Contents
Cisco ASA Series Firewall CLI Configuration Guide
Software Version
Cisco ASA Series Firewall CLI Configuration Guide
N T E N T S
Iii
Guidelines and Limitations Default Inspection Policy Maps
NAT for VPN
Guidelines and Limitations
Rules
Vii
Getting Started with Application Layer Protocol Inspection
Viii
IPv6 Inspection
Verifying and Monitoring Sun RPC Inspection
Configuring Unified Communications
Installing a Certificate
Xii
Enabling the Phone Proxy with SIP and Skinny Inspection
Xiii
CTL Client Overview
Xiv
Architecture
Configuring Connection Settings and QoS
Xvi
Configuring the Standard Priority Queue for an Interface
Xvii
Bypassing Scanning with Whitelists
Xviii
Information About the Static Database
Xix
Configuring Java Applet Filtering
Filtering URLs and FTP Requests with an External Server
Xxi
Xxii
30-15
ASA 5505 Configuring Basic Network Settings
Xxiii
Xxiv
Conventions
Document Objectives
Related Documentation
Convention Indication
Obtaining Documentation and Submitting a Service Request
Xxvi
R T
Page
Information About Service Policies
Feature Traffic? See
Supported Features
Feature Directionality
For Through
Feature Matching Within a Service Policy
Feature
Global Direction
Order in Which Multiple Feature Actions are Applied
ASA IPS ASA CX
Incompatibility of Certain Feature Actions
Licensing Requirements for Service Policies
Feature Matching for Multiple Service Policies
Guidelines and Limitations
Service Policy Guidelines
Class Map Guidelines
Policy Map Guidelines
Default Settings
Default Configuration
Default Configuration, Default Class Maps,
Task Flow for Using the Modular Policy Framework
Task Flows for Configuring Service Policies
Default Class Maps
This section includes the following topics
See the Identifying Traffic Layer 3/4 Class Maps section on
Layer 3/4 Policy Map
Creating a Layer 3/4 Class Map for Through Traffic
Command Purpose
Identifying Traffic Layer 3/4 Class Maps
Example
See the Default Settings and NAT Limitations section on
Ports are included in the match default-inspection-traffic
Match default-inspection-traffic command to narrow
Except for the match any , match access-list , or match
Match flow ip destination-address command to match flows
Creating a Layer 3/4 Class Map for Management Traffic
Creates a management class map, where classmapname is a
Defining Actions Layer 3/4 Policy Map
Identifying Traffic Layer 3/4 Class Maps section on
Task Flow for Configuring Hierarchical Policy Maps for
See the Supported Features section on
QoS Traffic Shaping section on page 1-11 for more
Applying Actions to an Interface Service Policy
Monitoring Modular Policy Framework
Configuration Examples for Modular Policy Framework
Displays the service policy statistics
IPv6, see the IPv6 Guidelines section on
Applying Inspection and QoS Policing to Http Traffic
See the following commands for this example
Ciscoasaconfig# class-map httptraffic
Applying Inspection to Http Traffic Globally
Ciscoasaconfig# policy-map httptrafficpolicy
Ciscoasaconfig# service-policy httptrafficpolicy global
Obj-192.168.1.1
Ciscoasaconfig# service-policy httpclient interface inside
Applying Inspection to Http Traffic with NAT
Host
Introduced class-map type management, and inspect
Feature History for Service Policies
Feature Name Releases Feature Information
Radius-accounting
Information About Inspection Policy Maps
Guidelines and Limitations
Default Inspection Policy Maps
Defining Actions in an Inspection Policy Map
Identifying Traffic in an Inspection Class Map section on
Identifying Traffic in an Inspection Class Map
Getting Started with Application Layer Protocol Inspection
Where to Go Next
Feature History for Inspection Policy Maps
1lists the release history for this feature
Page
Configuring Network Address Translation
Page
Why Use NAT?
Information About NAT
NAT Terminology
Static NAT
NAT Types
NAT Types Overview
Information About Static NAT
Information About Static NAT with Port Translation
Information About Static NAT with Port Address Translation
Information About One-to-Many Static NAT
Static NAT with Identity Port Translation
Information About Other Mapping Scenarios Not Recommended
4shows a typical few-to-many static NAT scenario
Dynamic NAT
Information About Dynamic NAT
Dynamic PAT
Dynamic NAT Disadvantages and Advantages
Information About Dynamic PAT
Per-Session PAT vs. Multi-Session PAT
Dynamic PAT Disadvantages and Advantages
NAT in Routed and Transparent Mode
Identity NAT
NAT in Routed Mode, NAT in Transparent Mode,
NAT in Routed Mode
NAT in Transparent Mode
10 NAT Example Transparent Mode
NAT and IPv6
How NAT is Implemented
Main Differences Between Network Object NAT and Twice NAT
Information About Network Object NAT
Information About Twice NAT
11 Twice NAT with Different Destination Addresses
12 Twice NAT with Different Destination Ports
13 Twice Static NAT with Destination Address Translation
NAT Rule Order
Rule Type Order of Rules within the Section
NAT Interfaces
Routing NAT Packets
Mapped Addresses and Routing
Transparent Mode Routing Requirements for Remote Networks
Too late
NAT for VPN
NAT and Remote Access VPN
203.0.113.16075
NAT and Site-to-Site VPN
Same-security-traffic permit intra-interface
See the following sample NAT configuration for ASA1 Boulder
19 Interface PAT and Identity NAT for Site-to-Site VPN
Object network boulderinside Subnet 10.1.1.0
NAT and VPN Management Access
Subnet 10.2.2.0
Object network vpnlocal Subnet 10.3.3.0
Management-access inside
Subnet 10.1.1.0 Nat inside,outside dynamic interface
DNS and NAT
Troubleshooting NAT and VPN
Add the identity NAT configuration
Enter show nat detail and show conn all
22 DNS Reply Modification, DNS Server on Outside
