How the Routing Table is Populated

The security appliance routing table can be populated by statically defined routes, directly connected routes, and routes discovered by the RIP and OSPF routing protocols. Because the security appliance can run multiple routing protocols in addition to having static and connected routes in the routing table, it is possible that the same route is discovered or entered in more than one manner. When two routes to the same destination are put into the routing table, the one that remains in the...

Enabling the TCP Normalizer

This feature uses Modular Policy Framework, so that implementing TCP normalization consists of identifying traffic, specifying the TCP normalization actions, and activating TCP normalization on an interface. See Chapter 21, Using Modular Policy Framework, for more information. To configure TCP normalization, perform the following steps. Step 1: To specify the TCP normalization criteria that you want to look for, create a TCP map by entering the following command: hostname(config)# tcp-map...

FTP Inspection

This section describes the FTP inspection engine. This section includes the following topics: FTP Inspection Overview (page 25-27); Using the strict Option (page 25-27); Configuring an FTP Inspection Policy Map for Additional Inspection Control (page 25-28); Verifying and Monitoring FTP Inspection (page 25-31). The FTP application inspection inspects the FTP sessions and performs four tasks: it prepares the dynamic secondary data connection, tracks the FTP command-response sequence, translates the embedded IP...

Configuring Microsoft Internet Explorer Client Parameters

The following commands configure the proxy server parameters for a Microsoft Internet Explorer client. Step 1: Configure a Microsoft Internet Explorer browser proxy server and port for a client PC by entering the msie-proxy server command in group-policy configuration mode: hostname(config-group-policy)# msie-proxy server {value server[:port] | none}. The default value is none. To remove the attribute from the configuration, use the no form of the command....

Configuring IPSec Remote Access Tunnel Group IPSec Attributes

To configure the IPSec attributes for a remote-access tunnel group, do the following steps. The following description assumes that you have already created the IPSec remote-access tunnel group. IPSec remote-access tunnel groups have more attributes than IPSec LAN-to-LAN tunnel groups. Step 1: To specify the attributes of an IPSec remote-access tunnel-group, enter tunnel-group ipsec-attributes mode by entering the following command. The prompt changes to indicate the mode change: hostname(config)#...

Configuring Integrity Server Support

This section describes an example procedure for configuring the security appliance to support the Zone Labs Integrity Servers. The procedure involves configuring the address, port, connection-fail timeout and fail states, and SSL certificate parameters. First, you must configure the hostname or IP address of the Integrity server. The following example commands, entered in global configuration mode, configure an Integrity server using the IP address 10.0.0.5. They also specify port 300 (the default...

Using Static PAT

This section describes how to configure a static port translation. Static PAT lets you translate the real IP address to a mapped IP address, as well as the real port to a mapped port. You can choose to translate the real port to the same port, which lets you translate only specific types of traffic, or you can take it further by translating to a different port. Figure 17-22 shows a typical static PAT scenario. The translation is always active so both translated and remote hosts can originate...

Configuring an FTP Inspection Policy Map for Additional Inspection Control

FTP command filtering and security checks are provided using strict FTP inspection for improved security and control. Protocol conformance includes packet length checks, delimiters and packet format checks, command terminator checks, and command validation. Blocking FTP based on user values is also supported so that it is possible for FTP sites to post files for download, but restrict access to certain users. You can block FTP connections based on file type, server name, and other attributes....

Configuring TACACS+ Authorization

You can configure the security appliance to perform network access authorization with TACACS+. You identify the traffic to be authorized by specifying access lists that authorization rules must match. Alternatively, you can identify the traffic directly in authorization rules themselves. Tip: Using access lists to identify traffic to be authorized can greatly reduce the number of authorization commands you must enter. This is because each authorization rule you enter can specify only one source...

