Access Control Entry Order

An access list is made up of one or more Access Control Entries. Depending on the access list type, you can specify the source and destination addresses, the protocol, the ports (for TCP or UDP), the ICMP type (for ICMP), or the EtherType. Each ACE that you enter for a given access list name is appended to the end of the access list. The order of ACEs is important. When the security appliance decides whether to forward or drop a packet, the security appliance tests the packet against each ACE...

Access List Types

Table 16-1 lists the types of access lists and some common uses for them. Table 16-1 Access List Types and Common Uses Control network access for IP traffic (routed and transparent mode) The security appliance does not allow any traffic from a lower security interface to a higher security interface unless it is explicitly permitted by an extended access list. Note To access the security appliance interface for management access, you do not also need...

Adding a Static MAC Address

Normally, MAC addresses are added to the MAC address table dynamically as traffic from a particular MAC address enters an interface. You can add static MAC addresses to the MAC address table if desired. One benefit to adding static entries is to guard against MAC spoofing. If a client with the same MAC address as a static entry attempts to send traffic to an interface that does not match the static entry, then the security appliance drops the traffic and generates a system message. When you add...

Adding a Time Range

To add a time range to implement a time-based access list, perform the following steps:
Step 1 Identify the time-range name by entering the following command
Step 2 Specify the time range as either a recurring time range or an absolute time range. Multiple periodic entries are allowed per time-range command. If a time-range command has both absolute and periodic values specified, then the periodic commands are evaluated only after the absolute start time is reached, and are not further evaluated...

Adding an Ether Type ACE

To add an EtherType ACE, enter the following command:

hostname(config)# access-list access_list_name ethertype {permit | deny} {ipx | bpdu | mpls-unicast | mpls-multicast | any | hex_number}

The hex_number is any EtherType that can be identified by a 16-bit hexadecimal number greater than or equal to 0x600. See RFC 1700, Assigned Numbers, at http://www.ietf.org/rfc/rfc1700.txt for a list of EtherTypes. Note If an EtherType access list is configured to deny all, all Ethernet frames are discarded. Only physical...

Adding an Extended ACE

When you enter the access-list command for a given access list name, the ACE is added to the end of the access list unless you specify the line number. To add an ACE, enter the following command:

hostname(config)# access-list access_list_name [line line_number] extended {deny | permit} protocol source_address mask [operator port] dest_address mask [operator port | icmp_type] [inactive]

Tip Enter the access list name in upper case letters so the name is easy to see in the configuration. You might want to name...

Admin Context Configuration

The admin context is just like any other context, except that when a user logs in to the admin context, then that user has system administrator rights and can access the system and all other contexts. The admin context is not restricted in any way, and can be used as a regular context. However, because logging into the admin context grants you administrator privileges over all contexts, you might need to restrict access to the admin context to appropriate users. The admin context must reside on...

Allowed MAC Addresses

The following destination MAC addresses are allowed through the transparent firewall. Any MAC address not on this list is dropped.
TRUE broadcast destination MAC address equal to FFFF.FFFF.FFFF
IPv4 multicast MAC addresses from 0100.5E00.0000 to 0100.5EFE.FFFF
IPv6 multicast MAC addresses from 3333.0000.0000 to 3333.FFFF.FFFF
BPDU multicast address equal to 0100.0CCC.CCCD
Appletalk multicast MAC addresses from 0900.0700.0000 to 0900.07FF.FFFF

Allowing Broadcast and Multicast Traffic through the Transparent Firewall

In routed firewall mode, broadcast and multicast traffic is blocked even if you allow it in an access list, including unsupported dynamic routing protocols and DHCP (unless you configure DHCP relay). Transparent firewall mode can allow any IP traffic through. This feature is especially useful in multiple context mode, which does not allow dynamic routing, for example. Note Because these special types of traffic are connectionless, you need to apply an extended access list to both interfaces,...

Allowing Communication Between Interfaces on the Same Security Level

By default, interfaces on the same security level cannot communicate with each other. Allowing communication between same security interfaces provides the following benefits:
You can configure more than 101 communicating interfaces. If you use different levels for each interface and do not assign any interfaces to the same security level, you can configure only one interface per level (0 to 100).
You want traffic to flow freely between all same security interfaces without access lists.
Note If...

Allowing Communication Between VLAN Interfaces on the Same Security Level

By default, interfaces on the same security level cannot communicate with each other. Allowing communication between same security interfaces lets traffic flow freely between all same security interfaces without access lists. Note If you enable NAT control, you do not need to configure NAT between same security level interfaces. See the NAT and Same Security Level Interfaces section on page 17-12 for more information on NAT and same security level interfaces. If you enable same security...

An Outside User Visits a Web Server on the Inside Network

Figure 15-10 shows an outside user accessing the inside web server. The following steps describe how data moves through the security appliance (see Figure 15-10):
1. A user on the outside network requests a web page from the inside web server.
2. The security appliance receives the packet and adds the source MAC address to the MAC address table, if required. Because it is a new session, it verifies that the packet is allowed according to the terms of the security policy (access lists, filters,...

An Inside User Visits a Web Server

Figure 15-2 shows an inside user accessing an outside web server. Figure 15-2 Inside to Outside The following steps describe how data moves through the security appliance (see Figure 15-2):
1. The user on the inside network requests a web page from www.example.com.
2. The security appliance receives the packet and because it is a new session, the security appliance verifies that the packet is allowed...