192.168.1.10
24 DNS Reply Modification, DNS Server on Host Network
2001DB8D1A5C8E1
26 PTR Modification, DNS Server on Host Network
Page
Configuring Network Object NAT
Information About Network Object NAT
Licensing Requirements for Network Object NAT
Prerequisites for Network Object NAT
Supports IPv6. See also the NAT and IPv6 section on
Additional Guidelines
Configuring Network Object NAT
Adding Network Objects for Mapped Addresses
Configuring Dynamic NAT
Object
Object network objname
Additional Guidelines section on
DNS and NAT section on page 3-28 for more information
Configuring Dynamic PAT Hide
Nat inside,outside dynamic nat-pat-grp interface
See the Adding Network Objects for Mapped Addresses section
Configures a network object for which you want to configure
Optional Create a network object or group for
Mapped addresses
Used. For this option, you must configure a specific
Configures dynamic PAT for the object IP addresses. You can
Interface-Routed mode only The IP address
When you want to use the interface IP address you
Ciscoasaconfig-network-object#nat inside,outside dynamic
Configuring Static NAT or Static NAT-with-Port-Translation
Ciscoasaconfig# object network IPv4POOL
Ciscoasaconfig# object network IPv6INSIDE
Addresses IPv4 or IPv6 that you want to translate
Static NAT section on
See the DNS and NAT section on page 3-28. This option is
See the Mapped Addresses and Routing section on
Configuring Identity NAT
Translate. See the Adding Network Objects for Mapped
Addresses section on
Mapped Addresses and Routing section on
NAT command. See the Determining the Egress Interface
See the Additional Guidelines section on
Section on page 3-22 for more information
Configuring Per-Session PAT Rules
By default, the following rules are installed
Monitoring Network Object NAT
Shows NAT statistics, including hits for each NAT rule
How many times they were allocated
Configuration Examples for Network Object NAT
Ciscoasaconfig# object network myWebServ
Providing Access to an Inside Web Server Static NAT
Configure static NAT for the object
Create a network object for the internal web server
Create a network object for the inside network
Configure static NAT for the web server
Ciscoasaconfig-network-object#nat outside,inside static
Create a network object for the outside web server
Ciscoasaconfig# object network myLBHost
Configure static NAT for the load balancer
Ciscoasaconfig# object network myPublicIPs
Create a network object for the load balancer
Create a network object for the FTP server address
Ciscoasaconfig# object network Ftpserver
Ciscoasaconfig# object network Httpserver
Create a network object for the Http server address
Ciscoasaconfig# object network Smtpserver
Create a network object for the Smtp server address
DNS Reply Modification
DNS Reply Modification Using Outside NAT
2001DB8D1A5C8E1
Ciscoasaconfig# object network Dnsserver
Feature History for Network Object NAT
Platform Feature Name Releases Feature Information
Pat-pool mappedobject flat include-reserve
Pat-pool mappedobject extended
General-attributes configuration mode
Configuration mode, show nat, show nat pool, show xlate
Nat-assigned-to-public-ip interface tunnel-group
Show nat pool
Page
Configuring Twice NAT
Information About Twice NAT
Licensing Requirements for Twice NAT
Prerequisites for Twice NAT
Supports IPv6
Configuring Twice NAT Guidelines and Limitations
Configuring Twice NAT
Adding Network Objects for Real and Mapped Addresses
Configuring Twice NAT
Optional Adding Service Objects for Real and Mapped Ports
Configure service objects for
Command Purpose
See the Optional Adding Service Objects for Real and Mapped
See the Adding Network Objects for Real and Mapped
Ports section on
Anywhere in the applicable section using the line argument
Configure dynamic NAT. See the following guidelines
Section and Line-Optional By default, the NAT rule is
You can optionally configure the following fallback
Command Purpose
For a PAT pool
Subnet 203.0.113.0
Subnet 2001DB8AAAA/96
Configuring Twice NAT
Detailed Steps
Interface-Routed mode only Specify the interface
Configures dynamic PAT hide. See the following guidelines
Mapped-Configure one of the following
Interface keyword enables interface PAT fallback. After
Command Purpose
Command Purpose
Service tcp destination eq
Subnet 192.168.1.0
Host 2001DB823
Source or Destination real ports
Source or Destination mapped ports
Rule Order section on page 3-18for more information about
See the Static Interface NAT with Port Translation
Examples
Subnet 2001DB8BBBB/96
Object
MAPPEDIPv6NW
OUTSIDEIPv6NW
Source real addresses you will typically use
Static Interface NAT with Port Translation section on
Shows NAT statistics, including hits for each NAT rule
To monitor twice NAT, enter one of the following commands
Monitoring Twice NAT
How many times they were allocated
Add a network object for the inside network
Configuration Examples for Twice NAT
Ciscoasaconfig# object network PATaddress1
Add a network object for the DMZ network
Configure the first twice NAT rule
Configure the second twice NAT rule
Ciscoasaconfig# object network myInsideNetwork
Add a network object for the PAT address when using Telnet
Add a service object for Telnet
Ciscoasaconfig# object network TelnetWebServer
Add a service object for Http
Show nat, show xlate, show nat pool
Feature History for Twice NAT
We modified the following command nat source static
Existing functionality. The unidirectional keyword is
Pat-pool mappedobject flat include-reserve
Nat-assigned-to-public-ip interface tunnel-group
Show nat pool
Configuring Access Control
Page
Configuring Access Rules
Information About Access Rules
General Information About Rules
