Cisco Systems ASA 5580, ASA 5505, ASA 5545-X manual, page 11-8

Chapter 11 Configuring Inspection for Voice and Video Protocols

H.323 Inspection

You can specify multiple class or match commands in the policy map. For information about the order of class and match commands, see the “Defining Actions in an Inspection Policy Map” section on page 2-4.

Step 7 To configure parameters that affect the inspection engine, perform the following steps:

a. To enter parameters configuration mode, enter the following command:

ciscoasa(config-pmap)# parameters
ciscoasa(config-pmap-p)#

b. To enable call setup between H.323 endpoints, enter the following command in parameters configuration mode:

ciscoasa(config-pmap-p)# ras-rcf-pinholes enable

Enable call setup between H.323 endpoints only when the Gatekeeper is inside the network. With this option the ASA opens pinholes for calls based on the RegistrationRequest/RegistrationConfirm (RRQ/RCF) messages. Because these RRQ/RCF messages are exchanged with the Gatekeeper rather than with the remote endpoint, the calling endpoint's IP address is not known when the pinhole is created, so the ASA opens the pinhole with source IP address/port 0/0, that is, from any source. This is why the option is disabled by default; leave it disabled unless the Gatekeeper is on a trusted inside interface.

c. To define the H.323 call duration limit, enter the following command:

ciscoasa(config-pmap-p)# call-duration-limit time

Where time is the call duration limit in hh:mm:ss format. Range is from 0:0:0 to 1163:0:0. A value of 0 means the call never times out.

d. To enforce the call party number used in call setup, enter the following command:

ciscoasa(config-pmap-p)# call-party-number

e. To enforce H.245 tunnel blocking, enter the following command:

ciscoasa(config-pmap-p)# h245-tunnel-block action {drop-connection | log}

f. To define an hsi group and enter hsi group configuration mode, enter the following command:

ciscoasa(config-pmap-p)# hsi-group id

Where id is the hsi group ID. Range is from 0 to 2147483647.

To add an hsi to the hsi group, enter the following command in hsi group configuration mode:

ciscoasa(config-h225-map-hsi-grp)# hsi ip_address

Where ip_address is the host to add. A maximum of five hosts per hsi group are allowed.

To add an endpoint to the hsi group, enter the following command in hsi group configuration mode:

ciscoasa(config-h225-map-hsi-grp)# endpoint ip_address if_name

Where ip_address is the endpoint to add and if_name is the interface through which the endpoint is connected to the security appliance. A maximum of ten endpoints per hsi group are allowed.

g. To check RTP packets flowing on the pinholes for protocol conformance, enter the following command:

ciscoasa(config-pmap-p)# rtp-conformance [enforce-payloadtype]

Where the enforce-payloadtype keyword enforces the payload type to be audio or video based on the signaling exchange.

h. To enable state checking validation, enter the following command:

ciscoasa(config-pmap-p)# state-checking {h225 | ras}
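The whole of Step 7 carried through as one configuration, as an added example that is not part of the original guide: an H.323 inspection policy map that sets every parameter from substeps a through h, then attaches it to H.225 and RAS inspection on the inside interface. The map name h323_strict, the class map and policy map names, the HSI address 10.1.1.10, the endpoint 10.1.2.20, the interface name inside and the one-hour call limit are assumed for illustration.

```cisco
! Added example, not from the original guide. Names and addresses are assumed.
! Inspection policy map: the Step 7 parameters.
ciscoasa(config)# policy-map type inspect h323 h323_strict
ciscoasa(config-pmap)# parameters
! 7b: only because the Gatekeeper is assumed to be inside; opens pinholes from 0/0.
ciscoasa(config-pmap-p)# ras-rcf-pinholes enable
! 7c: hh:mm:ss; tear down any call that lasts longer than one hour.
ciscoasa(config-pmap-p)# call-duration-limit 1:00:00
! 7d: require the calling party number in call setup.
ciscoasa(config-pmap-p)# call-party-number
! 7e: drop the connection on H.245 tunneling instead of only logging it.
ciscoasa(config-pmap-p)# h245-tunnel-block action drop-connection
! 7f: hsi group 10 with one HSI and one endpoint (addresses assumed).
ciscoasa(config-pmap-p)# hsi-group 10
ciscoasa(config-h225-map-hsi-grp)# hsi 10.1.1.10
ciscoasa(config-h225-map-hsi-grp)# endpoint 10.1.2.20 inside
ciscoasa(config-h225-map-hsi-grp)# exit
! 7g: check RTP on the opened pinholes and pin the payload type to what was signaled.
ciscoasa(config-pmap-p)# rtp-conformance enforce-payloadtype
! 7h: state checking for both H.225 and RAS.
ciscoasa(config-pmap-p)# state-checking h225
ciscoasa(config-pmap-p)# state-checking ras
ciscoasa(config-pmap-p)# exit
ciscoasa(config-pmap)# exit
! Layer 3/4 class and policy map that apply the inspection map (names assumed).
ciscoasa(config)# class-map h323_traffic
ciscoasa(config-cmap)# match default-inspection-traffic
ciscoasa(config-cmap)# exit
ciscoasa(config)# policy-map h323_policy
ciscoasa(config-pmap)# class h323_traffic
ciscoasa(config-pmap-c)# inspect h323 h225 h323_strict
ciscoasa(config-pmap-c)# inspect h323 ras h323_strict
ciscoasa(config-pmap-c)# exit
ciscoasa(config-pmap)# exit
ciscoasa(config)# service-policy h323_policy interface inside
```

Verify that the map is applied with show service-policy inspect h323, and watch the sessions and pinholes the engine creates with show h225, show h323-ras and show conn. Because ras-rcf-pinholes enable opens pinholes with source 0/0, leave that line out of the map unless the Gatekeeper is on an inside interface as described in substep b.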

Cisco ASA Series Firewall CLI Configuration Guide

11-8

object-group user name 25-16Http//Whoami.scansafe.net Monitoring Cloud Web Security25-17 Single Mode Example Configuration Examples for Cisco Cloud Web Security25-18 Multiple Mode Example Whitelist ExampleTo attach class-maps to the Cloud Web Security Policy map 25-19Directory Integration Examples Configuring the Active Directory Server Using Ldap25-20 Configuring the Active Directory Agent Using Radius Testing the AD AgentConfiguring the Identity Options on the ASA Creating the ASA as a Client on the AD Agent ServerCloud Web Security with Identity Firewall Example Monitoring the Active Directory GroupsDownloading the Database from the AD Agent Showing a List of Active Users25-23 25-24 Aaa-server AD inside host 192.168.116.220 server-port25-25 No call-home reporting anonymous call-homeFeature History for Cisco Cloud Web Security Related DocumentsRelated Documents 25-26Botnet Traffic Filter Address Types, Information About the Botnet Traffic Filter26-1 Botnet Traffic Filter Address Types Botnet Traffic Filter Actions for Known AddressesBotnet Traffic Filter Databases Information About the Dynamic DatabaseInformation About the Static Database 26-326-4 How the Botnet Traffic Filter Works 26-5Prerequisites for the Botnet Traffic Filter Licensing Requirements for the Botnet Traffic Filter26-6 Task Flow for Configuring the Botnet Traffic Filter Configuring the Botnet Traffic Filter26-7 Configuring the Dynamic Database 26-8See the Adding Entries to the Static Database section on Adding Entries to the Static Database26-9 Enabling DNS Snooping See the Enabling DNS Snooping section onTCP DNS traffic is not supported 26-1026-11 Inspection section on page 10-1 for more information about 26-12Recommended Configuration 26-13Subset of the dynamic-filter enable ACL See the Blocking Botnet Traffic Manually section onThreat-level range moderate very-high Very-low Low Moderate High Very-highFor dropping purposes. 
If you do not enable this command Blocking Botnet Traffic ManuallyAbout the greylist 26-15Searching the Dynamic Database 26-16Botnet Traffic Filter Commands Monitoring the Botnet Traffic FilterBotnet Traffic Filter Syslog Messaging 26-17Dns-snoop command Infected-hosts command26-18 Configuration Examples for the Botnet Traffic Filter Recommended Configuration Example26-19 Ciscoasa# show dynamic-filter reports top malware-ports26-20 Other Configuration ExamplesOutside 26-21 Feature History for the Botnet Traffic Filter 26-22Configuring Threat Detection Information About Threat DetectionLicensing Requirements for Threat Detection 27-1Information About Basic Threat Detection Statistics Configuring Basic Threat Detection Statistics27-2 Trigger Settings Packet Drop Reason Average Rate Burst Rate Guidelines and LimitationsSecurity Context Guidelines Types of Traffic MonitoredConfiguring Basic Threat Detection Statistics 27-4Threat Detection Statistics section on Monitoring Basic Threat Detection Statistics27-5 Configuring Advanced Threat Detection Statistics Feature History for Basic Threat Detection StatisticsInformation About Advanced Threat Detection Statistics 27-6Configuring Advanced Threat Detection Statistics 27-727-8 Monitoring Advanced Threat Detection Statistics 27-927-10 Using the show threat-detection rate acl-drop command 27-11Protocolnumber argument is an integer between 0 StatisticsField 27-12Field Description 27-13Feature History for Advanced Threat Detection Statistics 27-14Information About Scanning Threat Detection Configuring Scanning Threat Detection27-15 Average Rate Burst Rate 27-16Configuring Scanning Threat Detection Configuration see the Configuring Basic Threat DetectionMonitoring Shunned Hosts, Attackers, and Targets Displays the hosts that are currently shunnedFeature History for Scanning Threat Detection 27-18Configuration Examples for Threat Detection 27-1927-20 Preventing IP Spoofing 28-1Blocking Unwanted Connections Configuring the 
Fragment Size28-2 Configuring IP Audit for Basic IPS Support Configuring IP AuditConfiguring IP Audit, IP Audit Signature List, 28-3IP Audit Signature List 1lists supported signatures and system message numbersSignature Message Number Signature Title 28-428-5 28-6 28-7 28-8 Information About Web Traffic Filtering 29-1Configuring ActiveX Filtering Licensing Requirements for ActiveX FilteringInformation About ActiveX Filtering 29-2Configuring ActiveX Filtering Configuration Examples for ActiveX FilteringGuidelines and Limitations for ActiveX Filtering 29-3Configuring Java Applet Filtering Feature History for ActiveX FilteringInformation About Java Applet Filtering Licensing Requirements for Java Applet FilteringConfiguring Java Applet Filtering Configuration Examples for Java Applet FilteringGuidelines and Limitations for Java Applet Filtering 29-5Feature History for Java Applet Filtering Filtering URLs and FTP Requests with an External ServerInformation About URL Filtering 29-6Guidelines and Limitations for URL Filtering Licensing Requirements for URL Filtering29-7 Choose from the following options Identifying the Filtering Server29-8 29-9 Configuring Additional URL Filtering Settings Buffering the Content Server ResponseReplaces block-buffer with the maximum number of Http Maximum memory allocation of 2 KB to 10 MBCaching Server Addresses Filtering Http URLsOn the Websense server Websense server29-12 Filtering Https URLs 29-13Might enter cd ./files instead of cd /public/files Filtering FTP Requests29-14 Following is sample output from the show url-servercommand Monitoring Filtering Statistics29-15 Ciscoasa# show url-serverFollowing is sample output from the show url-blockcommand Following is sample output from the show perfmon commandFollowing is sample output from the show filter command 29-16Feature History for URL Filtering 29-1729-18 Configuring Modules Page Information About the ASA CX Module 30-1How the ASA CX Module Works with the ASA 30-2Monitor-Only Mode 
Service Policy in Monitor-Only ModeTraffic-Forwarding Interface in Monitor-Only Mode 30-3Initial Configuration Initial Configuration, Policy Configuration and Management,Information About ASA CX Management 30-4Information About Authentication Proxy Compatibility with ASA FeaturesPolicy Configuration and Management Information About VPN and the ASA CX ModuleLicensing Requirements for the ASA CX Module 30-6Monitor-Only Mode Guidelines ASA Clustering GuidelinesDoes not support clustering 30-7Configuring the ASA CX Module See the Compatibility with ASA Features section onParameters Default Task Flow for the ASA CX ModuleASA 5585-X Hardware Module Connecting the ASA CX Management Interface30-9 If you do not have an inside router If you have an inside router30-10 ASA 5512-X through ASA 5555-X Software Module 30-1130-12 Partition the SSD Example30-13 Session 1 do setup host ip ASA 5585-X Changing the ASA CX Management IP AddressSets the ASA CX management IP address, mask, and gateway 30-14Configuring Basic ASA CX Settings at the ASA CX CLI 30-15Ciscoasa# session cxsc console Enter an IPv6 address 2001DB80CD301234/64Asacx config passwd Change the admin password by entering the following command30-16 Optional Configuring the Authentication Proxy Port 30-17Redirecting Traffic to the ASA CX Module Creating the ASA CX Service Policy30-18 See the Monitor-Only Mode section on page 30-3 for more 30-19See the Feature Matching Within a Service Policy section on Configuring Traffic-Forwarding Interfaces Monitor-Only Mode30-20 Managing the ASA CX Module 30-21Resetting the Password Reloading or Resetting the ModuleFor a software module ASA 5512-X through ASA 30-22Shutting Down the Module 30-23Sw-module module cxsc uninstall New module type30-24 ReloadAdmin123 Monitoring the ASA CX ModuleShowing Module Status 30-25Showing Module Statistics 30-26Monitoring Module Connections 30-27Dp-cp ‘X’ flag30-28 Show asp event dp-cp cxsc-msgCiscoasa# show asp drop 30-29Ciscoasa# show asp event dp-cp 
cxsc-msg Troubleshooting the ASA CX Module Capturing Module TrafficDebugging the Module 30-30Problems with the Authentication Proxy 30-31Configuration Examples for the ASA CX Module Check the authentication proxy portCheck the authentication proxy rules 30-32Feature History for the ASA CX Module 30-33We modified or introduced the following commands cxsc Fail-close fail-openmonitor-only,traffic-forwardCxsc monitor-only 30-34Asadataplane Capture interface asadataplane command30-35 30-36 Information About the ASA IPS Module 31-1How the ASA IPS Module Works with the ASA 31-2Operating Modes Using Virtual Sensors ASA 5510 and Higher31-3 Information About Management Access 31-4Licensing Requirements for the ASA IPS module 31-5Management Vlan ASA 5505 only 1lists the default settings for the ASA IPS module31-6 Task Flow for the ASA IPS Module Configuring the ASA IPS module31-7 Connecting the ASA IPS Management Interface 31-831-9 ASA 31-10Sessioning to the Module from the ASA ASA 5512-X through ASA 5555-X Booting the Software Module31-11 Configuring Basic IPS Module Network Settings For example, using the filename in the example in , enterCiscoasa# sw-module module ips recover boot 31-12ASA 5510 and Higher Configuring Basic Network Settings ASA 5505 Configuring Basic Network SettingsConnecting the ASA IPS Management Interface section on Sessioning to the Module from the ASA Section on31-14 Details command Configuring the Security Policy on the ASA IPS Module31-15 31-16 31-17 Diverting Traffic to the ASA IPS module 31-1831-19 31-20 Installing and Booting an Image on the Module Managing the ASA IPS moduleIPS module 31-2131-22 Uninstalling a Software Module Image Sw-module module ips uninstallFor a software module for example, the ASA 5545-X 31-23For a software module for example, the ASA Sw-module module ips password-reset31-24 Ips for a software module Monitoring the ASA IPS module31-25 31-26 Configuration Examples for the ASA IPS moduleCiscoasa# show module ips Feature 
History for the ASA IPS module Allow-ssc-mgmt,hw-module module ip, and hw-moduleModule allow-ip 31-27Session, show module, sw-module Inventory, show environment31-28 Information About the CSC SSM 32-1ASA 32-2Determining What Traffic to Scan 32-3Common Network Configuration for CSC SSM Scanning 32-4Prerequisites for the CSC SSM Licensing Requirements for the CSC SSM32-5 1lists the default settings for the CSC SSM Parameter DefaultSupported in single and multiple context modes 32-6Before Configuring the CSC SSM Configuring the CSC SSM32-7 See the Connecting to the CSC SSM section on Connecting to the CSC SSM32-8 32-9 Diverting Traffic to the CSC SSM See the Diverting Traffic to the CSC SSM section onDetermining What Traffic to Scan section on 32-1032-11 Guidelines and Limitations section on 32-12Monitoring the CSC SSM See the Monitoring the CSC SSM section onDisplays the status Displays additional status informationInstalling an Image on the Module Troubleshooting the CSC Module32-14 Recover command Resetting the Password32-15 Reloading or Resetting the Module 32-16Configuration Examples for the CSC SSM Ciscoasaconfig-cmap#policy-map cscinpolicyShutting Down the Module Shuts down the moduleAdditional References Related Topic Document TitleInstructions on use of the CSC SSM GUI Assistance with the Startup WizardFeature History for the CSC SSM Feature Name Platform Releases Feature InformationDetails recover 32-1932-20 IN-1 IN-2 IN-3 IN-4 IN-5 See also policy map LDP 6-7router-id 6-7TDP Multi-session PATRPC not supported with IN-6IN-7 IN-8 IN-9 IN-10
ASA 5505, ASA 5580, ASA 5585-X, ASA 5545-X, ASA 5555-X and the ASA Services Module: specifications

Cisco's Adaptive Security Appliance (ASA) line spans the desktop-class ASA 5505, the ASA 5580, the ASA 5545-X and ASA 5555-X of the 5500-X series, the data-center-class ASA 5585-X and the ASA Services Module (ASASM), a line card for Catalyst 6500 switches. All of them run the same ASA software and share its inspection engines, service-policy model, connection settings, threat detection and Botnet Traffic Filter; they differ in throughput, form factor and in how add-on security modules (ASA CX, ASA IPS, CSC SSM) are attached.

The ASA 5505 is designed for small and branch offices. It provides stateful firewalling, site-to-site and remote-access VPN, and optional intrusion prevention through a plug-in IPS card that, on this model only, is reached over a dedicated management VLAN. Because its ports are switch ports, features that elsewhere bind to a physical interface, such as the QoS standard priority queue, bind to a VLAN interface on the 5505 (and on the ASASM). It is managed with the same CLI and ASDM as the larger models, and licensing tiers allow it to grow with a site's needs.

The ASA 5580 is a higher-throughput chassis for medium and large enterprises. Its multi-core architecture sustains high connection rates while keeping inspection enabled. Like the rest of the line it supports application-layer inspection and class-based service policies, so inspection, connection limits and TCP normalization can be tuned per traffic class rather than globally.

The ASA 5585-X is the top of the range, intended for large enterprises and data centers that need both high availability and full inspection at high rates. Its chassis accepts hardware modules: the ASA CX context-aware (next-generation) firewall module and the ASA IPS module run as separate blades that receive traffic diverted from the ASA service policy, with their own management interface. Traffic diversion can be configured fail-open or fail-closed, which decides whether the firewall keeps forwarding when the module is down.

The ASA 5545-X sits in the mid range for enterprises that want a balance of throughput and features. Like the other ASA 5512-X through ASA 5555-X models it carries an SSD on which the ASA CX or ASA IPS software module is installed, so advanced threat inspection is added without a separate hardware blade. It supports active/standby failover, and the same monitoring commands (show module, show service-policy, threat detection statistics) as the larger platforms.

The ASA 5555-X is the largest of the software-module platforms, with the highest throughput in that family and the same deep packet inspection engines. Combined with reputation-based features such as the Botnet Traffic Filter, whose dynamic database is downloaded from Cisco, it can act on current threat intelligence without an additional appliance.

Each model therefore trades throughput and module options against cost while sharing one configuration model: the same service-policy, inspection, connection-setting and module-diversion commands apply across the range, so a policy written and tested on one platform carries over to another with few changes.