An Inside User Visits a Web Server on the DMZ

Figure 15-4 shows an inside user accessing the DMZ web server. The following steps describe how data moves through the security appliance (see Figure 15-4):
1. A user on the inside network requests a web page from the DMZ web server using the destination address of 10.1.1.3.
2. The security appliance receives the packet and because it is a new session, the security appliance verifies that the packet is allowed according to the terms of the security policy (access lists, filters, AAA). For...

An Outside User Visits a Web Server on the DMZ

Figure 15-3 shows an outside user accessing the DMZ web server. The following steps describe how data moves through the security appliance (see Figure 15-3):
1. A user on the outside network requests a web page from the DMZ web server using the global destination address of 209.165.201.3, which is on the outside interface subnet.
2. The security appliance receives the packet and because it is a new session, the security appliance...

Applying AAA for Network Access 19-1

Cisco Security Appliance Command Line Configuration Guide
Enabling Secure Authentication of Web Clients 19-5
Authenticating Directly with the Security Appliance 19-6
Enabling Direct Authentication Using HTTP and HTTPS 19-6
Enabling Direct Authentication Using Telnet 19-6
Configuring Authorization for Network Access 19-6
Configuring TACACS+ Authorization 19-7
Configuring RADIUS Authorization 19-8
Configuring a RADIUS Server to Send...

Applying an Access List to an Interface

To apply an extended access list to the inbound or outbound direction of an interface, enter the following command:

hostname(config)# access-group access_list_name {in | out} interface interface_name [per-user-override]

You can apply one access list of each type (extended and EtherType) to both directions of the interface. See the Inbound and Outbound Access List Overview section on page 18-1 for more information about access list directions. The per-user-override keyword allows dynamic access lists...

Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers

In this example (see Figure 21-3), any HTTP connection destined for Server A (TCP traffic on port 80) that enters the security appliance through the outside interface is classified for HTTP inspection and maximum connection limits. Connections initiated from Server A to Host A do not match the access list in the class map, so they are not affected. Any HTTP connection destined for Server B that enters the security appliance through the inside interface is classified for HTTP inspection....

Applying Inspection and QoS Policing to HTTP Traffic

In this example (see Figure 21-1), any HTTP connection (TCP traffic on port 80) that enters or exits the security appliance through the outside interface is classified for HTTP inspection. Any HTTP traffic that exits the outside interface is classified for policing. See the following commands for this example:

hostname(config)# class-map http_traffic
hostname(config-cmap)# match port tcp eq 80
hostname(config)# policy-map http_traffic_policy
hostname(config-pmap)# class http_traffic...

Applying Inspection to HTTP Traffic Globally

In this example (see Figure 21-2), any HTTP connection (TCP traffic on port 80) that enters the security appliance through any interface is classified for HTTP inspection. Because the policy is a global policy, inspection occurs only as the traffic enters each interface. See the following commands for this example:

hostname(config)# class-map http_traffic
hostname(config-cmap)# match port tcp eq 80
hostname(config)# policy-map http_traffic_policy
hostname(config-pmap)# class http_traffic...

Applying Inspection to HTTP Traffic with NAT

In this example, the host on the inside network has two addresses: one is the real IP address 192.168.1.1, and the other is a mapped IP address used on the outside network, 209.165.200.225. Because the policy is applied to the inside interface, where the real address is used, you must use the real IP address in the access list in the class map. If you applied it to the outside interface, you would use the mapped address. Real IP 192.168.1.1 Mapped IP 209.165.200.225 See the following...

ASA 5510 and Higher Default Configuration

The default factory configuration for the ASA 5510 and higher adaptive security appliance configures the following: The management interface, Management 0/0. If you did not set the IP address in the configure factory-default command, then the IP address and mask are 192.168.1.1 and 255.255.255.0. The DHCP server is enabled on the security appliance, so a PC connecting to the interface receives an address between 192.168.1.2 and 192.168.1.254. The HTTP server is enabled for ASDM and is accessible...

Authentication Overview

The security appliance lets you configure network access authentication using AAA servers. This section includes the following topics:
One-Time Authentication, page 19-2
Applications Required to Receive an Authentication Challenge, page 19-2
Security Appliance Authentication Prompts, page 19-2
Static PAT and HTTP, page 19-3
Enabling Network Access Authentication, page 19-3
A user at a given IP address only needs to authenticate one time for all rules and types, until the authentication session...

Authentication with LDAP

During authentication, the security appliance acts as a client proxy to the LDAP server for the user, and authenticates to the LDAP server in either plain text or using the Simple Authentication and Security Layer (SASL) protocol. By default, the security appliance passes authentication parameters, usually a username and password, to the LDAP server in plain text. Whether using SASL or plain text, you can secure the communications between the security appliance and the LDAP server with SSL...

Authorization with LDAP for VPN

When user LDAP authentication for VPN access has succeeded, the security appliance queries the LDAP server which returns LDAP attributes. These attributes generally include authorization data that applies to the VPN session. Thus, using LDAP accomplishes authentication and authorization in a single step. There may be cases, however, where you require authorization from an LDAP directory server that is separate and distinct from the authentication mechanism. For example, if you use an SDI or...