Implicit Permits
Information About EtherType Rules,
Implicit Deny
Inbound and Outbound Rules
Transactional-Commit Model
Outbound ACL
Information About Extended Access Rules
Access Rules for Returning Traffic
Additional Guidelines and Limitations
Supported EtherTypes and Other Traffic
Management Access Rules
Information About EtherType Rules
Traffic Type Protocol or Port
Allowing Mpls
Licensing Requirements for Access Rules
Prerequisites
Supported in routed and transparent firewall modes
To apply an access rule, perform the following steps
Default Settings
Configuring Access Rules
Per-User ACL Guidelines
Per-user-override option
See Per-User ACL Guidelines,
Show running-config access-group
Monitoring Access Rules
To monitor network access, enter the following command
Hostname config# object-group service myaclog
Feature History for Access Rules
Extended
Permit deny is-is
Access-list extended, service-object, service
Extended, access-list webtype
Ipv6 access-list webtype, ipv6-vpn-filter
Transactional-commit,show running-config asp
AAA Performance
Licensing Requirements for AAA Rules
Configuring Authentication for Network Access
Information About Authentication
One-Time Authentication
ASA Authentication Prompts
Name name1@name2 Password password1@password2
AAA Prompts and Identity Firewall
AAA Rules as a Backup Authentication Method
Static PAT and Http
Nat inside,outside static 10.48.66.155 service tcp 111
Configuring Network Access Authentication
Authentication include command which
User-group any and user-group none can be
Lockout command
Aaa authentication match Auth inside Ldap
Ldap-login-password
Ldap-over-ssl enable
Protocol ldap
Enabling Secure Authentication of Web Clients
Authenticating Directly with the ASA
Authenticating Https Connections with a Virtual Server
Authenticating Telnet Connections with a Virtual Server
Authentication include command
Configuring Authorization for Network Access
Configuring TACACS+ Authorization
Traffic from authentication. Be sure to include
Authenticate. For details, see the general operations
Authentication, while deny entries exclude matching
FTP in the ACL, because the user must authenticate
Authentication match command
Authorization include command which
Configuring Radius Authorization
About the Downloadable ACL Feature and Cisco Secure ACS
ACSCiscoSecure-Defined-ACL=acl-set-name
Configuring Cisco Secure ACS for Downloadable ACLs
Access-list aclname extended
Downloaded ACL on the ASA consists of the following lines
With the following text
Ipinacl#nnn=
Configuring Accounting for Network Access
Filter-id=aclname
Access-list command
Information, see the Configuring Network Access
Authentication section on page 7-7. If you want
Accounting include command which
Configuring AAA Rules for Network Access
Mac-exempt match command
Feature History for AAA Rules
Page
Configuring Application Inspection
Page
Getting Started with Application Layer Protocol Inspection
How Inspection Engines Work
When to Use Application Protocol Inspection
How Inspection Engines Work
Failover Guidelines
Supports IPv6 for the following inspections
Default Settings and NAT Limitations
323 H.225
NetBIOS Name
IP Options
Server over IP
Smtp
SQL*Net
Sun RPC over
Configuring Application Layer Protocol Inspection
View the entire class map using the following command
Ciscoasaconfig# policy-mapname ciscoasaconfig-pmap#
Keywords
Ip-options mapname
Icmp Icmp error Ils
Netbios mapname
Ipsec-pass-thru mapname
Scansafe mapname
Sqlnet Sunrpc
Tftp Waas Xdmcp
DNS Inspection
10-1
General Information About DNS
Default Settings for DNS Inspection
Information About DNS Inspection
DNS Inspection Actions
Do one of the following
10-3
Class-map type inspect dns match-all
Defining Actions in an Inspection Policy Map section on
10-4
Section the additional keyword specifies the Additional RR
Keyword specifies the question portion of a DNS message.
Section the authority keyword specifies the Authority RR
Section
Matches a DNS message domain name list. The regexname
10-6
Match not domain-name regex regexid
Tsig enforced action drop log-Requires a Tsig
Id-mismatch count number duration seconds action
Message-length maximum length client length auto
10-7
Configuring DNS Inspection
Layer 3/4 Class Maps section on page 1-12 for more
10-8
Monitoring DNS Inspection
Dynamic-filter-snoop keyword, see the Enabling DNS
10-9
FTP Inspection Overview
Ciscoasa# show service-policy
FTP Inspection
10-10
Using the strict Option
10-11
10-12
10-13
Ciscoasaconfig# policy-map type inspect ftp mymap
10-14
Verifying and Monitoring FTP Inspection
Ciscoasaconfig# service-policy ftp-policy interface inside
Http Inspection
Http Inspection Overview
10-16
Ciscoasaconfig-cmap#match not req-resp content-type mismatch
10-17
Ciscoasaconfig# policy-map type inspect http policymapname
10-18
10-19
Instant Messaging Inspection
Icmp Error Inspection
Icmp Inspection
IM Inspection Overview
Ciscoasaconfig-cmap#match not protocol im-yahoo im-msn
10-21
Conference games
Ciscoasaconfig# policy-map type inspect im policymapname
10-22
IP Options Inspection
10-23
IP Options Inspection Overview
10-24
Ciscoasaconfig-pmap-p#router-alert action allow clear
IPsec Pass Through Inspection
10-25
Example for Defining an IPsec Pass Through Parameter Map
IPv6 Inspection
IPsec Pass Through Inspection Overview
10-26
Information about IPv6 Inspection
Default Settings for IPv6 Inspection
Optional Configuring an IPv6 Inspection Policy Map
10-27
Routing-address count gt number -Sets the maximum
10-28
Configuring IPv6 Inspection
To enable IPv6 inspection, perform the following steps
10-29
NetBIOS Inspection
NetBIOS Inspection Overview
10-30
10-31
