Cisco Systems ASA 5555-X, ASA 5505, ASA 5545-X manual NAT and VPN Management Access, Subnet 10.2.2.0

Page 86

Chapter 3 Information About NAT

NAT for VPN

object network vpn_local
 subnet 10.3.3.0 255.255.255.0
 nat (outside,outside) dynamic interface

! Identify inside Boulder network, & perform object interface PAT when going to Internet:
object network boulder_inside
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface

! Identify inside San Jose network for use in twice NAT rule:
object network sanjose_inside
 subnet 10.2.2.0 255.255.255.0

! Use twice NAT to pass traffic between the Boulder network and the VPN client without
! address translation (identity NAT):
nat (inside,outside) source static boulder_inside boulder_inside destination static vpn_local vpn_local

! Use twice NAT to pass traffic between the Boulder network and San Jose without
! address translation (identity NAT):
nat (inside,outside) source static boulder_inside boulder_inside destination static sanjose_inside sanjose_inside

! Use twice NAT to pass traffic between the VPN client and San Jose without
! address translation (identity NAT):
nat (outside,outside) source static vpn_local vpn_local destination static sanjose_inside sanjose_inside

See the following sample NAT configuration for ASA2 (San Jose):

! Identify inside San Jose network, & perform object interface PAT when going to Internet:
object network sanjose_inside
 subnet 10.2.2.0 255.255.255.0
 nat (inside,outside) dynamic interface

! Identify inside Boulder network for use in twice NAT rule:
object network boulder_inside
 subnet 10.1.1.0 255.255.255.0

! Identify local VPN network for use in twice NAT rule:
object network vpn_local
 subnet 10.3.3.0 255.255.255.0

! Use twice NAT to pass traffic between the San Jose network and Boulder without
! address translation (identity NAT):
nat (inside,outside) source static sanjose_inside sanjose_inside destination static boulder_inside boulder_inside

! Use twice NAT to pass traffic between the San Jose network and the VPN client without
! address translation (identity NAT):
nat (inside,outside) source static sanjose_inside sanjose_inside destination static vpn_local vpn_local
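Both ASAs rely on the same pattern: each network object gets interface PAT for Internet-bound traffic, and a twice NAT identity rule for every pair of networks that must cross the VPN untranslated. The following audit script is an added example, not Cisco's code or part of the guide; it parses only the subset of ASA syntax shown above (`object network`, `subnet`, object `nat ... dynamic interface`, and twice NAT `source static X X destination static Y Y`) and reports any VPN pair that has no identity rule while one of its networks is under interface PAT. The embedded configuration is the ASA1 (Boulder) sample from this page, and the list of VPN pairs is an assumption drawn from that sample.

```python
"""Audit an ASA NAT configuration for the identity (twice) NAT rules that keep
VPN traffic out of interface PAT.

Added example, not Cisco's code. It understands only the subset of ASA syntax
used on this page: 'object network', 'subnet', object 'nat ... dynamic interface'
and twice NAT 'nat (a,b) source static X X destination static Y Y'.
"""
import re
from typing import Dict, FrozenSet, List, Set, Tuple

OBJECT_RE = re.compile(r"^object network (\S+)$")
SUBNET_RE = re.compile(r"^subnet (\S+) (\S+)$")
OBJ_PAT_RE = re.compile(r"^nat \((\S+),(\S+)\) dynamic interface$")
TWICE_RE = re.compile(
    r"^nat \((\S+),(\S+)\) source static (\S+) (\S+) destination static (\S+) (\S+)$"
)

# Constructed input: the ASA1 (Boulder) sample from this page, reformatted.
ASA1_CONFIG = """\
object network vpn_local
 subnet 10.3.3.0 255.255.255.0
 nat (outside,outside) dynamic interface
! Identify inside Boulder network, & perform object interface PAT when going to Internet:
object network boulder_inside
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
! Identify inside San Jose network for use in twice NAT rule:
object network sanjose_inside
 subnet 10.2.2.0 255.255.255.0
! Identity NAT: Boulder<->VPN client, Boulder<->San Jose, VPN client<->San Jose
nat (inside,outside) source static boulder_inside boulder_inside destination static vpn_local vpn_local
nat (inside,outside) source static boulder_inside boulder_inside destination static sanjose_inside sanjose_inside
nat (outside,outside) source static vpn_local vpn_local destination static sanjose_inside sanjose_inside
"""

# Assumption: the three traffic pairs ASA1 must carry inside the VPN untranslated.
ASA1_VPN_PAIRS = [
    ("boulder_inside", "vpn_local"),
    ("boulder_inside", "sanjose_inside"),
    ("vpn_local", "sanjose_inside"),
]


class NatAudit:
    """Parse the NAT-relevant lines and answer 'which VPN pairs would be PATed?'."""

    def __init__(self, config: str) -> None:
        self.subnets: Dict[str, str] = {}          # object name -> "network mask"
        self.pat_objects: Set[str] = set()         # objects with 'dynamic interface' PAT
        # Unordered pairs: static rules are bidirectional on the ASA.
        self.identity_pairs: Set[FrozenSet[str]] = set()
        self._parse(config)

    def _parse(self, config: str) -> None:
        current = None  # object block we are inside, if any
        for raw in config.splitlines():
            line = raw.strip()
            if not line or line.startswith("!"):
                continue
            m = OBJECT_RE.match(line)
            if m:
                current = m.group(1)
                continue
            m = SUBNET_RE.match(line)
            if m:
                if current is None:
                    raise ValueError("subnet outside an object block: " + line)
                self.subnets[current] = m.group(1) + " " + m.group(2)
                continue
            m = OBJ_PAT_RE.match(line)
            if m:
                if current is None:
                    raise ValueError("object NAT outside an object block: " + line)
                self.pat_objects.add(current)
                continue
            m = TWICE_RE.match(line)
            if m:
                current = None  # a global 'nat' command ends object configuration mode
                real_src, mapped_src, real_dst, mapped_dst = m.groups()[2:]
                if real_src == mapped_src and real_dst == mapped_dst:
                    self.identity_pairs.add(frozenset((real_src, real_dst)))
                continue
            raise ValueError("unrecognised line: " + line)

    def missing_identity(self, pairs: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
        """Pairs with no identity twice-NAT rule while at least one side is under
        interface PAT. Twice NAT (section 1) is evaluated before network object
        NAT (section 2), so the identity rule shields the pair from the PAT; without
        it the source is rewritten to the interface address and the packet no longer
        matches the traffic the VPN is meant to carry."""
        missing = []
        for a, b in pairs:
            for name in (a, b):
                if name not in self.subnets:
                    raise ValueError("VPN pair references undefined object " + name)
            exposed = a in self.pat_objects or b in self.pat_objects
            if exposed and frozenset((a, b)) not in self.identity_pairs:
                missing.append((a, b))
        return missing


if __name__ == "__main__":
    gaps = NatAudit(ASA1_CONFIG).missing_identity(ASA1_VPN_PAIRS)
    print("missing identity NAT rules:", gaps or "none")
```

Run against the page's ASA1 configuration the audit reports no gaps; delete any one of the three twice NAT lines and the corresponding pair is reported, which is the configuration mistake that sends VPN-bound traffic through interface PAT instead of the tunnel.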

NAT and VPN Management Access

When using VPN, you can allow management access to an interface other than the one from which you entered the ASA (see the management-access command). For example, if you enter the ASA from the outside interface, the management-access feature lets you connect to the inside interface using ASDM, SSH, Telnet, or SNMP, or ping the inside interface.

Cisco ASA Series Firewall CLI Configuration Guide

3-26

MonitorConfiguring the Cloud Web Security Policy 25-1625-17 Monitoring Cloud Web SecurityHttp//Whoami.scansafe.net 25-18 Configuration Examples for Cisco Cloud Web SecuritySingle Mode Example To attach class-maps to the Cloud Web Security Policy map Multiple Mode ExampleWhitelist Example 25-1925-20 Configuring the Active Directory Server Using LdapDirectory Integration Examples Configuring the Identity Options on the ASA Configuring the Active Directory Agent Using RadiusTesting the AD Agent Creating the ASA as a Client on the AD Agent ServerDownloading the Database from the AD Agent Cloud Web Security with Identity Firewall ExampleMonitoring the Active Directory Groups Showing a List of Active Users25-23 25-24 Aaa-server AD inside host 192.168.116.220 server-port25-25 No call-home reporting anonymous call-homeRelated Documents Feature History for Cisco Cloud Web SecurityRelated Documents 25-2626-1 Information About the Botnet Traffic FilterBotnet Traffic Filter Address Types, Botnet Traffic Filter Databases Botnet Traffic Filter Address TypesBotnet Traffic Filter Actions for Known Addresses Information About the Dynamic DatabaseInformation About the Static Database 26-326-4 How the Botnet Traffic Filter Works 26-526-6 Licensing Requirements for the Botnet Traffic FilterPrerequisites for the Botnet Traffic Filter 26-7 Configuring the Botnet Traffic FilterTask Flow for Configuring the Botnet Traffic Filter Configuring the Dynamic Database 26-826-9 Adding Entries to the Static DatabaseSee the Adding Entries to the Static Database section on TCP DNS traffic is not supported Enabling DNS SnoopingSee the Enabling DNS Snooping section on 26-1026-11 Inspection section on page 10-1 for more information about 26-12Recommended Configuration 26-13Threat-level range moderate very-high Subset of the dynamic-filter enable ACLSee the Blocking Botnet Traffic Manually section on Very-low Low Moderate High Very-highAbout the greylist For dropping purposes. 
If you do not enable this commandBlocking Botnet Traffic Manually 26-15Searching the Dynamic Database 26-16Botnet Traffic Filter Syslog Messaging Botnet Traffic Filter CommandsMonitoring the Botnet Traffic Filter 26-1726-18 Infected-hosts commandDns-snoop command 26-19 Configuration Examples for the Botnet Traffic FilterRecommended Configuration Example Ciscoasa# show dynamic-filter reports top malware-portsOutside Other Configuration Examples26-20 26-21 Feature History for the Botnet Traffic Filter 26-22Licensing Requirements for Threat Detection Configuring Threat DetectionInformation About Threat Detection 27-127-2 Configuring Basic Threat Detection StatisticsInformation About Basic Threat Detection Statistics Security Context Guidelines Trigger Settings Packet Drop Reason Average Rate Burst RateGuidelines and Limitations Types of Traffic MonitoredConfiguring Basic Threat Detection Statistics 27-427-5 Monitoring Basic Threat Detection StatisticsThreat Detection Statistics section on Information About Advanced Threat Detection Statistics Configuring Advanced Threat Detection StatisticsFeature History for Basic Threat Detection Statistics 27-6Configuring Advanced Threat Detection Statistics 27-727-8 Monitoring Advanced Threat Detection Statistics 27-927-10 Using the show threat-detection rate acl-drop command 27-11Field Protocolnumber argument is an integer between 0Statistics 27-12Field Description 27-13Feature History for Advanced Threat Detection Statistics 27-1427-15 Configuring Scanning Threat DetectionInformation About Scanning Threat Detection Average Rate Burst Rate 27-16Monitoring Shunned Hosts, Attackers, and Targets Configuring Scanning Threat DetectionConfiguration see the Configuring Basic Threat Detection Displays the hosts that are currently shunnedFeature History for Scanning Threat Detection 27-18Configuration Examples for Threat Detection 27-1927-20 Preventing IP Spoofing 28-128-2 Configuring the Fragment SizeBlocking Unwanted Connections 
Configuring IP Audit, IP Audit Signature List, Configuring IP Audit for Basic IPS SupportConfiguring IP Audit 28-3Signature Message Number Signature Title IP Audit Signature List1lists supported signatures and system message numbers 28-428-5 28-6 28-7 28-8 Information About Web Traffic Filtering 29-1Information About ActiveX Filtering Configuring ActiveX FilteringLicensing Requirements for ActiveX Filtering 29-2Guidelines and Limitations for ActiveX Filtering Configuring ActiveX FilteringConfiguration Examples for ActiveX Filtering 29-3Information About Java Applet Filtering Configuring Java Applet FilteringFeature History for ActiveX Filtering Licensing Requirements for Java Applet FilteringGuidelines and Limitations for Java Applet Filtering Configuring Java Applet FilteringConfiguration Examples for Java Applet Filtering 29-5Information About URL Filtering Feature History for Java Applet FilteringFiltering URLs and FTP Requests with an External Server 29-629-7 Licensing Requirements for URL FilteringGuidelines and Limitations for URL Filtering 29-8 Identifying the Filtering ServerChoose from the following options 29-9 Replaces block-buffer with the maximum number of Http Configuring Additional URL Filtering SettingsBuffering the Content Server Response Maximum memory allocation of 2 KB to 10 MBOn the Websense server Caching Server AddressesFiltering Http URLs Websense server29-12 Filtering Https URLs 29-1329-14 Filtering FTP RequestsMight enter cd ./files instead of cd /public/files 29-15 Following is sample output from the show url-servercommandMonitoring Filtering Statistics Ciscoasa# show url-serverFollowing is sample output from the show filter command Following is sample output from the show url-blockcommandFollowing is sample output from the show perfmon command 29-16Feature History for URL Filtering 29-1729-18 Configuring Modules Page Information About the ASA CX Module 30-1How the ASA CX Module Works with the ASA 30-2Traffic-Forwarding Interface in 
Monitor-Only Mode Monitor-Only ModeService Policy in Monitor-Only Mode 30-3Information About ASA CX Management Initial ConfigurationInitial Configuration, Policy Configuration and Management, 30-4Policy Configuration and Management Information About Authentication ProxyCompatibility with ASA Features Information About VPN and the ASA CX ModuleLicensing Requirements for the ASA CX Module 30-6Does not support clustering Monitor-Only Mode GuidelinesASA Clustering Guidelines 30-7Parameters Default Configuring the ASA CX ModuleSee the Compatibility with ASA Features section on Task Flow for the ASA CX Module30-9 Connecting the ASA CX Management InterfaceASA 5585-X Hardware Module 30-10 If you have an inside routerIf you do not have an inside router ASA 5512-X through ASA 5555-X Software Module 30-1130-12 30-13 ExamplePartition the SSD Sets the ASA CX management IP address, mask, and gateway Session 1 do setup host ipASA 5585-X Changing the ASA CX Management IP Address 30-14Ciscoasa# session cxsc console Configuring Basic ASA CX Settings at the ASA CX CLI30-15 Enter an IPv6 address 2001DB80CD301234/6430-16 Change the admin password by entering the following commandAsacx config passwd Optional Configuring the Authentication Proxy Port 30-1730-18 Creating the ASA CX Service PolicyRedirecting Traffic to the ASA CX Module See the Monitor-Only Mode section on page 30-3 for more 30-1930-20 Configuring Traffic-Forwarding Interfaces Monitor-Only ModeSee the Feature Matching Within a Service Policy section on Managing the ASA CX Module 30-21For a software module ASA 5512-X through ASA Resetting the PasswordReloading or Resetting the Module 30-22Shutting Down the Module 30-2330-24 Sw-module module cxsc uninstallNew module type ReloadShowing Module Status Admin123Monitoring the ASA CX Module 30-25Showing Module Statistics 30-26Monitoring Module Connections 30-2730-28 Dp-cp‘X’ flag Show asp event dp-cp cxsc-msgCiscoasa# show asp event dp-cp cxsc-msg 30-29Ciscoasa# show asp drop 
Debugging the Module Troubleshooting the ASA CX ModuleCapturing Module Traffic 30-30Problems with the Authentication Proxy 30-31Check the authentication proxy rules Configuration Examples for the ASA CX ModuleCheck the authentication proxy port 30-32Feature History for the ASA CX Module 30-33Cxsc monitor-only We modified or introduced the following commands cxscFail-close fail-openmonitor-only,traffic-forward 30-3430-35 Capture interface asadataplane commandAsadataplane 30-36 Information About the ASA IPS Module 31-1How the ASA IPS Module Works with the ASA 31-231-3 Using Virtual Sensors ASA 5510 and HigherOperating Modes Information About Management Access 31-4Licensing Requirements for the ASA IPS module 31-531-6 1lists the default settings for the ASA IPS moduleManagement Vlan ASA 5505 only 31-7 Configuring the ASA IPS moduleTask Flow for the ASA IPS Module Connecting the ASA IPS Management Interface 31-831-9 ASA 31-1031-11 ASA 5512-X through ASA 5555-X Booting the Software ModuleSessioning to the Module from the ASA Ciscoasa# sw-module module ips recover boot Configuring Basic IPS Module Network SettingsFor example, using the filename in the example in , enter 31-12Connecting the ASA IPS Management Interface section on ASA 5510 and Higher Configuring Basic Network SettingsASA 5505 Configuring Basic Network Settings Sessioning to the Module from the ASA Section on31-14 31-15 Configuring the Security Policy on the ASA IPS ModuleDetails command 31-16 31-17 Diverting Traffic to the ASA IPS module 31-1831-19 31-20 IPS module Installing and Booting an Image on the ModuleManaging the ASA IPS module 31-2131-22 For a software module for example, the ASA 5545-X Uninstalling a Software Module ImageSw-module module ips uninstall 31-2331-24 Sw-module module ips password-resetFor a software module for example, the ASA 31-25 Monitoring the ASA IPS moduleIps for a software module Ciscoasa# show module ips Configuration Examples for the ASA IPS module31-26 Module allow-ip 
Feature History for the ASA IPS moduleAllow-ssc-mgmt,hw-module module ip, and hw-module 31-2731-28 Inventory, show environmentSession, show module, sw-module Information About the CSC SSM 32-1ASA 32-2Determining What Traffic to Scan 32-3Common Network Configuration for CSC SSM Scanning 32-432-5 Licensing Requirements for the CSC SSMPrerequisites for the CSC SSM Supported in single and multiple context modes 1lists the default settings for the CSC SSMParameter Default 32-632-7 Configuring the CSC SSMBefore Configuring the CSC SSM 32-8 Connecting to the CSC SSMSee the Connecting to the CSC SSM section on 32-9 Determining What Traffic to Scan section on Diverting Traffic to the CSC SSMSee the Diverting Traffic to the CSC SSM section on 32-1032-11 Guidelines and Limitations section on 32-12Displays the status Monitoring the CSC SSMSee the Monitoring the CSC SSM section on Displays additional status information32-14 Troubleshooting the CSC ModuleInstalling an Image on the Module 32-15 Resetting the PasswordRecover command Reloading or Resetting the Module 32-16Shutting Down the Module Configuration Examples for the CSC SSMCiscoasaconfig-cmap#policy-map cscinpolicy Shuts down the moduleInstructions on use of the CSC SSM GUI Additional ReferencesRelated Topic Document Title Assistance with the Startup WizardDetails recover Feature History for the CSC SSMFeature Name Platform Releases Feature Information 32-1932-20 IN-1 IN-2 IN-3 IN-4 IN-5 RPC not supported with See also policy mapLDP 6-7router-id 6-7TDP Multi-session PAT IN-6IN-7 IN-8 IN-9 IN-10
Related manuals
Manual 754 pages 55.66 Kb Manual 52 pages 35.74 Kb

ASA 5555-X, and the ASA Services Module, ASA 5545-X, ASA 5585-X, ASA 5580 specifications

Cisco Systems has long been a leader in the field of network security, and its Adaptive Security Appliance (ASA) series is a testament to this expertise. Within the ASA lineup, models such as the ASA 5505, ASA 5580, ASA 5585-X, ASA 5545-X, and ASA 5555-X stand out for their unique features, capabilities, and technological advancements.

The Cisco ASA 5505 is designed for small businesses or branch offices. It provides essential security features such as firewall protection, flexible VPN capabilities, and intrusion prevention. The ASA 5505 supports a user-friendly interface, allowing for straightforward management. Its built-in threat detection and prevention tools provide a layered defense, and with scalability in mind, it can accommodate various expansion options as organizational needs grow.

Moving up the line, the ASA 5580 delivers greater throughput and advanced security features. This model is suited for medium to large enterprises that require robust protection against increasingly sophisticated threats. Its multi-core architecture allows it to manage high volumes of traffic seamlessly while maintaining excellent performance levels. The ASA 5580 also supports application-layer security and customizable access policies, making it highly adaptable to diverse security environments.

The ASA 5585-X further enhances Cisco's security offerings with advanced malware protection and extensive security intelligence capabilities. It incorporates next-generation firewall features, including context-aware security, and supports advanced threat detection technologies. This model is ideal for large enterprises or data centers that prioritize security while ensuring uninterrupted network performance and availability.

For enterprises requiring a balance of performance and security, the ASA 5545-X presents a compelling option. This model offers scalable performance, high availability, and integrated advanced threat protection. Coupled with advanced endpoint protection and detailed monitoring capabilities, the ASA 5545-X enables organizations to manage their security posture effectively.

Lastly, the ASA 5555-X combines current technologies with a strong security architecture. It offers high throughput and deep packet inspection. Its architecture supports threat intelligence feeds that provide real-time security updates, making it a powerful tool against modern threats.

Each of these Cisco ASA models brings specific advantages to different environments. Their integration capabilities enable businesses to strengthen their security posture while benefiting from straightforward scalability and management. As cybersecurity threats evolve, these appliances play a vital role in protecting valuable digital assets.