Blocking Unwanted Connections

If you know that a host is attempting to attack your network (for example, system log messages show an attack), then you can block (or shun) connections based on the source IP address and other identifying parameters. No new connections can be made until you remove the shun. Note If you have an IPS that monitors traffic, such as an AIP SSM, then the IPS can shun connections automatically. To shun a connection manually, perform the following steps Step 1 If necessary, view information about the...

Buffering the Content Server Response

When a user issues a request to connect to a content server, the security appliance sends the request to the content server and to the filtering server at the same time. If the filtering server does not respond before the content server, the server response is dropped. This delays the web server response from the point of view of the web client because the client must reissue the request. By enabling the HTTP response buffer, replies from web content servers are buffered and the responses are...

Bypassing NAT When NAT Control is Enabled

If you enable NAT control, then inside hosts must match a NAT rule when accessing outside hosts. If you do not want to perform NAT for some hosts, then you can bypass NAT for those hosts (alternatively, you can disable NAT control). You might want to bypass NAT, for example, if you are using an application that does not support NAT (see the When to Use Application Protocol Inspection section on page 25-2 for information about inspection engines that do not support NAT). You can configure...

Caching Server Addresses

After a user accesses a site, the filtering server can allow the security appliance to cache the server address for a certain amount of time, as long as every site hosted at the address is in a category that is permitted at all times. Then, when the user accesses the server again, or if another user accesses the server, the security appliance does not need to consult the filtering server again. Note Requests for cached IP addresses are not passed to the filtering server and are not logged. As a...

Cascading Security Contexts

Placing a context directly in front of another context is called cascading contexts: the outside interface of one context is the same interface as the inside interface of another context. You might want to cascade contexts if you want to simplify the configuration of some contexts by configuring shared parameters in the top context. Cascading contexts requires that you configure unique MAC addresses for each context interface. Because of the limitations of classifying packets on shared...

Changing Between Contexts and the System Execution Space

If you log in to the system execution space (or the admin context using Telnet or SSH), you can change between contexts and perform configuration and monitoring tasks within each context. The running configuration that you edit in a configuration mode, or that is used in the copy or write commands, depends on your location. When you are in the system execution space, the running configuration consists only of the system configuration; when you are in a context, the running configuration consists...

Chapter 13 Configuring AAA Servers and the Local Database 13-1

About Authentication 13-1
About Authorization 13-2
About Accounting 13-2
AAA Server and Local Database Support 13-2
Summary of Support 13-3
RADIUS Server Support 13-3
Authentication Methods 13-4
Attribute Support 13-4
RADIUS Authorization Functions 13-4
TACACS+ Server Support 13-4
SDI Server Support 13-4
SDI Version Support 13-5
Two-step Authentication Process 13-5
SDI Primary and Replica Servers 13-5
NT Server Support 13-5
Kerberos Server Support 13-5
LDAP Server Support 13-6
Authentication...

Chapter 15 Firewall Mode Overview 15-1

Routed Mode Overview 15-1
IP Routing Support 15-1
Network Address Translation 15-2
How Data Moves Through the Security Appliance in Routed Firewall Mode 15-3
An Inside User Visits a Web Server 15-3
An Outside User Visits a Web Server on the DMZ 15-4
An Inside User Visits a Web Server on the DMZ 15-6
An Outside User Attempts to Access an Inside Host 15-7
A DMZ User Attempts to Access an Inside Host 15-8
Transparent Mode Overview 15-8
Transparent Firewall Network 15-9
Allowing Layer 3 Traffic...

Chapter 1 Introduction to the Security Appliance

Firewall Functional Overview 1-1
Security Policy Overview 1-2
Permitting or Denying Traffic with Access Lists 1-2
Applying HTTP, HTTPS, or FTP Filtering 1-3
Sending Traffic to the Advanced Inspection and Prevention Security Services Module 1-3
Sending Traffic to the Content Security and Control Security Services Module 1-3
Applying QoS Policies 1-3
Applying Connection Limits and TCP Normalization 1-3
Firewall Mode Overview 1-3
Stateful Inspection Overview 1-4
VPN Functional Overview 1-5...

Chapter 25 Configuring Application Layer Protocol Inspection 25-1

When to Use Application Protocol Inspection 25-2
Inspection Limitations 25-2
Default Inspection Policy 25-3
Configuring Application Inspection 25-5
CTIQBE Inspection 25-9
CTIQBE Inspection Overview 25-9
Limitations and Restrictions 25-10
Verifying and Monitoring CTIQBE Inspection 25-10
DCERPC Inspection 25-11
DCERPC Overview 25-11
Configuring a DCERPC Inspection Policy Map for Additional Inspection Control 25-12
DNS Inspection 25-13
How DNS Application Inspection Works 25-13
How DNS Rewrite...

Chapter 30 Configuring Tunnel Groups, Group Policies, and Users 30-1

Overview of Tunnel Groups, Group Policies, and Users 30-1
Tunnel Groups 30-2
General Tunnel-Group Connection Parameters 30-2
IPSec Tunnel-Group Connection Parameters 30-3
WebVPN Tunnel-Group Connection Parameters 30-4
Configuring Tunnel Groups 30-5
Default IPSec Remote Access Tunnel Group Configuration 30-5
Configuring IPSec Tunnel-Group General Attributes 30-6
Configuring IPSec Remote-Access Tunnel Groups 30-6
Specifying a Name and Type for the IPSec Remote Access Tunnel Group 30-6
Configuring...