Smtp and Esmtp Inspection Overview
Pptp Inspection
Smtp and Extended Smtp Inspection
10-32
10-33
Ciscoasaconfig# policy-map type inspect esmtp policymapname
10-34
Tftp Inspection
10-35
10-36
Ctiqbe Inspection
Ctiqbe Inspection Overview
11-1
Limitations and Restrictions
Verifying and Monitoring Ctiqbe Inspection
11-2
Inspection
11-3
Inspection Overview
How H.323 Works
11-4
Support in H.245 Messages
11-5
11-6
Ciscoasaconfig-cmap#match not media-type audio data video
Ciscoasaconfig# policy-map type inspect h323 policymapname
11-7
Ciscoasaconfig-pmap-p#state-checking h225 ras
Ciscoasaconfig# ras-rcf-pinholes enable
Ciscoasaconfig-pmap-p#rtp-conformance enforce-payloadtype
11-8
Monitoring H.225 Sessions
Configuring H.323 and H.225 Timeout Values
Verifying and Monitoring H.323 Inspection
11-9
11-10
Monitoring H.245 Sessions
Monitoring H.323 RAS Sessions
Ciscoasa# show h323-ras
Mgcp Inspection
Mgcp Inspection Overview
11-11
Ciscoasaconfig# policy-map type inspect mgcp mapname
11-12
Configuring Mgcp Timeout Values
Following example shows how to define an Mgcp map
11-13
Rtsp Inspection
Verifying and Monitoring Mgcp Inspection
11-14
Restrictions and Limitations
Using RealPlayer
Rtsp Inspection Overview
11-15
Ciscoasaconfig-cmap#match not request-method method
11-16
Ciscoasaconfig# policy-map type inspect rtsp policymapname
11-17
SIP Inspection
SIP Inspection Overview
11-18
SIP Instant Messaging
11-19
11-20
Ciscoasaconfig-cmap#match not content length gt length
11-21
Ciscoasaconfig-cmap#match not uri sip tel length gt length
Ciscoasaconfig# policy-map type inspect sip policymapname
11-22
Ciscoasaconfig-pmap-p#software-version action mask log log
Ciscoasaconfig-pmap-p#uri-non-sip action mask log log
11-23
Verifying and Monitoring SIP Inspection
Configuring SIP Timeout Values
Skinny Sccp Inspection
11-24
Sccp Inspection Overview
Supporting Cisco IP Phones
11-25
Ciscoasaconfig# policy-map type inspect skinny policymapname
11-26
Ciscoasaconfig-pmap-p#sccp-prefix-len max min valuelength
11-27
Verifying and Monitoring Sccp Inspection
11-28
ILS Inspection
ILS Inspection, SQL*Net Inspection, Sun RPC Inspection,
12-1
SQL*Net Inspection
12-2
Sun RPC Inspection
Sun RPC Inspection Overview
12-3
Managing Sun RPC Services
Verifying and Monitoring Sun RPC Inspection
12-4
12-5
Ciscoasa# show sunrpc-server active
12-6
Dcerpc Inspection
Dcerpc Overview
13-1
Ciscoasaconfig# policy-map type inspect dcerpc policymapname
13-2
GTP Inspection
GTP Inspection Overview
13-3
Ciscoasaconfig# policy-map type inspect gtp policymapname
13-4
Ciscoasaconfig# object-group network GSN-pool-name
Ciscoasaconfig-network#network-object host
13-5
Ciscoasaconfig# object-group network SGSN-name
Ciscoasaconfig# object-group network sgsn32
13-6
Verifying and Monitoring GTP Inspection
Ciscoasaconfig# service-policy globalpolicy global
Ciscoasa# show service-policy inspect gtp statistics
13-7
Ciscoasa# show service-policy gtp statistics grep gsn
Radius Accounting Inspection
13-8
13-9
Configure the service policy
Radius Accounting Inspection Overview
Inspect radius-accounting radiusaccountingmap
Snmp Inspection Overview
RSH Inspection
Snmp Inspection
13-10
Xdmcp Inspection
13-11
13-12
Configuring Unified Communications
Page
14-1
14-2
Phone proxy
Might not need
Certificate for
Application
ASA Base License 2 sessions
Model License Requirement1
ASA Base License and Security Plus License 2 sessions
14-4
ASA 5585-X with Base License 2 sessions SSP-10
ASA 5585-X with Base License 2 sessions SSP-20, -40, or
14-5
IME
14-6
Cisco Intercompany Media Engine Proxy
Cisco Mobility Advantage Proxy
Cisco Presence Federation Proxy
15-1
15-2
Licensing Requirements for the Unified Communication Wizard
15-3
Supports IPv6 addresses
15-4
Configuring the Private Network for the Phone Proxy
15-5
Configuring Servers for the Phone Proxy
Click the Generate and Export LDC Certificate button
15-6
Address Default Port Description
15-7
15-8
Configuring the Public IP Phone Network
15-9
15-10
15-11
15-12
15-13
15-14
Dialog box. See Installing a Certificate,
Certificate,
15-15
15-16
15-17
Basic Deployment
Off-path Deployment
15-18
15-19
15-20
Supports installing self-signed certificates
Wizard supports using self-signed certificates only
Cisco UCMs need to be installed on the security appliance
Other, respectively, during TLS handshakes
15-22
Installing a Certificate
Exporting an Identity Certificate
15-23
Click Install Certificate
15-24
Saving the Identity Certificate Request
15-25
15-26
15-27
15-28
Information About the Cisco Phone Proxy
Phone Proxy Functionality
16-1
16-2
TCP/RTP TLS/SRTP
Cisco Unified IP Phones
Supported Cisco UCM and IP Phones for the Phone Proxy
Cisco Unified Communications Manager
16-3
Licensing Requirements for the Phone Proxy
16-4
16-5
This section contains the following topics
Prerequisites for the Phone Proxy
Media Termination Instance Prerequisites
16-6
Cisco Unified Communications Manager Prerequisites
Certificates from the Cisco UCM
DNS Lookup Prerequisites
ACL Rules
NAT Prerequisites
NAT and PAT Prerequisites
Address Port Protocol Description
PAT Prerequisites
There must be two CTL file record entries for the Cisco UCM
Prerequisites for IP Phones on Multiple Interfaces
7940 IP Phones Support
16-9
Cipc security-mode authenticated
Cisco IP Communicator Prerequisites
16-10
Icmp deny any outside
Rate Limiting Configuration Example
Prerequisites for Rate Limiting Tftp Requests
16-11
Ways to Deploy IP Phones to End Users
Phone Proxy Guidelines and Limitations
End-User Phone Provisioning
16-12
General Guidelines and Limitations
16-13
Configuring the Phone Proxy
Media Termination Address Guidelines and Limitations
16-14
Importing Certificates from the Cisco UCM
