Access List Types

Table 16-1 lists the types of access lists and some common uses for them (Table 16-1, Access List Types and Common Uses). Extract from the table: Control network access for IP traffic (routed and transparent mode). The security appliance does not allow any traffic from a lower security interface to a higher security interface unless it is explicitly permitted by an extended access list. Note: To access the security appliance interface for management access, you do not also need...

Adding a Time Range

To add a time range to implement a time-based access list, perform the following steps.

Step 1 Identify the time-range name by entering the following command

Step 2 Specify the time range as either a recurring time range or an absolute time range. Multiple periodic entries are allowed per time-range command. If a time-range command has both absolute and periodic values specified, then the periodic commands are evaluated only after the absolute start time is reached, and are not further evaluated...
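The following configuration is an added example, not taken from the guide: it defines a time range that combines an absolute contract window with a weekday periodic entry, and attaches it to an ACE so that outbound HTTP from 10.1.1.0/24 is permitted only while the range is active. The ACL name, time-range name, dates and addresses are assumptions.

```text
! Added example (not from the original guide). Names, dates and addresses are assumptions.
! Time-based ACEs are only as trustworthy as the appliance clock: sync it first.
hostname(config)# ntp server 10.1.1.5 source inside prefer
hostname(config)# time-range BUSINESS-HOURS
! Absolute window: the periodic entry below is not evaluated until this start time is reached.
hostname(config-time-range)# absolute start 00:00 1 January 2008 end 23:59 31 December 2008
hostname(config-time-range)# periodic weekdays 8:00 to 18:00
hostname(config-time-range)# exit
! The time-range keyword makes this ACE active only while BUSINESS-HOURS is in effect.
hostname(config)# access-list INSIDE-IN extended permit tcp 10.1.1.0 255.255.255.0 any eq www time-range BUSINESS-HOURS
! Explicit logged deny so that out-of-hours attempts show up in syslog.
hostname(config)# access-list INSIDE-IN extended deny ip any any log
hostname(config)# access-group INSIDE-IN in interface inside
! Verification: outside the range the ACE is listed as (inactive).
hostname# show clock
hostname# show time-range BUSINESS-HOURS
hostname# show access-list INSIDE-IN
```

Existing connections are not torn down when the range ends; only new connections are affected, so a long-lived session opened at 17:59 survives past 18:00.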

Adding an EtherType ACE

To add an EtherType ACE, enter the following command:

hostname(config)# access-list access_list_name ethertype {permit | deny} {ipx | bpdu | mpls-unicast | mpls-multicast | any | hex_number}

The hex_number is any EtherType that can be identified by a 16-bit hexadecimal number greater than or equal to 0x600. See RFC 1700, Assigned Numbers, at http://www.ietf.org/rfc/rfc1700.txt for a list of EtherTypes (RFC 1700 has since been obsoleted by RFC 3232; the current list is the IANA EtherType registry). Note: If an EtherType access list is configured to deny all, all ethernet frames are discarded. Only physical...
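An added example, not from the guide, of an EtherType access list for a transparent-mode appliance that must let spanning-tree BPDUs and MPLS frames cross the bridge while all other non-IP protocols are dropped. Interface names and the list name are assumptions.

```text
! Added example (not from the original guide). Interface and list names are assumptions.
hostname(config)# access-list NONIP ethertype permit bpdu
hostname(config)# access-list NONIP ethertype permit mpls-unicast
hostname(config)# access-list NONIP ethertype permit mpls-multicast
! No explicit "deny any": per the note above an explicit deny-all discards every frame,
! IP included. The implicit deny at the end of an EtherType list does not affect IP or ARP.
! EtherType lists are applied inbound on each interface that should carry these frames.
hostname(config)# access-group NONIP in interface inside
hostname(config)# access-group NONIP in interface outside
! IP traffic is still governed by the extended access list on the same interface.
hostname(config)# access-list OUTSIDE-IN extended permit tcp any host 10.1.1.3 eq www
hostname(config)# access-group OUTSIDE-IN in interface outside
hostname# show access-list NONIP
```

The two lists are independent: an EtherType list applied to an interface does not replace the extended list there, and an interface with only an EtherType list still passes no IP traffic from a lower to a higher security interface.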

Admin Context Configuration

The admin context is just like any other context, except that when a user logs in to the admin context, then that user has system administrator rights and can access the system and all other contexts. The admin context is not restricted in any way, and can be used as a regular context. However, because logging into the admin context grants you administrator privileges over all contexts, you might need to restrict access to the admin context to appropriate users. The admin context must reside on...

Allowed MAC Addresses

The following destination MAC addresses are allowed through the transparent firewall. Any MAC address not on this list is dropped.

TRUE broadcast destination MAC address equal to FFFF.FFFF.FFFF
IPv4 multicast MAC addresses from 0100.5E00.0000 to 0100.5EFE.FFFF
IPv6 multicast MAC addresses from 3333.0000.0000 to 3333.FFFF.FFFF
BPDU multicast address equal to 0100.0CCC.CCCD
Appletalk multicast MAC addresses from 0900.0700.0000 to 0900.07FF.FFFF

An Outside User Visits a Web Server on the Inside Network

Figure 15-10 shows an outside user accessing the inside web server. The following steps describe how data moves through the security appliance (see Figure 15-10):

1. A user on the outside network requests a web page from the inside web server.
2. The security appliance receives the packet and adds the source MAC address to the MAC address table, if required. Because it is a new session, it verifies that the packet is allowed according to the terms of the security policy (access lists, filters,...

An Inside User Visits a Web Server

Figure 15-2 (Inside to Outside) shows an inside user accessing an outside web server. The following steps describe how data moves through the security appliance (see Figure 15-2):

1. The user on the inside network requests a web page from www.example.com.
2. The security appliance receives the packet and because it is a new session, the security appliance verifies that the packet is allowed...

An Inside User Visits a Web Server on the DMZ

Figure 15-4 shows an inside user accessing the DMZ web server. The following steps describe how data moves through the security appliance (see Figure 15-4):

1. A user on the inside network requests a web page from the DMZ web server using the destination address of 10.1.1.3.
2. The security appliance receives the packet and because it is a new session, the security appliance verifies that the packet is allowed according to the terms of the security policy (access lists, filters, AAA). For...

An Outside User Visits a Web Server on the DMZ

Figure 15-3 shows an outside user accessing the DMZ web server. The following steps describe how data moves through the security appliance (see Figure 15-3):

1. A user on the outside network requests a web page from the DMZ web server using the global destination address of 209.165.201.3, which is on the outside interface subnet.
2. The security appliance receives the packet and because it is a new session, the security appliance...

Applying AAA for Network Access

Section outline:
Enabling Secure Authentication of Web Clients
Authenticating Directly with the Security Appliance
Enabling Direct Authentication Using HTTP and HTTPS
Enabling Direct Authentication Using Telnet
Configuring Authorization for Network Access
Configuring TACACS+ Authorization
Configuring RADIUS Authorization
Configuring a RADIUS Server to Send...

Applying an Access List to an Interface

To apply an extended access list to the inbound or outbound direction of an interface, enter the following command:

hostname(config)# access-group access_list_name {in | out} interface interface_name [per-user-override]

You can apply one access list of each type (extended and EtherType) to both directions of the interface. See the Inbound and Outbound Access List Overview section on page 18-1 for more information about access list directions. The per-user-override keyword allows dynamic access lists...
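An added example, not from the guide, that puts the access-group command together with the point made under Access List Types: traffic from the lower-security outside interface reaches an inside web server only because an extended access list applied inbound on outside explicitly permits it. The addresses, interface names and ACL name are assumptions; the static translation is included because, in this software release, the ACL on the outside interface must reference the mapped (global) address of the server.

```text
! Added example (not from the original guide). Addresses and names are assumptions.
! Static NAT: real 10.1.1.3 on inside is reachable as 209.165.201.3 on outside.
hostname(config)# static (inside,outside) 209.165.201.3 10.1.1.3 netmask 255.255.255.255
! Only the two service ports the server actually exposes; the implicit deny covers the rest.
hostname(config)# access-list OUTSIDE-IN extended permit tcp any host 209.165.201.3 eq www
hostname(config)# access-list OUTSIDE-IN extended permit tcp any host 209.165.201.3 eq https
! An explicit logged deny at the end makes rejected probes visible in syslog.
hostname(config)# access-list OUTSIDE-IN extended deny ip any any log
! Inbound on the lower-security interface: this is the only way outside->inside is allowed.
hostname(config)# access-group OUTSIDE-IN in interface outside
! On the inside interface, per-user-override lets a downloadable per-user ACL from the
! AAA server take precedence over INSIDE-IN for that user's traffic.
hostname(config)# access-group INSIDE-IN in interface inside per-user-override
hostname# show access-list OUTSIDE-IN
hostname# show running-config access-group
```

Return traffic for the permitted sessions is allowed by the stateful connection table; no outbound ACE on the inside interface is needed for the server's replies.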

ASA 5510 and Higher Default Configuration

The default factory configuration for the ASA 5510 and higher adaptive security appliance configures the following: The management interface, Management 0/0. If you did not set the IP address in the configure factory-default command, then the IP address and mask are 192.168.1.1 and 255.255.255.0. The DHCP server is enabled on the security appliance, so a PC connecting to the interface receives an address between 192.168.1.2 and 192.168.1.254. The HTTP server is enabled for ASDM and is accessible...

Authentication with LDAP

During authentication, the security appliance acts as a client proxy to the LDAP server for the user, and authenticates to the LDAP server in either plain text or using the Simple Authentication and Security Layer (SASL) protocol. By default, the security appliance passes authentication parameters, usually a username and password, to the LDAP server in plain text. Whether using SASL or plain text, you can secure the communications between the security appliance and the LDAP server with SSL...
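An added example, not from the guide, showing the two ends of the spectrum described above: an LDAP server group that binds and passes credentials in plain text on port 389, and the same server reconfigured so that the session is wrapped in SSL and the bind uses SASL DIGEST-MD5. The server address, DNs, group names and placeholder passwords are assumptions.

```text
! Added example (not from the original guide). Addresses, DNs and names are assumptions.
! Weak: every user password crosses the inside network in the clear (LDAP on 389).
hostname(config)# aaa-server LDAP-PLAIN protocol ldap
hostname(config)# aaa-server LDAP-PLAIN (inside) host 10.1.1.10
hostname(config-aaa-server-host)# ldap-base-dn dc=example,dc=com
hostname(config-aaa-server-host)# ldap-scope subtree
hostname(config-aaa-server-host)# ldap-naming-attribute sAMAccountName
hostname(config-aaa-server-host)# ldap-login-dn cn=asa-bind,ou=svc,dc=example,dc=com
hostname(config-aaa-server-host)# ldap-login-password <bind-password>
hostname(config-aaa-server-host)# exit
! Hardened: LDAP over SSL on 636 protects the whole exchange; SASL DIGEST-MD5 additionally
! keeps the bind password out of the stream even if SSL is later misconfigured.
hostname(config)# aaa-server LDAP-SSL protocol ldap
hostname(config)# aaa-server LDAP-SSL (inside) host 10.1.1.10
hostname(config-aaa-server-host)# ldap-over-ssl enable
hostname(config-aaa-server-host)# server-port 636
hostname(config-aaa-server-host)# sasl-mechanism digest-md5
hostname(config-aaa-server-host)# ldap-base-dn dc=example,dc=com
hostname(config-aaa-server-host)# ldap-scope subtree
hostname(config-aaa-server-host)# ldap-naming-attribute sAMAccountName
hostname(config-aaa-server-host)# ldap-login-dn cn=asa-bind,ou=svc,dc=example,dc=com
hostname(config-aaa-server-host)# ldap-login-password <bind-password>
hostname(config-aaa-server-host)# exit
! Point the remote-access tunnel group at the hardened group, then test a bind before cutover.
hostname(config)# tunnel-group REMOTE general-attributes
hostname(config-tunnel-general)# authentication-server-group LDAP-SSL
hostname# test aaa-server authentication LDAP-SSL host 10.1.1.10 username jdoe password <test-password>
```

The bind DN should be a dedicated, read-only service account: the appliance stores its password in the configuration, so that account must not carry directory administration rights.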

Blocking Unwanted Connections

If you know that a host is attempting to attack your network (for example, system log messages show an attack), then you can block (or shun) connections based on the source IP address and other identifying parameters. No new connections can be made until you remove the shun. Note If you have an IPS that monitors traffic, such as an AIP SSM, then the IPS can shun connections automatically. To shun a connection manually, perform the following steps Step 1 If necessary, view information about the...
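An added example, not from the guide, of the manual shun procedure as an incident responder would run it. The attacker and victim addresses and ports are assumptions.

```text
! Added example (not from the original guide). Addresses and ports are assumptions.
! Step 1: confirm what the source is doing before blocking it.
hostname# show conn address 10.1.1.27
! Step 2a: block all new connections from the source, whatever the destination.
hostname# shun 10.1.1.27
! Step 2b: or scope the shun to the observed flow (src dst sport dport protocol);
! this also drops the existing connection matching those parameters.
hostname# shun 10.1.1.27 10.2.2.89 555 666 tcp
! Step 3: verify and watch the drop counters climb.
hostname# show shun
hostname# show shun statistics
! Step 4: lift the block when the incident is closed.
hostname# no shun 10.1.1.27
```

Shun entries are not part of the saved configuration, so record them in the incident log; they must be re-applied by hand (or by the IPS) if the appliance reloads.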

Bypassing NAT When NAT Control is Enabled

If you enable NAT control, then inside hosts must match a NAT rule when accessing outside hosts. If you do not want to perform NAT for some hosts, then you can bypass NAT for those hosts (alternatively, you can disable NAT control). You might want to bypass NAT, for example, if you are using an application that does not support NAT (see the When to Use Application Protocol Inspection section on page 25-2 for information about inspection engines that do not support NAT). You can configure...

Caching Server Addresses

After a user accesses a site, the filtering server can allow the security appliance to cache the server address for a certain amount of time, as long as every site hosted at the address is in a category that is permitted at all times. Then, when the user accesses the server again, or if another user accesses the server, the security appliance does not need to consult the filtering server again. Note Requests for cached IP addresses are not passed to the filtering server and are not logged. As a...

Chapter 1 Introduction to the Security Appliance

Chapter outline:
Firewall Functional Overview
Security Policy Overview
Permitting or Denying Traffic with Access Lists
Applying HTTP, HTTPS, or FTP Filtering
Sending Traffic to the Advanced Inspection and Prevention Security Services Module
Sending Traffic to the Content Security and Control Security Services Module
Applying QoS Policies
Applying Connection Limits and TCP Normalization
Firewall Mode Overview
Stateful Inspection Overview
VPN Functional Overview...

Chapter 25 Configuring Application Layer Protocol Inspection

Chapter outline:
When to Use Application Protocol Inspection
Inspection Limitations
Default Inspection Policy
Configuring Application Inspection
CTIQBE Inspection
CTIQBE Inspection Overview
Limitations and Restrictions
Verifying and Monitoring CTIQBE Inspection
DCERPC Inspection
DCERPC Overview
Configuring a DCERPC Inspection Policy Map for Additional Inspection Control
DNS Inspection
How DNS Application Inspection Works
How DNS Rewrite...

Configuring a Class

To configure a class in the system configuration, perform the following steps. You can change the value of a particular resource limit by reentering the command with a new value. Step 1 To specify the class name and enter the class configuration mode, enter the following command in the system execution space The name is a string up to 20 characters long. To set the limits for the default class, enter default for the name. Step 2 To set the resource limits, see the following options To set all...
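An added example, not from the guide, of a resource class in the system execution space, applied to the admin context described under Admin Context Configuration and to a customer context. Class names, percentages, context names, interface names and config-url paths are assumptions.

```text
! Added example (not from the original guide). Names, limits and paths are assumptions.
! System execution space. A class caps what its member contexts can consume, so one
! context under attack cannot exhaust connections or translations for the others.
hostname(config)# class gold
hostname(config-class)# limit-resource all 10%
hostname(config-class)# limit-resource conns 20%
hostname(config-class)# limit-resource rate conns 1000
hostname(config-class)# limit-resource xlates 50000
hostname(config-class)# exit
! Contexts with no member statement fall into the default class; cap that too.
hostname(config)# class default
hostname(config-class)# limit-resource all 5%
hostname(config-class)# exit
! The admin context: logging in here grants rights over every context, so it gets
! only the management interface and its config stays on internal flash.
hostname(config)# admin-context admin
hostname(config)# context admin
hostname(config-ctx)# allocate-interface management0/0
hostname(config-ctx)# config-url disk0:/admin.cfg
hostname(config-ctx)# member gold
hostname(config-ctx)# exit
hostname(config)# context customerA
hostname(config-ctx)# allocate-interface gigabitethernet0/0.100 int1
hostname(config-ctx)# allocate-interface gigabitethernet0/1.100 int2
hostname(config-ctx)# config-url disk0:/customerA.cfg
hostname(config-ctx)# member gold
hostname(config-ctx)# exit
hostname# show resource allocation
hostname# show resource usage context customerA
```

Percentages are of the platform total, so several contexts in the same class can together oversubscribe the box; check show resource allocation for the combined figure before adding members.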

Configuring a Default Route

A default route identifies the gateway IP address to which the security appliance sends all IP packets for which it does not have a learned or static route. A default route is simply a static route with 0.0.0.0/0 as the destination IP address. Routes that identify a specific destination take precedence over the default route. You can define up to three equal cost default route entries per device. Defining more than one equal cost default route entry causes the traffic sent to the default route...

Configuring a GTP Inspection Policy Map for Additional Inspection Control

If you want to enforce additional parameters on GTP traffic, create and configure a GTP map. If you do not specify a map with the inspect gtp command, the security appliance uses the default GTP map, which is preconfigured with the following default values: timeout pdp-context 0:30:00 ... To create and configure a GTP map, perform the following steps. You can then apply the GTP map when you enable GTP inspection according to the Configuring Application Inspection section on page 25-5. Step 1 Create...

Configuring a Switch Port as a Trunk Port

By default, all switch ports are shut down. This procedure tells how to create a trunk port that can carry multiple VLANs using 802.1Q tagging. Trunk mode is available only with the Security Plus license. To create an access port, where an interface is assigned to only one VLAN, see the Configuring Switch Ports as Access Ports section on page 4-9. By default, the speed and duplex for switch ports are set to auto-negotiate. The default auto-negotiation setting also includes the Auto-MDI/MDIX...

Configuring an HTTP Inspection Policy Map for Additional Inspection Control

To specify actions when a message violates a parameter, create an HTTP inspection policy map. You can then apply the inspection policy map when you enable HTTP inspection according to the Configuring Application Inspection section on page 25-5. Note When you enable HTTP inspection with an inspection policy map, strict HTTP inspection with the action reset and log is enabled by default. You can change the actions performed in response to inspection failure, but you cannot disable strict...

Configuring an Instant Messaging Inspection Policy Map for Additional Inspection Control

To specify actions when a message violates a parameter, create an IM inspection policy map. You can then apply the inspection policy map when you enable IM inspection according to the Configuring Application Inspection section on page 25-5. To create an IM inspection policy map, perform the following steps Step 1 (Optional) Add one or more regular expressions for use in traffic matching commands according to the Creating a Regular Expression section on page 21-12. See the types of text you can...

Configuring an IPSec Pass Through Inspection Policy Map for Additional Inspection Control

Inspect IPSec Pass Through is disabled by default. When enabled without using a parameter map, the inspection uses the default IPSec Pass Through parameter map, which allows only ESP traffic with unlimited connections and the default idle timeout of 10 minutes for the ESP connection. To pass ESP or AH traffic, IPSec Pass Through parameter map is required. To create an IPSec Pass Through map, perform the following steps Step 1 To create an IPSec Pass Through inspection policy map, enter the...

Configuring and Enabling VLAN Subinterfaces and 802.1Q Trunking

This section describes how to configure and enable a VLAN subinterface. An interface with one or more VLAN subinterfaces is automatically configured as an 802.1Q trunk. You must enable the physical interface before any traffic can pass through an enabled subinterface (see the Configuring and Enabling RJ-45 Interfaces section on page 5-1 or the Configuring and Enabling Fiber Interfaces section on page 5-2). For multiple context mode, if you allocate a subinterface to a context, the interfaces...

Configuring Cable-Based Active/Standby Failover (PIX Security Appliance Only)

Follow these steps to configure Active Standby failover using a serial cable as the failover link. The commands in this task are entered on the primary unit in the failover pair. The primary unit is the unit that has the end of the cable labeled Primary plugged into it. For devices in multiple context mode, the commands are entered in the system execution space unless otherwise noted. You do not need to bootstrap the secondary unit in the failover pair when you use cable-based failover. Leave...

Configuring Certificate Group Matching

Tunnel groups define user connection terms and permissions. Certificate group matching lets you match a user to a tunnel group using either the Subject DN or Issuer DN of the user certificate. To match users to tunnel groups based on these fields of the certificate, you must first create rules that define a matching criteria, and then associate each rule with the desired tunnel group. To create a certificate map, use the crypto ca certificate map command. To define a tunnel group, use the...
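An added example, not from the guide, of certificate group matching: two rules in one certificate map steer engineering and contractor certificates to different tunnel groups, and unmatched certificates land in a deliberately restrictive group. The map name, OU values, issuer organization and tunnel group names are assumptions.

```text
! Added example (not from the original guide). Names and DN values are assumptions.
! Rules are evaluated in sequence order; each rule must match all of its criteria.
! Matching the issuer as well as the subject OU stops a certificate from a different
! trusted CA, with the same OU string, from being mapped into the privileged group.
hostname(config)# crypto ca certificate map CERT-MAP 10
hostname(ca-certificate-map)# issuer-name attr o eq examplecorp
hostname(ca-certificate-map)# subject-name attr ou eq engineering
hostname(ca-certificate-map)# exit
hostname(config)# crypto ca certificate map CERT-MAP 20
hostname(ca-certificate-map)# issuer-name attr o eq examplecorp
hostname(ca-certificate-map)# subject-name attr ou eq contractors
hostname(ca-certificate-map)# exit
! Turn on rule-based matching and bind each rule to its tunnel group.
hostname(config)# tunnel-group-map enable rules
hostname(config)# tunnel-group-map CERT-MAP 10 ENG-GROUP
hostname(config)# tunnel-group-map CERT-MAP 20 CONTRACTOR-GROUP
! Certificates that match no rule fall to this group rather than the default remote-access group.
hostname(config)# tunnel-group-map default-group QUARANTINE-GROUP
hostname# show running-config crypto ca certificate map
```

The tunnel groups referenced here (ENG-GROUP, CONTRACTOR-GROUP, QUARANTINE-GROUP) must already exist as remote-access tunnel groups with certificate authentication enabled; the map only selects among them.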

Configuring DHCP Relay Services

A DHCP relay agent allows the security appliance to forward DHCP requests from clients to a router connected to a different interface. The following restrictions apply to the use of the DHCP relay agent The relay agent cannot be enabled if the DHCP server feature is also enabled. Clients must be directly connected to the security appliance and cannot send requests through another relay agent or a router. For multiple context mode, you cannot enable DHCP relay on an interface that is used by...

Configuring Domain Attributes for Tunneling

You can specify a default domain name for tunneled packets or a list of domains to be resolved through the split tunnel. The following sections describe how to set these domains. Defining a Default Domain Name for Tunneled Packets The security appliance passes the default domain name to the IPSec client to append to DNS queries that omit the domain field. When there are no default domain names, users inherit the default domain name in the default group policy. To specify the default domain name...

Configuring IPv6 Duplicate Address Detection

During the stateless autoconfiguration process, duplicate address detection verifies the uniqueness of new unicast IPv6 addresses before the addresses are assigned to interfaces (the new addresses remain in a tentative state while duplicate address detection is performed). Duplicate address detection is performed first on the new link-local address. When the link-local address is verified as unique, then duplicate address detection is performed on all the other IPv6 unicast addresses on the...

Configuring IPv6 Neighbor Discovery

The IPv6 neighbor discovery process uses ICMPv6 messages and solicited-node multicast addresses to determine the link-layer address of a neighbor on the same network (local link), verify the reachability of a neighbor, and keep track of neighboring routers. This section contains the following topics Configuring Neighbor Solicitation Messages, page 12-7 Configuring Router Advertisement Messages, page 12-9 Multicast Listener Discovery Support, page 12-11 Configuring Neighbor Solicitation Messages...
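An added example, not from the guide, that sets the duplicate address detection and neighbor discovery parameters discussed in this section and the previous one on an inside interface, and suppresses router advertisements on the outside interface. Addresses, prefixes, interface names and timer values are assumptions.

```text
! Added example (not from the original guide). Addresses, names and timers are assumptions.
hostname(config)# interface gigabitethernet0/1
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ipv6 address 2001:db8:1::1/64
hostname(config-if)# ipv6 enable
! DAD: send 2 neighbor solicitations, 1500 ms apart, before a tentative address is used.
! (ipv6 nd dad attempts 0 would disable DAD entirely; avoid that on shared segments.)
hostname(config-if)# ipv6 nd dad attempts 2
hostname(config-if)# ipv6 nd ns-interval 1500
! Consider a neighbor unreachable after 30 s without a reachability confirmation.
hostname(config-if)# ipv6 nd reachable-time 30000
! Advertise the prefix with a 1 h valid / 30 min preferred lifetime, every ~200 s.
hostname(config-if)# ipv6 nd prefix 2001:db8:1::/64 3600 1800
hostname(config-if)# ipv6 nd ra-interval 200
hostname(config-if)# ipv6 nd ra-lifetime 1800
hostname(config-if)# exit
! Never advertise this appliance as a router toward the untrusted side.
hostname(config)# interface gigabitethernet0/0
hostname(config-if)# ipv6 nd suppress-ra
hostname(config-if)# exit
hostname# show ipv6 interface inside
hostname# show ipv6 neighbor
```

Short RA and prefix lifetimes limit how long hosts keep using a prefix after it is withdrawn, which matters when the appliance is one of several RA sources on a segment.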

Configuring ISAKMP Policies

To configure ISAKMP policies, in global configuration mode, use the crypto isakmp policy command with its various arguments. The syntax for ISAKMP policy commands is as follows:

crypto isakmp policy priority attribute_name [attribute_value | integer]

You must include the priority in each of the ISAKMP commands. The priority number uniquely identifies the policy, and determines the priority of the policy in ISAKMP negotiations. To enable and configure ISAKMP, complete the following steps, using the...
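An added example, not from the guide, showing the one-line policy syntax above with a strong policy at a low priority number and a legacy policy kept temporarily for old peers. Priority numbers, algorithm choices and the interface name are assumptions.

```text
! Added example (not from the original guide). Priorities and choices are assumptions.
! Preferred policy: lowest priority number is offered first. AES-256, SHA, DH group 5,
! certificate authentication.
hostname(config)# crypto isakmp policy 10 authentication rsa-sig
hostname(config)# crypto isakmp policy 10 encryption aes-256
hostname(config)# crypto isakmp policy 10 hash sha
hostname(config)# crypto isakmp policy 10 group 5
hostname(config)# crypto isakmp policy 10 lifetime 28800
! Legacy policy for peers that still need pre-shared keys with 3DES. Keep it at a high
! priority number, and remember a peer may propose it even when it could do better.
hostname(config)# crypto isakmp policy 50 authentication pre-share
hostname(config)# crypto isakmp policy 50 encryption 3des
hostname(config)# crypto isakmp policy 50 hash sha
hostname(config)# crypto isakmp policy 50 group 2
hostname(config)# crypto isakmp policy 50 lifetime 86400
! Do not add a DES / MD5 / group 1 policy "for compatibility": any peer that knows it
! exists can negotiate down to it.
hostname(config)# crypto isakmp identity auto
hostname(config)# crypto isakmp enable outside
hostname# show running-config crypto isakmp
hostname# show crypto isakmp sa
! Once every peer has moved, remove the legacy policy:
hostname(config)# no crypto isakmp policy 50
```

A policy matches when the peer's proposal agrees on all five attributes; the appliance checks its policies in priority order against each proposal, so the weakest policy you leave configured is the weakest tunnel you will accept.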

Configuring L2TP over IPSec Connections

To configure the security appliance to accept L2TP over IPSec connections, follow these steps. Note: The security appliance does not establish an L2TP/IPSec tunnel with Windows 2000 if either the Cisco VPN Client Version 3.x or the Cisco VPN 3000 Client Version 2.5 is installed. Disable the Cisco VPN Service for the Cisco VPN Client Version 3.x, or the ANetIKE Service for the Cisco VPN 3000 Client Version 2.5 from the Services panel in Windows 2000 (click...

Configuring NAT Exemption

NAT exemption exempts addresses from translation and allows both real and remote hosts to originate connections. NAT exemption lets you specify the real and destination addresses when determining the real traffic to exempt (similar to policy NAT), so you have greater control using NAT exemption than identity NAT. However unlike policy NAT, NAT exemption does not consider the ports in the access list. Use static identity NAT to consider ports in the access list. Figure 17-25 shows a typical NAT...
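An added example, not from the guide, placing the three ways of bypassing NAT side by side: regular identity NAT (this section and Bypassing NAT When NAT Control is Enabled), static identity NAT, and NAT exemption with an access list. Subnets, the VPN peer network, interface names and the ACL name are assumptions.

```text
! Added example (not from the original guide). Addresses, names and interfaces are assumptions.
! 1) Regular identity NAT: 10.1.1.0/24 keeps its addresses, but a translation is created
!    only when an inside host initiates, so outside hosts cannot originate to it.
hostname(config)# nat (inside) 0 10.1.1.0 255.255.255.0
! 2) Static identity NAT: untranslated in both directions, and an access list used with
!    it is honored down to the port (use this when ports must be considered).
hostname(config)# static (inside,dmz) 10.1.2.0 10.1.2.0 netmask 255.255.255.0
! 3) NAT exemption: bypass NAT only for 10.1.3.0/24 talking to the VPN peer's network;
!    ports in this ACL are ignored. The same hosts still get PAT when they go to the Internet.
hostname(config)# access-list NONAT extended permit ip 10.1.3.0 255.255.255.0 192.168.50.0 255.255.255.0
hostname(config)# nat (inside) 0 access-list NONAT
hostname(config)# nat (inside) 1 10.1.3.0 255.255.255.0
hostname(config)# global (outside) 1 interface
hostname# show xlate
hostname# show running-config nat
hostname# show running-config static
```

NAT exemption is evaluated before the numbered nat rules, so the ordering of the two nat (inside) statements above does not matter; what matters is that the NONAT access list names only the destinations that must stay untranslated, since every match also allows the remote side to originate connections.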

Configuring Optional Active/Active Failover Settings

The following optional Active/Active failover settings can be configured when you are initially configuring failover or after you have already established failover. Unless otherwise noted, the commands should be entered on the unit that has failover group 1 in the active state. This section includes the following topics: Configuring Failover Group Preemption, page 14-33; Enabling HTTP Replication with Stateful Failover, page 14-33; Disabling and Enabling Interface Monitoring, page 14-33...

Configuring Route Calculation Timers

You can configure the delay time between when OSPF receives a topology change and when it starts an SPF calculation. You also can configure the hold time between two consecutive SPF calculations. To configure route calculation timers, perform the following steps Step 1 If you have not already done so, enter the router configuration mode for the OSPF process you want to configure by entering the following command hostname(config) router ospf process_id Step 2 To configure the route calculation...

Configuring Route Summarization Between OSPF Areas

Route summarization is the consolidation of advertised addresses. This feature causes a single summary route to be advertised to other areas by an area boundary router. In OSPF, an area boundary router advertises networks in one area into another area. If the network numbers in an area are assigned in a way such that they are contiguous, you can configure the area boundary router to advertise a summary route that covers all the individual networks within the area that fall into the specified...
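An added example, not from the guide, of one OSPF process with the SPF timers from the previous section, an inter-area summary on the area border router, and MD5 neighbor authentication so that a rogue speaker on the backbone cannot inject routes. The process ID, area numbers, prefixes, interface and key are assumptions.

```text
! Added example (not from the original guide). Process ID, areas, prefixes and key are assumptions.
hostname(config)# router ospf 1
hostname(config-router)# network 10.1.0.0 255.255.0.0 area 1
hostname(config-router)# network 192.168.0.0 255.255.255.0 area 0
! Wait 10 s after a topology change before running SPF, and at least 20 s between runs,
! so a flapping link cannot keep the appliance in continuous recomputation.
hostname(config-router)# timers spf 10 20
! This appliance is the ABR for area 1: advertise all of 10.1.0.0/16 as one summary route
! into area 0 instead of every individual 10.1.x.0 network.
hostname(config-router)# area 1 range 10.1.0.0 255.255.0.0
! Require MD5-authenticated hellos and LSAs from every neighbor in the backbone.
hostname(config-router)# area 0 authentication message-digest
hostname(config-router)# exit
hostname(config)# interface gigabitethernet0/0
hostname(config-if)# ospf message-digest-key 1 md5 <shared-key>
hostname(config-if)# exit
hostname# show ospf 1
hostname# show ospf neighbor
hostname# show route
```

The summary suppresses the more specific routes; if part of the 10.1.0.0/16 range is not actually reachable through area 1, traffic for it will still be attracted to this ABR, so keep the range aligned with what the area really contains.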

Configuring User Attributes

This section describes user attributes and how to configure them. It includes the following sections Viewing the Username Configuration, page 30-70 Configuring Attributes for Specific Users, page 30-70 By default, users inherit all user attributes from the assigned group policy. The security appliance also lets you assign individual attributes at the user level, overriding values in the group policy that applies to that user. For example, you can specify a group policy giving all users access...

Configuring VLAN Interfaces

For each VLAN to pass traffic, you need to configure an interface name (the nameif command), and for routed mode, an IP address. You should also change the security level from the default, which is 0. If you name an interface inside and you do not set the security level explicitly, then the adaptive security appliance sets the security level to 100. For information about how many VLANs you can configure, see the Maximum Active VLAN Interfaces for Your License section on page 4-2. If you are...
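An added example, not from the guide, of 802.1Q trunking on both platform families covered by this and the two related sections (Configuring a Switch Port as a Trunk Port, and Configuring and Enabling VLAN Subinterfaces and 802.1Q Trunking): an ASA 5505 switch port carrying two VLANs into two VLAN interfaces, and the equivalent subinterface design on an ASA 5510 and higher. VLAN IDs, names and addresses are assumptions.

```text
! Added example (not from the original guide). VLAN IDs, names and addresses are assumptions.
! --- ASA 5505 (Security Plus license): Ethernet0/1 trunks VLANs 10 and 20 to a switch.
hostname(config)# interface ethernet0/1
hostname(config-if)# switchport mode trunk
hostname(config-if)# switchport trunk allowed vlan 10,20
! Park untagged frames on an unused VLAN rather than on a production one.
hostname(config-if)# switchport trunk native vlan 999
hostname(config-if)# no shutdown
hostname(config)# interface vlan 10
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.1.10.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config)# interface vlan 20
hostname(config-if)# nameif dmz
! The default security level is 0; set it explicitly so the DMZ is not treated as outside.
hostname(config-if)# security-level 50
hostname(config-if)# ip address 10.1.20.1 255.255.255.0
hostname(config-if)# no shutdown
! --- ASA 5510 and higher: same design with subinterfaces. The physical interface must be
! enabled, but is left without a nameif so untagged traffic is not forwarded.
hostname(config)# interface gigabitethernet0/1
hostname(config-if)# no shutdown
hostname(config)# interface gigabitethernet0/1.10
hostname(config-subif)# vlan 10
hostname(config-subif)# nameif inside
hostname(config-subif)# security-level 100
hostname(config-subif)# ip address 10.1.10.1 255.255.255.0
hostname(config)# interface gigabitethernet0/1.20
hostname(config-subif)# vlan 20
hostname(config-subif)# nameif dmz
hostname(config-subif)# security-level 50
hostname(config-subif)# ip address 10.1.20.1 255.255.255.0
hostname# show interface ip brief
```

Two interfaces at the same security level cannot talk to each other unless same-security-traffic is enabled, so the 100/50 split above is what makes inside-to-DMZ traffic flow without an ACL while DMZ-to-inside requires one.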

Configuring VPN Session Limits

You can run as many IPSec and WebVPN sessions as your platform and license for the security appliance supports. To view the licensing information for your security appliance, enter the show version command in global configuration mode. The following example shows the command and the licensing information excerpted from the output of this command:

Cisco Adaptive Security Appliance Software Version 7.1(0)182
Device Manager Version 5.1(0)128
Licensed features for this platform:
Maximum Physical...

Configuring VPN-Specific Attributes

Follow the steps in this section to configure attributes that set the values of VPN attributes. These attributes control the access hours, the number of simultaneous logins allowed, the timeouts, the name of the ACL to use for VPN connections, and the tunnel protocol. Step 1 Set the VPN access hours. To do this, you associate a group policy with a configured time-range policy, using the vpn-access-hours command in group-policy configuration mode. hostname(config-group-policy)# vpn-access-hours...
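An added example, not from the guide, that carries the steps of this section through on one group policy, sets the domain attributes from Configuring Domain Attributes for Tunneling, and then overrides one attribute for a single user as described under Configuring User Attributes. The group policy name, time range, ACL, domains, username and placeholder password are assumptions.

```text
! Added example (not from the original guide). Names, ACL, domains and values are assumptions.
hostname(config)# time-range VPN-HOURS
hostname(config-time-range)# periodic weekdays 7:00 to 20:00
hostname(config-time-range)# exit
! vpn-filter ACL: written with the VPN client side as the source and the local network
! as the destination. Only HTTPS to the application subnet is allowed; everything else
! the tunnel could carry is dropped.
hostname(config)# access-list VPN-FILTER extended permit tcp any 10.1.1.0 255.255.255.0 eq 443
hostname(config)# access-list VPN-FILTER extended deny ip any any
hostname(config)# group-policy STAFF internal
hostname(config)# group-policy STAFF attributes
hostname(config-group-policy)# vpn-access-hours value VPN-HOURS
hostname(config-group-policy)# vpn-simultaneous-logins 2
hostname(config-group-policy)# vpn-idle-timeout 30
hostname(config-group-policy)# vpn-session-timeout 600
hostname(config-group-policy)# vpn-filter value VPN-FILTER
hostname(config-group-policy)# vpn-tunnel-protocol ipsec
hostname(config-group-policy)# default-domain value example.com
hostname(config-group-policy)# split-dns value example.com corp.example.com
hostname(config-group-policy)# exit
! Per-user override: this account is pinned to STAFF but may hold only one session.
hostname(config)# username jdoe password <password>
hostname(config)# username jdoe attributes
hostname(config-username)# vpn-group-policy STAFF
hostname(config-username)# vpn-simultaneous-logins 1
hostname(config-username)# exit
hostname# show running-config group-policy STAFF
hostname# show running-config username jdoe
```

Attributes not set at the user level are inherited from the group policy, and attributes not set there are inherited from DfltGrpPolicy, so a restrictive vpn-filter on DfltGrpPolicy is a useful backstop for groups that forget to set one.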

Creating a Policy for Traffic Shaping and Hierarchical Priority Queueing

You can create a policy map for an interface or globally for all interfaces that assigns QoS actions (and other feature actions) to the traffic in the class map. (See the Chapter 21, Using Modular Policy Framework, for information about other features. This chapter only discusses QoS.) You can configure traffic shaping for all traffic on an interface, and optionally hierarchical priority queueing for a subset of latency-sensitive traffic. See the How QoS Features Interact section on page 24-4...

Creating a Regular Expression

A regular expression matches text strings either literally as an exact string, or by using metacharacters so you can match multiple variants of a text string. You can use a regular expression to match the content of certain application traffic; for example, you can match a URL string inside an HTTP packet. Use Ctrl+V to escape all of the special characters in the CLI, such as question mark (?) or a tab. For example, type d[Ctrl+V]?g to enter d?g in the configuration. See the regex command in the...

Creating the Standard Priority Queue for an Interface

If you enable standard priority queueing for traffic on a physical interface, then you need to also create the priority queue on each interface. Each physical interface uses two queues one for priority traffic, and the other for all other traffic. For the other traffic, you can optionally configure policing. Note The standard priority queue is not required for hierarchical priority queueing with traffic shaping see the Priority Queueing Overview section on page 24-3 for more information. To...
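An added example, not from the guide, contrasting the two designs from this section and the previous one: standard priority queueing on an interface (which needs the per-interface priority queue), and traffic shaping with hierarchical priority queueing (which does not). Rates, queue sizes, the DSCP match and interface names are assumptions.

```text
! Added example (not from the original guide). Rates, sizes and names are assumptions.
! Design A: standard priority queueing for EF-marked traffic on the outside interface.
! The interface queue must exist or the priority action has nowhere to go.
hostname(config)# priority-queue outside
hostname(config-priority-queue)# queue-limit 2048
hostname(config-priority-queue)# tx-ring-limit 256
hostname(config-priority-queue)# exit
hostname(config)# class-map VOICE
hostname(config-cmap)# match dscp ef
hostname(config-cmap)# exit
hostname(config)# policy-map OUTSIDE-QOS
hostname(config-pmap)# class VOICE
hostname(config-pmap-c)# priority
! Police everything else so bulk traffic cannot starve the link (2 Mbps, 16000-byte burst).
hostname(config-pmap)# class class-default
hostname(config-pmap-c)# police output 2000000 16000
hostname(config-pmap-c)# exit
hostname(config)# service-policy OUTSIDE-QOS interface outside

! Design B (alternative; an interface takes only one service policy): shape all outside
! traffic to 2 Mbps and give VOICE priority inside the shaped rate. No priority-queue needed.
hostname(config)# policy-map PRIO-SUB
hostname(config-pmap)# class VOICE
hostname(config-pmap-c)# priority
hostname(config-pmap-c)# exit
hostname(config)# policy-map SHAPE-OUT
hostname(config-pmap)# class class-default
hostname(config-pmap-c)# shape average 2000000 16000
hostname(config-pmap-c)# service-policy PRIO-SUB
hostname(config-pmap-c)# exit
hostname(config)# no service-policy OUTSIDE-QOS interface outside
hostname(config)# service-policy SHAPE-OUT interface outside
hostname# show service-policy interface outside
hostname# show priority-queue statistics outside
```

Shaping is only permitted in class-default, and the hierarchical sub-policy may contain only priority actions; putting inspection or policing in it is rejected.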

Default Class Maps

The configuration includes a default Layer 3/4 class map that the security appliance uses in the default global policy. It is called inspection_default and matches the default inspection traffic:

class-map inspection_default
 match default-inspection-traffic

Another class map that exists in the default configuration is called class-default, and it matches all traffic. This class map appears at the end of all Layer 3/4 policy maps and essentially tells the security appliance to not perform any...

Default Inspection Policy

By default, the configuration includes a policy that matches all default application inspection traffic and applies inspection to the traffic on all interfaces (a global policy). Default application inspection traffic includes traffic to the default ports for each protocol. You can only apply one global policy, so if you want to alter the global policy, for example, to apply inspection to non-standard ports, or to add inspections that are not enabled by default, you need to either edit the...

Default LAN-to-LAN Tunnel Group Configuration

The contents of the default LAN-to-LAN tunnel group are as follows:

tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
 no accounting-server-group
 default-group-policy DfltGrpPolicy
tunnel-group DefaultL2LGroup ipsec-attributes
 no pre-shared-key
 peer-id-validate req
 no chain
 no trust-point
 isakmp keepalive threshold 10 retry 2

LAN-to-LAN tunnel groups have fewer parameters than remote-access tunnel groups, and most of these are the same for both groups....
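An added example, not from the guide, of a peer-specific LAN-to-LAN tunnel group layered on the defaults above, together with the crypto map that selects the peer. It assumes an ISAKMP policy is already enabled on the outside interface; the peer address, networks, transform set, ACL and placeholder key are assumptions.

```text
! Added example (not from the original guide). Peer, networks, names and key are assumptions.
hostname(config)# crypto ipsec transform-set AES-SHA esp-aes-256 esp-sha-hmac
! Interesting traffic: local 10.1.1.0/24 to the peer's 192.168.50.0/24.
hostname(config)# access-list L2L-TRAFFIC extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
hostname(config)# crypto map OUTSIDE-MAP 10 match address L2L-TRAFFIC
hostname(config)# crypto map OUTSIDE-MAP 10 set peer 209.165.200.225
hostname(config)# crypto map OUTSIDE-MAP 10 set transform-set AES-SHA
hostname(config)# crypto map OUTSIDE-MAP 10 set pfs group5
hostname(config)# crypto map OUTSIDE-MAP interface outside
! The tunnel group is named by the peer IP address; only attributes that differ from
! DefaultL2LGroup need to be set, the rest are inherited from the defaults shown above.
hostname(config)# tunnel-group 209.165.200.225 type ipsec-l2l
hostname(config)# tunnel-group 209.165.200.225 ipsec-attributes
hostname(config-tunnel-ipsec)# pre-shared-key <long-random-key>
hostname(config-tunnel-ipsec)# isakmp keepalive threshold 10 retry 2
hostname(config-tunnel-ipsec)# exit
! Leave DefaultL2LGroup with "no pre-shared-key": a key configured there would let any
! peer that learns it bring up a tunnel without a matching per-peer group.
hostname# show running-config tunnel-group 209.165.200.225
hostname# show crypto isakmp sa
hostname# show crypto ipsec sa peer 209.165.200.225
```

The crypto map's match address list and the peer's mirror list must be exact inverses of each other, otherwise phase 2 fails with a proxy-identity mismatch even though phase 1 completes.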

Default Layer 3/4 Policy

The configuration includes a default Layer 3/4 policy map that the security appliance uses in the default global policy. It is called global_policy and performs inspection on the default inspection traffic. You can only apply one global policy, so if you want to alter the global policy, you need to either reconfigure the default policy or disable it and apply a new one. The default policy map configuration includes the following commands: The maximum number of policy maps is 64. To create a...

Defining Actions in an Inspection Policy

When you enable an inspection engine in the Layer 3 4 policy map, you can also optionally enable actions as defined in an inspection policy map. To create an inspection policy map, perform the following steps Step 1 To create the HTTP inspection policy map, enter the following command hostname(config) policy-map type inspect application policy_map_name hostname(config-pmap) See the Configuring Application Inspection section on page 25-5 for a list of applications that support inspection policy...
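An added example, not from the guide, that follows this section's steps for HTTP: a regular expression (Creating a Regular Expression), an HTTP inspection policy map with explicit actions (Configuring an HTTP Inspection Policy Map for Additional Inspection Control), and its attachment to the default global_policy and inspection_default class described under Default Class Maps and Default Layer 3/4 Policy, plus a second class for a non-standard port. The map, regex and class names and the port are assumptions.

```text
! Added example (not from the original guide). Names, regex and port are assumptions.
! Directory-traversal sequence in a request URI. No "?" in this pattern, so no Ctrl+V needed.
hostname(config)# regex URI-TRAVERSAL \.\./
hostname(config)# policy-map type inspect http HTTP-STRICT
hostname(config-pmap)# parameters
! Strict inspection is on by default with reset+log; here drop the connection instead.
hostname(config-pmap-p)# protocol-violation action drop-connection log
hostname(config-pmap-p)# exit
! Each match clause carries its own action.
hostname(config-pmap)# match request method trace
hostname(config-pmap-c)# drop-connection log
hostname(config-pmap)# match request uri regex URI-TRAVERSAL
hostname(config-pmap-c)# reset log
hostname(config-pmap)# match request uri length gt 2048
hostname(config-pmap-c)# drop-connection log
hostname(config-pmap-c)# exit
hostname(config-pmap)# exit
! Enable it in the existing global policy on the default inspection class (TCP/80).
hostname(config)# policy-map global_policy
hostname(config-pmap)# class inspection_default
hostname(config-pmap-c)# inspect http HTTP-STRICT
hostname(config-pmap-c)# exit
! Non-standard port: add a class to the same global policy rather than a second global policy.
hostname(config)# class-map HTTP-8080
hostname(config-cmap)# match port tcp eq 8080
hostname(config-cmap)# exit
hostname(config)# policy-map global_policy
hostname(config-pmap)# class HTTP-8080
hostname(config-pmap-c)# inspect http HTTP-STRICT
hostname(config-pmap-c)# exit
hostname# show service-policy global
hostname# show service-policy inspect http
```

Test the policy map against real client traffic before choosing drop-connection for method matches: some legitimate applications use non-standard methods and will be silently broken by a drop with no log action.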

Determining What Traffic to Scan

The CSC SSM can scan FTP, HTTP, POP3, and SMTP traffic. It supports these protocols only when the destination port of the packet requesting the connection is the well known port for the protocol, that is, CSC SSM can scan only the following connections FTP connections opened to TCP port 21. HTTP connections opened to TCP port 80. POP3 connections opened to TCP port 110. SMTP connections opened to TCP port 25. You can choose to scan traffic for all of these protocols or any combination of them....

Diverting Traffic to the AIP SSM

You use MPF commands to configure the adaptive security appliance to divert traffic to the AIP SSM. Before configuring the adaptive security appliance to do so, read Chapter 21, Using Modular Policy Framework, which introduces MPF concepts and common commands. To identify traffic to divert from the adaptive security appliance to the AIP SSM, perform the following steps Step 1 Create an access list that matches all traffic hostname(config) access-list acl-name permit ip any any Step 2 Create a...

Diverting Traffic to the CSC SSM

You use MPF commands to configure the adaptive security appliance to divert traffic to the CSC SSM. Before configuring the adaptive security appliance to do so, read Chapter 21, Using Modular Policy Framework, which introduces MPF concepts and common commands. To identify traffic to divert from the adaptive security appliance to the CSC SSM, perform the following steps Step 1 Create an access list that matches the traffic you want scanned by the CSC SSM. To do so, use the access-list extended...
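An added example, not from the guide, of the two divert configurations from this section and the previous one: a CSC SSM class limited to the four protocols on their well-known ports (Determining What Traffic to Scan), and an AIP SSM class that sends all traffic through the sensor inline. ACL and class names, subnets and the mail server address are assumptions.

```text
! Added example (not from the original guide). Names and addresses are assumptions.
! CSC SSM: only what it can scan. HTTP/FTP/POP3 from inside clients, SMTP to the mail relay.
hostname(config)# access-list CSC-SCAN extended permit tcp 10.1.1.0 255.255.255.0 any eq www
hostname(config)# access-list CSC-SCAN extended permit tcp 10.1.1.0 255.255.255.0 any eq ftp
hostname(config)# access-list CSC-SCAN extended permit tcp 10.1.1.0 255.255.255.0 any eq pop3
hostname(config)# access-list CSC-SCAN extended permit tcp any host 10.1.1.25 eq smtp
hostname(config)# class-map CSC-CLASS
hostname(config-cmap)# match access-list CSC-SCAN
hostname(config-cmap)# exit
hostname(config)# policy-map global_policy
hostname(config-pmap)# class CSC-CLASS
! fail-close: if the module is down, matching traffic is blocked rather than passed unscanned.
hostname(config-pmap-c)# csc fail-close
hostname(config-pmap-c)# exit
! AIP SSM: everything, inline. fail-open would keep traffic flowing during a module
! failure; choose per what the link protects, not by default.
hostname(config)# access-list IPS-ALL extended permit ip any any
hostname(config)# class-map IPS-CLASS
hostname(config-cmap)# match access-list IPS-ALL
hostname(config-cmap)# exit
hostname(config)# policy-map global_policy
hostname(config-pmap)# class IPS-CLASS
hostname(config-pmap-c)# ips inline fail-close
hostname(config-pmap-c)# exit
hostname# show module 1 details
hostname# show service-policy global
```

Traffic diverted to the CSC SSM on a port other than the well-known one (for example HTTP on 8080) is passed back unscanned, so the scan list and the application inspection class for that port should be kept consistent.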

Dynamic NAT

Dynamic NAT translates a group of real addresses to a pool of mapped addresses that are routable on the destination network. The mapped pool can include fewer addresses than the real group. When a host you want to translate accesses the destination network, the security appliance assigns it an IP address from the mapped pool. The translation is added only when the real host initiates the connection. The translation is in place only for the duration of the connection, and a given user does not...

Dynamic NAT and PAT Implementation

Figure 17-13, nat and global ID Matching. See the following commands for this example:

hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.3-209.165.201.10

You can enter a nat command for each interface using the same NAT ID; they all use the same global command when traffic exits a given interface. For example, you can configure nat commands for Inside and DMZ interfaces, both on NAT ID 1. Then you configure a global command on the Outside...
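An added example, not from the guide, extending the nat/global pairing above to show how dynamic NAT (previous section) behaves when the pool is exhausted and when a second egress interface shares the NAT ID. Addresses and interface names are assumptions.

```text
! Added example (not from the original guide). Addresses and interfaces are assumptions.
! Two real groups share NAT ID 1.
hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0
hostname(config)# nat (dmz) 1 10.1.3.0 255.255.255.0
! Leaving via outside: an 8-address dynamic pool; each real host gets one mapped address
! for as long as it has connections, and a user does not keep the same one across sessions.
hostname(config)# global (outside) 1 209.165.201.3-209.165.201.10
! When the pool is exhausted new hosts fall back to PAT on this single address
! (same NAT ID, single address = PAT). Without this line the 9th host is simply dropped.
hostname(config)# global (outside) 1 209.165.201.11
! Inside hosts also match NAT ID 1 when they go to the DMZ, so with nat-control enabled
! they need a global on dmz too, or the traffic is dropped; PAT to the interface address here.
hostname(config)# global (dmz) 1 interface
hostname# show xlate
hostname# show running-config nat
hostname# show running-config global
```

A dynamic translation is not a permission: it lets the inside host's connection out and its replies back, but the mapped address does not become reachable from outside unless an access list and a static translation say so.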

Enabling ActiveX Filtering

This section describes how to remove ActiveX objects in HTTP traffic passing through the security appliance. To remove ActiveX objects, enter the following command in global configuration mode:

hostname(config)# filter activex port[-port] local_ip local_mask foreign_ip foreign_mask

To use this command, replace port with the TCP port to which filtering is applied. Typically, this is port 80, but other values are accepted. The http or url literal can be used for port 80. You can specify a range of...

Enabling and Configuring RIP

You can only enable one RIP routing process on the security appliance. After you enable the RIP routing process, you must define the interfaces that will participate in that routing process using the network command. By default, the security appliance sends RIP Version 1 updates and accepts RIP Version 1 and Version 2 updates. To enable and configure the RIP routing process, perform the following steps Step 1 Start the RIP routing process by entering the following command in global...
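An added example, not from the guide, of a RIP process that advertises only on the inside segment, uses version 2, and authenticates updates with MD5 so an inside host cannot inject routes. The classful network, interface name and placeholder key are assumptions.

```text
! Added example (not from the original guide). Network, interface and key are assumptions.
hostname(config)# router rip
! network takes a classful address; every interface inside 10.0.0.0/8 participates.
hostname(config-router)# network 10.0.0.0
hostname(config-router)# version 2
hostname(config-router)# no auto-summary
! Never send or accept RIP on the outside interface.
hostname(config-router)# passive-interface outside
hostname(config-router)# exit
! MD5-authenticate updates on the inside segment; unauthenticated updates are ignored.
hostname(config)# interface gigabitethernet0/1
hostname(config-if)# rip authentication mode md5
hostname(config-if)# rip authentication key <shared-key> key_id 1
hostname(config-if)# exit
hostname# show rip database
hostname# show route rip
```

Version 1 updates are accepted by default; setting version 2 process-wide removes that fallback, which matters because version 1 carries no authentication at all.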

Enabling IPSec over TCP

IPSec over TCP enables a Cisco VPN client to operate in an environment in which standard ESP or ISAKMP cannot function, or can function only with modification to existing firewall rules. IPSec over TCP encapsulates both the ISAKMP and IPSec protocols within a TCP-like packet, and enables secure tunneling through both NAT and PAT devices and firewalls. This feature is disabled by default. Note: This feature does not work with proxy-based firewalls. IPSec over TCP works with remote access...

Example 3: Client Includes FQDN Option Instructing Server Not to Update Either RR; Server Overrides Client and Updates

The following example configures the DHCP client to include the FQDN option instructing the DHCP server not to update either the A or PTR updates. The example also configures the server to override the client request. As a result, the client backs off without performing any updates. To configure this scenario, perform the following steps Step 1 To configure the update method named ddns-2 to request that it make both A and PTR RR updates, enter the following commands hostname(config) ddns update...

Failover Configuration Limitations

You cannot configure failover with the following types of IP addresses: IP addresses obtained through DHCP; IP addresses obtained through PPPoE. Additionally, the following restrictions apply: Stateful Failover is not supported on the ASA 5505 adaptive security appliance. Active/Active failover is not supported on the ASA 5505 adaptive security appliance. You cannot configure failover when Easy VPN Remote is enabled on the ASA 5505 adaptive security appliance. VPN failover is not supported in...

Filtering Java Applets

This section describes how to apply filtering to remove Java applets from HTTP traffic passing through the firewall. Java applets may pose security risks because they can contain code intended to attack hosts and servers on a protected network. You can remove Java applets with the filter java command. The filter java command filters out Java applets that return to the security appliance from an outbound connection. The user still receives the HTML page, but the web page source for the applet is...

Getting Additional Information

Additional information on various topics can be found at www.microsoft.com: How to Configure an L2TP/IPSec Connection Using Pre-Shared Keys Authentication; How to Install a Certificate for Use with IP Security (IPSec) (elp sag_VPN_us26.htm); How to use a Windows 2000 Machine Certificate for L2TP over IPSec VPN Connections; How to Create a Custom MMC Console and Enabling Audit Policy for Your Computer.

Group Policies

This section describes group policies and how to configure them. It includes the following sections: Default Group Policy, page 30-31; Configuring Group Policies, page 30-33. A group policy is a set of user-oriented attribute/value pairs for IPSec connections that are stored either internally (locally) on the device or externally on a RADIUS server. The tunnel group uses a group policy that sets terms for user connections after the tunnel is established. Group policies let you apply whole sets of...

How Data Moves Through the Transparent Firewall

Figure 15-8 shows a typical transparent firewall implementation with an inside network that contains a public web server. The security appliance has an access list so that the inside users can access Internet resources. Another access list lets the outside users access only the web server on the inside network. Figure 15-8 Typical Transparent Firewall Data Path. This section describes how data moves through the security appliance, and includes...

How DNS Rewrite Works

When DNS inspection is enabled, DNS rewrite provides full support for NAT of DNS messages originating from any interface. If a client on an inside network requests DNS resolution of an inside address from a DNS server on an outside interface, the DNS A-record is translated correctly. If the DNS inspection engine is disabled, the A-record is not translated. As long as DNS inspection remains enabled, you can configure DNS rewrite using the alias, static, or nat commands. For details about the...

How H323 Works

The H.323 collection of protocols collectively may use up to two TCP connections and four to six UDP connections. FastConnect uses only one TCP connection, and RAS uses a single UDP connection for registration, admissions, and status. An H.323 client may initially establish a TCP connection to an H.323 server using TCP port 1720 to request Q.931 call setup. As part of the call setup process, the H.323 terminal supplies a port number to the client to use for an H.245 TCP connection. In...

Inbound and Outbound Access List Overview

By default, all traffic from a higher-security interface to a lower-security interface is allowed. Access lists let you either allow traffic from lower-security interfaces, or restrict traffic from higher-security interfaces. The security appliance supports two types of access lists: Inbound: Inbound access lists apply to traffic as it enters an interface. Outbound: Outbound access lists apply to traffic as it exits an interface. Note: Inbound and outbound refer to the application of an access list...

Inspection Policy Map Overview

See the Configuring Application Inspection section on page 25-5 for a list of applications that support inspection policy maps. An inspection policy map consists of one or more of the following elements. The exact options available for an inspection policy map depend on the application. Traffic matching command: You can define a traffic matching command directly in the inspection policy map to match application traffic to criteria specific to the application, such as a URL string, for which you...

Introduction to NAT

Address translation substitutes the real address in a packet with a mapped address that is routable on the destination network. NAT consists of two steps: the process in which a real address is translated into a mapped address, and then the process to undo the translation for returning traffic. The security appliance translates an address when a NAT rule matches the traffic. If no NAT rule matches, processing for the packet continues. The exception is when you enable NAT control. NAT control...

Invalid Classifier Criteria

The following configurations are not used for packet classification: NAT exemption: The classifier does not use a NAT exemption configuration for classification purposes because NAT exemption does not identify a mapped interface. Routing table: If a context includes a static route that points to an external router as the next-hop to a subnet, and a different context includes a static command for the same subnet, then the classifier uses the static command to classify packets destined for that...

IP Addresses Used for Access Lists When You Use NAT

When you use NAT, the IP addresses you specify for an access list depend on the interface to which the access list is attached: you need to use addresses that are valid on the network connected to the interface. This guideline applies for both inbound and outbound access lists: the direction does not determine the address used, only the interface does. For example, you want to apply an access list to the inbound direction of the inside interface. You configure the security appliance to perform...

IPv6-enabled Commands

The following security appliance commands can accept and display IPv6 addresses. Failover does not support IPv6. The ipv6 address command does not support setting standby addresses for failover configurations. The failover interface ip command does not support using IPv6 addresses on the failover and Stateful Failover interfaces. When entering IPv6 addresses in commands that support them, simply enter the IPv6 address using standard IPv6 notation, for example ping fe80::2e0:b6ff:fe01:3b7a. The...

L2TP Overview

Layer 2 Tunneling Protocol (L2TP) is a VPN tunneling protocol which allows remote clients to use the public IP network to securely communicate with private corporate network servers. L2TP uses PPP over UDP (port 1701) to tunnel the data. The L2TP protocol is based on the client/server model. The function is divided between the L2TP Network Server (LNS), and the L2TP Access Concentrator (LAC). The LNS typically runs on a network gateway such as a router, while the LAC can be a dial-up Network Access...

Layer 3/4 Policy Map Overview

This section describes how Layer 3/4 policy maps work, and includes the following topics: Policy Map Guidelines, page 21-16; Supported Feature Types, page 21-16; Hierarchical Policy Maps, page 21-16; Feature Directionality, page 21-17; Feature Matching Guidelines within a Policy Map, page 21-17; Feature Matching Guidelines for multiple Policy Maps, page 21-18; Order in Which Multiple Feature Actions are Applied, page 21-18. See the following guidelines for using policy maps: You can only assign one...

License Requirements

On the PIX 500 series security appliance, at least one of the units must have an unrestricted (UR) license. The other unit can have a Failover Only (FO) license, a Failover Only Active-Active (FO_AA) license, or another UR license. Units with a Restricted license cannot be used for failover, and two units with FO or FO_AA licenses cannot be used together as a failover pair. Note: The FO license does not support Active/Active failover. The FO and FO_AA licenses are intended to be used solely...

Mapped Address Guidelines

When you translate the real address to a mapped address, you can use the following mapped addresses: Addresses on the same network as the mapped interface. If you use addresses on the same network as the mapped interface (through which traffic exits the security appliance), the security appliance uses proxy ARP to answer any requests for mapped addresses, and thus intercepts traffic destined for a real address. This solution simplifies routing, because the security appliance does not have to be...

MGCP Inspection Overview

MGCP is a master/slave protocol used to control media gateways from external call control elements called media gateway controllers or call agents. A media gateway is typically a network element that provides conversion between the audio signals carried on telephone circuits and data packets carried over the Internet or over other packet networks. Using NAT and PAT with MGCP lets you support a large number of devices on an internal network with a limited set of external (global) addresses....

Modifying the Query Interval and Query Timeout

The security appliance sends query messages to discover which multicast groups have members on the networks attached to the interfaces. Members respond with IGMP report messages indicating that they want to receive multicast packets for specific groups. Query messages are addressed to the all-systems multicast group, which has an address of 224.0.0.1, with a time-to-live value of 1. These messages are sent periodically to refresh the membership information stored on the security appliance. If...

Modular Policy Framework Configuration Overview

Configuring Modular Policy Framework consists of the following tasks: 1. Identify the traffic on which you want to perform Modular Policy Framework actions by creating Layer 3/4 class maps. For example, you might want to perform actions on all traffic that passes through the security appliance, or you might only want to perform certain actions on traffic from 10.1.1.0/24 to any destination address. See the Identifying Traffic (Layer 3/4 Class Map) section on page 21-4. If one of the actions you...

Monitoring Security Contexts

This section describes how to view and monitor context information, and includes the following topics: Viewing Context Information, page 6-15; Viewing Resource Allocation, page 6-16; Viewing Resource Usage, page 6-19; Monitoring SYN Attacks in Contexts, page 6-20. From the system execution space, you can view a list of contexts including the name, allocated interfaces, and configuration file URL. From the system execution space, view all contexts by entering the following command: hostname# show...

Network Address Translation

NAT substitutes the local address on a packet with a global address that is routable on the destination network. By default, NAT is not required. If you want to enforce a NAT policy that requires hosts on a higher security interface (inside) to use NAT when communicating with a lower security interface (outside), you can enable NAT control (see the nat-control command). Note: NAT control was the default behavior for software versions earlier than Version 7.0. If you upgrade a security...

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS...

Part 2 Reference

Supported Platforms and Feature Licenses, A-1; Security Services Module Support, A-9; VPN Specifications, A-10; Cisco VPN Client Support, A-11; Cisco Secure Desktop Support, A-11; Site-to-Site VPN Compatibility, A-11; Cryptographic Standards, A-12; Example 1: Multiple Mode Firewall With Outside Access, B-1; Example 1: System Configuration, B-2; Example 1: Admin Context Configuration, B-4; Example 1: Customer A Context Configuration, B-4; Example 1: Customer B Context Configuration, B-4; Example 1: Customer C Context...

Passing Traffic Not Allowed in Routed Mode

In routed mode, some types of traffic cannot pass through the security appliance even if you allow it in an access list. The transparent firewall, however, can allow almost any traffic through using either an extended access list (for IP traffic) or an EtherType access list (for non-IP traffic). The transparent mode security appliance does not pass CDP packets or IPv6 packets, or any packets that do not have a valid EtherType greater than or equal to 0x600. For example, you cannot pass IS-IS...

Permitting Intra Interface Traffic

The security appliance includes a feature that lets a VPN client send IPSec-protected traffic to another VPN user by allowing such traffic in and out of the same interface. Also called hairpinning, this feature can be thought of as VPN spokes (clients) connecting through a VPN hub (security appliance). In another application, this feature can redirect incoming VPN traffic back out through the same interface as unencrypted traffic. This would be useful, for example, to a VPN client that does not...

Preventing IP Spoofing

This section lets you enable Unicast Reverse Path Forwarding on an interface. Unicast RPF guards against IP spoofing (a packet uses an incorrect source IP address to obscure its true source) by ensuring that all packets have a source IP address that matches the correct source interface according to the routing table. Normally, the security appliance only looks at the destination address when determining where to forward the packet. Unicast RPF instructs the security appliance to also look at...

QoS Class Map Examples

For example, in the following sequence, the class-map command classifies all non-tunneled TCP traffic, using an access list named tcp_traffic:
hostname(config)# access-list tcp_traffic permit tcp any any
hostname(config)# class-map tcp_traffic
hostname(config-cmap)# match access-list tcp_traffic
In the following example, other, more specific match criteria are used for classifying traffic for specific, security-related tunnel groups. These specific match criteria stipulate that a match on...

Saving Configuration Changes

This section describes how to save your configuration, and includes the following topics: Saving Configuration Changes in Single Context Mode, page 2-7; Saving Configuration Changes in Multiple Context Mode, page 2-7. Saving Configuration Changes in Single Context Mode: To save the running configuration to the startup configuration, enter the following command. The copy running-config startup-config command is equivalent to the write memory command. Saving Configuration Changes in Multiple Context...

Security Level Overview

SQL*Net inspection engine: If a control connection for the SQL*Net (formerly OraServ) port exists between a pair of hosts, then only an inbound data connection is permitted through the security appliance. Filtering: HTTP(S) and FTP filtering applies only for outbound connections (from a higher level to a lower level). For same security interfaces, you can filter traffic in either direction. NAT control: When you enable NAT control, you...

SQLNet Inspection

SQL*Net inspection is enabled by default. The SQL*Net protocol consists of different packet types that the security appliance handles to make the data stream appear consistent to the Oracle applications on either side of the security appliance. The default port assignment for SQL*Net is 1521. This is the value used by Oracle for SQL*Net, but this value does not agree with IANA port assignments for Structured Query Language (SQL). Use the class-map command to apply SQL*Net inspection to a range...

SSO Support for WebVPN with HTTP Forms

The security appliance can use the HTTP Form protocol for single sign-on (SSO) authentication of WebVPN users only. Single sign-on support lets WebVPN users enter a username and password only once to access multiple protected services and Web servers. The WebVPN server running on the security appliance acts as a proxy for the user to the authenticating server. When a user logs in, the WebVPN server sends an SSO authentication request, including username and password, to the authenticating...

Static NAT

Static NAT creates a fixed translation of real address(es) to mapped address(es). With dynamic NAT and PAT, each host uses a different address or port for each subsequent translation. Because the mapped address is the same for each consecutive connection with static NAT, and a persistent translation rule exists, static NAT allows hosts on the destination network to initiate traffic to a translated host (if there is an access list that allows it). The main difference between dynamic NAT and a...

Summary of Support

Table 13-1 summarizes the support for each AAA service by each AAA server type, including the local database. For more information about support for a specific AAA server type, refer to the topics following the table. 1. HTTP Form protocol supports single sign-on authentication for WebVPN users only. 2. SDI is not supported for HTTP administrative access....

Supporting the Nokia VPN Client

The security appliance supports connections from Nokia VPN Clients on Nokia 92xx Communicator series phones using the Challenge/Response for Authenticated Cryptographic Keys (CRACK) protocol. CRACK is ideal for mobile IPSec-enabled clients that use legacy authentication techniques instead of digital certificates. It provides mutual authentication when the client uses a legacy-based secret-key authentication technique such as RADIUS and the gateway uses public-key authentication. The Nokia...

TCP Normalization Overview

The TCP normalizer includes non-configurable actions and configurable actions. Typically, non-configurable actions that drop or clear connections apply to packets that are always bad. Configurable actions (as detailed in the Enabling the TCP Normalizer section on page 23-2) might need to be customized depending on your network needs. See the following guidelines for TCP normalization: The normalizer does not protect from SYN floods. The security appliance includes SYN flood protection in other ways....

Transferring an Image onto an SSM

For an intelligent SSM, such as AIP SSM or CSC SSM, you can transfer application images from a TFTP server to the SSM. This process supports upgrade images and maintenance images. Note: If you are upgrading the application on the SSM, the SSM application may support backup of its configuration. If you do not back up the configuration of the SSM application, it is lost when you transfer an image onto the SSM. For more information about how your SSM supports backups, see the documentation for...

Tunnel Group Switching

Tunnel Group Switching enables the security appliance to associate different users that are establishing L2TP over IPSec connections with different tunnel groups. Since each tunnel group has its own AAA server group and IP address pools, users can be authenticated through methods specific to their tunnel group. With this feature, instead of sending just a username, the user sends a username and a group name in the format username group_name, where represents a delimiter that you can configure,...

Understanding IPSec Tunnels

IPSec tunnels are sets of SAs that the security appliance establishes between peers. The SAs define the protocols and algorithms to apply to sensitive data, and also specify the keying material the peers use. IPSec SAs control the actual transmission of user traffic. SAs are unidirectional, but are generally established in pairs (inbound and outbound). The peers negotiate the settings to use for each SA. Each SA consists of the following: A transform set...

Using Active Directory to Enforce Minimum Password Length

To enforce a minimum length for passwords, specify the password-management command in tunnel-group general-attributes configuration mode on the security appliance and do the following steps under Active Directory: Step 1 Select Start > Programs > Administrative Tools > Domain Security Policy. Step 2 Select Windows Settings > Security Settings > Account Policies > Password Policy. Step 3 Double-click Minimum Password Length. This opens the Security Policy Setting dialog box. Step 4...

Using Active Directory to Enforce Password Complexity

To enforce complex passwords (for example, to require that a password contain upper- and lowercase letters, numbers, and special characters), specify the password-management command in tunnel-group general-attributes configuration mode on the security appliance and do the following steps under Active Directory: Step 1 Select Start > Programs > Administrative Tools > Domain Security Policy. Select Windows Settings > Security Settings > Account Policies > Password Policy. Step 2...