Chapter 3 Enabling Multiple Context Mode

Common Uses for Security Contexts 3-1
Unsupported Features 3-2
Context Configuration Files 3-2
Context Configurations 3-2
System Configuration 3-2
Admin Context Configuration 3-2
How the Security Appliance Classifies Packets 3-3
Valid Classifier Criteria 3-3
Invalid Classifier Criteria 3-4
Classification Examples 3-5
Cascading Security Contexts 3-8
Management Access to Security Contexts 3-9
System Administrator Access 3-9
Context Administrator Access 3-10
Enabling or Disabling Multiple Context...

Checking SSM Status

To check the status of an SSM, use the show module command. The following example output is from an adaptive security appliance with a CSC SSM installed. The Status field indicates the operational status of the SSM. An SSM operating normally has a status of Up in the output of the show module command. While the adaptive security appliance transfers an application image to the SSM, the Status field in the output reads Recover. For more information about possible statuses, see the entry for the show...

Clearing Security Associations

Certain configuration changes take effect only during the negotiation of subsequent SAs. If you want the new settings to take effect immediately, clear the existing SAs to reestablish them with the changed configuration. If the security appliance is actively processing IPSec traffic, clear only the portion of the SA database that the configuration changes affect. Reserve clearing the full SA database for large-scale changes, or when the security appliance is processing a small amount of IPSec...

Configuring a Class

To configure a class in the system configuration, perform the following steps. You can change the value of a particular resource limit by reentering the command with a new value.
Step 1 To specify the class name and enter the class configuration mode, enter the following command in the system execution space. The name is a string up to 20 characters long. To set the limits for the default class, enter default for the name.
Step 2 To set the resource limits, see the following options To set all...

Configuring a Default Route

A default route identifies the gateway IP address to which the security appliance sends all IP packets for which it does not have a learned or static route. A default route is simply a static route with 0.0.0.0/0 as the destination IP address. Routes that identify a specific destination take precedence over the default route. You can define up to three equal cost default route entries per device. Defining more than one equal cost default route entry causes the traffic sent to the default route...

Configuring a GTP Inspection Policy Map for Additional Inspection Control

If you want to enforce additional parameters on GTP traffic, create and configure a GTP map. If you do not specify a map with the inspect gtp command, the security appliance uses the default GTP map, which is preconfigured with the following default values: timeout pdp-context 0:30:00 To create and configure a GTP map, perform the following steps. You can then apply the GTP map when you enable GTP inspection according to the Configuring Application Inspection section on page 25-5. Step 1 Create...

Configuring a NetBIOS Inspection Policy Map for Additional Inspection Control

To specify actions when a message violates a parameter, create a NETBIOS inspection policy map. You can then apply the inspection policy map when you enable NETBIOS inspection according to the Configuring Application Inspection section on page 25-5. To create a NETBIOS inspection policy map, perform the following steps Step 1 (Optional) Add one or more regular expressions for use in traffic matching commands according to the Creating a Regular Expression section on page 21-12. See the types of...

Configuring a Switch Port as a Trunk Port

By default, all switch ports are shut down. This procedure tells how to create a trunk port that can carry multiple VLANs using 802.1Q tagging. Trunk mode is available only with the Security Plus license. To create an access port, where an interface is assigned to only one VLAN, see the Configuring Switch Ports as Access Ports section on page 4-9. By default, the speed and duplex for switch ports are set to auto-negotiate. The default auto-negotiation setting also includes the Auto-MDI/MDIX...

Configuring an External Group Policy

External group policies take their attribute values from the external server that you specify. For an external group policy, you must identify the AAA server group that the security appliance can query for attributes and specify the password to use when retrieving attributes from the external AAA server group. If you are using an external authentication server, and if your external group-policy attributes exist in the same RADIUS server as the users that you plan to authenticate, you have to...

Configuring an HTTP Inspection Policy Map for Additional Inspection Control

To specify actions when a message violates a parameter, create an HTTP inspection policy map. You can then apply the inspection policy map when you enable HTTP inspection according to the Configuring Application Inspection section on page 25-5. Note When you enable HTTP inspection with an inspection policy map, strict HTTP inspection with the action reset and log is enabled by default. You can change the actions performed in response to inspection failure, but you cannot disable strict...

Configuring an Instant Messaging Inspection Policy Map for Additional Inspection Control

To specify actions when a message violates a parameter, create an IM inspection policy map. You can then apply the inspection policy map when you enable IM inspection according to the Configuring Application Inspection section on page 25-5. To create an IM inspection policy map, perform the following steps Step 1 (Optional) Add one or more regular expressions for use in traffic matching commands according to the Creating a Regular Expression section on page 21-12. See the types of text you can...

Configuring and Enabling VLAN Subinterfaces and 802.1Q Trunking

This section describes how to configure and enable a VLAN subinterface. An interface with one or more VLAN subinterfaces is automatically configured as an 802.1Q trunk. You must enable the physical interface before any traffic can pass through an enabled subinterface (see the Configuring and Enabling RJ-45 Interfaces section on page 5-1 or the Configuring and Enabling Fiber Interfaces section on page 5-2). For multiple context mode, if you allocate a subinterface to a context, the interfaces...