Choose Security Certificate Management
16-15
Hostnameconfig# crypto ca authenticate trustpoint
Authenticating IP phones with an LSC
Hostnameconfig# crypto ca trustpoint trustpointname
Certificate Name Required for
Creating Trustpoints and Generating Certificates
16-17
What to Do Next
Creating the CTL File
Prerequisites
16-18
16-19
Using an Existing CTL File
16-20
Creating the TLS Proxy for a Mixed-mode Cisco UCM Cluster
16-21
16-22
Cucm/cucos/504/iptpch6.html#wp1040354
Creating the Media Termination Instance
Cucm/cucos/504/iptpch6.html#wp1040848
16-23
Creating the Phone Proxy Instance
See Media Termination Instance Prerequisites
16-24
See Creating the Media Termination Instance
16-25
Enabling the Phone Proxy with SIP and Skinny Inspection
See Cisco IP Communicator Prerequisites
16-26
16-27
Debugging Information from the Security Appliance
Troubleshooting the Phone Proxy
Configuring Your Router
16-28
Use the Command
16-29
16-30
Show asp table classify domain
Show asp drop
Debugging Information from IP Phones
Show conn all
Debugging Information from IP Phones
16-32
IP Phone Registration Failure
Tftp Auth Error Displays on IP Phone Console
Problem The IP phone displays the following Status message
16-33
Ciscoasa# show running-config all ctl-file ctlname
Configuration File Parsing Error
Configuration File Parsing Error Unable to Get DNS Response
16-34
16-35
Non-configuration File Parsing Error
Phone-proxy tftp
Hostname# debug phone-proxy tftp
16-36
Hostname# capture out interface outside
IP Phone Unable to Download CTL File
IP Phone Requesting Unsigned File Error
Hostnameconfig# show running-config all phone-proxy
16-37
IP Phone Registration Failure from Signaling Connections
16-38
16-39
To add the required ciphers, enter the following command
Debug sip Debug skinny
Hostname# show run all ssl
SSL Handshake Failure
16-40
Media Termination Address Errors
Certificate Validation Errors
16-41
Audio Problems with IP Phones
Saving Sast Keys
16-42
16-43
Record-entry cucm trustpoint trustpoint address address
Configuration Examples for the Phone Proxy
16-44
Record-entry capf trustpoint trustpoint address address
16-45
Corporate Network
16-46
Fqdn my-ldc-ca.exmaple.com
16-47
Phone a 10.10.0.24
16-48
16-49
ASA Outside Interface Phone a 10.10.0.24
16-50
Enroll terminal crypto ca authenticate capf ctl-file myctl
16-51
Example 6 Vlan Transversal
16-52
16-53
ASA Inside Interface 10.130.50.24
Feature History for the Phone Proxy
16-54
17-1
Supported Cisco UCM and IP Phones for the TLS Proxy
17-2
CTL Client Overview
17-3
CTL Client TLS Proxy Features ASA IP Address or Domain Name
17-4
Licensing for the TLS Proxy
17-5
17-6
Configuring the TLS Proxy for Encrypted Voice Inspection
17-7
Ciscoasaconfig# tls-proxy maximum-sessions
Ciscoasaconfig# show crypto ca server certificate
17-8
17-9
Creating an Internal CA
17-10
Creating a CTL Provider Instance
17-11
Creating the TLS Proxy Instance
17-12
Crypto ca trustpoint command
17-13
17-14
Monitoring the TLS Proxy
17-15
17-16
AES128-SHA
2lists the release history for this feature
TLS Proxy TLS proxy feature was introduced
17-17
17-18
Cisco Mobility Advantage Proxy Functionality
18-1
Hostnameconfig-tlsp#no server authenticate-client
Mobility Advantage Proxy Deployment Scenarios
18-2
18-3
TLS
Mobility Advantage Proxy Using NAT/PAT
Versus
18-4
Trust Relationships for Cisco UMA Deployments
18-5
Configuring Cisco Mobility Advantage
Longer requires a Unified Communications Proxy license
18-6
Enabling the TLS Proxy for MMP Inspection,
Task Flow for Configuring Cisco Mobility Advantage
Installing the Cisco UMA Server Certificate
18-7
18-8
Enabling the TLS Proxy for MMP Inspection
18-9
Monitoring for Cisco Mobility Advantage
Exits from the Policy Map configuration mode
Enables the service policy on all interfaces
18-10
Configuration Examples for Cisco Mobility Advantage
18-11
18-12
18-13
Feature History for Cisco Mobility Advantage
18-14
Information About Cisco Unified Presence
19-1
Ciscoasaconfig# object network obj-10.0.0.2-01
19-2
19-3
Trust Relationship in the Presence Federation
19-4
Xmpp Federation Deployments
19-5
Allow traffic from any address to any single node on port
Configuration Requirements for Xmpp Federation
Configure the following NAT commands
19-6
Licensing for Cisco Unified Presence
19-7
Configuring Cisco Unified Presence Proxy for SIP Federation
19-8
Install the certificates. See Installing Certificates,
19-9
Installing Certificates
Trustpoint for the remote entity
19-10
19-11
19-12
Trust-pointcommand is the remote entity proxy
Enabling the TLS Proxy for SIP Inspection
19-13
Monitoring Cisco Unified Presence
Configuration Example for Cisco Unified Presence
Example Configuration for SIP Federation Deployments,
19-14
Example Configuration for SIP Federation Deployments
19-15
19-16
Example ACL Configuration for Xmpp Federation
19-17
Example NAT Configuration for Xmpp Federation
19-18
19-19
Feature History for Cisco Unified Presence
19-20
Features of Cisco Intercompany Media Engine Proxy
20-1
How the UC-IME Works with the Pstn and the Internet
20-2
Tickets and Passwords
20-3
Call Fallback to the Pstn
20-4
Architecture
Architecture, Basic Deployment, Off Path Deployment,
20-5
Basic Deployment
20-6
Licensing for Cisco Intercompany Media Engine
Off Path Deployment
20-7
Does not support IPv6 addresses
Supported in single context mode only
Supported in routed firewall mode only
20-8
20-9
Configuring Cisco Intercompany Media Engine Proxy
Task Flow for Configuring Cisco Intercompany Media Engine
20-10
Configuring NAT for Cisco Intercompany Media Engine Proxy
Create the TLS proxy. See Creating the TLS Proxy,
20-11
Cisco UCM that you want to translate
20-12
