A Dcerpc Inspection Policy Map for Additional Inspection Control

To specify additional DCERPC inspection parameters, create a DCERPC inspection policy map. You can then apply the inspection policy map when you enable DCERPC inspection according to the Configuring Application Inspection section on page 25-5. To create a DCERPC inspection policy map, perform the following steps. To create a DCERPC inspection policy map, enter the following command: hostname(config)# policy-map type inspect dcerpc policy_map_name hostname(config-pmap)# where policy_map_name is the...

AAA Performance

The security appliance uses cut-through proxy to significantly improve performance compared to a traditional proxy server. The performance of a traditional proxy server suffers because it analyzes every packet at the application layer of the OSI model. The security appliance cut-through proxy challenges a user initially at the application layer and then authenticates against standard AAA servers or the local database. After the security appliance authenticates the user, it shifts the session...

AAA Server and Local Database Support

The security appliance supports a variety of AAA server types and a local database that is stored on the security appliance. This section describes support for each AAA server type and the local database. This section contains the following topics RADIUS Server Support, page 13-3 TACACS+ Server Support, page 13-4 SDI Server Support, page 13-4 NT Server Support, page 13-5 Kerberos Server Support, page 13-5 LDAP Server Support, page 13-6 SSO Support for WebVPN with HTTP Forms, page 13-9 Local...

About Authorization

Authorization controls access per user after users authenticate. You can configure the security appliance to authorize the following items Authorization controls the services and commands available to each authenticated user. Were you not to enable authorization, authentication alone would provide the same access to services for all authenticated users. If you need the control that authorization provides, you can configure a broad authentication rule, and then have a detailed authorization...

Access Control Entry Order

An access list is made up of one or more Access Control Entries. Depending on the access list type, you can specify the source and destination addresses, the protocol, the ports (for TCP or UDP), the ICMP type (for ICMP), or the EtherType. Each ACE that you enter for a given access list name is appended to the end of the access list. The order of ACEs is important. When the security appliance decides whether to forward or drop a packet, the security appliance tests the packet against each ACE...

Access Control Implicit Deny

Access lists have an implicit deny at the end of the list, so unless you explicitly permit it, traffic cannot pass. For example, if you want to allow all users to access a network through the security appliance except for particular addresses, then you need to deny the particular addresses and then permit all others. For EtherType access lists, the implicit deny at the end of the access list does not affect IP traffic or ARPs; for example, if you allow EtherType 8037, the implicit deny at the...

Access List Logging Overview

By default, when traffic is denied by an extended ACE or a Webtype ACE, the security appliance generates system message 106023 for each denied packet, in the following form: %ASA|PIX-4-106023: Deny protocol src dst interface_name:dest_address/dest_port [type {string}, code code] by access_group acl_id If the security appliance is attacked, the number of system messages for denied packets can be very large. We recommend that you instead enable logging using system message 106100, which provides...

Access List Types

Table 16-1 lists the types of access lists and some common uses for them. Table 16-1 Access List Types and Common Uses Control network access for IP traffic (routed and transparent mode) The security appliance does not allow any traffic from a lower security interface to a higher security interface unless it is explicitly permitted by an extended access list. Note To access the security appliance interface for management access, you do not also need...

ActiveX Filtering Overview

ActiveX objects may pose security risks because they can contain code intended to attack hosts and servers on a protected network. You can disable ActiveX objects with ActiveX filtering. ActiveX controls, formerly known as OLE or OCX controls, are components you can insert in a web page or other application. These controls include custom forms, calendars, or any of the extensive third-party forms for gathering or displaying information. As a technology, ActiveX creates many potential problems...

Adding a Network Object Group

To add or change a network object group, follow these steps. After you add the group, you can add more objects as required by following this procedure again for the same group name and specifying additional objects. You do not need to reenter existing objects; the commands you already set remain in place unless you remove them with the no form of the command. Note A network object group supports IPv4 and IPv6 addresses, depending on the type of access list. For more information about IPv6 access...

Adding a Protocol Object Group

To add or change a protocol object group, follow these steps. After you add the group, you can add more objects as required by following this procedure again for the same group name and specifying additional objects. You do not need to reenter existing objects; the commands you already set remain in place unless you remove them with the no form of the command. To add a protocol group, follow these steps. To add a protocol group, enter the following command: hostname(config)# object-group protocol...

Adding a Service Object Group

To add or change a service object group, follow these steps. After you add the group, you can add more objects as required by following this procedure again for the same group name and specifying additional objects. You do not need to reenter existing objects; the commands you already set remain in place unless you remove them with the no form of the command. To add a service group, follow these...

Adding a Standard Access List

Standard access lists identify the destination IP addresses of OSPF routes, and can be used in a route map for OSPF redistribution. Standard access lists cannot be applied to interfaces to control traffic. The following command adds a standard ACE. To add another ACE at the end of the access list, enter another access-list command specifying the same access list name. Apply the access list using the Defining Route Maps section on page 9-7. To...

Adding a Static ARP Entry

ARP inspection compares ARP packets with static ARP entries in the ARP table. Although hosts identify a packet destination by an IP address, the actual delivery of the packet on Ethernet relies on the Ethernet MAC address. When a router or host wants to deliver a packet on a directly connected network, it sends an ARP request asking for the MAC address associated with the IP address, and then delivers the packet to the MAC address according to the ARP response. The host or router keeps an ARP...

Adding a Static MAC Address

Normally, MAC addresses are added to the MAC address table dynamically as traffic from a particular MAC address enters an interface. You can add static MAC addresses to the MAC address table if desired. One benefit to adding static entries is to guard against MAC spoofing. If a client with the same MAC address as a static entry attempts to send traffic to an interface that does not match the static entry, then the security appliance drops the traffic and generates a system message. When you add...

Adding a Time Range

To add a time range to implement a time-based access list, perform the following steps Step 1 Identify the time-range name by entering the following command Step 2 Specify the time range as either a recurring time range or an absolute time range. Multiple periodic entries are allowed per time-range command. If a time-range command has both absolute and periodic values specified, then the periodic commands are evaluated only after the absolute start time is reached, and are not further evaluated...

Adding an EtherType ACE

To add an EtherType ACE, enter the following command: hostname(config)# access-list access_list_name ethertype {permit | deny} {ipx | bpdu | mpls-unicast | mpls-multicast | any | hex_number} The hex_number is any EtherType that can be identified by a 16-bit hexadecimal number greater than or equal to 0x600. See RFC 1700, Assigned Numbers, at http://www.ietf.org/rfc/rfc1700.txt for a list of EtherTypes. Note If an EtherType access list is configured to deny all, all Ethernet frames are discarded. Only physical...

Adding an Extended ACE

When you enter the access-list command for a given access list name, the ACE is added to the end of the access list unless you specify the line number. To add an ACE, enter the following command: hostname(config)# access-list access_list_name [line line_number] extended {deny | permit} protocol source_address mask [operator port] dest_address mask [operator port | icmp_type] [inactive] Tip Enter the access list name in upper case letters so the name is easy to see in the configuration. You might want to name...

Adding an ICMP Type Object Group

To add or change an ICMP type object group, follow these steps. After you add the group, you can add more objects as required by following this procedure again for the same group name and specifying additional objects. You do not need to reenter existing objects; the commands you already set remain in place unless you remove them with the no form of the command. To add an ICMP type group, follow these steps. Step 1 To add an ICMP type group, enter the following command: hostname(config)#...

Adding and Managing Security Contexts

This chapter describes how to configure multiple security contexts on the security appliance, and includes the following sections Configuring Resource Management, page 6-1 Configuring a Security Context, page 6-7 Automatically Assigning MAC Addresses to Context Interfaces, page 6-11 Changing Between Contexts and the System Execution Space, page 6-11 Managing Security Contexts, page 6-12 For information about how contexts work and how to enable multiple context mode, see Chapter 3, Enabling...

Adding Remarks to Access Lists

You can include remarks about entries in any access list, including extended, EtherType, and standard access lists. The remarks make the access list easier to understand. To add a remark after the last access-list command you entered, enter the following command: hostname(config)# access-list access_list_name remark text If you enter the remark before any access-list command, then the remark is the first line in the access list. If you delete an access list using the no access-list...

Admin Context Configuration

The admin context is just like any other context, except that when a user logs in to the admin context, then that user has system administrator rights and can access the system and all other contexts. The admin context is not restricted in any way, and can be used as a regular context. However, because logging into the admin context grants you administrator privileges over all contexts, you might need to restrict access to the admin context to appropriate users. The admin context must reside on...

Alerting Peers Before Disconnecting

Remote access or LAN-to-LAN sessions can drop for several reasons, such as a security appliance shutdown or reboot, session idle timeout, maximum connection time exceeded, or administrator cut-off. The security appliance can notify qualified peers (in LAN-to-LAN configurations), Cisco VPN clients and VPN 3002 hardware clients of sessions that are about to be disconnected. The peer or client receiving the alert decodes the reason and displays it in the event log or in a pop-up pane. This feature...

Allowed MAC Addresses

The following destination MAC addresses are allowed through the transparent firewall. Any MAC address not on this list is dropped. TRUE broadcast destination MAC address equal to FFFF.FFFF.FFFF IPv4 multicast MAC addresses from 0100.5E00.0000 to 0100.5EFE.FFFF IPv6 multicast MAC addresses from 3333.0000.0000 to 3333.FFFF.FFFF BPDU multicast address equal to 0100.0CCC.CCCD Appletalk multicast MAC addresses from 0900.0700.0000 to 0900.07FF.FFFF

Allowing Broadcast and Multicast Traffic through the Transparent Firewall

In routed firewall mode, broadcast and multicast traffic is blocked even if you allow it in an access list, including unsupported dynamic routing protocols and DHCP (unless you configure DHCP relay). Transparent firewall mode can allow any IP traffic through. This feature is especially useful in multiple context mode, which does not allow dynamic routing, for example. Note Because these special types of traffic are connectionless, you need to apply an extended access list to both interfaces,...

Allowing Communication Between Interfaces on the Same Security Level

By default, interfaces on the same security level cannot communicate with each other. Allowing communication between same security interfaces provides the following benefits You can configure more than 101 communicating interfaces. If you use different levels for each interface and do not assign any interfaces to the same security level, you can configure only one interface per level (0 to 100). You want traffic to flow freely between all same security interfaces without access lists. Note If...

Allowing Communication Between VLAN Interfaces on the Same Security Level

By default, interfaces on the same security level cannot communicate with each other. Allowing communication between same security interfaces lets traffic flow freely between all same security interfaces without access lists. Note If you enable NAT control, you do not need to configure NAT between same security level interfaces. See the NAT and Same Security Level Interfaces section on page 17-12 for more information on NAT and same security level interfaces. If you enable same security...

Allowing MPLS

If you allow MPLS, ensure that Label Distribution Protocol and Tag Distribution Protocol TCP connections are established through the security appliance by configuring both MPLS routers connected to the security appliance to use the IP address on the security appliance interface as the router-id for LDP or TDP sessions. (LDP and TDP allow MPLS routers to negotiate the labels (addresses) used to forward packets.) On Cisco IOS routers, enter the appropriate command for your protocol, LDP or TDP....

An Outside User Visits a Web Server on the Inside Network

Figure 15-10 shows an outside user accessing the inside web server. The following steps describe how data moves through the security appliance (see Figure 15-10) 1. A user on the outside network requests a web page from the inside web server. 2. The security appliance receives the packet and adds the source MAC address to the MAC address table, if required. Because it is a new session, it verifies that the packet is allowed according to the terms of the security policy (access lists, filters,...

An Inside User Visits a Web Server

Figure 15-2 shows an inside user accessing an outside web server. Figure 15-2 Inside to Outside The following steps describe how data moves through the security appliance (see Figure 15-2) 1. The user on the inside network requests a web page from www.example.com. 2. The security appliance receives the packet and because it is a new session, the security appliance verifies that the packet is allowed...

An Inside User Visits a Web Server on the DMZ

Figure 15-4 shows an inside user accessing the DMZ web server. The following steps describe how data moves through the security appliance (see Figure 15-4) 1. A user on the inside network requests a web page from the DMZ web server using the destination address of 10.1.1.3. 2. The security appliance receives the packet and because it is a new session, the security appliance verifies that the packet is allowed according to the terms of the security policy (access lists, filters, AAA). For...

An Outside User Visits a Web Server on the DMZ

Figure 15-3 shows an outside user accessing the DMZ web server. The following steps describe how data moves through the security appliance (see Figure 15-3) 1. A user on the outside network requests a web page from the DMZ web server using the global destination address of 209.165.201.3, which is on the outside interface subnet. 2. The security appliance receives the packet and because it is a new session, the security appliance...

Applying AAA for Network Access

This chapter describes how to enable AAA (pronounced triple A) for network access. For information about AAA for management access, see the Configuring AAA for System Administrators section on page 40-5. This chapter contains the following sections Configuring Authentication for Network Access, page 19-1 Configuring Authorization for Network Access, page 19-6 Configuring Accounting for Network Access, page 19-13 Using MAC Addresses to Exempt Traffic from Authentication and Authorization, page...

Applying AAA for Network Access 19-1

Cisco Security Appliance Command Line Configuration Guide Enabling Secure Authentication of Web Clients 19-5 Authenticating Directly with the Security Appliance 19-6 Enabling Direct Authentication Using HTTP and HTTPS 19-6 Enabling Direct Authentication Using Telnet 19-6 Configuring Authorization for Network Access 19-6 Configuring TACACS+ Authorization 19-7 Configuring RADIUS Authorization 19-8 Configuring a RADIUS Server to Send...

Applying Actions to an Interface Service Policy

To activate the Layer 3/4 policy map, create a service policy that applies it to one or more interfaces or that applies it globally to all interfaces. Interface service policies take precedence over the global service policy for a given feature. For example, if you have a global policy with inspections, and an interface policy with TCP normalization, then both inspections and TCP normalization are applied to the interface. However, if you have a global policy with inspections, and an interface...

Applying an Access List to an Interface

To apply an extended access list to the inbound or outbound direction of an interface, enter the following command: hostname(config)# access-group access_list_name {in | out} interface interface_name [per-user-override] You can apply one access list of each type (extended and EtherType) to both directions of the interface. See the Inbound and Outbound Access List Overview section on page 18-1 for more information about access list directions. The per-user-override keyword allows dynamic access lists...

Applying Connection Limits and TCP Normalization

You can limit TCP and UDP connections and embryonic connections. Limiting the number of connections and embryonic connections protects you from a DoS attack. The security appliance uses the embryonic limit to trigger TCP Intercept, which protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination. TCP normalization is a feature...

Applying Crypto Maps to Interfaces

You must assign a crypto map set to each interface through which IPSec traffic flows. The security appliance supports IPSec on all interfaces. Assigning the crypto map set to an interface instructs the security appliance to evaluate all the traffic against the crypto map set and to use the specified policy during connection or SA negotiation. Assigning a crypto map to an interface also initializes run-time data structures, such as the SA database and the security policy database. Reassigning a...

Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers

In this example (see Figure 21-3), any HTTP connection destined for Server A (TCP traffic on port 80) that enters the security appliance through the outside interface is classified for HTTP inspection and maximum connection limits. Connections initiated from Server A to Host A do not match the access list in the class map, so they are not affected. Any HTTP connection destined for Server B that enters the security appliance through the inside interface is classified for HTTP inspection....

Applying Inspection and QoS Policing to HTTP Traffic

In this example (see Figure 21-1), any HTTP connection (TCP traffic on port 80) that enters or exits the security appliance through the outside interface is classified for HTTP inspection. Any HTTP traffic that exits the outside interface is classified for policing. See the following commands for this example: hostname(config)# class-map http_traffic hostname(config-cmap)# match port tcp eq 80 hostname(config)# policy-map http_traffic_policy hostname(config-pmap)# class http_traffic...

Applying Inspection to HTTP Traffic Globally

In this example (see Figure 21-2), any HTTP connection (TCP traffic on port 80) that enters the security appliance through any interface is classified for HTTP inspection. Because the policy is a global policy, inspection occurs only as the traffic enters each interface. See the following commands for this example: hostname(config)# class-map http_traffic hostname(config-cmap)# match port tcp eq 80 hostname(config)# policy-map http_traffic_policy hostname(config-pmap)# class http_traffic...

Applying Inspection to HTTP Traffic with NAT

In this example, the host on the inside network has two addresses: one is the real IP address 192.168.1.1, and the other is a mapped IP address used on the outside network, 209.165.200.225. Because the policy is applied to the inside interface, where the real address is used, you must use the real IP address in the access list in the class map. If you applied it to the outside interface, you would use the mapped address. (Figure: Real IP 192.168.1.1, Mapped IP 209.165.200.225.) See the following...

Applying NAT

This chapter describes Network Address Translation (NAT). In routed firewall mode, the security appliance can perform NAT between each network. Note In transparent firewall mode, the security appliance does not support NAT. This chapter contains the following sections Configuring NAT Control, page 17-15 Using Dynamic NAT and PAT, page 17-16 Using Static NAT, page 17-25 Using Static PAT, page 17-26 This section describes how NAT works on the security appliance, and includes the following topics...

Applying the Time Range to an ACE

To apply the time range to an ACE, use the following command: hostname(config)# access-list access_list_name extended {deny | permit} time-range name See the Adding an Extended Access List section on page 16-5 for complete access-list command syntax. Note If you also enable logging for the ACE, use the log keyword before the time-range keyword. If you disable the ACE using the inactive keyword, use the inactive keyword as the last keyword. The following example binds an access list named Sales to a...

ARP Inspection Overview

By default, all ARP packets are allowed through the security appliance. You can control the flow of ARP packets by enabling ARP inspection. When you enable ARP inspection, the security appliance compares the MAC address, IP address, and source interface in all ARP packets to static entries in the ARP table, and takes the following actions If the IP address, MAC address, and source interface match an ARP entry, the packet is passed through. If there is a mismatch between the MAC address, the IP...

ASA 5505 Default Configuration

The default factory configuration for the ASA 5505 adaptive security appliance configures the following: An inside VLAN 1 interface that includes the Ethernet 0/1 through 0/7 switch ports. If you did not set the IP address in the configure factory-default command, then the VLAN 1 IP address and mask are 192.168.1.1 and 255.255.255.0. An outside VLAN 2 interface that includes the Ethernet 0/0 switch port. VLAN 2 derives its IP address using DHCP. The default route is also derived from DHCP. All...

ASA 5510 and Higher Default Configuration

The default factory configuration for the ASA 5510 and higher adaptive security appliance configures the following: The management interface, Management 0/0. If you did not set the IP address in the configure factory-default command, then the IP address and mask are 192.168.1.1 and 255.255.255.0. The DHCP server is enabled on the security appliance, so a PC connecting to the interface receives an address between 192.168.1.2 and 192.168.1.254. The HTTP server is enabled for ASDM and is accessible...

Authenticating Directly with the Security Appliance

If you do not want to allow HTTP, HTTPS, Telnet, or FTP through the security appliance but want to authenticate other types of traffic, you can authenticate with the security appliance directly using HTTP, HTTPS, or Telnet. This section includes the following topics Enabling Direct Authentication Using HTTP and HTTPS, page 19-6 Enabling Direct Authentication Using Telnet, page 19-6 Enabling Direct Authentication Using HTTP and HTTPS If you enabled the redirect method of HTTP and HTTPS...

Authentication Overview

The security appliance lets you configure network access authentication using AAA servers. This section includes the following topics One-Time Authentication, page 19-2 Applications Required to Receive an Authentication Challenge, page 19-2 Security Appliance Authentication Prompts, page 19-2 Static PAT and HTTP, page 19-3 Enabling Network Access Authentication, page 19-3 A user at a given IP address only needs to authenticate one time for all rules and types, until the authentication session...

Authentication with LDAP

During authentication, the security appliance acts as a client proxy to the LDAP server for the user, and authenticates to the LDAP server in either plain text or using the Simple Authentication and Security Layer (SASL) protocol. By default, the security appliance passes authentication parameters, usually a username and password, to the LDAP server in plain text. Whether using SASL or plain text, you can secure the communications between the security appliance and the LDAP server with SSL...

Authorization with LDAP for VPN

When user LDAP authentication for VPN access has succeeded, the security appliance queries the LDAP server which returns LDAP attributes. These attributes generally include authorization data that applies to the VPN session. Thus, using LDAP accomplishes authentication and authorization in a single step. There may be cases, however, where you require authorization from an LDAP directory server that is separate and distinct from the authentication mechanism. For example, if you use an SDI or...

Automatically Assigning MAC Addresses to Context Interfaces

To allow contexts to share interfaces, we suggest that you assign unique MAC addresses to each context interface. The MAC address is used to classify packets within a context. If you share an interface, but do not have unique MAC addresses for the interface in each context, then the destination IP address is used to classify packets. The destination address is matched with the context NAT configuration, and this method has some limitations compared to the MAC address method. See the How the...

Blocking Unwanted Connections

If you know that a host is attempting to attack your network (for example, system log messages show an attack), then you can block (or shun) connections based on the source IP address and other identifying parameters. No new connections can be made until you remove the shun. Note If you have an IPS that monitors traffic, such as an AIP SSM, then the IPS can shun connections automatically. To shun a connection manually, perform the following steps Step 1 If necessary, view information about the...

Buffering the Content Server Response

When a user issues a request to connect to a content server, the security appliance sends the request to the content server and to the filtering server at the same time. If the filtering server does not respond before the content server, the server response is dropped. This delays the web server response from the point of view of the web client because the client must reissue the request. By enabling the HTTP response buffer, replies from web content servers are buffered and the responses are...

Bypassing NAT

This section describes how to bypass NAT. You might want to bypass NAT when you enable NAT control. You can bypass NAT using identity NAT, static identity NAT, or NAT exemption. See the Bypassing NAT When NAT Control is Enabled section on page 17-9 for more information about these methods. This section includes the following topics Configuring Identity NAT, page 17-29 Configuring Static Identity NAT, page 17-29 Configuring NAT Exemption, page 17-31

Bypassing NAT When NAT Control is Enabled

If you enable NAT control, then inside hosts must match a NAT rule when accessing outside hosts. If you do not want to perform NAT for some hosts, then you can bypass NAT for those hosts (alternatively, you can disable NAT control). You might want to bypass NAT, for example, if you are using an application that does not support NAT (see the When to Use Application Protocol Inspection section on page 25-2 for information about inspection engines that do not support NAT). You can configure...

Caching Server Addresses

After a user accesses a site, the filtering server can allow the security appliance to cache the server address for a certain amount of time, as long as every site hosted at the address is in a category that is permitted at all times. Then, when the user accesses the server again, or if another user accesses the server, the security appliance does not need to consult the filtering server again. Note Requests for cached IP addresses are not passed to the filtering server and are not logged. As a...

Cascading Security Contexts

Placing a context directly in front of another context is called cascading contexts; the outside interface of one context is the same interface as the inside interface of another context. You might want to cascade contexts if you want to simplify the configuration of some contexts by configuring shared parameters in the top context. Cascading contexts requires that you configure unique MAC addresses for each context interface. Because of the limitations of classifying packets on shared...

Changing Between Contexts and the System Execution Space

If you log in to the system execution space (or the admin context using Telnet or SSH), you can change between contexts and perform configuration and monitoring tasks within each context. The running configuration that you edit in a configuration mode, or that is used in the copy or write commands, depends on your location. When you are in the system execution space, the running configuration consists only of the system configuration; when you are in a context, the running configuration consists...

Changing IPSec SA Lifetimes

You can change the global lifetime values that the security appliance uses when negotiating new IPSec SAs. You can override these global lifetime values for a particular crypto map. IPSec SAs use a derived, shared, secret key. The key is an integral part of the SA; they time out together to require the key to refresh. Each SA has two lifetimes: timed and traffic-volume. An SA expires after the respective lifetime and negotiations begin for a new one. The default lifetimes are 28,800 seconds...

Changing the Admin Context

The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the contexts from the server), it uses one of the contexts that is designated as the admin context. The admin context is just like any other context, except that when a user logs in to the admin context, that user has system administrator rights and can access the system and all other contexts. The admin context is...

Changing the Security Context URL

You cannot change the security context URL without reloading the configuration from the new URL. The security appliance merges the new configuration with the current running configuration. Reentering the same URL also merges the saved configuration with the running configuration. A merge adds any new commands from the new configuration to the running configuration. If the configurations are the same, no changes occur. If commands conflict or if commands affect the running of the context, then...

Chapter 10 Configuring DHCP, DDNS, and WCCP Services 10-1

Using Cisco IP Phones with a DHCP Server 10-4 Configuring DHCP Relay Services 10-5 Example 1 Client Updates Both A and PTR RRs for Static IP Addresses 10-7 Example 2 Client Updates Both A and PTR RRs DHCP Server Honors Client Update Request FQDN Provided Through Configuration 10-7 Example 3 Client Includes FQDN Option Instructing Server Not to Update Either RR Server Overrides Client and Updates Both RRs. 10-8 Example 4 Client Asks Server To Perform Both Updates Server Configured to Update PTR...

Chapter 11 Configuring Multicast Routing 11-13

Multicast Routing Overview 11-13 Enabling Multicast Routing 11-14 Disabling IGMP on an Interface 11-15 Configuring Group Membership 11-15 Configuring a Statically Joined Group 11-15 Controlling Access to Multicast Groups 11-15 Limiting the Number of IGMP States on an Interface 11-16 Modifying the Query Interval and Query Timeout 11-16 Changing the Query Response Time 11-17 Changing the IGMP Version 11-17 Configuring Stub Multicast Routing 11-17 Configuring a Static Multicast Route 11-17...

Chapter 13 Configuring AAA Servers and the Local Database 13-1

About Authentication 13-1 About Authorization 13-2 About Accounting 13-2 AAA Server and Local Database Support 13-2 Summary of Support 13-3 RADIUS Server Support 13-3 Authentication Methods 13-4 Attribute Support 13-4 RADIUS Authorization Functions 13-4 TACACS+ Server Support 13-4 SDI Server Support 13-4 SDI Version Support 13-5 Two-step Authentication Process 13-5 SDI Primary and Replica Servers 13-5 NT Server Support 13-5 Kerberos Server Support 13-5 LDAP Server Support 13-6 Authentication...

Chapter 14 Configuring Failover 14-1

Failover System Requirements 14-2 Hardware Requirements 14-2 Software Requirements 14-2 License Requirements 14-2 The Failover and Stateful Failover Links 14-3 Failover Link 14-3 Stateful Failover Link 14-5 Active Active and Active Standby Failover 14-6 Active Standby Failover 14-6 Active Active Failover 14-9 Determining Which Type of Failover to Use 14-14 Regular and Stateful Failover 14-15 Regular Failover 14-15 Stateful Failover 14-15 Failover Health Monitoring 14-16 Unit Health Monitoring...

Chapter 15 Firewall Mode Overview 15-1

Routed Mode Overview 15-1 IP Routing Support 15-1 Network Address Translation 15-2 How Data Moves Through the Security Appliance in Routed Firewall Mode 15-3 An Inside User Visits a Web Server 15-3 An Outside User Visits a Web Server on the DMZ 15-4 An Inside User Visits a Web Server on the DMZ 15-6 An Outside User Attempts to Access an Inside Host 15-7 A DMZ User Attempts to Access an Inside Host 15-8 Transparent Mode Overview 15-8 Transparent Firewall Network 15-9 Allowing Layer 3 Traffic...

Chapter 16 Identifying Traffic with Access Lists 16-1

Access List Overview 16-1 Access List Types 16-2 Access Control Entry Order 16-2 Access Control Implicit Deny 16-3 IP Addresses Used for Access Lists When You Use NAT 16-3 Adding an Extended Access List 16-5 Extended Access List Overview 16-5 Allowing Broadcast and Multicast Traffic through the Transparent Firewall 16-6 Adding an Extended ACE 16-6 Adding an EtherType Access List 16-8 EtherType Access List Overview 16-8 Supported EtherTypes 16-8 Implicit Permit of IP and ARPs Only 16-9 Implicit...

Chapter 17 Applying NAT 17-1

Introduction to NAT 17-2 NAT Control 17-3 NAT Types 17-5 Dynamic NAT 17-5 PAT 17-7 Static NAT 17-7 Static PAT 17-8 Bypassing NAT When NAT Control is Enabled 17-9 Policy NAT 17-9 NAT and Same Security Level Interfaces 17-12 Order of NAT Commands Used to Match Real Addresses 17-13 Mapped Address Guidelines 17-13 DNS and NAT 17-14 Configuring NAT Control 17-15 Using Dynamic NAT and PAT 17-16 Dynamic NAT and PAT Implementation 17-16 Configuring Dynamic NAT or PAT 17-22 Using Static NAT 17-25 Using...

Chapter 1 Introduction to the Security Appliance

Firewall Functional Overview 1-1 Security Policy Overview 1-2 Permitting or Denying Traffic with Access Lists 1-2 Applying HTTP, HTTPS, or FTP Filtering 1-3 Sending Traffic to the Advanced Inspection and Prevention Security Services Module 1-3 Sending Traffic to the Content Security and Control Security Services Module 1-3 Applying QoS Policies 1-3 Applying Connection Limits and TCP Normalization 1-3 Firewall Mode Overview 1-3 Stateful Inspection Overview 1-4 VPN Functional Overview 1-5...

Chapter 20 Applying Filtering Services 20-1

Filtering Overview 20-1 Filtering ActiveX Objects 20-2 ActiveX Filtering Overview 20-2 Enabling ActiveX Filtering 20-2 Filtering Java Applets 20-3 Filtering URLs and FTP Requests with an External Server 20-4 URL Filtering Overview 20-4 Identifying the Filtering Server 20-4 Buffering the Content Server Response 20-6 Caching Server Addresses 20-6 Filtering HTTP URLs 20-7 Configuring HTTP Filtering 20-7 Enabling Filtering of Long HTTP URLs 20-7 Truncating Long HTTP URLs 20-7 Exempting Traffic from...

Chapter 21 Using Modular Policy Framework 21-1

Modular Policy Framework Overview 21-1 Modular Policy Framework Features 21-1 Modular Policy Framework Configuration Overview 21-2 Default Global Policy 21-3 Identifying Traffic (Layer 3 4 Class Map) 21-4 Default Class Maps 21-4 Creating a Layer 3 4 Class Map for Through Traffic 21-5 Creating a Layer 3 4 Class Map for Management Traffic 21-7 Configuring Special Actions for Application Inspections (Inspection Policy Map) 21-7 Inspection Policy Map Overview 21-8 Defining Actions in an Inspection...

Chapter 23 Preventing Network Attacks 23-1

Configuring TCP Normalization 23-1 TCP Normalization Overview 23-1 Enabling the TCP Normalizer 23-2 Configuring Connection Limits and Timeouts 23-6 Connection Limit Overview 23-7 TCP Intercept Overview 23-7 Disabling TCP Intercept for Management Packets for Clientless SSL Compatibility 23-7 Dead Connection Detection (DCD) Overview 23-7 TCP Sequence Randomization Overview 23-8 Enabling Connection Limits and Timeouts 23-8 Preventing IP Spoofing 23-10 Configuring the Fragment Size 23-11 Blocking...

Chapter 24 Configuring QoS 24-1

Supported QoS Features 24-2 What is a Token Bucket 24-2 Policing Overview 24-3 Priority Queueing Overview 24-3 Traffic Shaping Overview 24-4 How QoS Features Interact 24-4 DSCP and DiffServ Preservation 24-5 Creating the Standard Priority Queue for an Interface 24-5 Identifying Traffic for QoS Using Class Maps 24-6 Creating a QoS Class Map 24-6 QoS Class Map Examples 24-7 Creating a Policy for Standard Priority Queueing and or Policing 24-8 Creating a Policy for Traffic Shaping and Hierarchical...

Chapter 25 Configuring Application Layer Protocol Inspection 25-1

When to Use Application Protocol Inspection 25-2 Inspection Limitations 25-2 Default Inspection Policy 25-3 Configuring Application Inspection 25-5 CTIQBE Inspection 25-9 CTIQBE Inspection Overview 25-9 Limitations and Restrictions 25-10 Verifying and Monitoring CTIQBE Inspection 25-10 DCERPC Inspection 25-11 DCERPC Overview 25-11 Configuring a DCERPC Inspection Policy Map for Additional Inspection Control 25-12 DNS Inspection 25-13 How DNS Application Inspection Works 25-13 How DNS Rewrite...

Chapter 27 Configuring IPSec and ISAKMP 27-1

Tunneling Overview 27-1 IPSec Overview 27-2 Configuring ISAKMP 27-2 ISAKMP Overview 27-2 Configuring ISAKMP Policies 27-5 Enabling ISAKMP on the Outside Interface 27-6 Disabling ISAKMP in Aggressive Mode 27-6 Determining an ID Method for ISAKMP Peers 27-6 Enabling IPSec over NAT-T 27-7 Using NAT-T 27-7 Enabling IPSec over TCP 27-8 Waiting for Active Sessions to Terminate Before Rebooting 27-9 Alerting Peers Before Disconnecting 27-9 Configuring Certificate Group Matching 27-9 Creating a...

Setting General IPSec VPN Parameters 29-1

Configuring VPNs in Single, Routed Mode 29-1 Configuring IPSec to Bypass ACLs 29-1 Permitting Intra-Interface Traffic 29-2 NAT Considerations for Intra-Interface Traffic 29-3 Setting Maximum Active IPSec VPN Sessions 29-3 Using Client Update to Ensure Acceptable Client Revision Levels 29-3 Understanding Load Balancing 29-5 Implementing Load Balancing 29-6 Prerequisites 29-6 Eligible Platforms 29-7 Eligible Clients 29-7 VPN Load-Balancing Cluster Configurations 29-7 Some Typical Mixed Cluster...

Chapter 2 Getting Started

Getting Started with Your Platform Model 2-1 Factory Default Configurations 2-1 Restoring the Factory Default Configuration 2-2 ASA 5505 Default Configuration 2-2 ASA 5510 and Higher Default Configuration 2-3 PIX 515 515E Default Configuration 2-4 Accessing the Command-Line Interface 2-4 Setting Transparent or Routed Firewall Mode 2-5 Working with the Configuration 2-6 Saving Configuration Changes 2-6 Saving Configuration Changes in Single Context Mode 2-7 Saving Configuration Changes in...

Chapter 30 Configuring Tunnel Groups, Group Policies, and Users 30-1

Overview of Tunnel Groups, Group Policies, and Users 30-1 Tunnel Groups 30-2 General Tunnel-Group Connection Parameters 30-2 IPSec Tunnel-Group Connection Parameters 30-3 WebVPN Tunnel-Group Connection Parameters 30-4 Configuring Tunnel Groups 30-5 Default IPSec Remote Access Tunnel Group Configuration 30-5 Configuring IPSec Tunnel-Group General Attributes 30-6 Configuring IPSec Remote-Access Tunnel Groups 30-6 Specifying a Name and Type for the IPSec Remote Access Tunnel Group 30-6 Configuring...

Chapter 33 Configuring Network Admission Control 33-1

Uses, Requirements, and Limitations 33-1 Configuring Basic Settings 33-1 Specifying the Access Control Server Group 33-2 Enabling NAC 33-2 Configuring the Default ACL for NAC 33-3 Configuring Exemptions from NAC 33-4 Changing Advanced Settings 33-5 Changing Clientless Authentication Settings 33-5 Enabling and Disabling Clientless Authentication 33-5 Changing the Login Credentials Used for Clientless Authentication 33-6 Configuring NAC Session Attributes 33-7 Setting the...

Chapter 34 Configuring Easy VPN Services on the ASA 5505 34-1

Specifying the Client Server Role of the Cisco ASA 5505 34-1 Specifying the Primary and Secondary Servers 34-2 Specifying the Mode 34-3 NEM with Multiple Interfaces 34-3 Configuring Automatic Xauth Authentication 34-4 Configuring IPSec Over TCP 34-4 Comparing Tunneling Options 34-5 Specifying the Tunnel Group or Trustpoint 34-6 Specifying the Tunnel Group 34-6 Specifying the Trustpoint 34-7 Configuring Split Tunneling 34-7 Configuring Device Pass-Through 34-8 Configuring Remote Management 34-8...

Chapter 37 Configuring WebVPN 37-1

Observing WebVPN Security Precautions 37-2 Understanding Features Not Supported for WebVPN 37-2 Using SSL to Access the Central Site 37-3 Using HTTPS for WebVPN Sessions 37-3 Configuring WebVPN and ASDM on the Same Interface 37-3 Setting WebVPN HTTP HTTPS Proxy 37-4 Configuring SSL TLS Encryption Protocols 37-4 Authenticating with Digital Certificates 37-5 Enabling Cookies on Browsers for WebVPN 37-5 Managing Passwords 37-5 Using Single Sign-on with WebVPN 37-6 Configuring SSO with HTTP Basic...

Chapter 39 Configuring Certificates 39-1

About Public Key Cryptography 39-1 Certificate Scalability 39-2 About Key Pairs 39-2 About Trustpoints 39-3 About Revocation Checking 39-3 About CRLs 39-3 About OCSP 39-4 Supported CA Servers 39-5 Certificate Configuration 39-5 Preparing for Certificates 39-5 Configuring Key Pairs 39-6 Generating Key Pairs 39-6 Removing Key Pairs 39-7 Configuring Trustpoints 39-7 Obtaining Certificates 39-9 Obtaining Certificates with SCEP 39-9 Obtaining Certificates Manually 39-11 Configuring CRLs for a...

Chapter 3 Enabling Multiple Context Mode

Common Uses for Security Contexts 3-1 Unsupported Features 3-2 Context Configuration Files 3-2 Context Configurations 3-2 System Configuration 3-2 Admin Context Configuration 3-2 How the Security Appliance Classifies Packets 3-3 Valid Classifier Criteria 3-3 Invalid Classifier Criteria 3-4 Classification Examples 3-5 Cascading Security Contexts 3-8 Management Access to Security Contexts 3-9 System Administrator Access 3-9 Context Administrator Access 3-10 Enabling or Disabling Multiple Context...

Chapter 40 Managing System Access 40-1

Allowing Telnet Access 40-1 Allowing SSH Access 40-2 Using an SSH Client 40-3 Allowing HTTPS Access for ASDM 40-3 Configuring ASDM and WebVPN on the Same Interface 40-4 Configuring AAA for System Administrators 40-5 Configuring Authentication for CLI Access 40-5 Configuring Authentication To Access Privileged EXEC Mode 40-6 Configuring Authentication for the Enable Command 40-6 Authenticating Users Using the Login Command 40-6 Configuring Command Authorization 40-7 Command Authorization...

Chapter 41 Managing Software Licenses and Configurations 41-1

Obtaining an Activation Key 41-1 Entering a New Activation Key 41-2 Viewing Files in Flash Memory 41-2 Downloading Software or Configuration Files to Flash Memory 41-3 Downloading a File to a Specific Location 41-3 Downloading a File to the Startup or Running Configuration 41-4 Configuring the Application Image and ASDM Image to Boot 41-5 Configuring the File to Boot as the Startup Configuration 41-5 Performing Zero Downtime Upgrades for Failover Pairs 41-6 Upgrading an Active Standby Failover...

Chapter 42 Monitoring the Security Appliance 42-1

SNMP Overview 42-1 Enabling SNMP 42-3 Configuring and Managing Logs 42-5 Logging Overview 42-5 Logging in Multiple Context Mode 42-5 Enabling and Disabling Logging 42-6 Enabling Logging to All Configured Output Destinations 42-6 Disabling Logging to All Configured Output Destinations 42-6 Viewing the Log Configuration 42-6 Configuring Log Output Destinations 42-7 Sending System Log Messages to a Syslog Server 42-7 Sending System Log Messages to the Console Port 42-8 Sending System Log Messages...

Chapter 43 Troubleshooting the Security Appliance 43-1

Enabling ICMP Debug Messages and System Messages 43-1 Pinging Security Appliance Interfaces 43-2 Pinging Through the Security Appliance 43-4 Disabling the Test Configuration 43-5 Traceroute 43-6 Packet Tracer 43-6 Reloading the Security Appliance 43-6 Performing Password Recovery 43-6 Performing Password Recovery for the ASA 5500 Series Adaptive Security Appliance 43-7 Password Recovery for the PIX 500 Series Security Appliance 43-8 Disabling Password Recovery 43-9 Resetting the Password on the...

Chapter 9 Configuring IP Routing

How Routing Behaves Within the ASA Security Appliance 9-1 Egress Interface Selection Process 9-1 Next Hop Selection Process 9-2 Configuring Static and Default Routes 9-2 Configuring a Static Route 9-3 Configuring a Default Route 9-4 Configuring Static Route Tracking 9-5 Defining Route Maps 9-7 Configuring OSPF 9-8 OSPF Overview 9-9 Enabling OSPF 9-9 Redistributing Routes Into OSPF 9-10 Configuring OSPF Interface Parameters 9-11 Configuring OSPF Area Parameters 9-13 Configuring OSPF NSSA 9-14...

Checking SSM Status

To check the status of an SSM, use the show module command. The following example output is from an adaptive security appliance with a CSC SSM installed. The Status field indicates the operational status of the SSM. An SSM operating normally has a status of Up in the output of the show module command. While the adaptive security appliance transfers an application image to the SSM, the Status field in the output reads Recover. For more information about possible statuses, see the entry for the show...

Classes and Class Members Overview

The security appliance manages resources by assigning contexts to resource classes. Each context uses the resource limits set by the class. This section includes the following topics. When you create a class, the security appliance does not set aside a portion of the resources for each context assigned to the class; rather, the security appliance sets the maximum limit for a context. If you oversubscribe resources, or allow some resources to be unlimited, a few contexts can use up those...

Clearing and Removing Configuration Settings

To erase settings, enter one of the following commands. To clear all the configuration for a specified command, enter the following command:

hostname(config)# clear configure configurationcommand level2configurationcommand

This command clears all the current configuration for the specified configuration command. If you only want to clear the configuration for a specific version of the command, you can enter a value for level2configurationcommand. For example, to clear the configuration for all...

Clearing Crypto Map Configurations

The clear configure crypto command includes arguments that let you remove elements of the crypto configuration, including IPSec, crypto maps, dynamic crypto maps, CA trustpoints, all certificates, certificate map configurations, and ISAKMP. Be aware that if you enter the clear configure crypto command without arguments, you remove the entire crypto configuration, including all certificates. For more information, see the clear configure crypto command in the Cisco Security Appliance Command...

Clearing Security Associations

Certain configuration changes take effect only during the negotiation of subsequent SAs. If you want the new settings to take effect immediately, clear the existing SAs to reestablish them with the changed configuration. If the security appliance is actively processing IPSec traffic, clear only the portion of the SA database that the configuration changes affect. Reserve clearing the full SA database for large-scale changes, or when the security appliance is processing a small amount of IPSec...

Configuring a Class

To configure a class in the system configuration, perform the following steps. You can change the value of a particular resource limit by reentering the command with a new value. Step 1: To specify the class name and enter the class configuration mode, enter the following command in the system execution space. The name is a string up to 20 characters long. To set the limits for the default class, enter default for the name. Step 2: To set the resource limits, see the following options. To set all...

Configuring a Default Route

A default route identifies the gateway IP address to which the security appliance sends all IP packets for which it does not have a learned or static route. A default route is simply a static route with 0.0.0.0/0 as the destination IP address. Routes that identify a specific destination take precedence over the default route. You can define up to three equal cost default route entries per device. Defining more than one equal cost default route entry causes the traffic sent to the default route...

Configuring a GTP Inspection Policy Map for Additional Inspection Control

If you want to enforce additional parameters on GTP traffic, create and configure a GTP map. If you do not specify a map with the inspect gtp command, the security appliance uses the default GTP map, which is preconfigured with the following default values:

timeout pdp-context 0:30:00

To create and configure a GTP map, perform the following steps. You can then apply the GTP map when you enable GTP inspection according to the Configuring Application Inspection section on page 25-5. Step 1: Create...

Configuring a Multicast Boundary

Address scoping defines domain boundaries so that domains with RPs that have the same IP address do not leak into each other. Scoping is performed on the subnet boundaries within large domains and on the boundaries between the domain and the Internet. You can set up an administratively scoped boundary on an interface for multicast group addresses using the multicast boundary command. IANA has designated the multicast address range 239.0.0.0 to 239.255.255.255 as the administratively scoped...

Configuring a NetBIOS Inspection Policy Map for Additional Inspection Control

To specify actions when a message violates a parameter, create a NETBIOS inspection policy map. You can then apply the inspection policy map when you enable NETBIOS inspection according to the Configuring Application Inspection section on page 25-5. To create a NETBIOS inspection policy map, perform the following steps. Step 1: (Optional) Add one or more regular expressions for use in traffic matching commands according to the Creating a Regular Expression section on page 21-12. See the types of...

Configuring a RADIUS Inspection Policy Map for Additional Inspection Control

In order to use this feature, the radius-accounting-map must be specified in the policy map and then applied to the service policy, to specify that this traffic is for to-the-box inspection. The following example shows the complete set of commands in context to properly configure this feature.

Step 1: Configure the class map and the port:

hostname(config)# class-map type management c1
hostname(config-cmap)# match port udp eq 1813

Step 2: Create the policy map, and configure the parameters for RADIUS accounting inspection using the...
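As an added example (not text from the guide itself), the command sequence above carried through to the service policy, so that RADIUS accounting packets sent to the appliance on UDP 1813 are inspected and the Framed-IP-Address is validated against the gateway. The map name radius_accounting_map, the policy name global_policy, the RADIUS server address 10.1.1.1 and the shared key are constructed placeholders, and the parameter commands are assumed to follow the standard ASA syntax.

```cisco
! Step 1: class map that selects to-the-box RADIUS accounting traffic (UDP 1813)
class-map type management c1
  match port udp eq 1813

! Step 2: inspection policy map with the RADIUS accounting parameters
policy-map type inspect radius-accounting radius_accounting_map
  parameters
    ! constructed placeholder server address and shared key; only accounting
    ! messages from this host, authenticated with this key, are accepted
    host 10.1.1.1 key 123456789
    ! reply to the RADIUS server so it does not retransmit
    send response
    ! validate the Framed-IP-Address against the gateway that sent the request
    enable gateway-validation
    ! attribute 31 (Calling-Station-Id) must match between Start and Stop
    validate-attribute 31

! Step 3: management policy map that applies the inspection to class c1
policy-map type management global_policy
  class c1
    inspect radius-accounting radius_accounting_map

! Step 4: apply the policy globally (to-the-box traffic on all interfaces)
service-policy global_policy global
```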