Configuring Cable-Based Active/Active Failover (PIX Security Appliance Only)

Follow these steps to configure Active/Active failover using a serial cable as the failover link. The commands in this task are entered on the primary unit in the failover pair. The primary unit is the unit that has the end of the cable labeled Primary plugged into it. For devices in multiple context mode, the commands are entered in the system execution space unless otherwise noted. You do not need to bootstrap the secondary unit in the failover pair when you use cable-based failover. Leave...

Configuring Cable-Based Active/Standby Failover (PIX Security Appliance Only)

Follow these steps to configure Active/Standby failover using a serial cable as the failover link. The commands in this task are entered on the primary unit in the failover pair. The primary unit is the unit that has the end of the cable labeled Primary plugged into it. For devices in multiple context mode, the commands are entered in the system execution space unless otherwise noted. You do not need to bootstrap the secondary unit in the failover pair when you use cable-based failover. Leave...

Configuring Certificate Group Matching

Tunnel groups define user connection terms and permissions. Certificate group matching lets you match a user to a tunnel group using either the Subject DN or Issuer DN of the user certificate. To match users to tunnel groups based on these fields of the certificate, you must first create rules that define a matching criteria, and then associate each rule with the desired tunnel group. To create a certificate map, use the crypto ca certificate map command. To define a tunnel group, use the...

Configuring DHCP Relay Services

A DHCP relay agent allows the security appliance to forward DHCP requests from clients to a router connected to a different interface. The following restrictions apply to the use of the DHCP relay agent:
The relay agent cannot be enabled if the DHCP server feature is also enabled.
Clients must be directly connected to the security appliance and cannot send requests through another relay agent or a router.
For multiple context mode, you cannot enable DHCP relay on an interface that is used by...

Configuring Domain Attributes for Tunneling

You can specify a default domain name for tunneled packets or a list of domains to be resolved through the split tunnel. The following sections describe how to set these domains.
Defining a Default Domain Name for Tunneled Packets
The security appliance passes the default domain name to the IPSec client to append to DNS queries that omit the domain field. When there are no default domain names, users inherit the default domain name in the default group policy. To specify the default domain name...

Configuring Dynamic DNS

This section describes examples for configuring the security appliance to support Dynamic DNS. DDNS update integrates DNS with DHCP. The two protocols are complementary DHCP centralizes and automates IP address allocation, while dynamic DNS update automatically records the association between assigned addresses and hostnames. When you use DHCP and dynamic DNS update, this configures a host automatically for network access whenever it attaches to the IP network. You can locate and reach the host...

Configuring Group Policy Attributes

For internal group policies, you can specify particular attribute values. To begin, enter group-policy attributes mode, by entering the group-policy attributes command in global configuration mode.

hostname(config)# group-policy name attributes

The prompt changes to indicate the mode change. The group-policy-attributes mode lets you configure attribute-value pairs for a specified group policy. In group-policy-attributes mode, explicitly configure the attribute-value pairs that you do not want to...

Configuring Identity NAT

Identity NAT translates the real IP address to the same IP address. Only translated hosts can create NAT translations, and responding traffic is allowed back. Figure 17-23 shows a typical identity NAT scenario. Figure 17-23 Identity NAT Note If you change the NAT configuration, and you do not want to wait for existing translations to time out before the new NAT information is used, you can clear the translation table using the clear xlate command. However, clearing the translation table...

Configuring IP Audit for Basic IPS Support

The IP audit feature provides basic IPS support for a security appliance that does not have an AIP SSM. It supports a basic list of signatures, and you can configure the security appliance to perform one or more actions on traffic that matches a signature. To enable IP audit, perform the following steps:
Step 1 To define an IP audit policy for informational signatures, enter the following command:

hostname(config)# ip audit name name info [action [alarm] [drop] [reset]]

Where alarm generates a system...

Configuring IPSec to Bypass ACLs

To permit any packets that come from an IPSec tunnel without checking ACLs for the source and destination interfaces, enter the sysopt connection permit-ipsec command in global configuration mode. You might want to bypass interface ACLs for IPSec traffic if you use a separate VPN concentrator behind the security appliance and want to maximize the security appliance performance. Typically, you create an ACL that permits IPSec packets using the access-list command and apply it to the source...

Configuring IPv6 Duplicate Address Detection

During the stateless autoconfiguration process, duplicate address detection verifies the uniqueness of new unicast IPv6 addresses before the addresses are assigned to interfaces (the new addresses remain in a tentative state while duplicate address detection is performed). Duplicate address detection is performed first on the new link-local address. When the link-local address is verified as unique, then duplicate address detection is performed on all the other IPv6 unicast addresses on the...

Configuring IPv6 Neighbor Discovery

The IPv6 neighbor discovery process uses ICMPv6 messages and solicited-node multicast addresses to determine the link-layer address of a neighbor on the same network (local link), verify the reachability of a neighbor, and keep track of neighboring routers. This section contains the following topics: Configuring Neighbor Solicitation Messages, page 12-7; Configuring Router Advertisement Messages, page 12-9; Multicast Listener Discovery Support, page 12-11. Configuring Neighbor Solicitation Messages...

Configuring ISAKMP Policies

To configure ISAKMP policies, in global configuration mode, use the crypto isakmp policy command with its various arguments. The syntax for ISAKMP policy commands is as follows: crypto isakmp policy priority attribute_name attribute_value integer. You must include the priority in each of the ISAKMP commands. The priority number uniquely identifies the policy, and determines the priority of the policy in ISAKMP negotiations. To enable and configure ISAKMP, complete the following steps, using the...