Configuring PAT for the Cisco UCM Server
20-13
20-14
Creating ACLs for Cisco Intercompany Media Engine Proxy
20-15
Procedure
Guidelines
20-16
Creating the Cisco Intercompany Media Engine Proxy
See Creating the Cisco Intercompany Media Engine
20-17
20-18
Show running-config uc-ime command
20-19
20-20
Prerequisites for Installing Certificates
20-21
20-22
Certificates section on
Creating the TLS Proxy
Creating Trustpoints and Generating
20-23
20-24
Created in , page 20-15of the task Creating
ACLs for Cisco Intercompany Media Engine Proxy
20-25
Map you created in of this task
Optional Configuring TLS within the Local Enterprise
Where policymapname is the name of the policy
20-26
Commands Purpose
20-27
Where proxytrustpoint for the server trust-point
Where proxytrustpoint for the client trust-point
20-28
Optional Configuring Off Path Signaling
20-29
Engine Proxy,
Intercompany Media Engine Proxy,
Creating the Cisco Intercompany Media
20-30
20-31
20-32
Show uc-ime signaling-sessions
20-33
Show uc-ime signaling-sessions statistics
Show uc-ime media-sessions detail
20-34
Show uc-ime fallback-notification statistics
Show uc-ime mapping-service-sessions
Show uc-ime mapping-service-sessions statistics
20-35
20-36
Configuring Connection Settings and QoS
Page
Information About Connection Settings
22-1
TCP Intercept and Limiting Embryonic Connections
Dead Connection Detection DCD
22-2
TCP State Bypass
TCP Sequence Randomization
TCP Normalization
22-3
Licensing Requirements for Connection Settings
22-4
TCP State Bypass
TCP State Bypass Unsupported Features
Maximum Concurrent and Embryonic Connection Guidelines
TCP Normalizer
For each TCP map, you can customize one or more settings
Configuring Connection Settings
Task Flow For Configuring Connection Settings
Customizing the TCP Normalizer with a TCP Map
22-7
Command
22-8
Command
22-9
22-10
Window-variation allow drop
Configuring Connection Settings
Urgent-flag allow clear
22-11
22-12
Embryonic-conn-max keywords
Random-sequence-number enable disable keyword
TCP Sequence Randomization section on page 22-3 section for
22-13
Idle hh mm ss keyword sets the idle timeout period after
Command in the command reference
Embryonic hh mm ss keyword sets the timeout period until a
To 0, which means the connection never times out
Configuration Examples for Connection Limits and Timeouts
Monitoring Connection Settings
Configuration Examples for Connection Settings
22-15
Following is a sample configuration for TCP state bypass
Configuration Examples for TCP State Bypass
Configuration Examples for TCP Normalization
22-16
Feature History for Connection Settings
22-17
Connection per-client-embryonic-max,set connection
Timeout half-closed,timeout half-closed
Conn-max,set connection embryonic-conn-max,set
Per-client-max
Information About QoS
23-1
Supported QoS Features
What is a Token Bucket?
23-2
Information About Policing
Information About Priority Queuing
23-3
How QoS Features Interact
Information About Traffic Shaping
23-4
Does not support IPv6
Licensing Requirements for QoS
Dscp and DiffServ Preservation
Model Guidelines
Configuring QoS
23-6
Kbps
Mbps
125
23-7
Interface name
Configuring the Standard Priority Queue for an Interface
Priority queue, or for the ASA 5505 or ASASM, the Vlan
23-8
23-9
23-10
Step
23-11
23-12
23-13
Configuring the Service Rule
23-14
Multiple of 8000. See the Information About Traffic Shaping
Priority Queuing Policy section on
23-15
Viewing QoS Police Statistics
Ciscoasa# show service-policy police
Monitoring QoS
23-16
Viewing QoS Standard Priority Statistics
Viewing QoS Shaping Statistics
23-17
Viewing QoS Standard Priority Queue Statistics
23-18
Ciscoasa# show priority-queue statistics test
Feature History for QoS
23-19
23-20
Troubleshooting Connections and Resources
Testing Your Configuration
24-1
Enabling Icmp Debugging Messages and Syslog Messages
24-2
Pinging ASA Interfaces
24-3
ASA
24-4
Passing Traffic Through the ASA
24-5
Disabling the Test Configuration
24-6
Tracing Packets with Packet Tracer
Monitoring Per-Process CPU Usage
Determining Packet Routing with Traceroute
24-7
24-8
Configuring Advanced Network Protection
Page
Configuring the ASA for Cisco Cloud Web Security
25-1
Redirection of Web Traffic to Cloud Web Security
User Authentication and Cloud Web Security
Information About Cisco Cloud Web Security
25-2
Company Authentication Key, Group Authentication Key,
Authentication Keys
Company Authentication Key Group Authentication Key
25-3
Custom Groups
ScanCenter Policy
Directory Groups
25-4
How Groups and the Authentication Key Interoperate
Cloud Web Security Actions
25-5
Bypassing Scanning with Whitelists
Failover from Primary to Backup Proxy Server
Licensing Requirements for Cisco Cloud Web Security
IPv4 and IPv6 Support
Optional Fully Qualified Domain Name Prerequisites
Optional User Authentication Prerequisites
Prerequisites for Cloud Web Security
25-7
Configuring Cisco Cloud Web Security
By default, Cisco Cloud Web Security is not enabled
25-8
See the Authentication Keys section on
25-9
Config-url disk0/onectx.cfg Context two
25-10
Optional Configuring Whitelisted Traffic section on
25-11
Adding an Extended Access Control List,
25-12
Policy section on page 1-17for more information
25-13
25-14
Optional Configuring Whitelisted Traffic
25-15
Object-group-user-Specifies an object-group user name
Optional Configuring the User Identity Monitor
Configuring the Cloud Web Security Policy
25-16
Monitoring Cloud Web Security
Http//Whoami.scansafe.net
25-17
Configuration Examples for Cisco Cloud Web Security
Single Mode Example
25-18
To attach class-maps to the Cloud Web Security Policy map
Multiple Mode Example
Whitelist Example
25-19