Configuring IPSec Remote Access Tunnel Group General Attributes

To configure or change the tunnel group general attributes, specify the parameters in the following steps. Step 1: To configure the general attributes, enter the tunnel-group general-attributes command, which enters tunnel-group general-attributes configuration mode. The prompt changes to indicate the change in mode: hostname(config)# tunnel-group tunnel_group_name general-attributes, hostname(config-tunnel-general)#. Step 2: Specify the name of the authentication-server group, if any, to use. If you...

Configuring Application Inspection

This feature uses Modular Policy Framework, so that implementing application inspection consists of identifying traffic, applying inspections to the traffic, and activating inspections on an interface. For some applications, you can perform special actions when you enable inspection. See Chapter 21, Using Modular Policy Framework, for more information. Inspection is enabled by default for some applications. See the Default Inspection Policy section for more information. Use this section to...

Sessioning to the AIP SSM and Running Setup

After you have completed configuration of the ASA 5500 series adaptive security appliance to divert traffic to the AIP SSM, session to the AIP SSM and run the setup utility for initial configuration. Note: You can either session to the SSM from the adaptive security appliance (by using the session 1 command) or you can connect directly to the SSM using SSH or Telnet on its management interface. Alternatively, you can use ASDM. To session to the AIP SSM from the adaptive security appliance,...

Configuring Network Admission Control Parameters

The group-policy NAC commands in this section all have default values. Unless you have a good reason for changing them, accept the default values for these parameters. The security appliance uses Extensible Authentication Protocol (EAP) over UDP (EAPoUDP) messaging to validate the posture of remote hosts. Posture validation involves checking a remote host for compliance with safety requirements before the assignment of a network access policy. An Access Control Server must be configured...

Identifying AAA Server Groups and Servers

If you want to use an external AAA server for authentication, authorization, or accounting, you must first create at least one AAA server group per AAA protocol and add one or more servers to each group. You identify AAA server groups by name. Each server group is specific to one type of server: Kerberos, LDAP, NT, RADIUS, SDI, or TACACS+. The security appliance contacts the first server in the group. If that server is unavailable, the security appliance contacts the next server in the group, if...

Configuring LAN-Based Active/Standby Failover

This section describes how to configure Active/Standby failover using an Ethernet failover link. When configuring LAN-based failover, you must bootstrap the secondary device to recognize the failover link before the secondary device can obtain the running configuration from the primary device. Note: If you are changing from cable-based failover to LAN-based failover, you can skip any steps, such as assigning the active and standby IP addresses for each interface, that you completed for the...

Configuring an H.323 Inspection Policy Map for Additional Inspection Control

To specify actions when a message violates a parameter, create an H.323 inspection policy map. You can then apply the inspection policy map when you enable H.323 inspection according to the Configuring Application Inspection section on page 25-5. To create an H.323 inspection policy map, perform the following steps. Step 1 (Optional): Add one or more regular expressions for use in traffic matching commands according to the Creating a Regular Expression section on page 21-12. See the types of text...

Configuring Attributes for VPN Hardware Clients

The commands in this section enable or disable secure unit authentication and user authentication, and set a user authentication timeout value for VPN hardware clients. They also let you allow Cisco IP phones and LEAP packets to bypass individual user authentication and allow hardware clients using Network Extension Mode to connect.

Configuring Secure Unit Authentication

Secure unit authentication provides additional security by requiring VPN hardware clients to authenticate with a username and...

Active/Active Failover

This section describes Active/Active failover. This section includes the following topics: Active/Active Failover Overview (page 14-10); Primary/Secondary Status and Active/Standby Status (page 14-10); Device Initialization and Configuration Synchronization (page 14-11); Command Replication (page 14-12); Failover Triggers (page 14-13); Failover Actions (page 14-13). Active/Active failover is only available to security appliances in multiple context mode. In an Active/Active failover configuration, both...