Configuring L2TP over IPSec Connections

To configure the security appliance to accept L2TP over IPSec connections, follow these steps. Note: The security appliance does not establish an L2TP IPSec tunnel with Windows 2000 if either the Cisco VPN Client Version 3.x or the Cisco VPN 3000 Client Version 2.5 is installed. Disable the Cisco VPN Service for the Cisco VPN Client Version 3.x, or the ANetIKE Service for the Cisco VPN 3000 Client Version 2.5 from the Services panel in Windows 2000 (click...

Configuring Microsoft Active Directory Settings for Password Management

Note: If you are using an LDAP directory server for authentication, password management is supported with the Sun Microsystems JAVA System Directory Server (formerly named the Sun ONE Directory Server) and the Microsoft Active Directory. Sun: The DN configured on the security appliance to access a Sun directory server must be able to access the default password policy on that server. We recommend using the directory administrator, or a user with directory administrator privileges, as the DN....

Configuring Multicast Routing

This chapter describes how to configure multicast routing. This section includes the following topics: Multicast Routing Overview, page 11-13; Enabling Multicast Routing, page 11-14; Configuring IGMP Features, page 11-14; Configuring Stub Multicast Routing, page 11-17; Configuring a Static Multicast Route, page 11-17; Configuring PIM Features, page 11-18; For More Information about Multicast Routing, page 11-22. The security appliance supports both stub multicast routing and PIM multicast routing....

Configuring NAT Exemption

NAT exemption exempts addresses from translation and allows both real and remote hosts to originate connections. NAT exemption lets you specify the real and destination addresses when determining the real traffic to exempt (similar to policy NAT), so you have greater control using NAT exemption than identity NAT. However, unlike policy NAT, NAT exemption does not consider the ports in the access list. Use static identity NAT to consider ports in the access list. Figure 17-25 shows a typical NAT...

Configuring Optional Active/Active Failover Settings

The following optional Active/Active failover settings can be configured when you are initially configuring failover or after you have already established failover. Unless otherwise noted, the commands should be entered on the unit that has failover group 1 in the active state. This section includes the following topics: Configuring Failover Group Preemption, page 14-33; Enabling HTTP Replication with Stateful Failover, page 14-33; Disabling and Enabling Interface Monitoring, page 14-33...

Configuring OSPF Area Parameters

You can configure several area parameters. These area parameters (shown in the following task table) include setting authentication, defining stub areas, and assigning specific costs to the default summary route. Authentication provides password-based protection against unauthorized access to an area. Stub areas are areas into which information on external routes is not sent. Instead, there is a default external route generated by the ABR, into the stub area for destinations outside the...

Configuring OSPF Interface Parameters

You can alter some interface-specific OSPF parameters as necessary. You are not required to alter any of these parameters, but the following interface parameters must be consistent across all routers in an attached network: ospf hello-interval, ospf dead-interval, and ospf authentication-key. Be sure that if you configure any of these parameters, the configurations for all routers on your network have compatible values. To configure OSPF interface parameters, perform the following steps: Step 1...

Configuring RIP

Devices that support RIP send routing-update messages at regular intervals and when the network topology changes. These RIP packets contain information about the networks that the devices can reach, as well as the number of routers or gateways that a packet must travel through to reach the destination address. RIP generates more traffic than OSPF, but is easier to configure. RIP has advantages over static routes because the initial configuration is simple, and you do not need to update the...

Configuring Route Calculation Timers

You can configure the delay time between when OSPF receives a topology change and when it starts an SPF calculation. You also can configure the hold time between two consecutive SPF calculations. To configure route calculation timers, perform the following steps: Step 1: If you have not already done so, enter the router configuration mode for the OSPF process you want to configure by entering the following command: hostname(config) router ospf process_id. Step 2: To configure the route calculation...

Configuring Route Summarization Between OSPF Areas

Route summarization is the consolidation of advertised addresses. This feature causes a single summary route to be advertised to other areas by an area boundary router. In OSPF, an area boundary router advertises networks in one area into another area. If the network numbers in an area are assigned in a way such that they are contiguous, you can configure the area boundary router to advertise a summary route that covers all the individual networks within the area that fall into the specified...

Configuring Security Attributes

The attributes in this section specify certain security settings for the group. Step 1: Specify whether to let users store their login passwords on the client system, using the password-storage command with the enable keyword in group-policy configuration mode. To disable password storage, use the password-storage command with the disable keyword: hostname(config-group-policy) password-storage enable disable. For security reasons, password storage is disabled by...

Configuring Split Tunneling Attributes

Split tunneling lets a remote-access IPSec client conditionally direct packets over an IPSec tunnel in encrypted form or to a network interface in clear text form. With split tunneling enabled, packets not bound for destinations on the other side of the IPSec tunnel do not have to be encrypted, sent across the tunnel, decrypted, and then routed to a final destination. This command applies this split tunneling policy to a specific network. Set the rules for tunneling traffic by specifying the...

Configuring Static Identity NAT

For example, you can use policy static identity NAT for an inside address when it accesses the outside interface and the destination is server A, but use a normal translation when accessing the outside server B. Figure 17-24 shows a typical static identity NAT scenario. Note If you remove a static command, existing connections that use the translation are not affected. To remove these connections, enter the clear local-host command. You cannot clear static...