Configuring the Active Directory Server Using Ldap
Directory Integration Examples
25-20
Configuring the Identity Options on the ASA
Configuring the Active Directory Agent Using Radius
Testing the AD Agent
Creating the ASA as a Client on the AD Agent Server
Downloading the Database from the AD Agent
Cloud Web Security with Identity Firewall Example
Monitoring the Active Directory Groups
Showing a List of Active Users
25-23
25-24
Aaa-server AD inside host 192.168.116.220 server-port
25-25
No call-home reporting anonymous call-home
Related Documents
Feature History for Cisco Cloud Web Security
Related Documents
25-26
Information About the Botnet Traffic Filter
Botnet Traffic Filter Address Types,
26-1
Botnet Traffic Filter Databases
Botnet Traffic Filter Address Types
Botnet Traffic Filter Actions for Known Addresses
Information About the Dynamic Database
Information About the Static Database
26-3
26-4
How the Botnet Traffic Filter Works
26-5
Licensing Requirements for the Botnet Traffic Filter
Prerequisites for the Botnet Traffic Filter
26-6
Configuring the Botnet Traffic Filter
Task Flow for Configuring the Botnet Traffic Filter
26-7
Configuring the Dynamic Database
26-8
Adding Entries to the Static Database
See the Adding Entries to the Static Database section on
26-9
TCP DNS traffic is not supported
Enabling DNS Snooping
See the Enabling DNS Snooping section on
26-10
26-11
Inspection section on page 10-1 for more information about
26-12
Recommended Configuration
26-13
Threat-level range moderate very-high
Subset of the dynamic-filter enable ACL
See the Blocking Botnet Traffic Manually section on
Very-low Low Moderate High Very-high
About the greylist
For dropping purposes. If you do not enable this command
Blocking Botnet Traffic Manually
26-15
Searching the Dynamic Database
26-16
Botnet Traffic Filter Syslog Messaging
Botnet Traffic Filter Commands
Monitoring the Botnet Traffic Filter
26-17
Infected-hosts command
Dns-snoop command
26-18
26-19
Configuration Examples for the Botnet Traffic Filter
Recommended Configuration Example
Ciscoasa# show dynamic-filter reports top malware-ports
Other Configuration Examples
26-20
Outside
26-21
Feature History for the Botnet Traffic Filter
26-22
Licensing Requirements for Threat Detection
Configuring Threat Detection
Information About Threat Detection
27-1
Configuring Basic Threat Detection Statistics
Information About Basic Threat Detection Statistics
27-2
Security Context Guidelines
Trigger Settings Packet Drop Reason Average Rate Burst Rate
Guidelines and Limitations
Types of Traffic Monitored
Configuring Basic Threat Detection Statistics
27-4
Monitoring Basic Threat Detection Statistics
Threat Detection Statistics section on
27-5
Information About Advanced Threat Detection Statistics
Configuring Advanced Threat Detection Statistics
Feature History for Basic Threat Detection Statistics
27-6
Configuring Advanced Threat Detection Statistics
27-7
27-8
Monitoring Advanced Threat Detection Statistics
27-9
27-10
Using the show threat-detection rate acl-drop command
27-11
Field
Protocolnumber argument is an integer between 0
Statistics
27-12
Field Description
27-13
Feature History for Advanced Threat Detection Statistics
27-14
Configuring Scanning Threat Detection
Information About Scanning Threat Detection
27-15
Average Rate Burst Rate
27-16
Monitoring Shunned Hosts, Attackers, and Targets
Configuring Scanning Threat Detection
Configuration see the Configuring Basic Threat Detection
Displays the hosts that are currently shunned
Feature History for Scanning Threat Detection
27-18
Configuration Examples for Threat Detection
27-19
27-20
Preventing IP Spoofing
28-1
Configuring the Fragment Size
Blocking Unwanted Connections
28-2
Configuring IP Audit, IP Audit Signature List,
Configuring IP Audit for Basic IPS Support
Configuring IP Audit
28-3
Signature Message Number Signature Title
IP Audit Signature List
1lists supported signatures and system message numbers
28-4
28-5
28-6
28-7
28-8
Information About Web Traffic Filtering
29-1
Information About ActiveX Filtering
Configuring ActiveX Filtering
Licensing Requirements for ActiveX Filtering
29-2
Guidelines and Limitations for ActiveX Filtering
Configuring ActiveX Filtering
Configuration Examples for ActiveX Filtering
29-3
Information About Java Applet Filtering
Configuring Java Applet Filtering
Feature History for ActiveX Filtering
Licensing Requirements for Java Applet Filtering
Guidelines and Limitations for Java Applet Filtering
Configuring Java Applet Filtering
Configuration Examples for Java Applet Filtering
29-5
Information About URL Filtering
Feature History for Java Applet Filtering
Filtering URLs and FTP Requests with an External Server
29-6
Licensing Requirements for URL Filtering
Guidelines and Limitations for URL Filtering
29-7
Identifying the Filtering Server
Choose from the following options
29-8
29-9
Replaces block-buffer with the maximum number of Http
Configuring Additional URL Filtering Settings
Buffering the Content Server Response
Maximum memory allocation of 2 KB to 10 MB
On the Websense server
Caching Server Addresses
Filtering Http URLs
Websense server
29-12
Filtering Https URLs
29-13
Filtering FTP Requests
Might enter cd ./files instead of cd /public/files
29-14
29-15
Following is sample output from the show url-servercommand
Monitoring Filtering Statistics
Ciscoasa# show url-server
Following is sample output from the show filter command
Following is sample output from the show url-blockcommand
Following is sample output from the show perfmon command
29-16
Feature History for URL Filtering
29-17
29-18
Configuring Modules
Page
Information About the ASA CX Module
30-1
How the ASA CX Module Works with the ASA