Using the show failover Command

This section describes the show failover command output. On each unit you can verify the failover status by entering the show failover command. The information displayed depends upon whether you are using Active/Standby or Active/Active failover. This section includes the following topics: show failover for Active/Standby (page 14-40); show failover for Active/Active (page 14-44). The following is sample output from the show failover command for Active/Standby failover. Table 14-7 provides descriptions for...

GTP Inspection Overview

GPRS provides uninterrupted connectivity for mobile subscribers between GSM networks and corporate networks or the Internet. The GGSN is the interface between the GPRS wireless data network and other networks. The SGSN performs mobility, data session management, and data compression (See Figure 25-3). The UMTS is the commercial convergence of fixed-line telephony, mobile, Internet and computer technology. UTRAN is the networking protocol used for implementing wireless networks in this system....

Configuring IGMP Features

IP hosts use IGMP to report their group memberships to directly connected multicast routers. IGMP uses group addresses (Class D IP addresses) as group identifiers. Host group addresses can be in the range 224.0.0.0 to 239.255.255.255. The address 224.0.0.0 is never assigned to any group. The address 224.0.0.1 is assigned to all systems on a subnet. The address 224.0.0.2 is assigned to all routers on a subnet. When you enable multicast routing on the security appliance, IGMP Version 2 is...

Enabling the DHCP Server

The security appliance can act as a DHCP server. DHCP is a protocol that supplies network settings to hosts, including the host IP address, the default gateway, and a DNS server. Note: The security appliance DHCP server does not support BOOTP requests. In multiple context mode, you cannot enable the DHCP server or DHCP relay on an interface that is used by more than one context. You can configure a DHCP server on each interface of the security appliance. Each interface can have its own pool of...

Configuring Dynamic NAT or PAT

This section describes how to configure dynamic NAT or dynamic PAT. The configurations for dynamic NAT and PAT are almost identical: for NAT you specify a range of mapped addresses, and for PAT you specify a single address. Figure 17-19 shows a typical dynamic NAT scenario. Only translated hosts can create a NAT session, and responding traffic is allowed back. The mapped address is dynamically assigned from a pool defined by the global command. Figure 17-20 shows a typical dynamic PAT scenario....

Configuring LAN-Based Active/Active Failover

This section describes how to configure Active/Active failover using an Ethernet failover link. When configuring LAN-based failover, you must bootstrap the secondary device to recognize the failover link before the secondary device can obtain the running configuration from the primary device. This section includes the following topics: Configure the Primary Unit (page 14-29); Configure the Secondary Unit (page 14-31). To configure the primary unit in an Active/Active failover configuration, perform...

Using MAC Addresses to Exempt Traffic from Authentication and Authorization

The security appliance can exempt from authentication and authorization any traffic from specific MAC addresses. For example, if the security appliance authenticates TCP traffic originating on a particular network but you want to allow unauthenticated TCP connections from a specific server, you would use a MAC exempt rule to exempt from authentication and authorization any traffic from the server specified by the rule. This feature is particularly useful to exempt devices such as IP phones that...

Configuring DNS Rewrite

Using the Static Command for DNS Rewrite

Note: Using the nat command is similar to using the static command except that DNS Rewrite is based on dynamic translation instead of a static mapping.

Using the Alias Command for DNS Rewrite

The alias command causes the security appliance to translate addresses on an IP network residing on any interface into addresses on another IP network connected through a different interface. The syntax for this command is as follows: hostname(config)# alias...

Configuring WebVPN Tunnel Group WebVPN Attributes

To configure the parameters specific to a WebVPN tunnel group, follow the steps in this section. Step 1: To specify the attributes of a WebVPN tunnel-group, enter tunnel-group webvpn-attributes mode by entering the following command. The prompt changes to indicate the mode change: hostname(config)# tunnel-group tunnel-group-name webvpn-attributes, hostname(config-tunnel-ipsec)#. For example, to specify the webvpn-attributes for the WebVPN tunnel-group named sales, enter the following command...