Configuring the Local Database

This section describes how to manage users in the local database. You can use the local database for CLI access authentication, privileged mode authentication, command authorization, network access authentication, and VPN authentication and authorization. You cannot use the local database for network access authorization. The local database does not support accounting. For multiple context mode, you can configure usernames in the system execution space to provide individual logins using the...

Configuring Tunnel Groups Group Policies and Users

This chapter describes how to configure VPN tunnel groups, group policies, and users. This chapter includes the following sections: Overview of Tunnel Groups, Group Policies, and Users, page 30-1; Configuring Tunnel Groups, page 30-5; Configuring User Attributes, page 30-69. In summary, you first configure tunnel groups to set the values for the connection. Then you configure group policies. These set values for users in the aggregate. Then you configure users, which can inherit values from groups...

Configuring User Attributes

This section describes user attributes and how to configure them. It includes the following sections: Viewing the Username Configuration, page 30-70; Configuring Attributes for Specific Users, page 30-70. By default, users inherit all user attributes from the assigned group policy. The security appliance also lets you assign individual attributes at the user level, overriding values in the group policy that applies to that user. For example, you can specify a group policy giving all users access...

Configuring VLAN Interfaces

For each VLAN to pass traffic, you need to configure an interface name (the nameif command), and for routed mode, an IP address. You should also change the security level from the default, which is 0. If you name an interface inside and you do not set the security level explicitly, then the adaptive security appliance sets the security level to 100. For information about how many VLANs you can configure, see the Maximum Active VLAN Interfaces for Your License section on page 4-2. If you are...

Configuring VPN Session Limits

You can run as many IPSec and WebVPN sessions as your platform and license for the security appliance supports. To view the licensing information for your security appliance, enter the show version command in global configuration mode. The following example shows the command and the licensing information excerpted from the output of this command: Cisco Adaptive Security Appliance Software Version 7.1(0)182, Device Manager Version 5.1(0)128. Licensed features for this platform: Maximum Physical...

Configuring VPN-Specific Attributes

Follow the steps in this section to configure attributes that set the values of VPN attributes. These attributes control the access hours, the number of simultaneous logins allowed, the timeouts, the name of the ACL to use for VPN connections, and the tunnel protocol. Step 1: Set the VPN access hours. To do this, you associate a group policy with a configured time-range policy, using the vpn-access-hours command in group-policy configuration mode: hostname(config-group-policy) vpn-access-hours...

Configuring Web Cache Services Using WCCP

The purpose of web caching is to reduce latency and network traffic. Previously-accessed web pages are stored in a cache buffer, so if a user needs the page again, they can retrieve it from the cache instead of the web server. WCCP specifies interactions between the security appliance and external web caches. The feature transparently redirects selected types of traffic to a group of web cache engines to optimize resource usage and lower response times. The security appliance only supports WCCP...

Connection Limit Overview

This section describes why you might want to limit connections, and includes the following topics: TCP Intercept Overview, page 23-7; Disabling TCP Intercept for Management Packets for Clientless SSL Compatibility, page 23-7; Dead Connection Detection (DCD) Overview, page 23-7; TCP Sequence Randomization Overview, page 23-8. Limiting the number of embryonic connections protects you from a DoS attack. The security appliance uses the per-client limits and the embryonic connection limit to trigger TCP...

Copying the Startup Configuration to the Running Configuration

Copy a new startup configuration to the running configuration using one of these options. To merge the startup configuration with the running configuration, enter the following command: hostname(config) copy startup-config running-config. A merge adds any new commands from the new configuration to the running configuration. If the configurations are the same, no changes occur. If commands conflict or if commands affect the running of the context, then the effect of the merge depends on the...

Creating a Basic IPSec Configuration

You can create basic IPSec configurations with static or dynamic crypto maps. To create a basic IPSec configuration using a static crypto map, perform the following steps: Step 1: To create an access list to define the traffic to protect, enter the following command: access-list access-list-name deny permit ip source source-netmask destination destination-netmask. Example: access-list 101 permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0. In this example, the permit keyword causes all traffic that...

Creating a Policy for Standard Priority Queueing and/or Policing

After you identify the traffic in the Identifying Traffic for QoS Using Class Maps section on page 24-6, you can create a policy map for an interface or globally for all interfaces that assigns QoS actions (and other feature actions) to the traffic in the class map. (See Chapter 21, Using Modular Policy Framework, for information about other features. This chapter only discusses QoS.) You can configure standard priority queueing and policing for different class maps within the same policy map....

Creating a Policy for Traffic Shaping and Hierarchical Priority Queueing

You can create a policy map for an interface or globally for all interfaces that assigns QoS actions (and other feature actions) to the traffic in the class map. (See Chapter 21, Using Modular Policy Framework, for information about other features. This chapter only discusses QoS.) You can configure traffic shaping for all traffic on an interface, and optionally hierarchical priority queueing for a subset of latency-sensitive traffic. See the How QoS Features Interact section on page 24-4...

Creating a Regular Expression

A regular expression matches text strings either literally as an exact string, or by using metacharacters so you can match multiple variants of a text string. You can use a regular expression to match the content of certain application traffic; for example, you can match a URL string inside an HTTP packet. Use Ctrl+V to escape all of the special characters in the CLI, such as the question mark (?) or a tab. For example, type d Ctrl+V ? g to enter d?g in the configuration. See the regex command in the...

