Use the Add TLS Proxy Instance Wizard to add a TLS Proxy to enable inspection of SSL encryp[...]

  • Page 462

    18-10 CTL Provider When the Phone Proxy is operating in a mixed-mode CUCM cluster, you must import the CUCM certificate by clicking Add in the Manage Identity Certificates dialog box. See the “Configuring Identity Certif[...]

  • Page 463

    18-11 CTL Provider This wizard is available from the Configuration > Firewall > Unified Communications > TLS Proxy pane. Step 1 Complete the first two steps of the Add TLS Proxy Instance Wizard. See Adding a TLS Pr[...]

  • Page 464

    18-12 CTL Provider To create a new key pair, click New. The Add Key Pair dialog box opens. See the “Configuring Identity Certificates Authentication” section on page 40-24 in the general operations configuration [...]

  • Page 465

    18-13 CTL Provider For information on the Cisco CTL Client, see “Configuring the Cisco CTL Client” in Cisco Unified CallManager Security Guide. http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/security/5_0_4/secuaut[...]

  • Page 466

    18-14 CTL Provider The Manage CA Certificates dialog box opens. See the “Guidelines and Limitations” section on page 40-10 in the general operations configuration guide. Click Add to open the Install Certificate dial[...]

  • Page 467

    18-15 CTL Provider Note When you are configuring the TLS Proxy for the Phone Proxy and it is using the mixed security mode for the CUCM cluster, you must configure the LDC Issuer. The LDC Issuer lists the local certificate [...]

  • Page 468

    18-16 TLS Proxy TLS Proxy This feature is supported only for ASA versions 8.0.x prior to 8.0.4 and for version 8.1. Note This feature is not supported for the Adaptive Security Appliance versions prior to 8.0.4 and for [...]

  • Page 469

    18-17 Feature History for the TLS Proxy for Encrypted Voice Inspection Certificate Authority Server—Specifies the certificate authority server. Certificate—Specifies a certificate. Manage—Configures the local certifi[...]

  • Page 470

    18-18 Feature History for the TLS Proxy for Encrypted Voice Inspection[...]

  • Page 471

    19-1 Chapter 19 Configuring Cisco Mobility Advantage This chapter describes how to configure the ASA for Cisco Unified Communications Mobility Advantage Proxy features. This chapter includes the following sections: • Information about the Cisco Mobility Advantage Proxy Feature, page[...]

  • Page 472

    19-2 Information about the Cisco Mobility Advantage Proxy Feature Figure 19-1 MMP Stack The TCP/TLS default port is 5443. There are no embedded NAT or secondary connections. Cisco UMA client and server communications can be proxied via TLS, whi[...]

  • Page 473

    19-3 Information about the Cisco Mobility Advantage Proxy Feature Figure 19-2 The TLS proxy for the Cisco Mobility Advantage solution does not support client authentication because the Cisco UMA client cannot present a certificate. Securit[...]

  • Page 474

    19-4 Information about the Cisco Mobility Advantage Proxy Feature Figure 19-3 Cisco UMC/Cisco UMA Architecture – Scenario 2: Security Appliance as Mobility Advantage Proxy Only Mobility Advantage Proxy Using NAT/PAT In both scenarios (Fig[...]

  • Page 475

    19-5 Information about the Cisco Mobility Advantage Proxy Feature Figure 19-4 shows how you can import the Cisco UMA server certificate onto the ASA. When the Cisco UMA server has already enrolled with a third-party CA, you can import the[...]

  • Page 476

    19-6 Licensing for the Cisco Mobility Advantage Proxy Feature Figure 19-5 How the Security Appliance Represents Cisco UMA – Certificate Impersonation A trusted relationship between the ASA and the Cisco UMA server can be established with[...]

  • Page 477

    19-7 Feature History for Cisco Mobility Advantage Task Flow for Configuring Cisco Mobility Advantage To configure the ASA to perform TLS proxy and MMP inspection as shown in Figure 19-2 and Figure 19-3, perform the following tasks. It is a[...]

  • Page 478

    19-8 Feature History for Cisco Mobility Advantage[...]

  • Page 479

    20-1 Chapter 20 Configuring Cisco Unified Presence This chapter describes how to configure the adaptive security appliance for Cisco Unified Presence. This chapter includes the following sections: • Information About Cisco Unified Presence, page 20-1 • Licensing for Cisco Unified [...]

  • Page 480

    20-2 Information About Cisco Unified Presence Figure 20-1 Typical Cisco Unified Presence/LCS Federation Scenario In the above architecture, the ASA functions as a firewall, NAT, and TLS proxy, which is the recommended architecture. However,[...]

  • Page 481

    20-3 Information About Cisco Unified Presence ciscoasa(config-network-object)# nat (inside,outside) static 192.0.2.1 service tcp 5060 5060 For another Cisco UP with the address 10.0.0.3, you must use a different set of PAT ports, such as 4506[...]

  • Page 482

    20-4 Information About Cisco Unified Presence http://www.cisco.com/en/US/products/ps6837/products_installation_and_configuration_guides_list.html Trust Relationship in the Presence Federation Within an enterprise, setting up a trust relation[...]

  • Page 483

    20-5 Information About Cisco Unified Presence Security Certificate Exchange Between Cisco UP and the Security Appliance You need to generate the keypair for the certificate (such as cup_proxy_key) used by the ASA, and configure a trustpoint[...]

  • Page 484

    20-6 Information About Cisco Unified Presence For further information about configuring Cisco Unified Presence Federation for XMPP Federation, see the Integration Guide for Configuring Cisco Unified Presence Release 8.0 for Interdomain Fed[...]

  • Page 485

    20-7 Licensing for Cisco Unified Presence nat (inside,outside) source static obj_host_<private cup2 ip> obj_host_<public cup2 IP> service obj_udp_source_eq_5269 obj_udp_source_eq_5269 nat (inside,outside) source static obj_host_<priva[...]

  • Page 486

    20-8 Configuring Cisco Unified Presence Proxy for SIP Federation For more information about licensing, see Chapter 5, “Managing Feature Licenses,” in the general operations configuration guide. Configuring Cisco Unified Presence Proxy for SIP Fe[...]

  • Page 487

    20-9 Feature History for Cisco Unified Presence • Task Flow for Configuring Cisco Unified Presence Federation Proxy for SIP Federation, page 20-9 Task Flow for Configuring Cisco Unified Presence Federation Proxy for SIP Federation To configure[...]

  • Page 488

    20-10 Feature History for Cisco Unified Presence[...]

  • Page 489

    CH A P T E R 21-1 Cisco ASA Series Firewall ASDM Configur ation Guide 21 Configuring Cisco Inte rcompany Media Engine Proxy This chapter descri bes how to configure the AS A for Cisco Intercompan y Media Engine Prox y . This chapter includ es the follo wing sections: • Information About Cisco Intercom pany Media Engi ne Proxy , page 21-1 • Lice[...]

  • Page 490

    21-2 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 21 Configurin g Ci sco Intercompan y Media Engine Proxy Information Abou t Cisco Intercompany Med ia Engine Proxy • W orks with existi ng phone numbers: Cisco Intercompan y Media Engine works with the phone numbers an enterprise cu rrently has and does not require an enterp rise to l[...]

  • Page 491

    21-3 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 21 Configuring Cisco Intercompany Media Engin e Proxy Information About Cisco In tercompany Media Engine Proxy On successful verif i cation, the terminating side creates a tick et that grants permission to the call originator to mak e a Cisco IM E call to a specif ic number . See Tick[...]

  • Page 492

    21-4 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 21 Configurin g Ci sco Intercompan y Media Engine Proxy Information Abou t Cisco Intercompany Med ia Engine Proxy Figure 21 -2 Tick et V eri fication Process with Cisco Intercompan y Medi a Engine As illustr ated in Figure 21-2 . Enterprise B makes a P STN call to enterprise A. That ca[...]

  • Page 493

    21-5 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 21 Configuring Cisco Intercompany Media Engin e Proxy Information About Cisco In tercompany Media Engine Proxy Call Fallback to the PSTN Cisco Intercompany Media Engine pro vides features that manage the QoS on th e Internet, such as the ability to monitor Qo S of the R TP traf fic in[...]

  • Page 494

    21-6 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 21 Configurin g Ci sco Intercompan y Media Engine Proxy Information Abou t Cisco Intercompany Med ia Engine Proxy • Cisco Intercompany Media Engin e (UC-IME) Boot strap server—Provides a certif icate required admission onto th e public peer -to-peer netw ork for Cisco Int ercompany[...]

  • Page 495

    21-7 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 21 Configuring Cisco Intercompany Media Engin e Proxy Information About Cisco In tercompany Media Engine Proxy Figur e 21 -4 Basic Deployment Scenar io Off Path Deployment In an of f path deployment, inbound and outbound Cisco Intercompany Media Engine calls pass t hrough an adapti ve[...]

  • Page 496

    21-8 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 21 Configurin g Ci sco Intercompan y Media Engine Proxy Licensing for Cisc o Intercompany Media En gine Figure 21 -5 Off P ath Deployment of the Adaptive Secur ity Ap pliance Licensing for Cisco Intercompany Media Engine The Cisco Intercompany Med ia Engine feature supp orted by the AS[...]

  • Page 497

    21-9 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 21 Configuring Cisco Intercompany Media Engin e Proxy Guidelines and Limitations For more information about licensing, see Chapter 5, “Managing Feature Licenses, ” in the general operations conf iguration guide. Guidelines and Limitations Context Mode Guidelines Supported in singl[...]

  • Page 498

    21-10 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 21 Configurin g Ci sco Intercompan y Media Engine Proxy Guidelines and Limitations • Having Cisco UCMs on more th an one of the A S A interfaces is not suppor ted with the Cisco Intercompany Medi a Engine Proxy . Having the Cisc o UCMs on one trusted interf ace is especially necessa[...]

  • Page 499

    21-11 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 21 Configuring Cisco Intercompany Media Engin e Proxy Configuring Cisco Inter company Media Engin e Proxy Configuring Cisco Intercompany Media Engine Proxy This section contains the following topics: • T ask Flo w for Confi guring Cisco Int ercompany Med ia Engine, page 21-11 • C[...]

  • Page 500

    21-12 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 21 Configurin g Ci sco Intercompan y Media Engine Proxy Configuring Cisco Intercompa ny Media Engine Pr oxy Or Configure P A T for the UCM server . See Config uring P A T for the Cisco UCM Server , page 21-14 . Step 2 Create A CLs for Cisco Intercompany Media Engine Proxy . See Creati[...]

  • Page 501

    21-13 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 21 Configuring Cisco Intercompany Media Engin e Proxy Configuring Cisco Inter company Media Engin e Proxy Figure 21 -7 Example for Config ur ing NA T for a Deployment T o configure auto N A T rules for the Cisc o UCM server , perform the following steps: Loc a l Ci s co UCM s Loc a l[...]

  • Page 502

    21-14 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 21 Configurin g Ci sco Intercompan y Media Engine Proxy Configuring Cisco Intercompa ny Media Engine Pr oxy What to Do Next Create the A CLs for the Cisco Intercompany Medi a Engine Proxy . See Creating A CLs for Cisco Intercompany Media Engine Proxy , page 21-16 . Configuring PAT for[...]

  • Page 503

    21-15 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 21 Configuring Cisco Intercompany Media Engin e Proxy Configuring Cisco Inter company Media Engin e Proxy Command Purpose Step 1 hostname(config)# object network name Examples: hostname(config)# object network ucm-pat-209.165.200.228 Confi gures a network object for the outside IP ad[...]

  • Page 504

    21-16 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 21 Configurin g Ci sco Intercompan y Media Engine Proxy Configuring Cisco Intercompa ny Media Engine Pr oxy Creating ACLs for Cisco Intercompany Media Engine Proxy T o conf igure A CLs for the Cisco Intercompany Me dia Engine Proxy to reach the Cisco UCM serv er, perform the follo win[...]

  • Page 505

    21-17 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 21 Configuring Cisco Intercompany Media Engin e Proxy Configuring Cisco Inter company Media Engin e Proxy What to Do Next Create the media termination inst ance on the ASA fo r the Cisco Intercompany Media Engi ne Proxy . See Creating the Media T ermination Instance, page 21-17 . Cre[...]

  • Page 506

    21-18 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 21 Configurin g Ci sco Intercompan y Media Engine Proxy Configuring Cisco Intercompa ny Media Engine Pr oxy What To Do Next Once you hav e created the media termination instance, create the Cisco Intercompany Med ia Engine Proxy . See Creating the Cisco Intercompany Media Engine Pro x[...]

  • Page 507

    21-19 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 21 Configuring Cisco Intercompany Media Engin e Proxy Configuring Cisco Inter company Media Engin e Proxy Note Y ou cannot change an y of the conf iguration settings for the Cisco Intercompan y Media Engine Proxy described in this pr ocedure when the p r oxy is enabled for SIP inspec[...]

  • Page 508

    21-20 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 21 Configurin g Ci sco Intercompan y Media Engine Proxy Configuring Cisco Intercompa ny Media Engine Pr oxy Step 4 hostname(config-uc-ime)# ticket epoch n password password Example: hostname(config-uc-ime)# ticket epoch 1 password password1234 Configures the ticket ep och and password[...]

  • Page 509

    21-21 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 21 Configuring Cisco Intercompany Media Engin e Proxy Configuring Cisco Inter company Media Engin e Proxy What to Do Next Install the certif icate on the local entity truststore. Y ou could also enroll the certif icate with a local CA trusted by the local entity . Creating Trustpoint[...]

  • Page 510

    21-22 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 21 Configurin g Ci sco Intercompan y Media Engine Proxy Configuring Cisco Intercompa ny Media Engine Pr oxy connections between the local Cis co UCM and the local ASA. The instruct ions in that task descri be ho w to create tr ustpoint s between the local Cisc o UCM and t he local A S[...]

  • Page 511

    21-23 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 21 Configuring Cisco Intercompany Media Engin e Proxy Configuring Cisco Inter company Media Engin e Proxy What to Do Next Create the TLS proxy for the Cisco Intercompany Media Engi ne. See the “Creating the TLS Proxy” section on page 21 -24 . Step 4 hostname(config-ca-trustpoint)[...]

  • Page 512

    21-24 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 21 Configurin g Ci sco Intercompan y Media Engine Proxy Configuring Cisco Intercompa ny Media Engine Pr oxy Creating the TLS Proxy Because either enterprise, n amely the local or remote Cisco UCM serv ers, can initiate the TLS handshake (unlik e IP T elephony or Ci sco Mobility Adv an[...]

  • Page 513

    21-25 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 21 Configuring Cisco Intercompany Media Engin e Proxy Configuring Cisco Inter company Media Engin e Proxy What to Do Next Once you hav e cr eated the TLS prox y , enable it for SIP inspecti on. Enabling SIP Inspection for the Cisco Intercompany Media Engine Proxy Enable the TLS proxy[...]

  • Page 514

    21-26 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 21 Configurin g Ci sco Intercompan y Media Engine Proxy Configuring Cisco Intercompa ny Media Engine Pr oxy Command Purpose Step 1 hostname(config)# class-map class_map_name Examples: hostname(config)# class-map ime-inbound-sip Defines a class for the inboun d Cisco Intercompany Media[...]

  • Page 515

    21-27 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 21 Configuring Cisco Intercompany Media Engin e Proxy Configuring Cisco Inter company Media Engin e Proxy What to Do Next Once you ha ve enabled the TLS proxy for SIP i nspection, if necessary , configure TLS with in the enterprise. See (Optional) Configuri ng TLS within the Local En[...]

  • Page 516

    21-28 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 21 Configurin g Ci sco Intercompan y Media Engine Proxy Configuring Cisco Intercompa ny Media Engine Pr oxy Commands Purpose Step 1 hostname(config)# crypto key generate rsa label key-pair-label hostname(config)# crypto ca trustpoint trustpoint_name hostname(config-ca-trustpoint)# enr[...]

  • Page 517

    21-29 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 21 Configuring Cisco Intercompany Media Engin e Proxy Configuring Cisco Inter company Media Engin e Proxy What to Do Next Once you ha ve co nfigu red the TLS within the enterprise, if n ecessary , configure of f path signaling for an off path deployment. See (Optional) Conf iguring O[...]

  • Page 518

    21-30 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 21 Configurin g Ci sco Intercompan y Media Engine Proxy Configuring Cisco Intercompa ny Media Engine Pr oxy (Optional) Configuring Off Path Signaling Perform this task onl y when you are con figur ing the Cisco Intercompany Med ia Engine Proxy as part o f an of f path deployment. Y ou[...]

  • Page 519

    21-31 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 21 Configuring Cisco Intercompany Media Engin e Proxy Configuring Cisco Inter company Media Engin e Proxy This section contains the follo wing sections: • Config uring the Cisco UC-IMC Pr oxy by using th e UC-IME Proxy P ane, page 21-31 • Config uring the Cisco UC-IMC Pr oxy by u[...]

    21-32 Configuring Cisco Intercompany Media Engine Proxy Step 2 Check the Enable Cisco UC-IME proxy check box to enable the feature. Step 3 In the Unified CM Servers area, enter an IP address or hostname for the Cisco Unified Comm[...]

    21-33 Configuring Cisco Intercompany Media Engine Proxy Note In an off path deployment any existing ASA that you have deployed in your environment are not capable of transmitting Cisco Intercompany Media Engine traffic. Off-p[...]

    21-34 Configuring Cisco Intercompany Media Engine Proxy Step 4 Specify the public network settings. Step 5 Specify the media termination address settings of Cisco UCM. Step 6 Configure the local-side certificate management, namely[...]

    21-35 Configuring Cisco Intercompany Media Engine Proxy SIP Trunk URI: 81a985c9-f3a1-55a0-3b19-9654@UCM-30;maddr=192.168.10.30 Codec-name: G722 Payload type: 9 Note If calls are not going through the Cisco Intercompany Media Engine,[...]

    21-36 Configuring Cisco Intercompany Media Engine Proxy Max_BLS_ms : 0 Max_PDV_usec : 1000 Min_PDV_usec : 0 Mov_avg_PDV_usec : 109 Total_ITE_count : 0 Total_sec_count : 403 Concealed_sec_count : 0 Severely_concealed_sec_count : 0 Max[...]

    21-37 Feature History for Cisco Intercompany Media Engine Proxy Feature History for Cisco Intercompany Media Engine Proxy Table 21-1 lists the release history for this feature. Table 21-1 Feature History for Cisco Phone Proxy [...]

    21-38 Feature History for Cisco Intercompany Media Engine Proxy[...]

    PART 6 Configuring Connection Settings and QoS[...]

    CHAPTER 22-1 Cisco ASA Series Firewall ASDM Configuration Guide 22 Configuring Connection Settings This chapter describes how to configure connection settings for connections that go through the ASA, or for management connections, that go to the ASA. Connection settings include: • Maximum connections (TCP and UDP connections, embry[...]

    22-2 Information About Connection Settings TCP Intercept and Limiting Embryonic Connections Limiting the number of embryonic connections protects you from a DoS attack. The ASA uses the per-client limits and the embryonic connection limit to trigge[...]

    22-3 Information About Connection Settings TCP Sequence Randomization Each TCP connection has two ISNs: one generated by the client and one generated by the server. The ASA randomizes the ISN of the TCP SYN passing in both the inbound and outbound d[...]

    22-4 Licensing Requirements for Connection Settings fast path (an established connection), or the control plane path (advanced inspection). See the “Stateful Inspection Overview” section on page 1-22 in the general operations configuration guide[...]

    22-5 Guidelines and Limitations Guidelines and Limitations Context Mode Guidelines Supported in single and multiple context mode. Firewall Mode Guidelines Supported in routed and transparent mode. Failover Guidelines Failover is supported. TCP State [...]

    22-6 Configuring Connection Settings Configuring Connection Settings This section includes the following topics: • Customizing the TCP Normalizer with a TCP Map, page 22-6 • Configuring Connection Settings, page 22-8 • Configuring Global Timeou[...]

    22-7 Configuring Connection Settings If they are not put in order and passed on within the timeout period, then they are dropped. The default is 4 seconds. You cannot change the timeout for any traffic if the Queue Limit is set to 0; you need to s[...]

    22-8 Configuring Connection Settings • Clear Selective Ack—Sets whether the selective-ack TCP option is allowed or cleared. • Clear TCP Timestamp—Sets whether the TCP timestamp option is allowed or cleared. • Clear Window Scale—Sets whet[...]

    22-9 Configuring Connection Settings • Send reset to TCP endpoints before timeout—Specifies that the ASA should send a TCP reset message to the endpoints of the connection before freeing the connection slot. • Embryonic Connection Timeout—[...]

    22-10 Configuring Connection Settings • UDP—Modifies the idle time until a UDP protocol connection closes. This duration must be at least 1 minute. The default is 2 minutes. Enter 0:0:0 to disable timeout. • ICMP—Modifies the idle time after [...]

    22-11 Feature History for Connection Settings Note When Authentication Absolute = 0, HTTPS authentication may not work. If a browser initiates multiple TCP connections to load a web page after HTTPS authentication, the first connection is permit[...]

    22-12 Feature History for Connection Settings Configurable timeout for PAT xlate 8.4(3) When a PAT xlate times out (by default after 30 seconds), and the ASA reuses the port for a new translation, some upstream routers might reject the new connectio[...]

    CHAPTER 23-1 Cisco ASA Series Firewall ASDM Configuration Guide 23 Configuring QoS Have you ever participated in a long-distance phone call that involved a satellite connection? The conversation might be interrupted with brief, but perceptible, gaps at odd intervals. Those gaps are the time, called the latency, between the arrival[...]

    23-2 Information About QoS Supported QoS Features The ASA supports the following QoS features: • Policing—To prevent individual flows from hogging the network bandwidth, you can limit the maximum bandwidth used per flow. See the “Information About Policing”[...]

    23-3 Information About QoS For traffic shaping, a token bucket permits burstiness but bounds it. It guarantees that the burstiness is bounded so that the flow will never send faster than the token bucket capacity, divided by the time interval, plus the establ[...]

    23-4 Information About QoS Information About Traffic Shaping Traffic shaping is used to match device and link speeds, thereby controlling packet loss, variable delay, and link saturation, which can cause jitter and delay. Note Traffic shaping is only support[...]

    23-5 Licensing Requirements for QoS You cannot configure traffic shaping and standard priority queuing for the same interface; only hierarchical priority queuing is allowed. For example, if you configure standard priority queuing for the global policy, and t[...]

    23-6 Configuring QoS • (ASA 5512-X through ASA 5555-X) Priority queuing is not supported on the Management 0/0 interface. • (ASASM) Only policing is supported. Additional Guidelines and Limitations • QoS is applied unidirectionally; only traffic that enters (o[...]

    23-7 Configuring QoS Determining the Queue and TX Ring Limits for a Standard Priority Queue To determine the priority queue and TX ring limits, use the worksheets below. Table 23-1 shows how to calculate the priority queue size. Because queues are not of infinit[...]

    23-8 Configuring QoS Configuring the Standard Priority Queue for an Interface If you enable standard priority queuing for traffic on a physical interface, then you need to also create the priority queue on each interface. Each physical interface uses two queues: one[...]

    23-9 Configuring QoS This option sets the maximum number of low-latency or normal priority packets allowed into the Ethernet transmit driver before the driver pushes back to the queues on the interface to let them buffer packets until the congestion clears. The u[...]

    23-10 Configuring QoS Step 4 Click Finish. The service policy rule is added to the rule table. Step 5 To configure policing, configure a service policy rule for the same interface in the Configuration > Firewall > Service Policy Rules pane according to Ch[...]

    23-11 Monitoring QoS • For traffic shaping, you can only use the class-default class map, which is automatically created by the ASA, and which matches all traffic. • You cannot configure traffic shaping and standard priority queuing for the same interface; on[...]

    23-12 Monitoring QoS • Viewing QoS Standard Priority Queue Statistics, page 23-13 Viewing QoS Police Statistics To view the QoS statistics for traffic policing, use the show service-policy command with the police keyword: ciscoasa# show service-policy police The fo[...]

    23-13 Monitoring QoS Viewing QoS Shaping Statistics To view statistics for service policies implementing the shape command, use the show service-policy command with the shape keyword: ciscoasa# show service-policy shape The following is sample output for the show s[...]

    23-14 Feature History for QoS Priority-Queue Statistics interface test Queue Type = BE Packets Dropped = 0 Packets Transmit = 0 Packets Enqueued = 0 Current Q Length = 0 Max Q Length = 0 Queue Type = LLQ Packets Dropped = 0 Packets Transmit = 0 Packets Enqueued = 0 Curren[...]

    CHAPTER 24-1 Cisco ASA Series Firewall ASDM Configuration Guide 24 Troubleshooting Connections and Resources This chapter describes how to troubleshoot the ASA and includes the following sections: • Testing Your Configuration, page 24-1 • Monitoring Performance, page 24-8 • Monitoring System Resources, page 24-9 • Monitoring Co[...]

    24-2 Testing Your Configuration The diagram should also include any directly connected routers and a host on the other side of the router from which you will ping the ASA. (See Figure 24-1.) Figure 24-1 Network Diagram with Interfaces, Ro[...]

    24-3 Testing Your Configuration Figure 24-3 Ping Failure Because of IP Addressing Problems Step 3 Ping each ASA interface from a remote host. For transparent mode, ping the management IP address. This test checks whether the directly co[...]

    24-4 Testing Your Configuration Administrators can use the ASDM Ping interactive diagnostic tool in these ways: • Loopback testing of two interfaces—A ping may be initiated from one interface to another on the same ASA, as an external[...]

    24-5 Testing Your Configuration • Verify that devices in the intermediate communications path, such as switches or routers, are correctly delivering other types of network traffic. • Make sure that traffic of other types from “k[...]

    24-6 Testing Your Configuration Determining Packet Routing with Traceroute The Traceroute tool helps you to determine the route that packets will take to their destination. The tool prints the result of each probe sent. Every line of outpu[...]

    24-7 Testing Your Configuration Tracing Packets with Packet Tracer The packet tracer tool provides packet tracing for packet sniffing and network fault isolation, as well as detailed information about the packets and how they are proce[...]

    24-8 Monitoring Performance • FQDN • Security Tag • Security Name Step 8 Based on the option you selected from the Destination drop-down list, enter the corresponding text for the item you want to trace; for example, enter the so[...]

    24-9 Monitoring System Resources Step 7 (Optional) Click Export to display the Export Graph Data dialog box. The selected performance statistics to export are already checked. Step 8 (Optional) Click Export again to display the Save dial[...]

    24-10 Monitoring System Resources Step 9 (Optional) Click Save to save the memory block statistics to a text file (.txt) on your local drive for future reference. Step 10 (Optional) Click Print to display the Print Graph dialog box.[...]

    24-11 Monitoring Connections Step 2 Select one or more entries from the Available Graphs list, then click Add to move them to the Selected Graphs list. To remove an entry from the Selected Graphs list, click Remove. The available option[...]

    24-12 Monitoring Per-Process CPU Usage • Idle time since the last packet was sent or received • Amount of sent and received traffic on the connection Monitoring Per-Process CPU Usage You can monitor the processes that run on the CPU. [...]

    PART 7 Configuring Advanced Network Protection[...]

    CHAPTER 25-1 Cisco ASA Series Firewall ASDM Configuration Guide 25 Configuring the ASA for Cisco Cloud Web Security Cisco Cloud Web Security provides web security and web filtering services through the Software-as-a-Service (SaaS) model. Enterprises with the ASA in their network can use Cloud Web Security services without having to [...]

    25-2 Information About Cisco Cloud Web Security This chapter includes the following sections: • Information About Cisco Cloud Web Security, page 25-2 • Licensing Requirements for Cisco Cloud Web Security, page 25-6 • Pre[...]

    25-3 Information About Cisco Cloud Web Security The ASA supports the following methods of determining the identity of a user, or of providing a default identity: • AAA rules—When the ASA performs user authentication using a AA[...]

    25-4 Information About Cisco Cloud Web Security For more information, see the Cloud Web Security documentation: http://www.cisco.com/en/US/products/ps11720/products_installation_and_configuration_guides_list.html. ScanCenter Pol[...]

    25-5 Information About Cisco Cloud Web Security – AAA usernames, when using RADIUS or TACACS+, are sent in the following format: LOCAL username – AAA usernames, when using LDAP, are sent in the following format: domain-nam[...]

    25-6 Licensing Requirements for Cisco Cloud Web Security Bypassing Scanning with Whitelists If you use AAA rules or IDFW, you can configure the ASA so that web traffic from specific users or groups that otherwise match the servic[...]

    25-7 Prerequisites for Cloud Web Security On the Cloud Web Security side, you must purchase a Cisco Cloud Web Security license and identify the number of users that the ASA handles. Then log into ScanCenter, and generate your authent[...]

    25-8 Default Settings • When an interface to the Cloud Web Security proxy servers goes down, output from the show scansafe server command shows both servers up for approximately 15-25 minutes. This condition may occur because the[...]

    25-9 Configuring Cisco Cloud Web Security Detailed Steps Step 1 Choose Configuration > Device Management > Cloud Web Security. Step 2 In the Primary Server area, enter the following: • IP Address/Domain Name—Enter the IPv4[...]

    25-10 Configuring Cisco Cloud Web Security (Multiple Context Mode) Allowing Cloud Web Security Per Security Context In multiple context mode, you must allow Cloud Web Security per context. See the “Configuring a Security Context”[...]

    25-11 Configuring Cisco Cloud Web Security When you create a new traffic class of this type, you can only specify one access control entry (ACE) initially. After you finish adding the rule, you can add additional ACEs by adding a ne[...]

    25-12 Configuring Cisco Cloud Web Security Step 4 On the Protocol Inspection tab, check the Cloud Web Security check box. Step 5 Click Configure to set the traffic action (fail open or fail close) and add the inspection policy map.[...]

    25-13 Configuring Cisco Cloud Web Security d. In the Name field, specify a name for the inspection policy map, up to 40 characters in length. e. (Optional) Enter a description. f. (Optional) On the Parameters tab, specify a Default [...]

    25-14 Configuring Cisco Cloud Web Security – Click Add to choose the inspection class map you created in the “(Optional) Configuring Whitelisted Traffic” section on page 25-23. The Add Cloud Web Security Match Criterion dialog[...]

    25-15 Configuring Cisco Cloud Web Security c. On the Traffic Classification Criteria dialog box, choose Add Rule to Existing Traffic Class, and choose the name you created in Step 3. Click Next. d. In the Traffic Match - Source a[...]

    25-16 Configuring Cisco Cloud Web Security e. On the Rule Actions dialog box, do not make any changes; click Finish. For this traffic class, you can have only one set of rule actions even if you add multiple ACEs, so the previous[...]

    25-17 Configuring Cisco Cloud Web Security Step 10 Click Apply. Examples The following example exempts all IPv4 HTTP and HTTPS traffic going to the 10.6.6.0/24 (test_network), and sends all other HTTP and HTTPS traffic to Cloud[...]

    25-18 Configuring Cisco Cloud Web Security Step 2 Add a new traffic class called “scansafe-http,” and specify an ACL for traffic matching: Step 3 Choose Match, and specify any4 for the Source and Destination. Specify tcp/http [...]

    25-19 Configuring Cisco Cloud Web Security Step 4 Check Cloud Web Security and click Configure. Step 5 Accept the default Fail Close action, and click Add.[...]

    25-20 Configuring Cisco Cloud Web Security Step 6 Name the inspection policy map “http-map,” set the Default User to Boulder and the default group to Cisco. Choose HTTP. Step 7 Click OK, OK, and then Finish. The rule is added [...]

    25-21 Configuring Cisco Cloud Web Security Step 9 Click Add rule to existing traffic class, and choose scansafe-http. Step 10 Choose Do not match, set any4 as the Source, and 10.6.6.0/24 as the Destination. Set the Service to tcp/h[...]

    25-22 Configuring Cisco Cloud Web Security Step 11 Click Finish. Step 12 Reorder the rules so the Do not match rule is above the Match rule.[...]

    25-23 Configuring Cisco Cloud Web Security User traffic is compared to these rules in order; if this Match rule is first in the list, then all traffic, including traffic to test_network, will match only that rule and the Do not m[...]

    25-24 Configuring Cisco Cloud Web Security Detailed Steps Step 1 Choose Configuration > Firewall > Objects > Class Maps > Cloud Web Security. Step 2 Click Add to create a new class map. The Add Cloud Web Security Traff[...]

    25-25 Configuring Cisco Cloud Web Security Step 11 Click OK to add the class map. Step 12 Click Apply. Step 13 Use the whitelist in the Cloud Web Security policy according to the “Configuring a Service Policy to Send Traffic to [...]

    25-26 Monitoring Cloud Web Security Repeat for additional groups. Step 6 After you add the groups you want to monitor, click Apply. Configuring the Cloud Web Security Policy After you configure the ASA service policy rules, launch t[...]

    25-27 Related Documents Related Documents Feature History for Cisco Cloud Web Security Table 25-1 lists each feature change and the platform release in which it was implemented. ASDM is backwards-compatible with multiple platform relea[...]

    25-28 Feature History for Cisco Cloud Web Security[...]

    CHAPTER 26-1 Cisco ASA Series Firewall ASDM Configuration Guide 26 Configuring the Botnet Traffic Filter Malware is malicious software that is installed on an unknowing host. Malware that attempts network activity such as sending private data (passwords, credit card numbers, key strokes, or proprietary data) can be detected by the Botn[...]

    26-2 Information About the Botnet Traffic Filter • Botnet Traffic Filter Databases, page 26-2 • How the Botnet Traffic Filter Works, page 26-5 Botnet Traffic Filter Address Types Addresses monitored by the Botnet Traffic Filter include:[...]

    26-3 Information About the Botnet Traffic Filter 3. In some cases, the IP address itself is supplied in the dynamic database, and the Botnet Traffic Filter logs or drops any traffic to that IP address without having to inspect DNS reques[...]

    26-4 Information About the Botnet Traffic Filter When you add a domain name to the static database, the ASA waits 1 minute, and then sends a DNS request for that domain name and adds the domain name/IP address pairing to the DNS host cache. (T[...]

    26-5 Information About the Botnet Traffic Filter How the Botnet Traffic Filter Works Figure 26-1 shows how the Botnet Traffic Filter works with the dynamic database plus DNS inspection with Botnet Traffic Filter snooping. Figure 26-1 How the [...]

    26-6 Licensing Requirements for the Botnet Traffic Filter Licensing Requirements for the Botnet Traffic Filter The following table shows the licensing requirements for this feature: Prerequisites for the Botnet Traffic Filter To use the dynamic d[...]

    26-7 Configuring the Botnet Traffic Filter Configuring the Botnet Traffic Filter This section includes the following topics: • Task Flow for Configuring the Botnet Traffic Filter, page 26-7 • Configuring the Dynamic Database, page 26-8 • E[...]

    26-8 Configuring the Botnet Traffic Filter Configuring the Dynamic Database This procedure enables database updates, and also enables use of the downloaded dynamic database by the ASA. In multiple context mode, the system downloads the database [...]

    26-9 Configuring the Botnet Traffic Filter section on page 26-13. What to Do Next See the “Adding Entries to the Static Database” section on page 26-9. Adding Entries to the Static Database The static database lets you augment the dynamic d[...]

    26-10 Configuring the Botnet Traffic Filter • You must first configure DNS inspection for traffic that you want to snoop using the Botnet Traffic Filter. See the “DNS Inspection” section on page 11-1 and Chapter 1, “Configuring a[...]

    26-11 Configuring the Botnet Traffic Filter When an address matches, the ASA sends a syslog message. The only additional action currently available is to drop the connection. Prerequisites In multiple context mode, perform this procedure in the [...]

    26-12 Configuring the Botnet Traffic Filter Note We highly recommend using the default setting unless you have strong reasons for changing the setting. • Value—Specify the threat level you want to drop: – Very Low – Low – Moderate [...]

    26-13 Configuring the Botnet Traffic Filter For example, you receive the following syslog message: ASA-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (209.165.201.1/7890) to outside:209.165.202.129/80 (209.[...]

    26-14 Monitoring the Botnet Traffic Filter Detailed Steps Step 1 Go to the Search Dynamic Database area: • In Single mode or within a context, choose the Configuration > Firewall > Botnet Traffic Filter > Botnet Database Update pane. [...]

  • Page 611

    26-15 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 26 Configuring the Botnet Traffic Filter Monitoring the Botnet Traffic Filter Botnet Traffic Filter Monitor Panes T o monitor the Botnet T raff ic Filter, see the foll owing panes: Command Purpose Home > Fire wall Dashboard Sho ws the T op Botnet T raff ic Filter Hits, w hich sho [...]

  • Page 612

    26-16 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 26 Configuring the Botnet Traffic Filter Where to Go Next Where to Go Next • T o configure the syslog serv er , see Chapter 41, “Configuring Log ging, ” in the general operations config uration guide. • T o block connections with an access rule , see Chapter 7, “Conf iguring[...]

  • Page 613

    CH A P T E R 27-1 Cisco ASA Series Firewall ASDM Configur ation Guide 27 Configuring Threat Detection This chapter descri bes how to configure threat detection statistics and sc anning threat det ection and includes th e following sections: • Information About Threat Detection, page 27-1 • Licensing Requ irements for Threat D etection, page 27-[...]

  • Page 614

    27-2 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 27 Configuring Th reat Detection Configuring Basic Thre at Detection Statistics Configuring Basic Threat Detection Statistics Basic threat detect ion statistics includ e acti vity that mi ght be re lated t o an atta ck, such as a DoS attack. This section includes the following topics: [...]

  • Page 615

    27-3 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 27 Con figuring Threa t Detection Configuri ng Basic Threa t Detection St atistics Guidelines and Limitations This section includes the guid elines and limitations for th is feature: Security Context Guidelines Supported in single mode only . Multiple mode is not supported. Firewall M[...]

  • Page 616

    27-4 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 27 Configuring Th reat Detection Configuring Basic Thre at Detection Statistics Configuring Basic Threat Detection Statistics This section describes ho w to conf igure basic threat detection statistics, includin g enabling or disabling it and changing the defau lt limits. Detailed Step[...]

  • Page 617

    27-5 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 27 Con figuring Threa t Detection Configuring Advanced Threat Detection Statistics Feature History for Basic Threat Detection Statistics T able 27-2 lists each feature change and the platform release in which it was imp lemented. ASDM is backwards-compati ble with multiple platform re[...]

  • Page 618

    27-6 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 27 Configuring Th reat Detection Configuring Advanced T h reat Detection Statistics Security Context Guidelines Only TCP Intercept statistics are a vailable in multiple mode. Firewall Mode Guidelines Supported in routed an d transparent f ire wall mod e. Types of Traffic Monitored Only[...]

  • Page 619

    27-7 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 27 Con figuring Threa t Detection Configuring Advanced Threat Detection Statistics • Burst Threshold Rate —Sets the threshold for sysl og message generation, between 25 and 2147483647. The def ault is 400 per second. When the burst rate is exceeded, syslog message 733104 is genera[...]

  • Page 620

    27-8 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 27 Configuring Th reat Detection Configuring Scannin g Threat Detection Feature History for Advanced Threat Detection Statistics T able 27-3 lists each feature change and the platform release in which it was imp lemented. ASDM is backwards-compati ble with multiple platform releas es, [...]

  • Page 621

    27-9 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 27 Con figuring Threa t Detection Configuring Scanning Threat Detection • Feature History for Scan ning Threat Detection, page 27-11 Information About Scanning Threat Detection A typical scanning attack consists of a host that test s the accessibility of e very IP address in a subne[...]

  • Page 622

    27-10 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 27 Configuring Th reat Detection Configuring Scannin g Threat Detection Default Settings T able 27-4 lists the d efault rate limits f or scanning threat detection. The burst rate is calculated as the av erage rate every N secon ds, where N is the b urst rate interval. The burst rate i[...]
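
To make the two-window rate model concrete, here is an added example (not ASA code) that measures an average rate over the configured interval and a burst rate over the shorter burst interval, and reports which threshold a stream of timestamped drops exceeds. The burst-interval rule (one thirtieth of the average interval, never less than 10 seconds) and the Table 27-4 defaults of 5 and 10 drops per second over 600 seconds and 4 and 8 over 3600 seconds are assumed from the ASA documentation, because the page's sentence is cut off; the event streams are constructed.

```python
"""Threat-detection style rate monitor (added example, not ASA code). It models
the two windows the page describes: an average rate over the configured
interval and a burst rate over a much shorter interval. The burst-interval
rule (1/30 of the average interval, never under 10 s) and the Table 27-4
defaults used below are assumed; the page text is cut off before it states them."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class RateLimit:
    average_interval: int   # seconds the average rate is measured over
    average_rate: float     # events per second that trips the average check
    burst_rate: float       # events per second that trips the burst check


# Assumed scanning-threat-detection defaults: 5/s over 600 s (burst 10/s) and
# 4/s over 3600 s (burst 8/s).
SCANNING_DEFAULTS = [RateLimit(600, 5.0, 10.0), RateLimit(3600, 4.0, 8.0)]


def burst_interval(average_interval: int) -> int:
    """Burst window: 1/30 of the average window, but never shorter than 10 s (assumed rule)."""
    return max(average_interval // 30, 10)


class RateMonitor:
    """Counts timestamped events (e.g. dropped packets from one source) and
    reports which configured thresholds they exceed at a given moment."""

    def __init__(self, limits: List[RateLimit]):
        self.limits = limits
        self.events: List[float] = []

    def observe(self, ts: float) -> None:
        self.events.append(ts)

    def _count_since(self, start: float) -> int:
        # Window is (start, now]; events stamped exactly at the boundary are out.
        return sum(1 for ts in self.events if ts > start)

    def rates(self, now: float) -> List[Tuple[int, float, float]]:
        """(average_interval, measured average rate, measured burst rate) per limit."""
        out = []
        for lim in self.limits:
            bi = burst_interval(lim.average_interval)
            avg = self._count_since(now - lim.average_interval) / lim.average_interval
            burst = self._count_since(now - bi) / bi
            out.append((lim.average_interval, avg, burst))
        return out

    def exceeded(self, now: float) -> List[Tuple[str, int]]:
        """Which checks are over threshold at `now`, as ("average"|"burst", interval)."""
        hits = []
        for lim, (_, avg, burst) in zip(self.limits, self.rates(now)):
            if avg > lim.average_rate:
                hits.append(("average", lim.average_interval))
            if burst > lim.burst_rate:
                hits.append(("burst", lim.average_interval))
        # Forget anything older than the longest window so memory stays bounded.
        horizon = now - max(lim.average_interval for lim in self.limits)
        self.events = [ts for ts in self.events if ts > horizon]
        return hits


def scan_burst(count: int, end: float, spacing: float) -> RateMonitor:
    """Constructed input: `count` drops ending at `end`, `spacing` seconds apart."""
    mon = RateMonitor(SCANNING_DEFAULTS)
    for k in range(count):
        mon.observe(end - k * spacing)
    return mon


if __name__ == "__main__":
    fast = scan_burst(250, 1000.0, 0.05)   # 250 drops in the last 12.5 s
    print(fast.rates(1000.0), fast.exceeded(1000.0))
```

The two constructed streams show why both windows exist: 250 drops inside 13 seconds never move the 600-second average (0.4/s) but trip the 20-second burst check at 12.5/s, while a steady 5.2/s for ten minutes never trips a burst check yet exceeds the average threshold.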


27-11
Feature History for Scanning Threat Detection
Table 27-5 lists each feature change and the platform release in which it was implemented. ASDM is backwards-compatible with multiple platform releases, so the sp[...]

27-12
[...]

CHAPTER 28 Using Protection Tools
28-1
This chapter describes some of the many tools available to protect your network and includes the following sections:
• Preventing IP Spoofing, page 28-1
• Configuring the Fragment Size, page 28-2
• Configuring TCP Options, page 28-3
• Co[...]

28-2
• Anti-Spoofing Enabled—Shows whether an interface has Unicast RPF enabled, Yes or No.
• Enable—Enables Unicast RPF for the selected interface.
• Disable—Disables Unicast RPF for the selected interface.
Configuring[...]
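
Unicast RPF is the anti-spoofing check these controls turn on. The block below is an added example, not ASA code, that performs the strict reverse-path test over a small routing table: a source address is accepted on an interface only if the longest-prefix route back to it leaves through that same interface, and with no matching route the packet is dropped. The routes, interface names and packets are constructed.

```python
"""Strict Unicast RPF check over a small routing table (added example; the
routes and interface names are constructed, not from the guide)."""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]


def build_table(routes: List[Tuple[str, str]]) -> List[Route]:
    """Parse (prefix, interface) pairs and sort most-specific first."""
    table = [(ipaddress.ip_network(prefix), ifc) for prefix, ifc in routes]
    return sorted(table, key=lambda r: r[0].prefixlen, reverse=True)


def lookup(table: List[Route], ip: str) -> Optional[str]:
    """Longest-prefix match; None when no route (not even a default) covers ip."""
    addr = ipaddress.ip_address(ip)
    for net, ifc in table:          # sorted longest prefix first
        if addr in net:
            return ifc
    return None


def urpf_permits(table: List[Route], ingress: str, src: str) -> bool:
    """Strict uRPF: the reverse path for src must point back out `ingress`.
    With no matching route the packet is dropped, so a table without a
    default route drops every unknown source on every interface."""
    return lookup(table, src) == ingress


def filter_packets(table: List[Route], packets):
    """Apply the check to (ingress, src, dst) tuples; returns (verdict, packet) pairs."""
    return [("permit" if urpf_permits(table, ingress, src) else "drop", (ingress, src, dst))
            for ingress, src, dst in packets]


# Constructed topology: inside hosts on 10.1.0.0/16 except the DMZ /24.
ROUTES = build_table([
    ("0.0.0.0/0", "outside"),
    ("10.1.0.0/16", "inside"),
    ("10.1.5.0/24", "dmz"),
])

# Constructed packets as (ingress interface, source, destination).
PACKETS = [
    ("inside", "10.1.2.3", "203.0.113.5"),     # legitimate inside host
    ("outside", "10.1.2.3", "10.1.2.9"),       # inside address arriving from outside: spoof
    ("inside", "10.1.5.7", "10.1.2.9"),        # DMZ address arriving on inside: spoof
    ("outside", "203.0.113.5", "10.1.2.3"),    # any Internet source via the default route
    ("inside", "203.0.113.5", "10.1.2.3"),     # Internet address sourced from inside: spoof
]

if __name__ == "__main__":
    for verdict, pkt in filter_packets(ROUTES, PACKETS):
        print(verdict, pkt)
```

Strict uRPF assumes symmetric routing: if replies to a source legitimately leave through a different interface than the one its packets arrive on, the check drops real traffic, so verify the routing table per interface before enabling it. The default route makes any source acceptable on the interface it points to (the outside in this table), which is why the check catches inside addresses arriving from outside but cannot validate arbitrary Internet sources.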


28-3
• Timeout—Display only. Displays the number of seconds to wait for an entire fragmented packet to arrive. The timer starts after the first fragment of a packet arrives. If all fragments of the packet do not arrive by the [...]

28-4
alters the packet to request 1200 bytes. See the "Controlling Fragmentation with the Maximum Transmission Unit and TCP Maximum Segment Size" section on page 11-8 for more information.
– Force Minimum Segment Size for TCP [...]
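
The MSS clamp described here rewrites a TCP option in flight. As an added example (not ASA code), the block builds a SYN carrying an MSS option, walks the option list the way a normalizer must (NOP and End-of-Option-List have no length byte, and a malformed length stops the walk), lowers a value above the maximum or raises one below the minimum, and recomputes the TCP checksum so the rewritten segment is still valid. The defaults (maximum 1380 bytes, minimum disabled at 0) are assumed from the guide; the packets are constructed.

```python
"""Rewrite the TCP MSS option the way the ASA's TCP normalizer does (added
example, not ASA code). Defaults assumed from the guide: maximum segment
size 1380 bytes, minimum disabled (0). Packets below are constructed."""
import ipaddress
import struct
from typing import Optional


def _fold(data: bytes) -> int:
    """One's-complement sum of 16-bit words, folded to 16 bits."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    return (~_fold(pseudo + segment)) & 0xFFFF


def build_syn(src: str, dst: str, sport: int, dport: int, mss: int) -> bytes:
    """IPv4 + TCP SYN with options MSS, NOP, WScale, NOP, NOP, SACK-permitted (12 bytes)."""
    options = (struct.pack("!BBH", 2, 4, mss) + b"\x01" + struct.pack("!BBB", 3, 3, 7)
               + b"\x01\x01" + struct.pack("!BB", 4, 2))
    doff = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, doff << 4, 0x02, 65535, 0, 0) + options
    s, d = ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed
    tcp = tcp[:16] + struct.pack("!H", _tcp_checksum(s, d, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0, s, d)
    ip = ip[:10] + struct.pack("!H", (~_fold(ip)) & 0xFFFF) + ip[12:]
    return ip + tcp


def _mss_offset(packet: bytes) -> Optional[int]:
    """Byte offset of the 16-bit MSS value inside the TCP options, or None."""
    ihl = (packet[0] & 0x0F) * 4
    doff = (packet[ihl + 12] >> 4) * 4
    i, end = ihl + 20, ihl + doff
    while i < end:
        kind = packet[i]
        if kind == 0:                # End of Option List
            break
        if kind == 1:                # NOP has no length byte
            i += 1
            continue
        if i + 1 >= end or packet[i + 1] < 2:
            break                    # truncated or malformed option
        if kind == 2 and packet[i + 1] == 4:
            return i + 2
        i += packet[i + 1]
    return None


def tcp_mss(packet: bytes) -> Optional[int]:
    off = _mss_offset(packet)
    return None if off is None else struct.unpack_from("!H", packet, off)[0]


def clamp_mss(packet: bytes, max_mss: int = 1380, min_mss: int = 0) -> bytes:
    """Lower an MSS above max_mss to max_mss, raise one below min_mss to
    min_mss (0 disables either check), and recompute the TCP checksum."""
    off = _mss_offset(packet)
    if off is None:
        return packet
    mss = struct.unpack_from("!H", packet, off)[0]
    new = min(mss, max_mss) if max_mss else mss
    if min_mss:
        new = max(new, min_mss)
    if new == mss:
        return packet
    ihl = (packet[0] & 0x0F) * 4
    buf = bytearray(packet)
    struct.pack_into("!H", buf, off, new)
    struct.pack_into("!H", buf, ihl + 16, 0)      # zero the checksum before recomputing
    csum = _tcp_checksum(bytes(buf[12:16]), bytes(buf[16:20]), bytes(buf[ihl:]))
    struct.pack_into("!H", buf, ihl + 16, csum)
    return bytes(buf)


def tcp_checksum_ok(packet: bytes) -> bool:
    """True when the one's-complement sum over pseudo-header and segment is all ones."""
    ihl = (packet[0] & 0x0F) * 4
    pseudo = packet[12:20] + struct.pack("!BBH", 0, 6, len(packet) - ihl)
    return _fold(pseudo + packet[ihl:]) == 0xFFFF
```

The clamp only touches the SYN (the MSS option is legal only there), and a packet whose MSS is already within bounds is returned unchanged rather than re-checksummed, which is what you want on a device touching every handshake.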


28-5
Configuring IP Audit for Basic IPS Support
The IP audit feature provides basic IPS support for the ASA that does not have an AIP SSM. It supports a basic list of signatures, and you can configure the ASA to perf[...]

28-6
Fields
• Policy Name—Sets the IP audit policy name. You cannot edit the name after you add it.
• Policy Type—Sets the policy type. You cannot edit the policy type after you add it.
  – Attack—Sets th[...]

28-7
Signature ID | Message Number | Signature Title | Signature Type | Description
1002 | 400002 | IP options-Timestamp | Informational | Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 4 (Timestamp).
1003 | 400003 | IP options-Security | Informational | Trigger[...]

28-8
2002 | 400012 | ICMP Source Quench | Informational | Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 4 (Source Quench).
2003 | 4[...]

28-9
2150 | 400023 | Fragmented ICMP Traffic | Attack | Triggers when a IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and either the more fragments flag is set to 1 (ICMP) or there is an [...]

28-10
6051 | 400035 | DNS Zone Transfer | Informational | Triggers on normal DNS zone transfers, in which the source port is 53.
6052 | 400036 | DNS Zone Transfer from High Port | Informational | Triggers on an illegitimate DNS zone[...]

28-11
6180 | 400049 | rexd (remote execution daemon) Attempt | Informational | Triggers when a call to the rexd program is made. The remote execution daemon is the server responsible for remote program execution. This may[...]
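
The signature descriptions above are precise enough to implement. The block below is an added example, not the ASA's IP audit code: it parses an IPv4 header (option list, fragment flag and offset, ICMP type) and evaluates the four signatures whose descriptions survive on these pages (1002, 1003, 2002 and 2150), returning the signature ID, syslog message number and the action the policy type maps to. The Attack and Informational policy actions (alarm, drop, reset) are assumed from the IP audit feature, the fragment-offset half of signature 2150 is assumed because the page's sentence is cut off, and all packets are constructed.

```python
"""A small IP audit signature engine over raw IPv4 packets (added example; the
ASA's own implementation is not public). Signature IDs, message numbers and
titles are those printed on this page; the predicates follow the descriptions.
The policy actions (alarm, drop, reset) are assumed. Packets are constructed."""
import struct
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Packet:
    proto: int
    more_fragments: bool
    frag_offset: int              # in 8-byte units, 0 for the first fragment
    ip_options: List[int] = field(default_factory=list)   # option numbers seen
    icmp_type: Optional[int] = None                       # only in first fragments


def parse_ipv4(raw: bytes) -> Packet:
    ver_ihl, _, _, _, flags_frag, _, proto = struct.unpack_from("!BBHHHBB", raw, 0)
    ihl = (ver_ihl & 0x0F) * 4
    opts, numbers, i = raw[20:ihl], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                        # End of Option List
            break
        numbers.append(kind & 0x1F)          # low 5 bits are the option number
        if kind == 1:                        # NOP: single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                            # malformed option list
        i += opts[i + 1]
    more = bool(flags_frag & 0x2000)
    offset = flags_frag & 0x1FFF
    # A non-first fragment carries no ICMP header, so its type is unknown.
    icmp_type = raw[ihl] if proto == 1 and offset == 0 and len(raw) > ihl else None
    return Packet(proto, more, offset, numbers, icmp_type)


# (signature id, syslog message number, title, policy type, predicate)
SIGNATURES: List[Tuple[int, int, str, str, Callable[[Packet], bool]]] = [
    (1002, 400002, "IP options-Timestamp", "Informational", lambda p: 4 in p.ip_options),
    (1003, 400003, "IP options-Security", "Informational", lambda p: 2 in p.ip_options),
    (2002, 400012, "ICMP Source Quench", "Informational",
     lambda p: p.proto == 1 and p.icmp_type == 4),
    # Fires on the first fragment (MF set) and on later fragments (offset != 0);
    # the offset half is assumed, the page's sentence stops after "or".
    (2150, 400023, "Fragmented ICMP Traffic", "Attack",
     lambda p: p.proto == 1 and (p.more_fragments or p.frag_offset != 0)),
]


def audit(raw: bytes, policy: Dict[str, str]) -> List[Tuple[int, int, str]]:
    """Evaluate every signature; return (id, message number, action) per match.
    `policy` maps the policy type ("Attack"/"Informational") to an action."""
    pkt = parse_ipv4(raw)
    return [(sid, msg, policy[stype]) for sid, msg, _, stype, pred in SIGNATURES if pred(pkt)]


def build_ipv4(proto: int, payload: bytes, options: bytes = b"",
               more_fragments: bool = False, frag_offset: int = 0) -> bytes:
    """Constructed IPv4 datagram (header checksum left zero; the audit ignores it)."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options) + len(payload),
                      0x1234, flags_frag, 64, proto, 0,
                      bytes([10, 1, 1, 45]), bytes([209, 165, 202, 129]))
    return hdr + options + payload


def icmp(type_: int) -> bytes:
    return struct.pack("!BBHI", type_, 0, 0, 0)


POLICY = {"Attack": "drop", "Informational": "alarm"}
TIMESTAMP_OPTION = bytes([0x44, 12, 5, 0]) + b"\x00" * 8   # option 4, length 12
SECURITY_OPTION = b"\x01" + bytes([0x82, 11]) + b"\x00" * 9  # NOP, then option 2, length 11
```

The option number is the low five bits of the type byte (0x44 is option 4 with the debugging class bits set), so matching on the whole byte would miss legitimate encodings; and because signature 2150 must fire on fragments that carry no ICMP header, the parser records the ICMP type only for first fragments and the other ICMP signatures tolerate its absence.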


28-12
[...]

CHAPTER 29 Configuring Filtering Services
29-1
This chapter describes how to use filtering services to provide greater control over traffic passing through the ASA and includes the following sections:
• Information About Web Traffic Filtering, page 29-1
• Configuring Filtering R[...]

29-2
Filtering URLs and FTP Requests with an External Server
This section describes how to filter URLs and FTP requests with an external server and includes the following topics:
• Information [...]

29-3
Licensing Requirements for URL Filtering
The following table shows the licensing requirements for URL filtering:
Guidelines and Limitations for URL Filtering
This section includes the guidel[...]

29-4
• Enter the number of seconds after which the request to the URL filtering server times out. The default is 30 seconds.
• In the Protocol area, to specify which TCP version to use to com[...]

29-5
• Buffering the Content Server Response, page 29-5
• Caching Server Addresses, page 29-5
• Filtering HTTP URLs, page 29-6
Buffering the Content Server Response
When you issue a request[...]

29-6
Step 5 Click OK to close this dialog box.
Filtering HTTP URLs
This section describes how to configure HTTP filtering with an external filtering server and includes the following topics:
• [...]

29-7
– Enter a hostname.
– Enter an IP address and optional network mask. You can express the netmask in CIDR or dotted decimal notation. For example, you can enter 10.1.1.0/24 or 10.1.1.0/25[...]

29-8
– Enter an IP address and optional network mask. You can express the netmask in CIDR or dotted decimal notation. For example, you can enter 10.1.1.0/24 or 10.1.1.0/255.255.255.0.
– Click [...]

29-9
>—Greater than. For example, >tcp/2000.
-—Range. For example, tcp/2000-3000.
– Enter a well-known service name, such as HTTP or FTP.
– Click the ellipses to display the Bro[...]

29-10
– Enter a well-known service name, such as HTTP or FTP.
– Click the ellipses to display the Browse Service dialog box. Choose a service from the drop-down list.
• Check the Allow o[...]

29-11
• Click OK to close this dialog box.
• Click Apply to save your changes.
Step 8 To modify a filtering rule, select it and click Edit to display the Edit Filter Rule dialog box for the[...]

29-12
Step 12 To delete a selected filter rule, click Delete.
Defining Queries
To define queries, perform the following steps:
Step 1 Enter the IP address or host name of the source. Choose is[...]

PART 8 Configuring Modules [...]

CHAPTER 30 Configuring the ASA CX Module
30-1
This chapter describes how to configure the ASA CX module that runs on the ASA.
• Information About the ASA CX Module, page 30-1
• Licensing Requirements for the ASA CX Module, page 30-6
• Guidelines and Limitations, page 30-6
• Defau[...]

30-2
How the ASA CX Module Works with the ASA
The ASA CX module runs a separate application from the ASA. The ASA CX module includes external management interface(s) so you can connect to the ASA CX module directly. An[...]

30-3
Monitor-Only Mode
For demonstration purposes, you can configure a service policy or a traffic-forwarding interface in monitor-only mode. For guidelines and limitations for monitor-only mode, see the "Gui[...]

30-4
Figure 30-3 ASA CX Traffic-Forwarding
Information About ASA CX Management
• Initial Configuration, page 30-4
• Policy Configuration and Management, page 30-5
Initial Configuration
For initial configura[...]

30-5
or ASDM). However, physical characteristics (such as enabling the interface) are configured on the ASA. You can remove the ASA interface configuration (specifically the interface name) to dedicate this inter[...]

30-6
• Do not configure ASA inspection on HTTP traffic.
• Do not configure Cloud Web Security (ScanSafe) inspection. If you configure both the ASA CX action and Cloud Web Security inspection for the sam[...]

30-7
Guidelines and Limitations
Firewall Mode Guidelines
Supported in routed and transparent firewall mode. Traffic-forwarding interfaces are only supported in transparent mode.
Failover Guidelines
Does not support failover directly; when the ASA fa[...]

30-8
Additional Guidelines and Limitations
• See the "Compatibility with ASA Features" section on page 30-5.
• You cannot change the software type installed on the hardware module; if you purchase an ASA CX module, you cannot [...]

30-9
Step 3 (ASA 5585-X) Configure the ASA CX module management IP address for initial SSH access. See the "(ASA 5585-X) Changing the ASA CX Management IP Address" section on page 30-14.
Step 4 On the ASA CX module, [...]

30-10
If you have an inside router
If you have an inside router, you can route between the management network, which can include both the ASA Management 0/0 and ASA CX Management 1/0 interfaces, and the ASA inside netwo[...]

30-11
ASA 5512-X through ASA 5555-X (Software Module)
These models run the ASA CX module as a software module, and the ASA CX management interface shares the Management 0/0 interface with the ASA.
If you have an inside route[...]

30-12
CX IP address for that interface. Because the ASA CX module is essentially a separate device from the ASA, you can configure the ASA CX management address to be on the same network as the inside interface.
Note: You m[...]

30-13
The boot software lets you set basic ASA CX network configuration, partition the SSD, and download the larger system software from a server of your choice to the SSD.
Step 2 Download the ASA CX system software from[...]

30-14
asacx-boot> system install https://upgrades.example.com/packages/asacx-sys-9.1.1.pkg
Username: buffy
Password: angelforever
Verifying
Downloading
Extracting
Package Detail
Description:
Requires reboot:
Cisco ASA CX Sy[...]

30-15
Step 3 Click Send.
Single Context Mode
Step 1 In ASDM, choose Wizards > Startup Wizard.
Step 2 Click Next to advance through the initial screens until you reach the ASA CX Basic Configuration screen.
Step 3 Enter[...]

30-16
Step 5 Click Finish to skip the remaining screens, or click Next to advance through the remaining screens and complete the wizard.
Configuring Basic ASA CX Settings at the ASA CX CLI
You must configure basic network [...]

30-17
Step 4 After you complete the final prompt, you are presented with a summary of the settings. Look over the summary to verify that the values are correct, and enter Y to apply your changed configuration. Enter N [...]

30-18
• Launch PRSM from ASDM by choosing Home > ASA CX Status, and clicking the Connect to the ASA CX application link.
What to Do Next
• (Optional) Configure the authentication proxy port. See the "(Optional) Con[...]

30-19
Step 2 Enter a port greater than 1024. The default is 885.
Step 3 Click Apply.
Redirecting Traffic to the ASA CX Module
You can redirect traffic to the ASA CX module by creating a service policy that identifies sp[...]

30-20
Detailed Steps
Step 1 Choose Configuration > Firewall > Service Policy Rules.
Step 2 Choose Add > Add Service Policy Rule. The Add Service Policy Rule Wizard - Service Policy dialog box appears.
Step 3 [...]

30-21
Step 8 Check the Enable ASA CX for this traffic flow check box.
Step 9 In the If ASA CX Card Fails area, click one of the following:
• Permit traffic—Sets the ASA to allow all traffic through, uninspected, if[...]

30-22
Configuring Traffic-Forwarding Interfaces (Monitor-Only Mode)
This section configures traffic-forwarding interfaces, where all traffic is forwarded directly to the ASA CX module. This method is for demonstration pu[...]

30-23
Examples
The following example makes GigabitEthernet 0/5 a traffic-forwarding interface:
Managing the ASA CX Module
This section includes procedures that help you manage the module.
• Resetting the Password, page [...]

30-24
To reset the module password to the default of Admin123, perform the following steps.
Guidelines
In multiple context mode, perform this procedure in the system execution space.
Detailed Steps
Step 1 From the ASDM me[...]

30-25
Detailed Steps
Shutting Down the Module
Shutting down the module software prepares the module to be safely powered off without losing configuration data.
Note: If you reload the ASA, the module is not automatically[...]

30-26
(ASA 5512-X through ASA 5555-X) Uninstalling a Software Module Image
To uninstall a software module image and associated configuration, perform the following steps.
Guidelines
In multiple context mode, perform this p[...]

30-27
Detailed Steps
Monitoring the ASA CX Module
Use Tools > Command Line Interface to use monitoring commands.
• Showing Module Status, page 30-28
• Showing Module Statistics, page 30-28
• Monitoring Module Co[...]

30-28
Showing Module Status
See the "ASA CX Status Tab" section on page 4-30 in the general operations configuration guide.
Showing Module Statistics
To show module statistics, enter the following command:
Examples
T[...]

30-29
Examples
The following is sample output from the show asp table classify domain cxsc command:
ciscoasa# show asp table classify domain cxsc
Input Table
in id=0x7ffedb4acf40, priority=50, domain=cxsc, deny=false
hits=1548[...]

30-30
in id=0x7ffedb4ada00, priority=50, domain=cxsc, deny=false
hits=0, user_data=0x7ffedb4ac840, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, [...]

30-31
ciscoasa# show asp drop
Frame drop:
  CXSC Module received packet with bad TLV's (cxsc-bad-tlv-received)    2
  CXSC Module requested drop (cxsc-request)                              1
  CXSC card is down (cxsc-fail-close)                                    1
  CXSC config removed for flow [...]
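
The show asp drop counters are cumulative and span every feature, so the useful signal is the change in the cxsc-* reasons between two polls. The block below is an added example, not Cisco code, that parses the command output into per-section counters, diffs two snapshots, and isolates the ASA CX reasons that moved. The two snapshots are constructed in the format shown on this page; the acl-drop, nat-fail and "Last clearing" lines are not from the page. A rising cxsc-fail-close count means the module is down and a service policy set to Close traffic is dropping the flows it matches; with Permit traffic configured those flows pass uninspected and this counter stays flat, so a flat counter alone does not prove the module is healthy.

```python
"""Parse `show asp drop` output and watch the ASA CX counters (added example;
the snapshots are constructed in the page's format, not captured from a
device). Counters are cumulative, so the delta between polls is what matters."""
import re
from typing import Dict

Counters = Dict[str, Dict[str, int]]

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ drop):\s*$")
LINE_RE = re.compile(r"^\s*(?P<desc>.+?)\s+\((?P<reason>[\w-]+)\)\s+(?P<count>\d+)\s*$")


def parse_asp_drop(text: str) -> Counters:
    """{section: {reason-tag: count}} for every 'description (tag) count' line."""
    counters: Counters = {}
    section = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m["name"]
            counters.setdefault(section, {})
            continue
        m = LINE_RE.match(line)
        if m and section:
            counters[section][m["reason"]] = int(m["count"])
    return counters


def delta(before: Counters, after: Counters) -> Counters:
    """Per-reason increase between two polls (reasons absent earlier count from 0)."""
    out: Counters = {}
    for section, reasons in after.items():
        prev = before.get(section, {})
        diff = {r: c - prev.get(r, 0) for r, c in reasons.items() if c - prev.get(r, 0) > 0}
        if diff:
            out[section] = diff
    return out


def cxsc_alerts(diff: Counters) -> Dict[str, int]:
    """Only the ASA CX (cxsc-*) reasons that moved, across all sections."""
    return {r: c for reasons in diff.values() for r, c in reasons.items() if r.startswith("cxsc-")}


# Constructed snapshots: the first mirrors the page, the second is a later poll.
SNAPSHOT_T0 = """\
ciscoasa# show asp drop

Frame drop:
  CXSC Module received packet with bad TLV's (cxsc-bad-tlv-received)           2
  CXSC Module requested drop (cxsc-request)                                     1
  CXSC card is down (cxsc-fail-close)                                           1
  Flow is denied by configured rule (acl-drop)                                 40

Last clearing: Never
"""

SNAPSHOT_T1 = """\
ciscoasa# show asp drop

Frame drop:
  CXSC Module received packet with bad TLV's (cxsc-bad-tlv-received)           2
  CXSC Module requested drop (cxsc-request)                                     1
  CXSC card is down (cxsc-fail-close)                                         311
  Flow is denied by configured rule (acl-drop)                                 52

Flow drop:
  NAT failed (nat-fail)                                                         3

Last clearing: Never
"""

if __name__ == "__main__":
    moved = delta(parse_asp_drop(SNAPSHOT_T0), parse_asp_drop(SNAPSHOT_T1))
    print(cxsc_alerts(moved))
```

Poll the command on a fixed interval, keep the previous parse, and alert on cxsc_alerts(delta(previous, current)); pairing the cxsc-fail-close delta with the module status from Home > ASA CX Status separates "module down, policy closing" from "policy permitting uninspected traffic", which the counter by itself cannot do.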


30-32
Capturing Module Traffic
To configure and view packet captures for the ASA CX module, enter one of the following commands:
Note: Captured packets contain an additional AFBP header that your PCAP viewer might not[...]

30-33
ciscoasa# show running-config cxsc
cxsc auth-proxy port 2000
2. Check the authentication proxy rules:
ciscoasa# show asp table classify domain cxsc-auth-proxy
Input Table
in id=0x7ffed86cc470, priority=121, doma[...]

30-34
Feature History for the ASA CX Module
Monitor-only mode for demonstration purposes | ASA 9.1(2), ASA CX 9.1(2) | For demonstration purposes only, you can enable monitor-only mode for the service policy, which forwards a copy of traffic to the ASA CX[...]

CHAPTER 31 Configuring the ASA IPS Module
31-1
This chapter describes how to configure the ASA IPS module. The ASA IPS module might be a hardware module or a software module, depending on your ASA model. For a list of supported ASA IPS modules per ASA model, see the Cisco ASA Compati[...]

31-2
How the ASA IPS Module Works with the ASA
The ASA IPS module runs a separate application from the ASA. The ASA IPS module might include an external management interface so you can connect to the ASA IPS module [...]

31-3
Operating Modes
You can send traffic to the ASA IPS module using one of the following modes:
• Inline mode—This mode places the ASA IPS module directly in the traffic flow (see Figure 31-1). No traffic[...]

31-4
Figure 31-3 Security Contexts and Virtual Sensors
Figure 31-4 shows a single mode ASA paired with multiple virtual sensors (in inline mode); each defined traffic flow goes to a different sensor.
Figur[...]

31-5
See the following information about the management interface:
– ASA 5510, ASA 5520, ASA 5540, ASA 5580, ASA 5585-X—The IPS management interface is a separate external Gigabit Ethernet interface.[...]

31-6
http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html
• The ASA 5505 does not support multiple context mode, so multiple context features, such as virtual sensors, are not supported on the AIP SSC.
• The A[...]

31-7
Configuring the ASA IPS module
This section describes how to configure the ASA IPS module and includes the following topics:
• Task Flow for the ASA IPS Module, page 31-7
• Connecting the ASA IPS Management Inte[...]

31-8
Connecting the ASA IPS Management Interface
In addition to providing management access to the IPS module, the IPS management interface needs access to an HTTP proxy server or a DNS server and the Internet so it can do [...]

31-9
If you do not have an inside router
If you have only one inside network, then you cannot also have a separate management network, which would require an inside router to route between the networks. In this case, [...]

31-10
If you do not have an inside router
If you have only one inside network, then you cannot also have a separate management network. In this case, you can manage the ASA from the inside interface instead of the Managem[...]

31-11
Sessioning to the Module from the ASA (May Be Required)
To access the IPS module CLI from the ASA, you can session from the ASA. For software modules, you can either session to the module (using Telnet) or create a [...]

31-12
(ASA 5512-X through ASA 5555-X) Booting the Software Module
Your ASA typically ships with IPS module software present on Disk0. If the module is not running, or if you are adding the IPS module to an existing ASA, [...]

31-13
(ASA 5510 and Higher) Configuring Basic Network Settings
In single context mode, you can use the Startup Wizard in ASDM to configure basic IPS network configuration. These settings are saved to the IPS configurat[...]

31-14
Detailed Steps—Multiple Mode Using the CLI
(ASA 5505) Configuring Basic Network Settings
An ASA IPS module on the ASA 5505 does not have any external interfaces. You can configure a VLAN to allow access to an in[...]

31-15
b. Enter the IPS management IP address. Make sure this address is on the same subnet as the ASA VLAN IP address. For example, if you assigned 10.1.1.1 to the VLAN for the ASA, then assign another address on that netwo[...]

31-16
Step 3 Enter the IP address, username and password that you set in the "Configuring Basic IPS Module Network Settings" section on page 31-12, as well as the port. The default IP address and port is 192.168.1.[...]

31-17
What to Do Next
• For the ASA in multiple context mode, see the "Assigning Virtual Sensors to a Security Context (ASA 5510 and Higher)" section on page 31-17.
• For the ASA in single context mode, see [...]

31-18
If you do not specify a sensor name when you configure IPS within the context configuration, the context uses this default sensor. You can only configure one default sensor per context. If you do not specify a [...]

31-19
Step 3 Complete the Service Policy dialog box as desired. See the ASDM online help for more information about these screens.
Step 4 Click Next. The Add Service Policy Rule Wizard - Traffic Classification Criteria di[...]

31-20
This section includes procedures that help you recover or troubleshoot the module and includes the following topics:
• Installing and Booting an Image on the Module, page 31-20
• Shutting Down the Module, page 31[...]

31-21
Detailed Steps
Command | Purpose
Step 1 For a hardware module (for example, the ASA 5585-X): hw-module module 1 recover configure
For a software module (for example, the ASA 5545-X): sw-module module ips recover configure i[...]

  • Page 706

    31-22 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 31 Configurin g the ASA IPS Module Managing the AS A IPS module Shutting Down the Module Shutting do wn the module software prepares the modu le to be safely po wered off without losing confi guration data. Note : If you reload the ASA, th e module is n ot automa tically shu t down, s[...]

  • Page 707

    31-23 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 31 Configuring the ASA IPS Module Managing the ASA IPS module Resetting the Password Y ou can reset the module password to the default . For the user cisco , the default passw ord is cisco . After resetting the password, yo u should change it to a u nique v alue using the mo dule app[...]

  • Page 708

    31-24 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 31 Configurin g the ASA IPS Module Monitoring the ASA IPS module Reloading or Resetting the Module T o reload or reset the module, enter on e of the follo wing commands at the ASA CLI . Detailed Steps Monitoring the ASA IPS module See the “Intrusion Pre vention T ab” section on pa[...]

  • Page 709

    31-25 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 31 Configuring the ASA IPS Module Feature History for the ASA IPS module Feature History for the ASA IPS module T able 31-2 lists each feature change and the platform release in which it was imp lemented. ASDM is backwards-compati ble with multiple platform releas es, so the specif i[...]

  • Page 710

    31-26 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 31 Configurin g the ASA IPS Module Feature History for the ASA IPS module[...]

  • Page 711

    CH A P T E R 32-1 Cisco ASA Series Firewall ASDM Configur ation Guide 32 Configuring the ASA CSC Module This chapter descri bes how to configure the Conten t Security and Control (CSC) appl ication that is installed in a CSC SSM in the ASA. This chapte r includes the follo wing sections: • Information About the CSC SSM, page 32-1 • Licensing Re[...]

  • Page 712

    32-2 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 32 Configurin g the ASA CSC Module Information About the CSC SSM Figur e 32-1 Flo w of Scanned T raffic with the CS C SSM Y ou use ASDM for system setup and mo nitoring of th e CSC SSM. For adv anced co nfiguration of cont ent security policies in the CS C SSM software, you ac cess the[...]

  • Page 713

    32-3 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 32 Configuring the ASA CSC Module Information Ab out the CSC SSM Figur e 32-2 CSC SSM Deplo yment with a Management Netw ork Determining What Traffic to Scan The CSC SSM can scan FTP , HTTP/HTTPS, POP3, and SMTP traf fic only wh en the destination port of the packet requestin g the co[...]

  • Page 714

    32-4 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 32 Configurin g the ASA CSC Module Information About the CSC SSM Based on the conf iguration shown in F igure 32-3 , conf igure the ASA to di vert to th e CSC SSM only requests from clients o n the inside netw ork for HTTP , FTP , and POP3 connections to the outside network, and incomi[...]

  • Page 715

    32-5 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 32 Configuring the ASA CSC Module Licensing Requirements for the CSC SSM In the outside- policy , outside-class matches SMTP tr af fic from an y outside source to the DMZ network. This setting protects the SMTP serv er and inside us ers who do wnload e-mail from th e SMTP serv er on t[...]

  • Page 716

    32-6 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 32 Configurin g the ASA CSC Module Guidelines and Limitations – Domain name and hostname for t he CSC SSM. – An e-mail address and an SMTP server IP addr ess and port numb er for e-mail notif ications. – E-mail address(es) for product l icense rene wal notifications. – IP addre[...]

  • Page 717

    32-7 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 32 Configuring the ASA CSC Module Configuring the CSC SSM Configuring the CSC SSM This section descri bes ho w to conf igure the CSC SSM and includes the following topics: • Before Conf iguring the CSC SSM, page 32-7 • Connecting to the CSC SSM, page 32-8 • Determin ing Service [...]

  • Page 718

    32-8 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 32 Configurin g the ASA CSC Module Configuring the CSC SSM • If you manually control time settings, v e rify the clock settings, including t ime zone. Choose Conf iguration > Pr operties > De vice Administration > Clock . • If you are using NTP , verify the NTP conf igurat[...]

  • Page 719

    32-9 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 32 Configuring the ASA CSC Module Configuring the CSC SSM T o connect to the CSC SSM, perform the follo wing steps: Step 1 In the ASDM main application windo w , click the Content Security tab . Step 2 In the Connecting to CSC dial og box, click one of th e follo wing radio b uttons: [...]

  • Page 720

    32-10 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 32 Configurin g the ASA CSC Module CSC SSM Setup Wizard Step 4 Click the Cr eate a new traff i c class option, type a name for the traff ic class in the adjacent field, check the Any traff ic check box, and then click Next . The Rule Actions screen appears. Step 5 Click the CSC Scan t[...]

  • Page 721

    32-11 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 32 Configuring the ASA CSC Module CSC SSM Setup Wizard Activation/License The Acti v ation/License pane lets you re view or re ne w acti v a tion code s for the CSC SSM Ba sic License and the Plus License. Y ou can use A SDM to conf igure CSC licenses on ly once each fo r the two li [...]

  • Page 722

    32-12 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 32 Configurin g the ASA CSC Module CSC SSM Setup Wizard Step 3 Set parameters of the DNS servers for the network th at includ es the managemen t IP address of th e CSC SSM. • Enter the IP address of the primary DNS server . • (Optional) Enter the IP address of th e secondary DNS s[...]

  • Page 723

    32-13 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 32 Configuring the ASA CSC Module CSC SSM Setup Wizard What to Do Next See the “Management Acce ss Host/Networks” section on page 32-13 . Management Access Host/Networks The Manageme nt Access Host/N etworks pane lets y ou specify the h osts and networks for wh ich management acc[...]

  • Page 724

    32-14 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 32 Configurin g the ASA CSC Module CSC SSM Setup Wizard Ti p Whenever the connection to the CSC SSM is drop ped, you can reestablish it. T o do so, click the Connection to De vice icon on the status ba r to display the Connection to De vice dialog box, and then click Reconnect . ASDM [...]

  • Page 725

    32-15 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 32 Configuring the ASA CSC Module CSC SSM Setup Wizard Step 4 After you ha ve reset the passw ord, you should change it to a unique v alue. What to Do Next See the “Password” section on page 32-13 . Wizard Setup The W izard Setup screen lets you start the CSC Se tup W i zard. T o[...]

  • Page 726

    32-16 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 32 Configurin g the ASA CSC Module CSC SSM Setup Wizard CSC Setup Wizard IP Configuration T o display the IP conf iguration settings that you ha ve ent ered for the CSC SSM, perform the follo wing steps: Choose Conf iguration > T rend Micro Content Security > CSC Setup > IP C[...]

  • Page 727

    32-17 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 32 Configuring the ASA CSC Module CSC SSM Setup Wizard CSC Setup Wizard Management Access Configuration T o display the subn et and host setti ngs that you ha ve entered to grant access t o the CSC SSM, perform the following steps: Step 1 Choose Conf iguration > T rend Micr o Cont[...]

  • Page 728

    32-18 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 32 Configurin g the ASA CSC Module CSC SSM Setup Wizard The traf fic selection for CSC scanning con figur ation settings t hat you ha ve entered for the CSC SSM appear , including the follo wing: • The interface to the CSC SSM that you hav e chosen from the drop-do wn list. • The [...]

  • Page 729

    32-19 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 32 Configuring the ASA CSC Module CSC SSM Setup Wizard CSC Setup Wizard Summary T o revi ew the settings that you ha ve made with the CSC Setup W izard, perform the follo wing steps: Step 1 Choose Conf iguration > T rend Micro Content Security > CSC Setup > Summary . The CSC[...]

  • Page 730

    32-20 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 32 Configurin g the ASA CSC Module Using the CSC SSM GUI What to Do Next See the “Using the CSC SSM GUI” section on page 32 -20 . Using the CSC SSM GUI This section descri bes ho w to conf igure features using the CSC SSM GUI, and includes the fol lo wing topics: • W eb, page 32[...]

  • Page 731

    32-21 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 32 Configuring the ASA CSC Module Using the CSC SSM GUI Step 6 Click Conf igure W eb Reputation to open a screen fo r configuring the W e b Reputat ion service on the CSC SSM. What to Do Next See the “Mail” section on page 32-21 . Mail The Mail pane lets you se e whether or not e[...]

  • Page 732

    32-22 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 32 Configurin g the ASA CSC Module Using the CSC SSM GUI Step 7 The Global Appro ved List area is di splay-only and sho ws whether or not the SMTP global approv ed list feature is enabled on the CSC SSM. Click Conf igure Global A pproved List to open a screen for confi guring SMTP glo[...]

  • Page 733

    32-23 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 32 Configuring the ASA CSC Module Using the CSC SSM GUI The File Scanning area is display-o nly and sho ws whether or not FTP file scanning i s enabled on the CSC SSM. Step 2 Click Confi gure File S canning to open a windo w for conf iguring FTP file scanning setti ngs on the CSC SSM[...]

  • Page 734

    32-24 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 32 Configurin g the ASA CSC Module Monitoring the CSC SSM What to Do Next See the “Monitor ing the CSC SSM” se ction on pa ge 32-24 . Monitoring the CSC SSM ASDM lets you monitor the CSC SSM stat isti cs as well as CSC SSM-related features. Note If you ha ve no t completed the CSC[...]

  • Page 735

    32-25 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 32 Configuring the ASA CSC Module Monitoring the CSC SSM Step 4 T o remove the selected statistics type from the Selected Graphs list, click Remove . The b utton name changes to Delete if the item you a re removing was added from ano ther pane, a nd is not be ing returned to the A va[...]

  • Page 736

    32-26 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 32 Configurin g the ASA CSC Module Monitoring the CSC SSM • The subject of e-mails that include a threat, or the names of FTP f iles that incl ude a threat, or block ed or fi ltered URLs. • The recipient of e- mails that include a threat, or the IP ad dress or hostname of a threat[...]

  • Page 737

    32-27 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 32 Configuring the ASA CSC Module Troubleshooting the CSC Module What to Do Next See the “CSC CPU” section on page 32-27 . Resource Graphs The ASA lets you monitor CSC SSM status, incl uding CPU resources and memory usage. This section includes th e following topic s: • CSC CPU[...]

  • Page 738

    32-28 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 32 Configurin g the ASA CSC Module Troubleshooting the CSC Module • Resetting the Password, page 3 2-29 • Reloading or Resetting the Modu le, page 32-30 • Shutting Do wn the Module, page 32-30 Note This section cov ers all ASA module types; follo w the steps appropriate for your[...]

  • Page 739

    32-29 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 32 Configuring the ASA CSC Module Troubleshooting the CSC Module Resetting the Password Y ou can reset the module password to the default. The def ault password is cisco. After resetting the password, you sho uld change it to a unique v alue using the module application. Resetting th[...]

  • Page 740

    32-30 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 32 Configurin g the ASA CSC Module Troubleshooting the CSC Module Reloading or Resetting the Module T o reload or reset the module, enter on e of the follo wing commands at the ASA CLI . Detailed Steps Shutting Down the Module If you restart the ASA, the module is not automati ca lly [...]

  • Page 741

    32-31 Cisco ASA Series Firewall ASDM Configur ation Guide Chapter 32 Configuring the ASA CSC Module Additional References Additional References For additi onal information r elated to implemen ting the CSC SSM, see the fo llo wing documents: Feature History for the CSC SSM T able 32-2 lists each feature change and the platform release in which it w[...]

  • Page 742

    32-32 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 32 Configurin g the ASA CSC Module Feature History for the CSC SSM CSC syslog format 8.3(1) CSC syslog format is consis tent with the AS A syslog format. Syslog message explanations ha ve been added to the Cisco Content Securit y and Contr ol SSM Administrator Guide . The source and d[...]

  • Page 743

    IN-1 Cisco ASA Series Firewall ASDM Configuration Guide INDEX A AAA accounting 8-17 authentication network access 8-2 proxy limit 8-11 authorization downloadable access lists 8-13 network access 8-12 performance 8-1 web clients 8-8 access lists downloadable 8-14 global access rules 7-2 implicit deny 7-3 inbound 7-3 outbound 7-3 overview 7-1 phone p[...]

  • Page 744

    Index IN-2 Cisco ASA Series Firewall ASDM Configuration Guide attacks DNS HINFO reques t 28-10 DNS request for all records 28-10 DNS zone transfer 28-10 DNS zone transfer from high port 28-10 fragmented ICMP traffic 28-9 IP fragment 28-7 IP impossib le packet 28-7 large ICMP traffic 28-9 ping of death 28-9 proxied RPC request 28-10 statd buffer ove[...]

  • Page 745

    Index IN-3 Cisco ASA Series Firewall ASDM Configuration Guide C call agents MGCP application insp ection 12-15, 12-16 CDUP command , denied request 11-24 certificate Cisco Unified Mobi lity 19-4 Cisco Unifi ed Presence 20-4 Cisco IP Communicator 17-10 Cisco IP Phones, application inspection 12-32 Cisco UMA. See Cisco Unified Mo bility. Cisco Unifie[...]

  • Page 746

    Index IN-4 Cisco ASA Series Firewall ASDM Configuration Guide password confi guratrion 32-17 specifying traffic for CSC Scanning 32-18 summary 32-19 traffic se lection for CSC Scan 32-17 CSC software updates monitoring 32-26 CSC SSM about 32-1 loading an image 30-26, 31-20, 31-22, 32-28 what to scan 32-3 CSC SSM feature hi story 32-31 CSC SSM GUI c[...]

  • Page 747

    Index IN-5 Cisco ASA Series Firewall ASDM Configuration Guide E EIGRP 7-6 EtherType access list compatibilty wi th extended access lists 7-2 implicit deny 7-3 F failover guidelines 32-6 Fibre Channel interfaces default settings 7-7 filtering rules 29-6 servers supported 29-2 URLs 29-1, 29-2 fragmented ICMP traffic at tack 28-9 Fragment panel 28-2 f[...]

  • Page 748

    Index IN-6 Cisco ASA Series Firewall ASDM Configuration Guide signatures 28-6 IP fragment attack 28-7 IP fragment database, displaying 28-2 IP fragment database, editing 28-3 IP impossib le packet att ack 28-7 IP overlapping fra gments attack 28-8 IP phone phone prox y provisioning 17-11 IP phones addressing requiremen ts for phone proxy 17-9 suppo[...]

  • Page 749

    Index IN-7 Cisco ASA Series Firewall ASDM Configuration Guide default polic y 1-7 feature directionality 1-3 features 1-1 flows 1-5 matching multiple policy maps 1-5 See also class map See also policy map MPLS LDP 7-7 router-id 7-7 TDP 7-7 multi-session PAT 4-19 N NAT about 3-1, 6-1 about (8.2 and earlier) 6-1 bidirection al initiation 3-2 bypassin[...]

  • Page 750

    Index IN-8 Cisco ASA Series Firewall ASDM Configuration Guide about (8.2 and earlier) 6-9 configuring (8.2 and earl ier) 6-27 network object NAT 4-12 twice NAT 5-18 static PAT about (8.2 and earlier) 6-9 static with port translation about 3-4 terminol ogy 3-2 transparent mode 3-13 transparent mode (8.2 and earlier) 6-3 twice extended PAT 5-4 flat r[...]

  • Page 751

    Index IN-9 Cisco ASA Series Firewall ASDM Configuration Guide policy map inspection 2-3 Layer 3/4 about 1-1 feature directionality 1-3 flows 1-5 policy NAT, about (8.2 and e arlier) 6-11 ports phone prox y 17-7 port translation about 3-4 prerequi sites for us e CSC SSM 32-5 presence_proxy_remotecert 16-15 priority qu eueing hierarchical policy wi t[...]

  • Page 752

    Index IN-10 Cisco ASA Series Firewall ASDM Configuration Guide maximum and minimum 28-4 shun duration 27-10 signatures attack and informational 28-6 SIP inspection about 12-21 configuring 12-20 instant messaging 12-22 SITE command, denied request 11-24 SMTP inspection 11-52 SNMP application inspection viewing 14-14 specifying traffic for CSC scanni[...]

  • Page 753

    Index IN-11 Cisco ASA Series Firewall ASDM Configuration Guide TCP Intercept 22-5 TCP normalization 22-5 unsupported features 22-5 TCP SYN+FIN flags attack 28-9 testing confi guration 24-1 threat detection basic drop types 27-2 enabling 27-4 overview 27-2 rate intervals 27-2 statistics, viewing 27-4 system pe rformance 27-2 scanning enabling 27-10 [...]

  • Page 754

    Index IN-12 Cisco ASA Series Firewall ASDM Configuration Guide virtual HTTP 8-3 virtual sensors 31-17 VoIP proxy servers 12-21 VPN client NAT rules 3-20 W web clients, secure authentication 8-8 Websense fi ltering serv er 29-3[...]