Configuring a DNS Inspection Policy Map for Additional Inspection Control

DNS application inspection supports DNS message controls that provide protection against DNS spoofing and cache poisoning. User-configurable rules allow filtering based on the DNS header, domain name, resource record type, and class. Zone transfers can be restricted between servers with this function, for example. The Recursion Desired and Recursion Available flags in the DNS header can be masked to protect a public server from attack if that server only supports a particular internal zone. In...

Configuring a Security Context

The security context definition in the system configuration identifies the context name, configuration file URL, and interfaces that a context can use. Note: If you do not have an admin context (for example, if you clear the configuration), then you must first specify the admin context name by entering the following command: hostname(config)# admin-context name. Although this context name does not exist yet in your configuration, you can subsequently enter the context name command to match the...

Active/Standby Failover

This section describes Active/Standby failover and includes the following topics: Active/Standby Failover Overview (page 14-6); Primary/Secondary Status and Active/Standby Status (page 14-6); Device Initialization and Configuration Synchronization (page 14-7); Command Replication (page 14-7); Failover Triggers (page 14-8); Failover Actions (page 14-9). Active/Standby failover lets you use a standby security appliance to take over the functionality of a failed unit. When the active unit fails, it changes to...

Configuring Firewall Policies

A firewall isolates and protects a computer from the Internet by inspecting each inbound and outbound individual packet of data to determine whether to allow or drop it. Firewalls provide extra security if remote users in a group have split tunneling configured. In this case, the firewall protects the user's PC, and thereby the corporate network, from intrusions by way of the Internet or the user's local LAN. Remote users connecting to the security appliance with the VPN client can choose the...

Configuring Static Route Tracking

One of the problems with static routes is that there is no inherent mechanism for determining if the route is up or down. They remain in the routing table even if the next hop gateway becomes unavailable. Static routes are only removed from the routing table if the associated interface on the security appliance goes down. The static route tracking feature provides a method for tracking the availability of a static route and installing a backup route if the primary route should fail. This allows...

Configuring RADIUS Authorization

When authentication succeeds, the RADIUS protocol returns user authorizations in the access-accept message sent by a RADIUS server. For more information about configuring authentication, see the Configuring Authentication for Network Access section on page 19-1. When you configure the security appliance to authenticate users for network access, you are also implicitly enabling RADIUS authorizations; therefore, this section contains no information about configuring RADIUS authorization on the...

Configuring the Interface

By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through an enabled subinterface. For multiple context mode, if you allocate a physical interface or subinterface to a context, the interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration. If you shut down an interface in the system execution space, then that...

Configuring WebVPN Tunnel Group General Attributes

To configure or change the tunnel group general attributes, specify the parameters in the following steps. Step 1: To configure the general attributes, enter the tunnel-group general-attributes command, which enters tunnel-group general-attributes configuration mode. Note that the prompt changes: hostname(config)# tunnel-group tunnel_group_name general-attributes, hostname(config-tunnel-general)#. To configure the general attributes for TunnelGroup3, created in the previous section, enter the following...

Configuring a SIP Inspection Policy Map for Additional Inspection Control

To specify actions when a message violates a parameter, create a SIP inspection policy map. You can then apply the inspection policy map when you enable SIP inspection according to the Configuring Application Inspection section on page 25-5. To create a SIP inspection policy map, perform the following steps. Step 1 (Optional): Add one or more regular expressions for use in traffic matching commands according to the Creating a Regular Expression section on page 21-12. See the types of text you can...

Configuring an ESMTP Inspection Policy Map for Additional Inspection Control

To specify actions when a message violates a parameter, create an ESMTP inspection policy map. You can then apply the inspection policy map when you enable ESMTP inspection according to the Configuring Application Inspection section on page 25-5. To create an ESMTP inspection policy map, perform the following steps. Step 1 (Optional): Add one or more regular expressions for use in traffic matching commands according to the Creating a Regular Expression section on page 21-12. See the types of text...