Creating Text Configuration Files Offline

This guide describes how to use the CLI to configure the security appliance; when you save commands, the changes are written to a text file. Instead of using the CLI, however, you can edit a text file directly on your PC and paste a configuration at the configuration mode command-line prompt in its entirety, or line by line. Alternatively, you can download a text file to the security appliance internal Flash memory. See Chapter 41, Managing Software, Licenses, and Configurations, for information...

Creating the Standard Priority Queue for an Interface

If you enable standard priority queueing for traffic on a physical interface, then you need to also create the priority queue on each interface. Each physical interface uses two queues: one for priority traffic, and the other for all other traffic. For the other traffic, you can optionally configure policing. Note: The standard priority queue is not required for hierarchical priority queueing with traffic shaping; see the Priority Queueing Overview section on page 24-3 for more information. To...

Default Class Maps

The configuration includes a default Layer 3/4 class map that the security appliance uses in the default global policy. It is called inspection_default and matches the default inspection traffic: class-map inspection_default, match default-inspection-traffic. Another class map that exists in the default configuration is called class-default, and it matches all traffic. This class map appears at the end of all Layer 3/4 policy maps and essentially tells the security appliance to not perform any...

Default Global Policy

By default, the configuration includes a policy that matches all default application inspection traffic and applies certain inspections to the traffic on all interfaces (a global policy). Not all inspections are enabled by default. You can only apply one global policy, so if you want to alter the global policy, you need to either edit the default policy or disable it and apply a new one. (An interface policy overrides the global policy for a particular feature.) The default policy configuration...

Default Inspection Policy

By default, the configuration includes a policy that matches all default application inspection traffic and applies inspection to the traffic on all interfaces (a global policy). Default application inspection traffic includes traffic to the default ports for each protocol. You can only apply one global policy, so if you want to alter the global policy, for example, to apply inspection to non-standard ports, or to add inspections that are not enabled by default, you need to either edit the...

Default Layer 3/4 Policy

The configuration includes a default Layer 3/4 policy map that the security appliance uses in the default global policy. It is called global_policy and performs inspection on the default inspection traffic. You can only apply one global policy, so if you want to alter the global policy, you need to either reconfigure the default policy or disable it and apply a new one. The default policy map configuration includes the following commands. The maximum number of policy maps is 64. To create a...

Defining Actions in an Inspection Policy

When you enable an inspection engine in the Layer 3/4 policy map, you can also optionally enable actions as defined in an inspection policy map. To create an inspection policy map, perform the following steps: Step 1: To create the HTTP inspection policy map, enter the following command: hostname(config) policy-map type inspect application policy_map_name, which enters the hostname(config-pmap) prompt. See the Configuring Application Inspection section on page 25-5 for a list of applications that support inspection policy...

Determining What Traffic to Scan

The CSC SSM can scan FTP, HTTP, POP3, and SMTP traffic. It supports these protocols only when the destination port of the packet requesting the connection is the well-known port for the protocol; that is, the CSC SSM can scan only the following connections: FTP connections opened to TCP port 21; HTTP connections opened to TCP port 80; POP3 connections opened to TCP port 110; SMTP connections opened to TCP port 25. You can choose to scan traffic for all of these protocols or any combination of them....

Determining Which Type of Failover to

The type of failover you choose depends upon your security appliance configuration and how you plan to use the security appliances. If you are running the security appliance in single mode, then you can only use Active/Standby failover. Active/Active failover is only available to security appliances running in multiple context mode. If you are running the security appliance in multiple context mode, then you can configure either Active/Active failover or Active/Standby failover. To provide load...

Disabling MAC Address Learning

By default, each interface automatically learns the MAC addresses of entering traffic, and the security appliance adds corresponding entries to the MAC address table. You can disable MAC address learning if desired; however, unless you statically add MAC addresses to the table, no traffic can pass through the security appliance. To disable MAC address learning, enter the following command: hostname(config) mac-learn interface_name disable. The no form of this command reenables MAC address...

Diverting Traffic to the AIP SSM

You use MPF commands to configure the adaptive security appliance to divert traffic to the AIP SSM. Before configuring the adaptive security appliance to do so, read Chapter 21, Using Modular Policy Framework, which introduces MPF concepts and common commands. To identify traffic to divert from the adaptive security appliance to the AIP SSM, perform the following steps: Step 1: Create an access list that matches all traffic: hostname(config) access-list acl-name permit ip any any. Step 2: Create a...

Diverting Traffic to the CSC SSM

You use MPF commands to configure the adaptive security appliance to divert traffic to the CSC SSM. Before configuring the adaptive security appliance to do so, read Chapter 21, Using Modular Policy Framework, which introduces MPF concepts and common commands. To identify traffic to divert from the adaptive security appliance to the CSC SSM, perform the following steps: Step 1: Create an access list that matches the traffic you want scanned by the CSC SSM. To do so, use the access-list extended...

Dynamic NAT

Dynamic NAT translates a group of real addresses to a pool of mapped addresses that are routable on the destination network. The mapped pool can include fewer addresses than the real group. When a host you want to translate accesses the destination network, the security appliance assigns it an IP address from the mapped pool. The translation is added only when the real host initiates the connection. The translation is in place only for the duration of the connection, and a given user does not...