30-2
Traffic-Forwarding Interface in Monitor-Only Mode
Monitor-Only Mode
Service Policy in Monitor-Only Mode
30-3
Information About ASA CX Management
Initial Configuration
Initial Configuration, Policy Configuration and Management,
30-4
Policy Configuration and Management
Information About Authentication Proxy
Compatibility with ASA Features
Information About VPN and the ASA CX Module
Licensing Requirements for the ASA CX Module
30-6
Does not support clustering
Monitor-Only Mode Guidelines
ASA Clustering Guidelines
30-7
Parameters Default
Configuring the ASA CX Module
See the Compatibility with ASA Features section on
Task Flow for the ASA CX Module
Connecting the ASA CX Management Interface
ASA 5585-X Hardware Module
30-9
If you have an inside router
If you do not have an inside router
30-10
ASA 5512-X through ASA 5555-X Software Module
30-11
30-12
Example
Partition the SSD
30-13
Sets the ASA CX management IP address, mask, and gateway
Session 1 do setup host ip
ASA 5585-X Changing the ASA CX Management IP Address
30-14
Ciscoasa# session cxsc console
Configuring Basic ASA CX Settings at the ASA CX CLI
30-15
Enter an IPv6 address 2001DB80CD301234/64
Change the admin password by entering the following command
Asacx config passwd
30-16
Optional Configuring the Authentication Proxy Port
30-17
Creating the ASA CX Service Policy
Redirecting Traffic to the ASA CX Module
30-18
See the Monitor-Only Mode section on page 30-3 for more
30-19
Configuring Traffic-Forwarding Interfaces Monitor-Only Mode
See the Feature Matching Within a Service Policy section on
30-20
Managing the ASA CX Module
30-21
For a software module ASA 5512-X through ASA
Resetting the Password
Reloading or Resetting the Module
30-22
Shutting Down the Module
30-23
30-24
Sw-module module cxsc uninstall
New module type
Reload
Showing Module Status
Admin123
Monitoring the ASA CX Module
30-25
Showing Module Statistics
30-26
Monitoring Module Connections
30-27
30-28
Dp-cp
‘X’ flag
Show asp event dp-cp cxsc-msg
30-29
Ciscoasa# show asp drop
Ciscoasa# show asp event dp-cp cxsc-msg
Debugging the Module
Troubleshooting the ASA CX Module
Capturing Module Traffic
30-30
Problems with the Authentication Proxy
30-31
Check the authentication proxy rules
Configuration Examples for the ASA CX Module
Check the authentication proxy port
30-32
Feature History for the ASA CX Module
30-33
Cxsc monitor-only
We modified or introduced the following commands cxsc
Fail-close fail-openmonitor-only,traffic-forward
30-34
Capture interface asadataplane command
Asadataplane
30-35
30-36
Information About the ASA IPS Module
31-1
How the ASA IPS Module Works with the ASA
31-2
Using Virtual Sensors ASA 5510 and Higher
Operating Modes
31-3
Information About Management Access
31-4
Licensing Requirements for the ASA IPS module
31-5
1lists the default settings for the ASA IPS module
Management Vlan ASA 5505 only
31-6
Configuring the ASA IPS module
Task Flow for the ASA IPS Module
31-7
Connecting the ASA IPS Management Interface
31-8
31-9
ASA
31-10
ASA 5512-X through ASA 5555-X Booting the Software Module
Sessioning to the Module from the ASA
31-11
Ciscoasa# sw-module module ips recover boot
Configuring Basic IPS Module Network Settings
For example, using the filename in the example in , enter
31-12
Connecting the ASA IPS Management Interface section on
ASA 5510 and Higher Configuring Basic Network Settings
ASA 5505 Configuring Basic Network Settings
Sessioning to the Module from the ASA Section on
31-14
Configuring the Security Policy on the ASA IPS Module
Details command
31-15
31-16
31-17
Diverting Traffic to the ASA IPS module
31-18
31-19
31-20
IPS module
Installing and Booting an Image on the Module
Managing the ASA IPS module
31-21
31-22
For a software module for example, the ASA 5545-X
Uninstalling a Software Module Image
Sw-module module ips uninstall
31-23
Sw-module module ips password-reset
For a software module for example, the ASA
31-24
Monitoring the ASA IPS module
Ips for a software module
31-25
Configuration Examples for the ASA IPS module
31-26
Ciscoasa# show module ips
Module allow-ip
Feature History for the ASA IPS module
Allow-ssc-mgmt,hw-module module ip, and hw-module
31-27
Inventory, show environment
Session, show module, sw-module
31-28
Information About the CSC SSM
32-1
ASA
32-2
Determining What Traffic to Scan
32-3
Common Network Configuration for CSC SSM Scanning
32-4
Licensing Requirements for the CSC SSM
Prerequisites for the CSC SSM
32-5
Supported in single and multiple context modes
1lists the default settings for the CSC SSM
Parameter Default
32-6
Configuring the CSC SSM
Before Configuring the CSC SSM
32-7
Connecting to the CSC SSM
See the Connecting to the CSC SSM section on
32-8
32-9
Determining What Traffic to Scan section on
Diverting Traffic to the CSC SSM
See the Diverting Traffic to the CSC SSM section on
32-10
32-11
Guidelines and Limitations section on
32-12
Displays the status
Monitoring the CSC SSM
See the Monitoring the CSC SSM section on
Displays additional status information
Troubleshooting the CSC Module
Installing an Image on the Module
32-14
Resetting the Password
Recover command
32-15
Reloading or Resetting the Module
32-16
Shutting Down the Module
Configuration Examples for the CSC SSM
Ciscoasaconfig-cmap#policy-map cscinpolicy
Shuts down the module
Instructions on use of the CSC SSM GUI
Additional References
Related Topic Document Title
Assistance with the Startup Wizard
Details recover
Feature History for the CSC SSM
Feature Name Platform Releases Feature Information
32-19
32-20
IN-1
IN-2
IN-3
IN-4
IN-5
RPC not supported with
See also policy map
LDP 6-7router-id 6-7TDP Multi-session PAT
IN-6
IN-7
IN-8
IN-9
IN-10