A DCERPC Inspection Policy Map for Additional Inspection Control

To specify additional DCERPC inspection parameters, create a DCERPC inspection policy map. You can then apply the inspection policy map when you enable DCERPC inspection according to the Configuring Application Inspection section on page 25-5. To create a DCERPC inspection policy map, perform the following steps.

To create a DCERPC inspection policy map, enter the following command:

hostname(config)# policy-map type inspect dcerpc policy_map_name
hostname(config-pmap)#

where policy_map_name is the...

About Authorization

Authorization controls access per user after users authenticate. You can configure the security appliance to authorize the following items. Authorization controls the services and commands available to each authenticated user. If you do not enable authorization, authentication alone provides the same access to services for all authenticated users. If you need the control that authorization provides, you can configure a broad authentication rule, and then have a detailed authorization...

Access Control Entry Order

An access list is made up of one or more Access Control Entries (ACEs). Depending on the access list type, you can specify the source and destination addresses, the protocol, the ports (for TCP or UDP), the ICMP type (for ICMP), or the EtherType. Each ACE that you enter for a given access list name is appended to the end of the access list. The order of ACEs is important. When the security appliance decides whether to forward or drop a packet, the security appliance tests the packet against each ACE...

Access List Types

Table 16-1 lists the types of access lists and some common uses for them.

Table 16-1 Access List Types and Common Uses

Control network access for IP traffic (routed and transparent mode): The security appliance does not allow any traffic from a lower security interface to a higher security interface unless it is explicitly permitted by an extended access list. Note: To access the security appliance interface for management access, you do not also need...

Adding a Standard Access List

Standard access lists identify the destination IP addresses of OSPF routes, and can be used in a route map for OSPF redistribution. Standard access lists cannot be applied to interfaces to control traffic. The following command adds a standard ACE. To add another ACE at the end of the access list, enter another access-list command specifying the same access list name. Apply the access list using the Defining Route Maps section on page 9-7. To...

Adding a Static MAC Address

Normally, MAC addresses are added to the MAC address table dynamically as traffic from a particular MAC address enters an interface. You can add static MAC addresses to the MAC address table if desired. One benefit to adding static entries is to guard against MAC spoofing. If a client with the same MAC address as a static entry attempts to send traffic to an interface that does not match the static entry, then the security appliance drops the traffic and generates a system message. When you add...

Adding a Time Range

To add a time range to implement a time-based access list, perform the following steps:

Step 1 Identify the time-range name by entering the following command.

Step 2 Specify the time range as either a recurring time range or an absolute time range. Multiple periodic entries are allowed per time-range command. If a time-range command has both absolute and periodic values specified, then the periodic commands are evaluated only after the absolute start time is reached, and are not further evaluated...

Adding an EtherType ACE

To add an EtherType ACE, enter the following command:

hostname(config)# access-list access_list_name ethertype {permit | deny} {ipx | bpdu | mpls-unicast | mpls-multicast | any | hex_number}

The hex_number is any EtherType that can be identified by a 16-bit hexadecimal number greater than or equal to 0x600. See RFC 1700, Assigned Numbers, at http://www.ietf.org/rfc/rfc1700.txt for a list of EtherTypes. Note: If an EtherType access list is configured to deny all, all Ethernet frames are discarded. Only physical...

Adding an Extended ACE

When you enter the access-list command for a given access list name, the ACE is added to the end of the access list unless you specify the line number. To add an ACE, enter the following command:

hostname(config)# access-list access_list_name [line line_number] extended {deny | permit} protocol source_address mask [operator port] dest_address mask [operator port | icmp_type] [inactive]

Tip: Enter the access list name in upper case letters so the name is easy to see in the configuration. You might want to name...

Adding and Managing Security Contexts

This chapter describes how to configure multiple security contexts on the security appliance, and includes the following sections:

Configuring Resource Management, page 6-1
Configuring a Security Context, page 6-7
Automatically Assigning MAC Addresses to Context Interfaces, page 6-11
Changing Between Contexts and the System Execution Space, page 6-11
Managing Security Contexts, page 6-12

For information about how contexts work and how to enable multiple context mode, see Chapter 3, Enabling...

Adding Remarks to Access Lists

You can include remarks about entries in any access list, including extended, EtherType, and standard access lists. The remarks make the access list easier to understand. To add a remark after the last access-list command you entered, enter the following command:

hostname(config)# access-list access_list_name remark text

If you enter the remark before any access-list command, then the remark is the first line in the access list. If you delete an access list using the no access-list...

Admin Context Configuration

The admin context is just like any other context, except that when a user logs in to the admin context, then that user has system administrator rights and can access the system and all other contexts. The admin context is not restricted in any way, and can be used as a regular context. However, because logging into the admin context grants you administrator privileges over all contexts, you might need to restrict access to the admin context to appropriate users. The admin context must reside on...

Allowed MAC Addresses

The following destination MAC addresses are allowed through the transparent firewall. Any MAC address not on this list is dropped.

TRUE broadcast destination MAC address equal to FFFF.FFFF.FFFF
IPv4 multicast MAC addresses from 0100.5E00.0000 to 0100.5EFE.FFFF
IPv6 multicast MAC addresses from 3333.0000.0000 to 3333.FFFF.FFFF
BPDU multicast address equal to 0100.0CCC.CCCD
Appletalk multicast MAC addresses from 0900.0700.0000 to 0900.07FF.FFFF
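The allow list above, applied to constructed frames as an added example (not code from the Cisco guide): it parses Cisco dotted-hex MAC notation, reports which list entry covers a destination MAC, and derives the IPv4 (RFC 1112) and IPv6 (RFC 2464) multicast MACs so you can confirm a given group address lands inside the listed ranges.

```python
"""Added example, not from the Cisco guide: a checker for the transparent-firewall
destination-MAC allow list.  All sample frames below are constructed."""
import ipaddress
from typing import Optional

# Inclusive ranges, copied from the allow list (Cisco dotted-hex notation).
ALLOWED_DST_MAC_RANGES = (
    ("TRUE broadcast", "FFFF.FFFF.FFFF", "FFFF.FFFF.FFFF"),
    ("IPv4 multicast", "0100.5E00.0000", "0100.5EFE.FFFF"),
    ("IPv6 multicast", "3333.0000.0000", "3333.FFFF.FFFF"),
    ("BPDU multicast", "0100.0CCC.CCCD", "0100.0CCC.CCCD"),
    ("AppleTalk multicast", "0900.0700.0000", "0900.07FF.FFFF"),
)


def mac_to_int(mac: str) -> int:
    """Parse dotted (0100.5E00.0000), colon or dash notation into a 48-bit integer."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int(digits, 16)


def int_to_mac(value: int) -> str:
    """Render a 48-bit integer in Cisco dotted-hex notation (XXXX.XXXX.XXXX)."""
    hexstr = f"{value:012X}"
    return ".".join(hexstr[i:i + 4] for i in (0, 4, 8))


def matching_allow_entry(dst_mac: str) -> Optional[str]:
    """Return the name of the allow-list entry covering dst_mac, or None if it is not listed."""
    value = mac_to_int(dst_mac)
    for name, low, high in ALLOWED_DST_MAC_RANGES:
        if mac_to_int(low) <= value <= mac_to_int(high):
            return name
    return None


def ipv4_group_to_mac(group: str) -> str:
    """RFC 1112 mapping: 01-00-5E followed by the low 23 bits of the IPv4 group address."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast group")
    return int_to_mac(0x01005E000000 | (int(addr) & 0x7FFFFF))


def ipv6_group_to_mac(group: str) -> str:
    """RFC 2464 mapping: 33-33 followed by the low 32 bits of the IPv6 group address."""
    addr = ipaddress.IPv6Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv6 multicast group")
    return int_to_mac(0x333300000000 | (int(addr) & 0xFFFFFFFF))


def audit_frames(frames):
    """Classify (src, dst) MAC pairs; returns {dst: matching entry or None}."""
    return {dst: matching_allow_entry(dst) for _src, dst in frames}


if __name__ == "__main__":
    # Constructed sample destination MACs, not captured traffic.
    SAMPLE_FRAMES = [
        ("0011.2233.4455", "FFFF.FFFF.FFFF"),                    # ARP broadcast
        ("0011.2233.4455", ipv4_group_to_mac("224.0.0.251")),   # mDNS group
        ("0011.2233.4455", ipv6_group_to_mac("ff02::1")),       # IPv6 all-nodes
        ("0011.2233.4455", "0100.0CCC.CCCD"),                    # PVST+ BPDU
        ("0011.2233.4455", "0100.5EFF.0000"),                    # outside the listed IPv4 range
    ]
    for dst, entry in audit_frames(SAMPLE_FRAMES).items():
        print(f"{dst}: {entry or 'not on the allow list'}")
```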

Allowing Broadcast and Multicast Traffic through the Transparent Firewall

In routed firewall mode, broadcast and multicast traffic is blocked even if you allow it in an access list, including unsupported dynamic routing protocols and DHCP (unless you configure DHCP relay). Transparent firewall mode can allow any IP traffic through. This feature is especially useful in multiple context mode, which does not allow dynamic routing, for example. Note: Because these special types of traffic are connectionless, you need to apply an extended access list to both interfaces,...

Allowing Communication Between Interfaces on the Same Security Level

By default, interfaces on the same security level cannot communicate with each other. Allowing communication between same security interfaces provides the following benefits:

You can configure more than 101 communicating interfaces. If you use different levels for each interface and do not assign any interfaces to the same security level, you can configure only one interface per level (0 to 100).

You want traffic to flow freely between all same security interfaces without access lists.

Note: If...

Allowing Communication Between VLAN Interfaces on the Same Security Level

By default, interfaces on the same security level cannot communicate with each other. Allowing communication between same security interfaces lets traffic flow freely between all same security interfaces without access lists. Note If you enable NAT control, you do not need to configure NAT between same security level interfaces. See the NAT and Same Security Level Interfaces section on page 17-12 for more information on NAT and same security level interfaces. If you enable same security...

Allowing MPLS

If you allow MPLS, ensure that Label Distribution Protocol (LDP) and Tag Distribution Protocol (TDP) TCP connections are established through the security appliance by configuring both MPLS routers connected to the security appliance to use the IP address on the security appliance interface as the router-id for LDP or TDP sessions. (LDP and TDP allow MPLS routers to negotiate the labels (addresses) used to forward packets.) On Cisco IOS routers, enter the appropriate command for your protocol, LDP or TDP....

An Outside User Visits a Web Server on the Inside Network

Figure 15-10 shows an outside user accessing the inside web server. The following steps describe how data moves through the security appliance (see Figure 15-10):

1. A user on the outside network requests a web page from the inside web server.
2. The security appliance receives the packet and adds the source MAC address to the MAC address table, if required. Because it is a new session, it verifies that the packet is allowed according to the terms of the security policy (access lists, filters,...

An Inside User Visits a Web Server


Figure 15-2 shows an inside user accessing an outside web server.

Figure 15-2 Inside to Outside

The following steps describe how data moves through the security appliance (see Figure 15-2):

1. The user on the inside network requests a web page from www.example.com.
2. The security appliance receives the packet and, because it is a new session, the security appliance verifies that the packet is allowed...

An Inside User Visits a Web Server on the DMZ

Figure 15-4 shows an inside user accessing the DMZ web server. The following steps describe how data moves through the security appliance (see Figure 15-4):

1. A user on the inside network requests a web page from the DMZ web server using the destination address of 10.1.1.3.
2. The security appliance receives the packet and, because it is a new session, the security appliance verifies that the packet is allowed according to the terms of the security policy (access lists, filters, AAA). For...

An Outside User Visits a Web Server on the DMZ

Figure 15-3 shows an outside user accessing the DMZ web server. The following steps describe how data moves through the security appliance (see Figure 15-3):

1. A user on the outside network requests a web page from the DMZ web server using the global destination address of 209.165.201.3, which is on the outside interface subnet.
2. The security appliance receives the packet and, because it is a new session, the security appliance...

Applying AAA for Network Access

This chapter describes how to enable AAA (pronounced "triple A") for network access. For information about AAA for management access, see the Configuring AAA for System Administrators section on page 40-5. This chapter contains the following sections:

Configuring Authentication for Network Access, page 19-1
Configuring Authorization for Network Access, page 19-6
Configuring Accounting for Network Access, page 19-13
Using MAC Addresses to Exempt Traffic from Authentication and Authorization, page...

Applying AAA for Network Access 19-1

Cisco Security Appliance Command Line Configuration Guide

Enabling Secure Authentication of Web Clients 19-5
Authenticating Directly with the Security Appliance 19-6
Enabling Direct Authentication Using HTTP and HTTPS 19-6
Enabling Direct Authentication Using Telnet 19-6
Configuring Authorization for Network Access 19-6
Configuring TACACS+ Authorization 19-7
Configuring RADIUS Authorization 19-8
Configuring a RADIUS Server to Send...

Applying Actions to an Interface Service Policy

To activate the Layer 3/4 policy map, create a service policy that applies it to one or more interfaces or that applies it globally to all interfaces. Interface service policies take precedence over the global service policy for a given feature. For example, if you have a global policy with inspections, and an interface policy with TCP normalization, then both inspections and TCP normalization are applied to the interface. However, if you have a global policy with inspections, and an interface...

Applying an Access List to an Interface

To apply an extended access list to the inbound or outbound direction of an interface, enter the following command:

hostname(config)# access-group access_list_name {in | out} interface interface_name [per-user-override]

You can apply one access list of each type (extended and EtherType) to both directions of the interface. See the Inbound and Outbound Access List Overview section on page 18-1 for more information about access list directions. The per-user-override keyword allows dynamic access lists...

Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers

In this example (see Figure 21-3), any HTTP connection destined for Server A (TCP traffic on port 80) that enters the security appliance through the outside interface is classified for HTTP inspection and maximum connection limits. Connections initiated from Server A to Host A do not match the access list in the class map, so they are not affected. Any HTTP connection destined for Server B that enters the security appliance through the inside interface is classified for HTTP inspection....

Applying Inspection and QoS Policing to HTTP Traffic

In this example (see Figure 21-1), any HTTP connection (TCP traffic on port 80) that enters or exits the security appliance through the outside interface is classified for HTTP inspection. Any HTTP traffic that exits the outside interface is classified for policing. See the following commands for this example:

hostname(config)# class-map http_traffic
hostname(config-cmap)# match port tcp eq 80
hostname(config)# policy-map http_traffic_policy
hostname(config-pmap)# class http_traffic...

Applying Inspection to HTTP Traffic Globally

In this example (see Figure 21-2), any HTTP connection (TCP traffic on port 80) that enters the security appliance through any interface is classified for HTTP inspection. Because the policy is a global policy, inspection occurs only as the traffic enters each interface. See the following commands for this example:

hostname(config)# class-map http_traffic
hostname(config-cmap)# match port tcp eq 80
hostname(config)# policy-map http_traffic_policy
hostname(config-pmap)# class http_traffic...

Applying Inspection to HTTP Traffic with NAT

In this example, the host on the inside network has two addresses: one is the real IP address, 192.168.1.1, and the other is a mapped IP address used on the outside network, 209.165.200.225. Because the policy is applied to the inside interface, where the real address is used, you must use the real IP address in the access list in the class map. If you applied it to the outside interface, you would use the mapped address. See the following...

Applying NAT

This chapter describes Network Address Translation (NAT). In routed firewall mode, the security appliance can perform NAT between each network. Note: In transparent firewall mode, the security appliance does not support NAT. This chapter contains the following sections:

Configuring NAT Control, page 17-15
Using Dynamic NAT and PAT, page 17-16
Using Static NAT, page 17-25
Using Static PAT, page 17-26

This section describes how NAT works on the security appliance, and includes the following topics...

Applying the Time Range to an ACE

To apply the time range to an ACE, use the following command:

hostname(config)# access-list access_list_name extended {deny | permit} ... time-range name

See the Adding an Extended Access List section on page 16-5 for complete access-list command syntax. Note: If you also enable logging for the ACE, use the log keyword before the time-range keyword. If you disable the ACE using the inactive keyword, use the inactive keyword as the last keyword. The following example binds an access list named Sales to a...

ASA 5505 Default Configuration

The default factory configuration for the ASA 5505 adaptive security appliance configures the following:

An inside VLAN 1 interface that includes the Ethernet 0/1 through 0/7 switch ports. If you did not set the IP address in the configure factory-default command, then the VLAN 1 IP address and mask are 192.168.1.1 and 255.255.255.0.

An outside VLAN 2 interface that includes the Ethernet 0/0 switch port. VLAN 2 derives its IP address using DHCP. The default route is also derived from DHCP.

All...

ASA 5510 and Higher Default Configuration

The default factory configuration for the ASA 5510 and higher adaptive security appliance configures the following:

The management interface, Management 0/0. If you did not set the IP address in the configure factory-default command, then the IP address and mask are 192.168.1.1 and 255.255.255.0.

The DHCP server is enabled on the security appliance, so a PC connecting to the interface receives an address between 192.168.1.2 and 192.168.1.254.

The HTTP server is enabled for ASDM and is accessible...

Authentication Overview

The security appliance lets you configure network access authentication using AAA servers. This section includes the following topics:

One-Time Authentication, page 19-2
Applications Required to Receive an Authentication Challenge, page 19-2
Security Appliance Authentication Prompts, page 19-2
Static PAT and HTTP, page 19-3
Enabling Network Access Authentication, page 19-3

A user at a given IP address only needs to authenticate one time for all rules and types, until the authentication session...

Authentication with LDAP

During authentication, the security appliance acts as a client proxy to the LDAP server for the user, and authenticates to the LDAP server in either plain text or using the Simple Authentication and Security Layer (SASL) protocol. By default, the security appliance passes authentication parameters, usually a username and password, to the LDAP server in plain text. Whether using SASL or plain text, you can secure the communications between the security appliance and the LDAP server with SSL...

Authorization with LDAP for VPN

When user LDAP authentication for VPN access has succeeded, the security appliance queries the LDAP server which returns LDAP attributes. These attributes generally include authorization data that applies to the VPN session. Thus, using LDAP accomplishes authentication and authorization in a single step. There may be cases, however, where you require authorization from an LDAP directory server that is separate and distinct from the authentication mechanism. For example, if you use an SDI or...

Blocking Unwanted Connections

If you know that a host is attempting to attack your network (for example, system log messages show an attack), then you can block (or shun) connections based on the source IP address and other identifying parameters. No new connections can be made until you remove the shun. Note: If you have an IPS that monitors traffic, such as an AIP SSM, then the IPS can shun connections automatically. To shun a connection manually, perform the following steps:

Step 1 If necessary, view information about the...

Buffering the Content Server Response

When a user issues a request to connect to a content server, the security appliance sends the request to the content server and to the filtering server at the same time. If the filtering server does not respond before the content server, the server response is dropped. This delays the web server response from the point of view of the web client because the client must reissue the request. By enabling the HTTP response buffer, replies from web content servers are buffered and the responses are...

Bypassing NAT When NAT Control is Enabled

If you enable NAT control, then inside hosts must match a NAT rule when accessing outside hosts. If you do not want to perform NAT for some hosts, then you can bypass NAT for those hosts (alternatively, you can disable NAT control). You might want to bypass NAT, for example, if you are using an application that does not support NAT (see the When to Use Application Protocol Inspection section on page 25-2 for information about inspection engines that do not support NAT). You can configure...

Caching Server Addresses

After a user accesses a site, the filtering server can allow the security appliance to cache the server address for a certain amount of time, as long as every site hosted at the address is in a category that is permitted at all times. Then, when the user accesses the server again, or if another user accesses the server, the security appliance does not need to consult the filtering server again. Note: Requests for cached IP addresses are not passed to the filtering server and are not logged. As a...

Cascading Security Contexts

Placing a context directly in front of another context is called cascading contexts: the outside interface of one context is the same interface as the inside interface of another context. You might want to cascade contexts if you want to simplify the configuration of some contexts by configuring shared parameters in the top context. Cascading contexts requires that you configure unique MAC addresses for each context interface. Because of the limitations of classifying packets on shared...

Changing Between Contexts and the System Execution Space

If you log in to the system execution space (or the admin context using Telnet or SSH), you can change between contexts and perform configuration and monitoring tasks within each context. The running configuration that you edit in a configuration mode, or that is used in the copy or write commands, depends on your location. When you are in the system execution space, the running configuration consists only of the system configuration; when you are in a context, the running configuration consists...

Changing the Admin Context

The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the contexts from the server), it uses one of the contexts that is designated as the admin context. The admin context is just like any other context, except that when a user logs in to the admin context, then that user has system administrator rights and can access the system and all other contexts. The admin context is...

Changing the Security Context URL

You cannot change the security context URL without reloading the configuration from the new URL. The security appliance merges the new configuration with the current running configuration. Reentering the same URL also merges the saved configuration with the running configuration. A merge adds any new commands from the new configuration to the running configuration. If the configurations are the same, no changes occur. If commands conflict or if commands affect the running of the context, then...

Chapter 10 Configuring DHCP, DDNS, and WCCP Services 10-1

Using Cisco IP Phones with a DHCP Server 10-4
Configuring DHCP Relay Services 10-5
Example 1: Client Updates Both A and PTR RRs for Static IP Addresses 10-7
Example 2: Client Updates Both A and PTR RRs; DHCP Server Honors Client Update Request; FQDN Provided Through Configuration 10-7
Example 3: Client Includes FQDN Option Instructing Server Not to Update Either RR; Server Overrides Client and Updates Both RRs 10-8
Example 4: Client Asks Server To Perform Both Updates; Server Configured to Update PTR...

Chapter 11 Configuring Multicast Routing 11-13

Multicast Routing Overview 11-13
Enabling Multicast Routing 11-14
Disabling IGMP on an Interface 11-15
Configuring Group Membership 11-15
Configuring a Statically Joined Group 11-15
Controlling Access to Multicast Groups 11-15
Limiting the Number of IGMP States on an Interface 11-16
Modifying the Query Interval and Query Timeout 11-16
Changing the Query Response Time 11-17
Changing the IGMP Version 11-17
Configuring Stub Multicast Routing 11-17
Configuring a Static Multicast Route 11-17...

Chapter 13 Configuring AAA Servers and the Local Database 13-1

About Authentication 13-1
About Authorization 13-2
About Accounting 13-2
AAA Server and Local Database Support 13-2
Summary of Support 13-3
RADIUS Server Support 13-3
Authentication Methods 13-4
Attribute Support 13-4
RADIUS Authorization Functions 13-4
TACACS+ Server Support 13-4
SDI Server Support 13-4
SDI Version Support 13-5
Two-step Authentication Process 13-5
SDI Primary and Replica Servers 13-5
NT Server Support 13-5
Kerberos Server Support 13-5
LDAP Server Support 13-6
Authentication...

Chapter 15 Firewall Mode Overview 15-1

Routed Mode Overview 15-1
IP Routing Support 15-1
Network Address Translation 15-2
How Data Moves Through the Security Appliance in Routed Firewall Mode 15-3
An Inside User Visits a Web Server 15-3
An Outside User Visits a Web Server on the DMZ 15-4
An Inside User Visits a Web Server on the DMZ 15-6
An Outside User Attempts to Access an Inside Host 15-7
A DMZ User Attempts to Access an Inside Host 15-8
Transparent Mode Overview 15-8
Transparent Firewall Network 15-9
Allowing Layer 3 Traffic...

Chapter 16 Identifying Traffic with Access Lists 16-1

Access List Overview 16-1
Access List Types 16-2
Access Control Entry Order 16-2
Access Control Implicit Deny 16-3
IP Addresses Used for Access Lists When You Use NAT 16-3
Adding an Extended Access List 16-5
Extended Access List Overview 16-5
Allowing Broadcast and Multicast Traffic through the Transparent Firewall 16-6
Adding an Extended ACE 16-6
Adding an EtherType Access List 16-8
EtherType Access List Overview 16-8
Supported EtherTypes 16-8
Implicit Permit of IP and ARPs Only 16-9
Implicit...

Chapter 1 Introduction to the Security Appliance

Firewall Functional Overview 1-1
Security Policy Overview 1-2
Permitting or Denying Traffic with Access Lists 1-2
Applying HTTP, HTTPS, or FTP Filtering 1-3
Sending Traffic to the Advanced Inspection and Prevention Security Services Module 1-3
Sending Traffic to the Content Security and Control Security Services Module 1-3
Applying QoS Policies 1-3
Applying Connection Limits and TCP Normalization 1-3
Firewall Mode Overview 1-3
Stateful Inspection Overview 1-4
VPN Functional Overview 1-5...

Chapter 20 Applying Filtering Services 20-1

Filtering Overview 20-1
Filtering ActiveX Objects 20-2
ActiveX Filtering Overview 20-2
Enabling ActiveX Filtering 20-2
Filtering Java Applets 20-3
Filtering URLs and FTP Requests with an External Server 20-4
URL Filtering Overview 20-4
Identifying the Filtering Server 20-4
Buffering the Content Server Response 20-6
Caching Server Addresses 20-6
Filtering HTTP URLs 20-7
Configuring HTTP Filtering 20-7
Enabling Filtering of Long HTTP URLs 20-7
Truncating Long HTTP URLs 20-7
Exempting Traffic from...

Chapter 23 Preventing Network Attacks 23-1

Configuring TCP Normalization 23-1
TCP Normalization Overview 23-1
Enabling the TCP Normalizer 23-2
Configuring Connection Limits and Timeouts 23-6
Connection Limit Overview 23-7
TCP Intercept Overview 23-7
Disabling TCP Intercept for Management Packets for Clientless SSL Compatibility 23-7
Dead Connection Detection (DCD) Overview 23-7
TCP Sequence Randomization Overview 23-8
Enabling Connection Limits and Timeouts 23-8
Preventing IP Spoofing 23-10
Configuring the Fragment Size 23-11
Blocking...

Chapter 24 Configuring QoS 24-1

Supported QoS Features 24-2
What is a Token Bucket 24-2
Policing Overview 24-3
Priority Queueing Overview 24-3
Traffic Shaping Overview 24-4
How QoS Features Interact 24-4
DSCP and DiffServ Preservation 24-5
Creating the Standard Priority Queue for an Interface 24-5
Identifying Traffic for QoS Using Class Maps 24-6
Creating a QoS Class Map 24-6
QoS Class Map Examples 24-7
Creating a Policy for Standard Priority Queueing and/or Policing 24-8
Creating a Policy for Traffic Shaping and Hierarchical...

Chapter 25 Configuring Application Layer Protocol Inspection 25-1

When to Use Application Protocol Inspection 25-2
Inspection Limitations 25-2
Default Inspection Policy 25-3
Configuring Application Inspection 25-5
CTIQBE Inspection 25-9
CTIQBE Inspection Overview 25-9
Limitations and Restrictions 25-10
Verifying and Monitoring CTIQBE Inspection 25-10
DCERPC Inspection 25-11
DCERPC Overview 25-11
Configuring a DCERPC Inspection Policy Map for Additional Inspection Control 25-12
DNS Inspection 25-13
How DNS Application Inspection Works 25-13
How DNS Rewrite...

Setting General IPSec VPN Parameters 29-1

Configuring VPNs in Single, Routed Mode 29-1
Configuring IPSec to Bypass ACLs 29-1
Permitting Intra-Interface Traffic 29-2
NAT Considerations for Intra-Interface Traffic 29-3
Setting Maximum Active IPSec VPN Sessions 29-3
Using Client Update to Ensure Acceptable Client Revision Levels 29-3
Understanding Load Balancing 29-5
Implementing Load Balancing 29-6
Prerequisites 29-6
Eligible Platforms 29-7
Eligible Clients 29-7
VPN Load-Balancing Cluster Configurations 29-7
Some Typical Mixed Cluster...

Chapter 30 Configuring Tunnel Groups, Group Policies, and Users 30-1

Overview of Tunnel Groups, Group Policies, and Users 30-1
Tunnel Groups 30-2
General Tunnel-Group Connection Parameters 30-2
IPSec Tunnel-Group Connection Parameters 30-3
WebVPN Tunnel-Group Connection Parameters 30-4
Configuring Tunnel Groups 30-5
Default IPSec Remote Access Tunnel Group Configuration 30-5
Configuring IPSec Tunnel-Group General Attributes 30-6
Configuring IPSec Remote-Access Tunnel Groups 30-6
Specifying a Name and Type for the IPSec Remote Access Tunnel Group 30-6
Configuring...

Chapter 37 Configuring WebVPN 37-1

Observing WebVPN Security Precautions 37-2
Understanding Features Not Supported for WebVPN 37-2
Using SSL to Access the Central Site 37-3
Using HTTPS for WebVPN Sessions 37-3
Configuring WebVPN and ASDM on the Same Interface 37-3
Setting WebVPN HTTP/HTTPS Proxy 37-4
Configuring SSL/TLS Encryption Protocols 37-4
Authenticating with Digital Certificates 37-5
Enabling Cookies on Browsers for WebVPN 37-5
Managing Passwords 37-5
Using Single Sign-on with WebVPN 37-6
Configuring SSO with HTTP Basic...

Chapter 3 Enabling Multiple Context Mode

Common Uses for Security Contexts 3-1
Unsupported Features 3-2
Context Configuration Files 3-2
Context Configurations 3-2
System Configuration 3-2
Admin Context Configuration 3-2
How the Security Appliance Classifies Packets 3-3
Valid Classifier Criteria 3-3
Invalid Classifier Criteria 3-4
Classification Examples 3-5
Cascading Security Contexts 3-8
Management Access to Security Contexts 3-9
System Administrator Access 3-9
Context Administrator Access 3-10
Enabling or Disabling Multiple Context...

Chapter 40 Managing System Access 40-1

Allowing Telnet Access 40-1
Allowing SSH Access 40-2
Using an SSH Client 40-3
Allowing HTTPS Access for ASDM 40-3
Configuring ASDM and WebVPN on the Same Interface 40-4
Configuring AAA for System Administrators 40-5
Configuring Authentication for CLI Access 40-5
Configuring Authentication To Access Privileged EXEC Mode 40-6
Configuring Authentication for the Enable Command 40-6
Authenticating Users Using the Login Command 40-6
Configuring Command Authorization 40-7
Command Authorization...

Chapter 41 Managing Software Licenses and Configurations 41-1

Obtaining an Activation Key 41-1
Entering a New Activation Key 41-2
Viewing Files in Flash Memory 41-2
Downloading Software or Configuration Files to Flash Memory 41-3
Downloading a File to a Specific Location 41-3
Downloading a File to the Startup or Running Configuration 41-4
Configuring the Application Image and ASDM Image to Boot 41-5
Configuring the File to Boot as the Startup Configuration 41-5
Performing Zero Downtime Upgrades for Failover Pairs 41-6
Upgrading an Active/Standby Failover...

Chapter 42 Monitoring the Security Appliance 42-1

SNMP Overview 42-1 Enabling SNMP 42-3 Configuring and Managing Logs 42-5 Logging Overview 42-5 Logging in Multiple Context Mode 42-5 Enabling and Disabling Logging 42-6 Enabling Logging to All Configured Output Destinations 42-6 Disabling Logging to All Configured Output Destinations 42-6 Viewing the Log Configuration 42-6 Configuring Log Output Destinations 42-7 Sending System Log Messages to a Syslog Server 42-7 Sending System Log Messages to the Console Port 42-8 Sending System Log Messages...

Checking SSM Status

To check the status of an SSM, use the show module command. The following example output is from an adaptive security appliance with a CSC SSM installed. The Status field indicates the operational status of the SSM. An SSM operating normally has a status of Up in the output of the show module command. While the adaptive security appliance transfers an application image to the SSM, the Status field in the output reads Recover. For more information about possible statuses, see the entry for the show...

Classes and Class Members Overview

The security appliance manages resources by assigning contexts to resource classes. Each context uses the resource limits set by the class. This section includes the following topics When you create a class, the security appliance does not set aside a portion of the resources for each context assigned to the class; rather, the security appliance sets the maximum limit for a context. If you oversubscribe resources, or allow some resources to be unlimited, a few contexts can use up those...

Clearing and Removing Configuration Settings

To erase settings, enter one of the following commands. To clear all the configuration for a specified command, enter the following command hostname(config) clear configure configurationcommand level2configurationcommand This command clears all the current configuration for the specified configuration command. If you only want to clear the configuration for a specific version of the command, you can enter a value for level2configurationcommand. For example, to clear the configuration for all...

Clearing Crypto Map Configurations

The clear configure crypto command includes arguments that let you remove elements of the crypto configuration, including IPSec, crypto maps, dynamic crypto maps, CA trustpoints, all certificates, certificate map configurations, and ISAKMP. Be aware that if you enter the clear configure crypto command without arguments, you remove the entire crypto configuration, including all certificates. For more information, see the clear configure crypto command in the Cisco Security Appliance Command...

Clearing Security Associations

Certain configuration changes take effect only during the negotiation of subsequent SAs. If you want the new settings to take effect immediately, clear the existing SAs to reestablish them with the changed configuration. If the security appliance is actively processing IPSec traffic, clear only the portion of the SA database that the configuration changes affect. Reserve clearing the full SA database for large-scale changes, or when the security appliance is processing a small amount of IPSec...

Configuring a Class

To configure a class in the system configuration, perform the following steps. You can change the value of a particular resource limit by reentering the command with a new value. Step 1 To specify the class name and enter the class configuration mode, enter the following command in the system execution space The name is a string up to 20 characters long. To set the limits for the default class, enter default for the name. Step 2 To set the resource limits, see the following options To set all...

Configuring a GTP Inspection Policy Map for Additional Inspection Control

If you want to enforce additional parameters on GTP traffic, create and configure a GTP map. If you do not specify a map with the inspect gtp command, the security appliance uses the default GTP map, which is preconfigured with the following default values timeout pdp-context 0:30:00 To create and configure a GTP map, perform the following steps. You can then apply the GTP map when you enable GTP inspection according to the Configuring Application Inspection section on page 25-5. Step 1 Create...

Configuring a NetBIOS Inspection Policy Map for Additional Inspection Control

To specify actions when a message violates a parameter, create a NETBIOS inspection policy map. You can then apply the inspection policy map when you enable NETBIOS inspection according to the Configuring Application Inspection section on page 25-5. To create a NETBIOS inspection policy map, perform the following steps Step 1 (Optional) Add one or more regular expressions for use in traffic matching commands according to the Creating a Regular Expression section on page 21-12. See the types of...

Configuring a Radius Inspection Policy Map for Additional Inspection Control

In order to use this feature, the radius-accounting-map will need to be specified in the policy-map and then applied to the service-policy to specify that this traffic is for to-the-box inspection. The following example shows the complete set of commands in context to properly configure this feature Step 1 Configure the class map and the port class-map type management c1 match port udp eq 1813 Step 2 Create the policy map, and configure the parameters for RADIUS accounting inspection using the...

Configuring a Static Route

To add a static route, enter the following command hostname(config) route if_name dest_ip mask gateway_ip distance The dest_ip and mask are the IP address and mask for the destination network, and the gateway_ip is the address of the next-hop router. The addresses you specify for the static route are the addresses that are in the packet before entering the security appliance and performing NAT. The distance is the administrative distance for the route. The default is 1 if you do not specify a value....

Configuring a Switch Port as a Trunk Port

By default, all switch ports are shut down. This procedure tells how to create a trunk port that can carry multiple VLANs using 802.1Q tagging. Trunk mode is available only with the Security Plus license. To create an access port, where an interface is assigned to only one VLAN, see the Configuring Switch Ports as Access Ports section on page 4-9. By default, the speed and duplex for switch ports are set to auto-negotiate. The default auto-negotiation setting also includes the Auto-MDI/MDIX...

Configuring an External Group Policy

External group policies take their attribute values from the external server that you specify. For an external group policy, you must identify the AAA server group that the security appliance can query for attributes and specify the password to use when retrieving attributes from the external AAA server group. If you are using an external authentication server, and if your external group-policy attributes exist in the same RADIUS server as the users that you plan to authenticate, you have to...

Configuring an HTTP Inspection Policy Map for Additional Inspection Control

To specify actions when a message violates a parameter, create an HTTP inspection policy map. You can then apply the inspection policy map when you enable HTTP inspection according to the Configuring Application Inspection section on page 25-5. Note When you enable HTTP inspection with an inspection policy map, strict HTTP inspection with the action reset and log is enabled by default. You can change the actions performed in response to inspection failure, but you cannot disable strict...

Configuring an Instant Messaging Inspection Policy Map for Additional Inspection Control

To specify actions when a message violates a parameter, create an IM inspection policy map. You can then apply the inspection policy map when you enable IM inspection according to the Configuring Application Inspection section on page 25-5. To create an IM inspection policy map, perform the following steps Step 1 (Optional) Add one or more regular expressions for use in traffic matching commands according to the Creating a Regular Expression section on page 21-12. See the types of text you can...

Configuring an Internal Group Policy

To configure an internal group policy, specify a name and type for the group policy hostname(config) group-policy group_policy_name type hostname(config) For example, the following command creates the internal group policy named GroupPolicy1 hostname(config) group-policy GroupPolicy1 internal You can initialize the attributes of an internal group policy to the values of a preexisting group policy by appending the keyword from and specifying the name of the existing policy hostname(config)...

Configuring an IPSec Pass Through Inspection Policy Map for Additional Inspection Control

Inspect IPSec Pass Through is disabled by default. When enabled without using a parameter map, the inspection uses the default IPSec Pass Through parameter map, which allows only ESP traffic with unlimited connections and the default idle timeout of 10 minutes for the ESP connection. To pass ESP or AH traffic, an IPSec Pass Through parameter map is required. To create an IPSec Pass Through map, perform the following steps Step 1 To create an IPSec Pass Through inspection policy map, enter the...

Configuring and Enabling VLAN Subinterfaces and 802.1Q Trunking

This section describes how to configure and enable a VLAN subinterface. An interface with one or more VLAN subinterfaces is automatically configured as an 802.1Q trunk. You must enable the physical interface before any traffic can pass through an enabled subinterface (see the Configuring and Enabling RJ-45 Interfaces section on page 5-1 or the Configuring and Enabling Fiber Interfaces section on page 5-2). For multiple context mode, if you allocate a subinterface to a context, the interfaces...

Configuring Backup Server Attributes

Configure backup servers if you plan on using them. IPSec backup servers let a VPN client connect to the central site when the primary security appliance is unavailable. When you configure backup servers, the security appliance pushes the server list to the client as the IPSec tunnel is established. Backup servers do not exist until you configure them, either on the client or on the primary security appliance. Configure backup servers either on the client or on the primary security appliance. If...

Configuring Basic Settings

This chapter describes how to configure basic settings on your security appliance that are typically required for a functioning configuration. This chapter includes the following sections Changing the Login Password, page 8-1 Changing the Enable Password, page 8-1 Setting the Hostname, page 8-2 Setting the Domain Name, page 8-2 Setting the Date and Time, page 8-2 Setting the Management IP Address for a Transparent Firewall, page 8-5 The login password is used for Telnet and SSH connections. By...

Configuring Cable Based Active Active Failover PIX security appliance

Follow these steps to configure Active Active failover using a serial cable as the failover link. The commands in this task are entered on the primary unit in the failover pair. The primary unit is the unit that has the end of the cable labeled Primary plugged into it. For devices in multiple context mode, the commands are entered in the system execution space unless otherwise noted. You do not need to bootstrap the secondary unit in the failover pair when you use cable-based failover. Leave...

Configuring Cable Based Active Standby Failover PIX Security Appliance Only

Follow these steps to configure Active Standby failover using a serial cable as the failover link. The commands in this task are entered on the primary unit in the failover pair. The primary unit is the unit that has the end of the cable labeled Primary plugged into it. For devices in multiple context mode, the commands are entered in the system execution space unless otherwise noted. You do not need to bootstrap the secondary unit in the failover pair when you use cable-based failover. Leave...

Configuring Certificate Group Matching

Tunnel groups define user connection terms and permissions. Certificate group matching lets you match a user to a tunnel group using either the Subject DN or Issuer DN of the user certificate. To match users to tunnel groups based on these fields of the certificate, you must first create rules that define the matching criteria, and then associate each rule with the desired tunnel group. To create a certificate map, use the crypto ca certificate map command. To define a tunnel group, use the...

Configuring Dhcp Ddns and WCCP Services

This chapter describes how to configure the DHCP server, dynamic DNS (DDNS) update methods, and WCCP on the security appliance. DHCP provides network configuration parameters, such as IP addresses, to DHCP clients. The security appliance can provide a DHCP server or DHCP relay services to DHCP clients attached to security appliance interfaces. The DHCP server provides network configuration parameters directly to DHCP clients. DHCP relay passes DHCP requests received on one interface to an...

Configuring DHCP Relay Services

A DHCP relay agent allows the security appliance to forward DHCP requests from clients to a router connected to a different interface. The following restrictions apply to the use of the DHCP relay agent The relay agent cannot be enabled if the DHCP server feature is also enabled. Clients must be directly connected to the security appliance and cannot send requests through another relay agent or a router. For multiple context mode, you cannot enable DHCP relay on an interface that is used by...

Configuring Domain Attributes for Tunneling

You can specify a default domain name for tunneled packets or a list of domains to be resolved through the split tunnel. The following sections describe how to set these domains. Defining a Default Domain Name for Tunneled Packets The security appliance passes the default domain name to the IPSec client to append to DNS queries that omit the domain field. When there are no default domain names, users inherit the default domain name in the default group policy. To specify the default domain name...

Configuring Dynamic DNS

This section describes examples for configuring the security appliance to support Dynamic DNS. DDNS update integrates DNS with DHCP. The two protocols are complementary: DHCP centralizes and automates IP address allocation, while dynamic DNS update automatically records the association between assigned addresses and hostnames. When you use DHCP and dynamic DNS update, this configures a host automatically for network access whenever it attaches to the IP network. You can locate and reach the host...

Configuring Failover

This chapter describes the security appliance failover feature, which lets you configure two security appliances so that one takes over operation if the other one fails. Note The ASA 5505 series adaptive security appliance does not support Stateful Failover or Active Active failover. This chapter includes the following sections Understanding Failover, page 14-1 Configuring Failover, page 14-18 Controlling and Monitoring Failover, page 14-49 For failover configuration examples, see Appendix B,...

Configuring Failover Communication Authentication Encryption

You can encrypt and authenticate the communication between failover peers by specifying a shared secret or hexadecimal key. Note On the PIX 500 series security appliance, if you are using the dedicated serial failover cable to connect the units, then communication over the failover link is not encrypted even if a failover key is configured. The failover key only encrypts LAN-based failover communication. Caution All information sent over the failover and Stateful Failover links is sent in clear...

Configuring Group Policy Attributes

For internal group policies, you can specify particular attribute values. To begin, enter group-policy attributes mode, by entering the group-policy attributes command in global configuration mode. hostname(config) group-policy name attributes The prompt changes to indicate the mode change. The group-policy-attributes mode lets you configure attribute-value pairs for a specified group policy. In group-policy-attributes mode, explicitly configure the attribute-value pairs that you do not want to...

Configuring Identity NAT

Identity NAT translates the real IP address to the same IP address. Only translated hosts can create NAT translations, and responding traffic is allowed back. Figure 17-23 shows a typical identity NAT scenario. Figure 17-23 Identity NAT Note If you change the NAT configuration, and you do not want to wait for existing translations to time out before the new NAT information is used, you can clear the translation table using the clear xlate command. However, clearing the translation table...

Configuring IP Audit for Basic IPS Support

The IP audit feature provides basic IPS support for a security appliance that does not have an AIP SSM. It supports a basic list of signatures, and you can configure the security appliance to perform one or more actions on traffic that matches a signature. To enable IP audit, perform the following steps Step 1 To define an IP audit policy for informational signatures, enter the following command hostname(config) ip audit name name info action alarm drop reset Where alarm generates a system...

Configuring IPSec to Bypass ACLs

To permit any packets that come from an IPSec tunnel without checking ACLs for the source and destination interfaces, enter the sysopt connection permit-ipsec command in global configuration mode. You might want to bypass interface ACLs for IPSec traffic if you use a separate VPN concentrator behind the security appliance and want to maximize the security appliance performance. Typically, you create an ACL that permits IPSec packets using the access-list command and apply it to the source...

Configuring IPSecUDP Attributes

IPSec over UDP, sometimes called IPSec through NAT, lets a Cisco VPN client or hardware client connect via UDP to a security appliance that is running NAT. It is disabled by default. IPSec over UDP is proprietary; it applies only to remote-access connections, and it requires mode configuration. The security appliance exchanges configuration parameters with the client while negotiating SAs. Using IPSec over UDP may slightly degrade system performance. To enable IPSec over UDP, configure the...

Configuring IPv6 Duplicate Address Detection

During the stateless autoconfiguration process, duplicate address detection verifies the uniqueness of new unicast IPv6 addresses before the addresses are assigned to interfaces (the new addresses remain in a tentative state while duplicate address detection is performed). Duplicate address detection is performed first on the new link-local address. When the link-local address is verified as unique, duplicate address detection is then performed on all the other IPv6 unicast addresses on the...

Configuring IPv6 Neighbor Discovery

The IPv6 neighbor discovery process uses ICMPv6 messages and solicited-node multicast addresses to determine the link-layer address of a neighbor on the same network (local link), verify the reachability of a neighbor, and keep track of neighboring routers. This section contains the following topics Configuring Neighbor Solicitation Messages, page 12-7 Configuring Router Advertisement Messages, page 12-9 Multicast Listener Discovery Support, page 12-11 Configuring Neighbor Solicitation Messages...

Configuring ISAKMP

This section describes the Internet Key Exchange protocol, which is also called the Internet Security Association and Key Management Protocol. The security appliance IKE commands use ISAKMP as a keyword, which this guide echoes. ISAKMP works with IPSec to make VPNs more scalable. This section includes the following topics Configuring ISAKMP Policies, page 27-5 Enabling ISAKMP on the Outside Interface, page 27-6 Disabling ISAKMP in Aggressive Mode, page 27-6 Determining an ID Method for ISAKMP...

Configuring Isakmp Policies

To configure ISAKMP policies, in global configuration mode, use the crypto isakmp policy command with its various arguments. The syntax for ISAKMP policy commands is as follows crypto isakmp policy priority attribute_name attribute_value integer You must include the priority in each of the ISAKMP commands. The priority number uniquely identifies the policy, and determines the priority of the policy in ISAKMP negotiations. To enable and configure ISAKMP, complete the following steps, using the...

Configuring L2TP over IPSec Connections

To configure the security appliance to accept L2TP over IPSec connections, follow these steps Note The security appliance does not establish an L2TP IPSec tunnel with Windows 2000 if either the Cisco VPN Client Version 3.x or the Cisco VPN 3000 Client Version 2.5 is installed. Disable the Cisco VPN Service for the Cisco VPN Client Version 3.x, or the ANetIKE Service for the Cisco VPN 3000 Client Version 2.5 from the Services panel in Windows 2000 (click...

Configuring LANtoLAN Tunnel Group General Attributes

To configure the tunnel group general attributes, do the following steps Step 1 Enter tunnel-group general-attributes mode by specifying the general-attributes keyword hostname(config) tunnel-group tunnel-group-name general-attributes hostname(config-tunnel-general) The prompt changes to indicate that you are now in config-general mode, in which you configure the tunnel-group general attributes. For example, for the tunnel group named docs, enter the following command hostname(config)...